By Paul Keely, general manager, Born in the Cloud business unit at Open Systems.
Cyberattacks are never easy to absorb. But when ransomware actors recently hit several U.S. hospitals, the timing made it especially damaging. Anything that takes down a hospital’s compute environment is serious, because hospitals are now almost entirely digital. Add the fact that the U.S. is recording around 100,000 COVID-19 cases a day, and you have a real challenge on your hands.
This Was a Large and Sophisticated Attack
Broadly, cyberattacks fall into two camps. Spray-and-pray attacks have no particular target: attackers scatter their worm or malware as widely as they can and hope it spreads. WannaCry, which crippled parts of the U.K. National Health Service in 2017, was a spray-and-pray worm.
The recent attack on the U.S. hospitals, by contrast, was targeted. The operators chose a specific sector, in this case the American healthcare system, and pursued it with the focus usually associated with an advanced persistent threat (APT). We have not heard of a comparable campaign in Europe.
This attack does not appear to have been staged for fun by a few people in a college dorm room. It is a big, coordinated operation: the FBI is telling American healthcare systems to block some 150 IP addresses associated with it.
The Threat Ravaged Some and Left Others Unscathed
Some of the targeted healthcare organizations were severely affected. The ransomware landed on endpoints and spread very rapidly, encrypting drives across the estate and leaving the IT resources of these organizations essentially useless.
At least one affected organization may have to stand up a new Active Directory environment and migrate every user and system into it, slowly but surely. That is a doomsday scenario. Active Directory is the core of an organization’s identity: it decides which people and machines are trusted. Once it has been compromised, every account, credential and domain-joined machine is suspect, so the organization cannot say for sure whether its IT environment, and therefore the organization as a whole, is safe.
One of these organizations had all of its on-premises data centers breached, while everything it ran in the cloud was untouched. Meanwhile, a separate medical facility that was also targeted, but that uses our cloud-based managed threat detection and machine learning, came through completely unscathed.
This is a stark illustration that healthcare providers have one of two experiences with cybersecurity. Either they spend some time and money to secure their organization now, or they get breached, lose a great deal of money, and then spend even more to secure it afterward.
Device Certification Lag Time Creates Significant Risk
One fundamental cybersecurity challenge is the certification of devices in connected healthcare environments. It is not uncommon for the process to take many years, sometimes close to a decade. When a company builds a CT, MRI or ultrasound machine, the computer that controls it must pass through that same certification, so it cannot simply be swapped for a newer one. By the time the machine reaches the market, that embedded computer may already be at or near end of life, with the supplier no longer supporting or securing it.
A healthcare organization might invest $250,000 to $1 million in a machine that will run in a hospital for the next 15 years. But often the embedded IT that manages the device is so old, and so tightly tied to the certified configuration, that it cannot be patched or reconfigured. This end-of-life problem has serious ramifications.
Operational technology (OT) security monitoring can address this problem. Microsoft’s CyberX (acquired in 2020 and now part of Microsoft Defender for IoT) passively monitors OT and medical devices from their network traffic, without installing agents on equipment that cannot be modified. Analysts in a security operations center (SOC) can use such a tool to inventory devices, spot vulnerable firmware and protocols, and see which systems talk to which. When they identify a threat, they can restrict how, and whether, other systems are allowed to communicate with these devices, for example by segmenting them onto their own network and allowing only the few peers they actually need.
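The following is an added example, not code from the article or from any Microsoft product, of the passive approach just described: learn which peers and services an unpatchable device normally uses from a known-good window of network flows, flag anything outside that baseline, and turn the baseline into allow rules for the segmentation firewall. It assumes flow records have already been extracted from a tap or SPAN port; all addresses, device names and flows are constructed for illustration.

```python
"""
Passive baseline-and-deviation monitoring for unpatchable medical devices.

Added example. Flow records (source, destination, port, protocol) are
assumed to come from a network tap or SPAN port, the way a passive OT
monitoring tool sees them. Addresses, device names and flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory of devices whose embedded controllers can no longer be patched.
LEGACY_DEVICES = {"10.20.1.15": "CT-scanner-1", "10.20.1.16": "MRI-1"}

# Services that should never be exposed on an unpatchable device; any new
# flow on these ports is treated as high severity. Ports are standard assignments.
RISKY_PORTS = {135: "MS-RPC", 445: "SMB", 3389: "RDP", 5900: "VNC"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def learn_baseline(flows):
    """Record every (peer, port, proto) each legacy device used during a known-good window."""
    baseline = defaultdict(set)
    for f in flows:
        if f.dst in LEGACY_DEVICES:
            baseline[f.dst].add((f.src, f.dport, f.proto))
        if f.src in LEGACY_DEVICES:
            baseline[f.src].add((f.dst, f.dport, f.proto))
    return baseline


def detect(flows, baseline):
    """Flag any flow involving a legacy device that was not seen in the baseline."""
    alerts = []
    for f in flows:
        for dev, peer in ((f.dst, f.src), (f.src, f.dst)):
            if dev not in LEGACY_DEVICES:
                continue
            if (peer, f.dport, f.proto) in baseline.get(dev, set()):
                continue  # normal traffic for this device
            risky = f.dport in RISKY_PORTS
            alerts.append({
                "ts": f.ts,
                "device": LEGACY_DEVICES[dev],
                "peer": peer,
                "service": f"{f.proto}/{f.dport}" + (f" ({RISKY_PORTS[f.dport]})" if risky else ""),
                "severity": "high" if risky else "medium",
            })
    return alerts


def suggest_allowlist(baseline):
    """Turn the learned baseline into per-device allow rules with a default deny.

    Vendor-neutral rule strings meant to be translated into the segmentation
    firewall's own syntax; this is not a real product format.
    """
    rules = []
    for dev, peers in sorted(baseline.items()):
        name = LEGACY_DEVICES[dev]
        for peer, port, proto in sorted(peers):
            rules.append(f"allow {peer} <-> {name} {proto}/{port}")
        rules.append(f"deny any <-> {name}")
    return rules


# Constructed known-good window: both scanners speak DICOM with the PACS
# server (tcp/104) and the CT syncs time with the site NTP server (udp/123).
BASELINE_FLOWS = [
    Flow("2020-10-01T09:00:00", "10.20.5.10", "10.20.1.15", 104, "tcp"),
    Flow("2020-10-01T09:00:05", "10.20.1.15", "10.20.5.1", 123, "udp"),
    Flow("2020-10-01T09:01:00", "10.20.5.10", "10.20.1.16", 104, "tcp"),
]

# Constructed observation window: one routine DICOM transfer, then an SMB
# probe and an HTTPS connection from a workstation that never spoke to either device.
OBSERVED_FLOWS = [
    Flow("2020-10-27T02:10:00", "10.20.5.10", "10.20.1.15", 104, "tcp"),
    Flow("2020-10-27T02:11:30", "10.30.7.44", "10.20.1.15", 445, "tcp"),
    Flow("2020-10-27T02:11:31", "10.30.7.44", "10.20.1.16", 443, "tcp"),
]

BASELINE = learn_baseline(BASELINE_FLOWS)

if __name__ == "__main__":
    for alert in detect(OBSERVED_FLOWS, BASELINE):
        print(alert)
    print("\n".join(suggest_allowlist(BASELINE)))
```

The routine DICOM transfer produces nothing; the SMB probe against the CT scanner is reported as high severity and the unexpected HTTPS connection to the MRI as medium. The weak point of any learned baseline is the learning window itself: if an intruder was already talking to a device while the baseline was recorded, that traffic is baked in as normal, so the window should be reviewed against the device vendor's documented ports before the allow rules are deployed.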
Threat Actors Actually Like Going to the Hospital
Hospitals and patient records are unlike any other data sources in the world. Healthcare organizations know everything about us and our families: date of birth, blood type, billing details. They have our Social Security numbers, and they know the companies we work for and where we live. That is everything bad actors need to steal our identities.
The healthcare industry knows that it has to modernize and embrace the internet of things (IoT). Much of the infrastructure in hospitals is already connected. This includes doors, elevators, lights and thermostats. And connected monitoring systems enable healthcare professionals to monitor patients and log data even when they’re not in the patients’ rooms.
Centralized, connected systems let hospitals provide better service with fewer people. But when hospitals brought such connected infrastructure into their environments, the IoT devices were specified only to work; nobody specified that they had to work securely.
The Best Treatment Is Leaving Cybersecurity to the Experts
Different departments in hospitals want different things from IT. Senior consultants in departments that work with cardiac patients ask for different connected devices than people in charge of hospital maternity wards. But unless IT can monitor, patch, update and secure the IoT devices in every department within the hospital, these devices can become a long-term risk.
If you are a hospital decision-maker, consider that risk, look around and note what you see. A CFO we worked with recently did that with the head of the organization’s IT department. The executive asked why there were computer servers where there could have been patient beds. He wondered aloud why the hospital wasn’t using this valuable space for an ICU ward.
As it turns out, that’s exactly what this hospital now plans to do. This is possible because the hospital elected to outsource its data center management and cybersecurity to a cloud-based service provider. This will free up needed space in the building, which is especially important amid the pandemic. The hospital will not have to hire and retain expensive and hard-to-find data scientists, machine learning specialists and cybersecurity veterans to run an in-house SOC. The hospital can focus on what it does best – treating patients – and leave the job of threat detection, prevention and response to the experts.
The Most Effective Prescription Contains a Mix of People and Technology
The experts who run cloud-based managed detection and response (MDR) providers’ SOCs are vital to safeguarding hospitals’ connected environments. SOC security analysts can recognize nuanced signals of attack and investigate whether alerts signal true positive security incidents. The experts at MDR providers also can work with hospital IT teams to create and update hospital security policies to reduce the chances of future cyberattacks.
The pace at which cyberattacks evolve and expand, and the deluge of data organizations deal with today, mean that humans cannot do it alone. That is why leading MDR providers use cloud-based machine learning (ML) to understand, address and limit risk.
Compliance is one of the biggest challenges healthcare organizations face. They must comply with cybersecurity and privacy rules specified in regulations such as GDPR and HIPAA. Yet the people and organizations within the healthcare ecosystem need to share patient data. ML in the cloud can help ensure that sharing is done securely. For example, Microsoft has built natural-language ML models that can recognize whether an outgoing email contains patient records. An MDR provider that employs this capability can identify such situations and either block the email or strip out the data that should not be in it.
ML can also increase understanding and prompt action by bringing context to a situation. A hospital’s MDR provider could use ML to see that a doctor downloaded a set of data at 2 a.m. from a certain area of the building. By correlating other available information, such as the employee scheduling software and badge records, the provider could see that the doctor was not working at that time and had never before been in that part of the hospital. Cloud-based ML quickly connects those dots to establish what is out of the ordinary, which helps MDR providers recognize and contain cyberthreats fast.
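As an added illustration of the block-or-strip decision described above, here is a small outbound-mail check. It is not the article’s or Microsoft’s code, and it stands in for the ML classifier with explicit patterns (Social Security number, medical record number, date of birth) so the policy logic can be shown without a trained model. The trusted domains, identifiers and messages are constructed.

```python
"""
Outbound-mail check for patient records leaving the organization.

Added example. Pattern matching (SSN, MRN, DOB) stands in for the ML
recogniser the article describes; the allow / redact / block policy is the
part being demonstrated. Domains, identifiers and messages are constructed.
"""
import re
from dataclasses import dataclass

# Domains to which patient data may flow unmodified (constructed).
TRUSTED_DOMAINS = {"hospital.example", "partner-lab.example"}

# Identifier patterns. The MRN and DOB patterns are keyword-anchored to keep
# false positives down; the SSN pattern is format-only and will also match any
# 3-2-4 digit string, which is acceptable for a last-line egress control.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "DOB": re.compile(r"\bDOB:?\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}

# More distinct identifiers than this looks like a record dump rather than a
# single referral, so the message is blocked outright instead of redacted.
BULK_THRESHOLD = 3


@dataclass
class Email:
    sender: str
    recipients: list
    subject: str
    body: str


def find_identifiers(text):
    """Return {kind: set of matched strings} for every pattern that fires."""
    return {kind: set(p.findall(text)) for kind, p in PATTERNS.items() if p.search(text)}


def external_recipients(email):
    return [r for r in email.recipients if r.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS]


def redact(text):
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{kind}]", text)
    return text


def enforce(email):
    """Decide allow / redact / block for one outbound message.

    Returns (action, message_to_send). A blocked message returns None as the
    second element so a caller cannot send it by accident.
    """
    if not external_recipients(email):
        return "allow", email  # stays within trusted domains
    found = find_identifiers(email.subject + "\n" + email.body)
    if not found:
        return "allow", email
    if sum(len(v) for v in found.values()) > BULK_THRESHOLD:
        return "block", None
    return "redact", Email(email.sender, email.recipients, redact(email.subject), redact(email.body))


# Constructed messages.
INTERNAL_MSG = Email("nurse@hospital.example", ["billing@hospital.example"],
                     "Insurance query", "Patient SSN 123-45-6789, please verify coverage.")
REFERRAL_MSG = Email("dr.lee@hospital.example", ["intake@outside-clinic.example"],
                     "Referral for MRN: 00123456",
                     "Patient DOB 04/12/1961, SSN 123-45-6789. Cardiology follow-up requested.")
DUMP_MSG = Email("dr.lee@hospital.example", ["me@personal-mail.example"], "list",
                 "111-22-3333\n222-33-4444\n333-44-5555\n444-55-6666\n")

if __name__ == "__main__":
    for msg in (INTERNAL_MSG, REFERRAL_MSG, DUMP_MSG):
        action, out = enforce(msg)
        print(action, "|", out.body.strip() if out else "(not sent)")
```

The internal message is allowed untouched, the single external referral goes out with the identifiers replaced by `[REDACTED-…]` markers, and the four-record list to a personal mailbox is blocked. In practice the redact path should also generate an alert, because a legitimate referral is rarely the only explanation for patient identifiers in a message to an unknown domain.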
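The 2 a.m. download scenario, worked through as an added example rather than any provider’s actual algorithm: each piece of context that contradicts the access (outside the scheduled shift, a zone the user has never badged into, an unusually large pull) adds to a score, and only events over a threshold are escalated. Explicit rules stand in for the ML correlation; the schedule, badge history and access events are constructed.

```python
"""
Contextual scoring of record downloads against schedule and badge data.

Added example. Rules stand in for the ML correlation the article describes.
Users, zones, schedules and access events are constructed.
"""
from datetime import datetime, time

# Constructed shift schedule: user -> list of (weekday, start, end, zone); weekday 0 = Monday.
SCHEDULE = {
    "dr_lee": [(day, time(8, 0), time(18, 0), "cardiology-2") for day in range(5)],
}

# Constructed badge history: zones each user has entered in the past twelve months.
BADGE_HISTORY = {"dr_lee": {"cardiology-2", "cafeteria", "parking-b"}}

BULK_RECORDS = 200  # more records than one clinical session would normally need


def on_shift(user, at):
    """True if the timestamp falls inside one of the user's scheduled shifts."""
    for weekday, start, end, _zone in SCHEDULE.get(user, []):
        if at.weekday() == weekday and start <= at.time() <= end:
            return True
    return False


def score_event(event):
    """Return (score, reasons) for one download event.

    event = {"ts": ISO-8601 string, "user": str, "zone": str, "records": int}
    """
    user = event["user"]
    at = datetime.fromisoformat(event["ts"])
    reasons = []
    if not on_shift(user, at):
        reasons.append("outside scheduled shift")
    if event["zone"] not in BADGE_HISTORY.get(user, set()):
        reasons.append("zone never badged before")
    if event["records"] > BULK_RECORDS:
        reasons.append("bulk download")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return the events whose score reaches the threshold, annotated with their reasons."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append({**event, "score": score, "reasons": reasons})
    return flagged


# Constructed access log. 2020-10-27 is a Tuesday, a scheduled working day for dr_lee.
EVENTS = [
    {"ts": "2020-10-27T02:05:00", "user": "dr_lee", "zone": "radiology-3", "records": 1200},
    {"ts": "2020-10-27T10:15:00", "user": "dr_lee", "zone": "cardiology-2", "records": 12},
    {"ts": "2020-10-27T17:30:00", "user": "dr_lee", "zone": "cardiology-2", "records": 350},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["ts"], hit["user"], hit["score"], hit["reasons"])
```

Only the 2 a.m. event is escalated; it trips all three signals. The 5:30 p.m. download of 350 records from the doctor’s own ward scores one and stays below the threshold, which is the point of correlating context: a large pull during a scheduled shift from a familiar location is ordinary clinical work, while the same pull at 2 a.m. from an unfamiliar part of the building is not. The weakness is that every signal depends on the scheduling and badge feeds being accurate; a stale roster turns legitimate overtime into alerts, so those feeds need the same care as the security logs themselves.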
Amid the global pandemic, keeping our healthcare resources available is more important than ever. U.S. hospitals are low-hanging fruit for cyberattacks, and securing these complex, connected environments is extremely difficult for in-house IT teams.
Hiring an MDR provider helps hospitals overcome these challenges and give cybersecurity the attention it deserves. That said, not all MDR providers are the same. A good security company will stop attacks that others can’t. A great MDR provider will stop attacks that others can’t even see.