Addressing APTs in healthcare: Taking a unified security approach

Unfortunately, while tempting, throwing technology at various attack vectors isn't the answer.
By David Finn
08:00 AM

Criminal attacks are now the number one cause of healthcare data breaches, rather than employee negligence or lost and stolen devices. In other words, for the first time, the majority of attacks on healthcare are intentional rather than accidental. Symantec's own Internet Security Threat Report (ISTR) noted this trend in 2014 and predicted the arrival of this inflection point.

As healthcare organizations continue to see themselves as a large target, one type of attack method that is particularly concerning is Advanced Persistent Threats, or APTs. APTs launched by virtual nation-states with unlimited resources are among the worst kinds of online attacks. Complex, stealthy, and constantly morphing, APTs avoid detection by using multiple phases to break into a network. Once in--via an infected USB device, an unprotected medical device, a phishing email, or a drive-by download, for example--they map the network to understand its workflows and utilization. Then they reverse-engineer their activities to mimic normal behavior, and settle in for the long term to harvest data at will.

What's a healthcare organization to do?

Unfortunately, while tempting, throwing technology at various attack vectors isn't the answer. Plenty of vendors claim to protect customers from APTs; however, even after implementing solutions meant to stop them, many organizations remain under fire. Merely installing a detection tool will result in tens or even hundreds of thousands of flagged anomalies, and you can't send the cavalry after everything. What's needed to meet wily APTs head-on is a careful, best-practice approach combined with a layered security strategy.

Understand your environment

The first step to combating APTs is to understand your environment at least as well as your adversaries do. Only when you know what's normal for your network can you spot anomalies when they occur. Tools can help you here, but it's still a tedious yet essential job that involves painstakingly tracking how and where data flows and understanding exactly how your organization's systems are being used. An important part of this effort is continuously factoring in the changes in data flows and workflows driven by care delivery and reimbursement model changes, as well as changes in the compute environment itself, which occur on a daily, if not hourly, basis.

Once you've carefully mapped the environment, you'll need to identify what's normal or in the realm of normal--what behavior may be anomalous but not necessarily dangerous. This phase entails setting and understanding benchmarks. Once you decide what you're looking for, you can tune your monitoring tools to flag certain types of behavior, particularly reconnaissance traffic, which is one of the signatures of an APT attack.

Understand the threat landscape

Managing your own environment is only half of the equation. If you're only looking inward, chances are you'll miss a new attack. To effectively combat cyber crime, you need the biggest picture possible so you can prepare for what's coming and orient your tools accordingly--and that requires looking at what's happening in the external world.

The problem is, it takes skills and headcount to do this, and healthcare is beset by a serious shortfall in security personnel. In a recent survey (PDF) by the Health Information Management and Systems Society (HIMSS), a third of healthcare managers said they had to postpone or scale back an IT project because of inadequate staffing. In addition, security leadership is lacking. According to a recent KPMG survey, 19 percent of healthcare providers lack a leader in charge of information security, and 25 percent have no security operations center in place at all.

As a result, it's crucial that healthcare organizations partner with a security company that's focused on finding the bad actors. Look for one that understands healthcare. Since healthcare is required to share data, a big part of the job is ensuring that data gets to the right people. By the same token, a partner only looking at healthcare is also insufficient. If you have an insurance company or a gift shop on your network that uses a point-of-sale system, you'll want a partner that's abreast of cyber threats cross-industry. Not only can a partner help you install your own defenses and monitor the ecosystem for you, but they can also share the threats you and others are surfacing for the benefit of all.

Select technology solutions

The days of selecting a single point solution to address specific problems such as malware, unauthorized access, or data loss are over. To identify anomalous file movements or data transfers, you must monitor not only the network, but also systems and user behavior, and then correlate everything. Only a unified security strategy that connects the dots can do this--and I've broken it down to three main pillars.

Threat protection: With the rapidly evolving threat landscape, healthcare organizations must employ threat protection technologies for their endpoints, datacenters, and gateways. And rather than just preventing, these technologies must also be able to detect and respond to these attacks and breaches when they occur.

Information protection: These technologies include data loss prevention, encryption, identity proofing, and access management, all of which should extend to cloud and mobile environments. Your goal is to ensure protection of data and identities regardless of where the data resides, whether on premises, in transit, or in the cloud.

Security services: Your security strategy should also encompass more than technology. To shift the advantage from the adversaries, organizations should incorporate cyber security services, whether via internal resources or by working with a partner. Services can range from traditional monitoring to incident response, applied intelligence, and security simulation and training.

To tie this all together, a security analytics platform can help unify and correlate all efforts and convert telemetry into actionable intelligence.
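The "connect the dots" idea above (and the earlier point that a baseline lets you separate anomalous-but-harmless from dangerous) can be made concrete with a small correlation routine. This is an added illustration, not code from the article or from any Symantec product; the anomaly events, host and user names, and the one-hour correlation window are constructed assumptions. Single-pillar anomalies stay in a review queue; only anomalies from two or more pillars on the same host and user within the window become an incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample anomalies, as a baselined detection tool might emit them.
# Fields: timestamp, pillar (network / endpoint / identity), host, user, detail.
EVENTS = [
    ("2015-11-02T02:00:00", "identity", "ws-42", "jdoe", "login outside user's baseline hours"),
    ("2015-11-02T02:05:00", "endpoint", "ws-42", "jdoe", "new scheduled task by non-admin process"),
    ("2015-11-02T02:10:00", "network", "ws-42", "jdoe", "350 MB outbound to never-seen external host"),
    ("2015-11-02T14:30:00", "network", "ws-07", "rlee", "350 MB outbound to never-seen external host"),
    ("2015-11-02T09:15:00", "endpoint", "ws-19", "mkim", "new scheduled task by non-admin process"),
]

WINDOW = timedelta(hours=1)  # assumed correlation window; tune to your own baseline


def triage(events, window=WINDOW):
    """Correlate anomalies per (host, user).

    Returns (incidents, low_priority). An incident needs anomalies from at least two
    distinct pillars within `window`; everything else stays a low-priority anomaly
    for later review rather than paging the on-call team.
    """
    by_entity = defaultdict(list)
    for ts, pillar, host, user, detail in events:
        by_entity[(host, user)].append((datetime.fromisoformat(ts), pillar, detail))

    incidents, low_priority = [], []
    for (host, user), evs in by_entity.items():
        evs.sort()
        best = []  # densest cluster of distinct pillars found for this entity
        for i, (t0, _, _) in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - t0 <= window]
            if len({p for _, p, _ in cluster}) > len({p for _, p, _ in best}):
                best = cluster
        pillars = sorted({p for _, p, _ in best})
        if len(pillars) >= 2:
            incidents.append({"host": host, "user": user, "pillars": pillars,
                              "score": len(pillars), "events": [d for _, _, d in best]})
        else:
            low_priority.extend((host, user, d) for _, _, d in evs)
    incidents.sort(key=lambda inc: -inc["score"])  # most corroborated first
    return incidents, low_priority


if __name__ == "__main__":
    inc, low = triage(EVENTS)
    for i in inc:
        print(f"INCIDENT {i['host']}/{i['user']} pillars={i['pillars']} score={i['score']}")
    print(f"{len(low)} single-pillar anomalies left in the review queue")
```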

Recovery considerations

Even with a solid foundation and a strong approach to threat protection, the evidence shows that a breach of some kind is inevitable. Therefore, in addition to knowing how to detect and respond to trespasses, you must plan your course of action for when a breach occurs. This goes beyond tools to mobilizing public relations and legal staff and reporting the breach to appropriate parties. As laws continue to tighten, the accepted response time for these activities is shortening. What used to take months to resolve must now occur in weeks, or even days.

An integrated approach

Effectively protecting healthcare from cyber crime requires an integrated approach that spans four key areas: threat protection, information protection, cyber security services, and a unified security analytics platform to correlate all activities. To learn more about how Symantec can help protect your organization from APTs and other attacks, we invite you to join us for our upcoming webcast, Healthcare Under Attack: Combating Advanced Persistent Threats, on November 16th.