Report: A vulnerable attack surface exists in healthcare enterprise IT networks

April 29, 2019
Vectra research highlights precarious security risks in the healthcare industry due to legacy infrastructures and unmanaged devices

SAN JOSE, Calif., April 24, 2019 - Vectra, the leader in network threat detection and response, announced that the proliferation of healthcare internet-of-things (IoT) devices, along with unsegmented networks, insufficient access controls and reliance on legacy systems, has exposed a vulnerable attack surface that cybercriminals can exploit to steal personally identifiable information (PII) and protected health information (PHI), and to disrupt healthcare delivery.

Published in the Vectra 2019 Spotlight Report on Healthcare, these findings underscore the importance of utilizing machine learning and artificial intelligence (AI) to detect hidden threat behaviors in enterprise IT networks before cybercriminals have a chance to spy, spread and steal.

“Machine learning and AI can assist healthcare organizations in better-securing networks, workloads and devices, and provide data security by analyzing behaviors across systems,” said Jon Oltsik, senior principal analyst at Enterprise Strategy Group. According to ESG research, “12 percent of enterprise organizations have already deployed AI-based security analytics extensively, and 27 percent have deployed AI-based security analytics on a limited basis. We expect these implementation trends will continue to gain.”

Gaps in policies and procedures lead to errors by healthcare staff, such as improper handling and storage of patient files. Those errors are a soft spot for cybercriminals, who probe organizations and industries worldwide for exactly such weaknesses.

The 2019 Spotlight Report on Healthcare is based on observations and data from the 2019 RSA Conference Edition of the Attacker Behavior Industry Report, which reveals behaviors and trends in networks from a sample of 354 opt-in enterprise organizations in healthcare and eight other industries. Motivated attackers often mask their malicious actions by blending in with existing network traffic behaviors.

From July through December 2018, the Cognito threat-detection and response platform from Vectra monitored network traffic and collected metadata from more than three million workloads and devices from customer cloud, data center and enterprise environments. The analysis of this metadata provides a better understanding of attacker behaviors and trends as well as business risks, enabling Vectra customers to avoid disastrous data breaches.

Key findings from the 2019 Spotlight Report on Healthcare

§ The most prevalent method attackers used to hide command-and-control communications in healthcare networks was hidden HTTPS tunnels. This traffic consists of external communication over multiple sessions and long periods of time that appears to be normal encrypted web traffic.

§ The most common method attackers used to hide exfiltration in healthcare networks was hidden DNS tunnels. The second-most-common exfiltration method was smash and grab, in which a large volume of data is sent in a short period of time to an external destination the organization does not commonly use. The third-most-detected method was data smuggling, in which an internal host acquires large amounts of data from one or more internal servers and subsequently sends a significant amount of data to an external system.

§ Vectra observed a spike in behaviors consistent with internal reconnaissance, in the form of internal darknet scans and Microsoft Server Message Block (SMB) account scans. Internal darknet scans occur when internal hosts probe internal IP addresses that do not exist on the network. SMB account scans occur when a host rapidly authenticates with multiple accounts over the SMB protocol, which is typically used for file sharing.

§ While many healthcare organizations experienced ransomware attacks in recent years, the report found that ransomware was less prevalent in the second half of 2018. Ransomware nonetheless remains a concern for healthcare organizations, and every organization should continue to monitor for it early in the attack lifecycle, before files are encrypted and clinical operations are disrupted.

§ Botnet attacks are opportunistic rather than targeted at specific organizations. They persist everywhere, but their rate of occurrence in healthcare is lower than in other industries.
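The exfiltration and reconnaissance behaviors in the list above are described only in prose. As an added example (not Vectra's detection logic and not code from the report), the following Python sketches one plausible network-metadata heuristic for each of hidden DNS tunnels, smash and grab, data smuggling, internal darknet scans and SMB account scans, and runs them over constructed flow, DNS and SMB authentication records. The thresholds, address ranges, asset inventory and set of baselined external destinations are all assumptions, chosen so that the sample data trips exactly one detector each; real deployments would derive them from an observed baseline.

```python
"""Heuristics for the behaviours listed above (hidden DNS tunnels, smash and grab,
data smuggling, internal darknet scans, SMB account scans) run over constructed
telemetry. Thresholds, addresses and inventories are illustrative assumptions."""
import base64, hashlib, math
from collections import Counter, defaultdict

INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")
LIVE_HOSTS = {"10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.1.20"}  # constructed asset inventory
KNOWN_EXTERNAL = {"52.1.1.1"}  # destinations seen during a constructed baseline period

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

def entropy(s):
    """Shannon entropy in bits/char; encoded payload labels score far above words."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def detect_dns_tunnel(queries, min_unique=20, min_avg_len=30, min_entropy=3.5):
    """Hidden DNS tunnel: one client, one registered domain, many unique long
    high-entropy subdomain labels. queries = [(src, qname)]."""
    subs = defaultdict(set)
    for src, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) >= 3:  # a data-carrying label needs a subdomain
            subs[(src, ".".join(labels[-2:]))].add(labels[0])
    return {pair for pair, s in subs.items()
            if len(s) >= min_unique and sum(map(len, s)) / len(s) >= min_avg_len
            and sum(map(entropy, s)) / len(s) >= min_entropy}

def detect_smash_and_grab(flows, window=300, threshold=50_000_000):
    """Large volume to an uncommon external destination inside a short window.
    flows = [(ts, src, dst, bytes_from_src_to_dst)]."""
    by_pair = defaultdict(list)
    for ts, src, dst, sent in flows:
        if is_internal(src) and not is_internal(dst) and dst not in KNOWN_EXTERNAL:
            by_pair[(src, dst)].append((ts, sent))
    hits = set()
    for pair, recs in by_pair.items():
        recs.sort()
        start, total = 0, 0
        for ts, sent in recs:  # sliding window over time-sorted flows
            total += sent
            while recs[start][0] < ts - window:
                total -= recs[start][1]
                start += 1
            if total >= threshold:
                hits.add(pair)
                break
    return hits

def detect_data_smuggling(flows, pull_threshold=500_000_000, send_threshold=100_000_000):
    """Staging host pulls a large volume from internal servers, then sends a large
    volume externally, possibly slowly enough to stay under the smash-and-grab window."""
    pulled, sent, first_pull, last_send = defaultdict(int), defaultdict(int), {}, {}
    for ts, src, dst, nbytes in sorted(flows):
        if is_internal(src) and is_internal(dst):
            pulled[dst] += nbytes
            first_pull.setdefault(dst, ts)
        elif is_internal(src):
            sent[src] += nbytes
            last_send[src] = ts
    return {h for h in pulled if pulled[h] >= pull_threshold
            and sent.get(h, 0) >= send_threshold and last_send[h] > first_pull[h]}

def detect_darknet_scan(flows, min_dark=10):
    """Internal host touching many internal addresses with no live asset behind them."""
    dark = defaultdict(set)
    for _, src, dst, _ in flows:
        if is_internal(src) and is_internal(dst) and dst not in LIVE_HOSTS:
            dark[src].add(dst)
    return {src for src, dsts in dark.items() if len(dsts) >= min_dark}

def detect_smb_account_scan(events, window=60, min_accounts=5):
    """One host authenticating over SMB with many distinct accounts in a short window.
    events = [(ts, src, account)]."""
    by_src = defaultdict(list)
    for ts, src, account in events:
        by_src[src].append((ts, account))
    return {src for src, recs in by_src.items() if any(
        len({a for t, a in recs if ts <= t <= ts + window}) >= min_accounts for ts, _ in recs)}

def _label(i):  # deterministic stand-in for an encoded exfiltration chunk
    return base64.b32encode(hashlib.sha256(str(i).encode()).digest()).decode().rstrip("=").lower()

# Constructed telemetry: a benign pattern and a malicious pattern for each behaviour.
SAMPLE_DNS = ([("10.0.0.7", "www.hospital.example")] * 30
              + [("10.0.0.9", f"{_label(i)}.tunnel.example") for i in range(25)])
SAMPLE_FLOWS = (
    [(100 + 20 * i, "10.0.0.7", "52.1.1.1", 8_000_000) for i in range(10)]  # baselined dest
    + [(100 + 20 * i, "10.0.0.5", "203.0.113.10", 8_000_000) for i in range(10)]  # 80 MB / 3 min
    + [(1000, "10.0.0.7", "10.0.0.9", 600_000_000)]  # staging host pulls from file server
    + [(5000 + 600 * i, "10.0.0.9", "198.51.100.20", 10_000_000) for i in range(15)]  # slow drip
    + [(2000 + i, "10.0.1.20", f"10.0.2.{i}", 60) for i in range(1, 16)])  # sweep of dead space
SAMPLE_SMB = ([(10 * i, "10.0.1.20", f"svc{i}") for i in range(8)]
              + [(0, "10.0.0.5", "nurse1"), (3000, "10.0.0.5", "nurse2")])

if __name__ == "__main__":
    print("dns_tunnel", detect_dns_tunnel(SAMPLE_DNS))
    print("smash_and_grab", detect_smash_and_grab(SAMPLE_FLOWS))
    print("data_smuggling", detect_data_smuggling(SAMPLE_FLOWS))
    print("darknet_scan", detect_darknet_scan(SAMPLE_FLOWS))
    print("smb_account_scan", detect_smb_account_scan(SAMPLE_SMB))
```

The sample deliberately contrasts the two exfiltration styles: the 80 MB burst to 203.0.113.10 trips the smash-and-grab window, while the 150 MB drip from 10.0.0.9 never exceeds 10 MB in any five-minute window and is caught only by the data-smuggling rule, which correlates the earlier 600 MB pull from the internal file server with the later outbound total. The hidden HTTPS tunnel behavior is not modelled here because these flow records carry no session duration or periodicity.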

“Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information,” said Chris Morales, head of security analytics at Vectra. “Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace.”

The Cognito platform accelerates network threat detection and response using sophisticated artificial intelligence to collect, enrich and store network metadata with the right context to detect, hunt and investigate hidden threats in real time. The Cognito platform scales efficiently to the largest organization’s networks with a distributed architecture that includes a mix of physical, virtual and cloud sensors to provide 360-degree visibility across cloud, data center, user and IoT networks, leaving attackers with nowhere to hide. For more information on Cognito Stream, Cognito Recall or Cognito Detect, visit vectra.ai.

About Vectra

Vectra® is the leader in network detection and response – from cloud and data center workloads to user and IoT devices. Its Cognito® platform accelerates threat detection and investigation using artificial intelligence to enrich network metadata it collects and stores with the right context to detect, hunt and investigate known and unknown threats in real time. Vectra offers three applications on the Cognito platform to address high-priority use cases. Cognito Stream™ sends security-enriched metadata to data lakes and SIEM. Cognito Recall™ is a cloud-based application to store and investigate threats in enriched metadata. And Cognito Detect™ uses AI to reveal and prioritize hidden and unknown attackers at speed. For more information, visit vectra.ai.