Securing Healthcare Against Advanced Persistent Threats

Garret Grajek

Guest post by Garret Grajek, chief security officer, dincloud.

A March 2014 study by the Ponemon Institute titled, “Ponemon Report on Patient Privacy & Data Security,” stated that cybercriminal attacks on healthcare organizations have doubled in the past three years. If you follow IT news at all, you know that healthcare organizations are also under attack, with some of the latest of these attacks being what experts classify as APTs (Advanced Persistent Threats). APT attacks distinguish themselves by being persistent attacks orchestrated by an organized (and usually well-funded) institution, either government or criminal, with a specific target and purpose for the attack.

APTs distinguish themselves from the “script kiddies” and accidental hackers of the past, who commit “crimes of opportunity” (e.g. they find a site on which they can perform an SQL injection and see what data they can download). Advanced persistent threats follow the opposite workflow – they select a target first and then use any and all mechanisms to obtain access to the data they desire.

You’re in healthcare – but should you care?

Healthcare IT systems are a target-rich environment for advanced persistent threat attacks. What’s the reward? PHI (Personal Health Information) and PII (Personal Identification Information). PHI/PII for hackers is the gift that keeps on giving! With someone’s identity information, hackers can create multiple accounts – financial and other – for the purposes of fraud. This was seen in mid-August when Community Health Systems announced that it had fallen victim to an APT attack earlier that year from an APT group based in China. Chinese hackers stole medical records for 4.5 million patients, according to a regulatory filing from the healthcare provider. And how can we forget the security breach at the government’s health insurance marketplace.

Healthcare has the same type of information, and more. User identities, associated e-mail addresses, phone numbers, street addresses, and often insurance, credit, and other key PII (such as employer and spouse information) are held by health care providers. Attackers know this, and for these reasons health care entities have become an easy target for advanced persistent threat attacks.

Defending Against APTs

According to Bruce Schneier, considered America’s lead cryptographer by many, the future of hacking is the APT, and we will only see more of these attacks. His breakdown of how to defend against an APT is very enlightening; Schneier says that to defend against APTs we should follow the principles of OODA (Observe, Orient, Decide, Act):

This is a very rational, learned approach to the threats from an organized and well-funded attacker who has targeted your organization for the purpose of stealing your data. But do you have the resources to execute on OODA against these threats?

How does healthcare stack up against APT?

Health care providers need to align their resources, both manpower and IT, to meet these steps. The Bruce Schneier OODA checklist can help healthcare organizations understand if they are ready to meet these challenges.

For example, with health care, the steps look like this:

In summary, protecting against APT attacks is a matter of understanding the workflow of these attacks, and then intelligently preparing to identify, decide and act on them. Healthcare organizations are under attack, just as many other organizations are, but tools and methodologies exist to make it a secure playing field.

Garret Grajek is the chief security officer at dincloud, a cloud service provider and transformation company that helps businesses and public/private organizations rapidly migrate to the cloud through the hosting of servers, desktops, storage and other cloud services via its strong channel base of VARs and MSPs.
