Securing Healthcare Against Advanced Persistent Threats
Guest post by Garret Grajek, chief security officer, dincloud.
A March 2014 study by the Ponemon Institute titled, “Ponemon Report on Patient Privacy & Data Security,” stated that cybercriminal attacks on healthcare organizations have doubled in the past three years. If you follow IT news at all, you know that healthcare organizations are also under attack, with some of the latest of these attacks being what experts classify as APTs (Advanced Persistent Threats). APT attacks distinguish themselves by being persistent attacks orchestrated by an organized (and usually well-funded) institution, either government or criminal, with a specific target and purpose for the attack.
APTs distinguish themselves from past “script kiddies” and accidental hackers who execute “crimes of opportunity” (e.g. they find a site that they can do an SQL injection and see what data they can download). Advanced persistent threats however follow the opposite workflow – they select a target and then use any and all mechanisms to obtain access to the data they desire.
You’re in healthcare – but should you care?
Healthcare IT systems are a target rich environment for advanced persistent threats attacks. What’s the reward? PHI (Personal Health Information) and PII (Personal Identification Information). PHI/PII for hackers is the gift that keeps on giving! With someone’s identity information, hackers can create multiple accounts – financial and other – for the purposes of fraud. This was seen in mid-August when Community Health Systems announced that it had fell victim to an APT attack earlier that year from an APT group based in China. Chinese hackers stole medical records for 4.5 million patients, according to a regulatory filing from the healthcare provider. And how can we forget the security breach at HealthCare.gov, the government’s health insurance marketplace.
Healthcare has the same type of information, and more. User identities, associated e-mail addresses, phone numbers, street addresses, and often insurance, credit, and other key PII information (like employer’s and spouse information), are held by health care providers. Attackers know this, and for these reasons, health care entities have become an easy target for advanced persistent threats attacks.
Defending Against APTs
According to Bruce Schneier, considered America’s lead cryptographer by many, the future of hacking is APT and we will only see more of these attacks. His break down of how to defend against an APT is very enlightening; Schneier says to defend against APTs we should follow the principals of OODA (Observe, Orient, Decide, Act):
- Observe – Know what is going on in our environment.
- Orient – Know what this means in the context of your environment.
- Decide – Figure out what your course of behavior should be.
- Act – Decide course of action.
This is a very rational, learned approach to the threats from an organized and well-funded attacker who has targeted your organization for the purpose of stealing your data. But do you have the resources to execute on OODA against these threats?
How does healthcare stack up against APT?
Health care providers need to align their resources, both manpower and IT, to meet these steps. The Bruce Schneier OODA checklist can help healthcare organizations understand if they are ready to meet these challenges.
For example, with health care, the steps look like this:
- Observe – for both inbound traffic on BOTH web and network, the health care provider should insurance they have BOTH firewall and an IP reputation service to observe inbound traffic.
- Orient – the firewalls, IPS and IP Reputation solutions need to be tuned to look for certain types of attacks, especially the reconnaissance packets that are the hallmark of APT attacks that are trying to steal healthcare PHI.
- Decide – Alerts should be set on these detection devices that go to key team members. Adequate staffing and human resources (full time, contract, or services) is paramount here as this is where most organizations fail. (Reference: Target ignored the hacker alerts).
- Act – The personnel involved should be given clear directions on actions to take when suspicious traffic is seen. Most of the modern IPS, IPR and IP Reputation tools have mitigation abilities built in. Tools should be selected that both identity and (can) block traffic. Managed service providers and private clouds are trained to perform this service and should be looked at for consideration.
In summary, protecting against APT attacks is a matter of understanding the workflow of these attacks, and then intelligently preparing to identify, decide and act on them. Healthcare organizations are under attack, just as many other organizations, but there are tools and methodologies that exist to make it a secure playing field.
Garret Grajek is the chief security officer at dincloud, a cloud service provider and transformation company that helps businesses and public/private organizations rapidly migrate to the cloud through the hosting of servers, desktops, storage and other cloud services via its strong channel base of VARs and MSPs. Visit dinCloud on LinkedIn: www.linkedin.com/company/dincloud.