Electronic Health Reporter

Guest post by David Thompson, senior director, product management, LightCyber.

A targeted data breach is one of the most vexing problems facing healthcare organizations today. Just in the first three months of 2015 alone, 99 million patient healthcare records were compromised—that’s about one-third of the entire U.S. population, and those are just the ones we know about. According to some sources, 90 percent of healthcare organizations have already been breached, but we aren’t sure which ones.

The cybercriminals behind a targeted data breach do not want to be exposed—and make no mistake, these breaches are run by people, not autonomous software. Unlike the hackers of earlier days, these operatives want to stay hidden and conduct their work in secret. Even if they have successfully completed their initial goals—let’s say exfiltrate patient medical records—a cybercriminal team will likely want to stay undiscovered to continue to steal more data as it is collected, or leverage this access to break into another company. Often this will involve commandeering valid credentials from the first organization to gain access to another, perhaps a partner healthcare organization, an insurance company, an independent lab or some other entity.

The simple truth is that most healthcare organizations lack the means to detect an active data breach. First, let me define a data breach, since there is so much confusion over the term. A breach is the entire process—from initial network penetration through data exfiltration— cybercriminals go through to achieve their goals.

Often a breach is perceived as only the initial penetration into the network or infection of a machine. This one act is over in an instant, but it is the focus of considerable security resources. In other words, a large proportion of security resources are devoted to preventing single step in the breach process that lasts less than a minute, but is only the first step toward a goal.

Also, initial penetration is not as easy to spot and block as you might guess. Since the way into the network may be accomplished through the use of valid credentials acquired through social engineering or clever spear phishing, detecting the intrusion can be difficult. Effective prevention of intrusions is based on use of statically defined descriptions of software code or behavior (signatures and hashes), so it is successful mainly when known malware is used to conduct a breach. So, preventing an intrusion has a marginal success rate, but it is often seen as the last change an organization has in defeating a targeted breach.

Once an attacker is inside the network, most organizations lack the ability to find them. At the same time, an attacker is inherently at a disadvantage, having landed inside an unfamiliar network. This disadvantage is quickly dissipated since they can often go completely undetected for weeks, months or even longer. The industry average dwell time is around six months, plenty of time for an attacker to explore a network and get at assets.

Why is it that organizations are seemingly powerless to find an active data breach once an intruder has penetrated a network? There are four main reasons.

First, many healthcare organizations simply do not have any tools or processes for detecting a breach after an intruder has penetrated the network. When asked, most security or IT executives from a healthcare organization get extremely uncomfortable if challenged with the question, “What is your confidence level that you can quickly detect an active data breach?” Similarly, if you ask what they have in place to find a post-intrusion attacker, the response is one of discomfort or consternation. Ask this at a party and you may not get invited back!

To be fair, detection has a history of being difficult, personnel-intensive and ineffective. In addition, the new behavioral profiling technologies designed to detect active breaches are not well known or understood by security or IT personnel.

The second reason for the inability to detect an active breach before it’s too late is that security systems that might be in place in larger organizations produce a flood of security alerts that is far beyond anyone’s capacity to use them productively. SIEM systems, IDS/IPS and even firewalls can generate hundreds or thousands of daily alerts, mostly dominated by false positives. It’s possible that an indication of a breach may show up in this mountain of alerts, but it would be like finding a needle in a haystack. In addition these systems have a view that is too limited to understand that a single act may be part of an active breach.

A third reason for the inability to detect an active breach is that many organizations are still too focused on preventive security. On one hand, organizations understand and believe the FBI, Gartner and others that it is no longer possible to achieve complete prevention. On the other hand, these organizations have not changed their security priorities or budgets to match, and they are focused almost exclusively on prevention. Prevention is still essential, but it is not sufficient to deter being victimized by a targeted data breach. These organizations understand present and future realities, but they keep on living in the past.

A fourth reason is that an organization may have some detection focus, but it is centered on malware. Malware hunting is valuable since it can cause serious damage to systems and create a path for malicious actions, but will not lead to uncovering an active data breach. Often times, malware is not used in a data breach, or if it is, it is too difficult to see it as connected to a larger scheme. It’s the classic “forest for the trees” problem. We’ve even seen cases where a company has accurately detected and removed malware, yet not impeded the overall breach at all!

So what’s a healthcare organization to do? Fortunately there are new approaches to detecting an active breach before theft and damage occur. These approaches not only involve a new system for active breach detection, but also new strategies that accept the unthinkable—that an organization’s network will be breached, and that the new challenge is to find the active attacker as quickly and accurately as possible. This strategy informs the way resources are structured and overall security conducted. Preventive security is still important, and so are audits, incident response, forensics and other disciplines. At the same time, healthcare organizations need to wake up to the new realities of targeted data breaches and drive proactive change to avoid ending up in tomorrow’s headlines.