As we all struggle to meet the demands of changing economic conditions and changing threat landscapes, we must realize that we all have a shared responsibility to protect our healthcare system from cyberattacks.
In 2020, the number of ransomware attempts against healthcare organizations rose by 123%—at a time when the industry (and society as a whole) could least afford downtime in healthcare settings. The total cost of that downtime was almost $21 billion, double the total from just a year earlier. Additionally, the average ransomware payment rose 82% to over $500K instead of trying to assert a total number.
To date, over two-thirds of healthcare organizations in the United States have at one time or another been victims of ransomware attacks, with 33% hit two or more times.
With 642 breaches of 500 or more records in 2020 affecting 30 million individuals and 714 such breaches in 2021 affecting more than 40 million people, a great deal remains to be done to protect the healthcare sector from cyberattacks.
The most significant cyber threat for healthcare providers is loss of operations because of ransomware, loss of data ᠆ particularly of Protected Health Information (PHI)᠆, and transaction fraud in their electronic record systems. As such, a lot of time and money is spent protecting endpoints and databases.
Because of the pandemic, as operations teams began to scale and certain products came to end-of-life, many healthcare IT teams now find themselves also contending with the cloud and its potential vulnerabilities. IT may be adapting itself to the use of Microsoft Teams or cloud-based file sharing in Microsoft 365, for example.
As many healthcare organizations wonder if new technology such as artificial intelligence (AI) can help provide better security, understanding the value of AI in securing endpoints, networks, and the cloud is a priority.
Over the past few years, machine learning (ML), a subset of AI, has gained much traction in the cybersecurity world because it helps organizations make better decisions at scale with their data. ML aims to eliminate traditional trial-and-error approaches based on static analysis of data, which is often inaccurate and unreliable, by generalizing insight from large data sets.
However, when most people think of AI, they may overestimate its ability to replicate the human mind, or see it as simply a data analysis tool useful for identifying specific trends or making predictions.
As a healthcare provider, your top spending initiative this year will likely be around cybersecurity. However, it isn't easy to know what will work for your organization. You may already have invested in technology, or you may be looking at new technology with a high price tag and wondering what new features or benefits you will gain.
It's crucial, then, to demystify AI's role within cybersecurity and understand its maturity across different technologies, where it's applicable, and where it isn't. And when choosing a provider, it is vital to know whether their AI offerings provide value or are just something they include to claim competitiveness. We examine below the applicability of such offerings, across the endpoint, network, and cloud.
Machine Learning for Security on Endpoints
To take our statistics at ActZero as an example, if you look at our service for March 2022, roughly 40% of attacks were detected thanks to machine learning (ML), which caught everything from malware to ransomware to new-age attacks like fileless malware or emerging attacks.
When we study new threats on the dark web over that same 30-day period, most of the malware being bought and sold by hackers and the techniques they are modifying are caught by ML. So, ML is an incredibly valuable tool against attack and is quite mature in its application of AI to endpoint security.
40% is great, but that still leaves another 60% of attacks unaccounted for. What stopped them? Chalk that up to practitioner knowledge and testing, such as red team testing, practicing Incident Response processes, and validating products on a continuous basis.
The truth about ML is that, as mature as it is, it still requires a great deal of modification and parameter tuning to achieve very high outputs.
While you'll hear impressive statistics from vendors about 99% or 100% block rates in MITRE, you must understand that these products start 'loose.' They get smart over time, but you have to put the work in to test and develop them. This ML development can only happen if you're testing against real-world threat scenarios, constantly.
So, if you have file-based analysis that's supposed to stop malware, can you test that? Can you validate what the software or the service is actually doing? Do you have the ability to look at which gaps are bypassing this? If it's about account takeover, could you simulate an account takeover from another system and see whether that particular protection triggers?
Pair your endpoint protection with a service that will ensure constant testing to refine your protection and that your ML is primed for better results.
Applications of Machine Learning for Network Security
Suppose you've not yet seen the business case for moving to the cloud and are still sitting on a seven-year amortization on virtual machines or other on-premise servers. In that case, it's imperative that you collect information and assess what's coming in and out of network traffic from your firewall.
The good news is that most firewall products are very good. Perhaps you've invested in one with IPS and URL filtering, providing some tripwire protection. You can get early indications that somebody is trying to hack your environment by sending weak payloads or weak attack scripts against your defenses (again, these are attack tools hackers can download on the dark web).
In such cases, your firewall should alert you that there's an attack pattern developing and permanently block the source. Failure to do so means allowing your attacker unlimited shots on goal, and while your firewall is a very good goalie, no goalie can stop every shot.You then want to leverage machine learning or data science to add threat intelligence synchronization. This blocks IP addresses proactively and scans the dark web for bad actors using those addresses. ML can also identify malicious actors trying out attacks on your firewall and automatically change your policies to deal with them. Neither your firewall nor your SIEM does this by default. It may be available as an add-on to your firewall, but most people stop at open-source threat intelligence.
This is an excellent opportunity to find out from your vendor their success rate. Any vendor should be able to tell you their block rate. Likewise, you'll want to understand how they will adapt their IP lists to traffic coming through your firewall, how they compare them to lists of known bad actors, where they acquire these lists, and how accurate those lists are.
Based on what we see across our client environments at ActZero, oftentimes over half of all incoming traffic is bad. This alone should make clear just how valuable it is to have threat intelligence synced with your firewall. If you're trusting just firewalls to block packets, you may be giving the attacker infinite opportunities to try and breach your system.
Cloud Security and Machine Learning
Within cloud environments, ML plays a critical role in discovering threatst. Account takeover or account fraud are prime examples. Such attacks—where someone logs in and does things a normal user wouldn't do, such as taking over an admin account, deleting mailboxes, changing mail forwarding rules, or spoofing addresses—are things that human practitioners can catch. Still, they are very subtle changes, and services like Microsoft 365 don't notify you about them. Machine learning is excellent at digging through Microsoft API logs and flagging differences between normal login behavior and malicious logins.
You can benefit by leveraging a service that takes ML to the cloud, and then asking about the vendor's false positive rate. As mentioned, to be most effective, ML models need to be fine-tuned and tested constantly. And an ML that is still 'loose' tends to give a lot of bad signal and wasted alerts that you don't have time for in healthcare, especially since you're likely a shared security and IT admin resource with a lot on your plate.
You need ML alerts to be accurate and effective because of the implications for users on your systems. After all, you'll be locking accounts based on these ML outputs, so they'd better be right.
When interviewing potential vendors—whether a SIEM provider, MSB, or MDR—look for a verified low false positive rate. This speaks more to the maturity not of AI in the market but of the vendors who have implemented and tuned this detection. ML detection that works is an incredibly valuable tool for new cloud users but is incredibly annoying if it doesn't. Check out our Cybersecurity Vendor Evaluation Package for questions you can ask them to assess their capabilities.
Get a proof of concept: Healthcare Ransomware Readiness Assessment
When it comes to the adoption of AI in the healthcare industry, there's a lot of fear, uncertainty, and doubt.. Many companies make wandering assertions AI and Big Data, along with some huge price tags for these edge technologies to companies who haven't yet figured out their business need. So how are you to know who to trust?
My advice is that if you have a vendor who you're considering going with, ask for a proof of concept. Get them to test their AI tools live in your environment to show you actual attacks and the real prevention their software accomplishes—essentially, get them to do a penetration test for you.
If they are a company that regularly tests their software against ML, it should be no problem for them to test live for you and to do so at no cost.
And I promise you, the results will be illuminating; you might realize that your endpoints are not as protected as you believed and that you are potentially letting that other 40% of traffic take a free shot at your systems. Such a test will demonstrate the value of the vendor's product directly and provide perfect attribution of effectiveness. It will let you walk into your CIO or director's office with the proof of your due diligence and make the case for why there is a compelling reason to invest now and not wait until you get hacked to discover gaps in your security.
Don't rely on a false sense of security. Understand where the market is and where your protection really lies.
Check out our eBook, Modern Cybersecurity For Healthcare, which provides a comprehensive list of tactics as applied to the healthcare industry and a vast list of supporting resources to enable remediation of threats at specific stages of the recovery process.