The Role of Artificial Intelligence in Protecting Healthcare Networks
5/19/2022 | Adam Mansour | 7 minutes
As we all struggle to meet the demands of changing economic conditions and changing threat landscapes, we must realize that we all have a shared responsibility to protect our healthcare system from cyberattacks.
In 2020, the number of ransomware attempts against healthcare organizations rose by 123%, at a time when the industry (and society as a whole) could least afford downtime in healthcare settings. The total cost of that downtime was almost $21 billion, double the total from just a year earlier. Additionally, the average ransomware payment rose 82% to over $500K.
With 642 breaches of 500 or more records in 2020 affecting 30 million individuals and 714 such breaches in 2021 affecting more than 40 million people, a great deal remains to be done to protect the healthcare sector from cyberattacks.
The most significant cyber threats for healthcare providers are loss of operations because of ransomware, loss of data (particularly Protected Health Information, or PHI), and transaction fraud in electronic record systems. As such, a lot of time and money is spent protecting endpoints and databases.
Because of the pandemic, as operations teams began to scale and certain products came to end-of-life, many healthcare IT teams now find themselves also contending with the cloud and its potential vulnerabilities. IT may be adapting itself to the use of Microsoft Teams or cloud-based file sharing in Microsoft 365, for example.
As many healthcare organizations wonder if new technology such as artificial intelligence (AI) can help provide better security, understanding the value of AI in securing endpoints, networks, and the cloud is a priority.
Over the past few years, machine learning (ML), a subset of AI, has gained much traction in the cybersecurity world because it helps organizations make better decisions at scale with their data. ML aims to replace traditional trial-and-error approaches built on static rules over the data, which are often inaccurate and unreliable, by generalizing insight from large data sets.
However, when most people think of AI, they may overestimate its ability to replicate the human mind, or see it as simply a data analysis tool useful for identifying specific trends or making predictions.
It's crucial, then, to demystify AI's role within cybersecurity and understand its maturity across different technologies, where it's applicable, and where it isn't. And when choosing a provider, it is vital to know whether their AI offerings provide value or are just something they include to claim competitiveness. We examine below the applicability of such offerings, across the endpoint, network, and cloud.
To take our statistics at ActZero as an example, if you look at our service for March 2022, roughly 40% of attacks were detected thanks to machine learning (ML), which caught everything from commodity malware and ransomware to newer techniques such as fileless malware and emerging attack patterns.
When we study new threats on the dark web over that same 30-day period, most of the malware being bought and sold by hackers, and the techniques they are modifying, are caught by ML. So ML is an incredibly valuable tool against attack, and its application to endpoint security is quite mature.
40% is great, but that still leaves another 60% of attacks unaccounted for. What stopped them? Chalk that up to practitioner knowledge and testing, such as red team testing, practicing Incident Response processes, and validating products on a continuous basis.
The truth about ML is that, as mature as it is, it still requires a great deal of modification and parameter tuning to achieve very high detection rates.
While you'll hear impressive statistics from vendors about 99% or 100% block rates in MITRE evaluations, you must understand that these products start 'loose.' They get smarter over time, but you have to put the work in to test and tune them, and that tuning can only happen if you're testing against real-world threat scenarios, constantly.
So, if you have file-based analysis that's supposed to stop malware, can you test that? Can you validate what the software or service is actually doing? Can you see which attacks are bypassing it? If the concern is account takeover, can you simulate an account takeover from another system and see whether that particular protection triggers?
Pair your endpoint protection with a service that will ensure constant testing to refine your protection and that your ML is primed for better results.
Suppose you've not yet seen the business case for moving to the cloud and are still sitting on a seven-year amortization on virtual machines or other on-premise servers. In that case, it's imperative that you collect your firewall logs and assess what traffic is coming in and going out.
The good news is that most firewall products are very good. Perhaps you've invested in one with IPS and URL filtering, providing some tripwire protection. You can get early indications that somebody is trying to hack your environment by sending weak payloads or weak attack scripts against your defenses (again, these are attack tools hackers can download on the dark web).
In such cases, your firewall should alert you that an attack pattern is developing and permanently block the source (with some care for shared or NAT'd addresses that legitimate partners may sit behind). Failure to do so means allowing your attacker unlimited shots on goal, and while your firewall is a very good goalie, no goalie can stop every shot.
You then want to leverage machine learning or data science to add threat intelligence synchronization. This blocks known-bad IP addresses proactively and scans the dark web for bad actors using those addresses. ML can also identify malicious actors trying out attacks on your firewall and automatically change your policies to deal with them. Neither your firewall nor your SIEM does this by default. It may be available as an add-on to your firewall, but most people stop at open-source threat intelligence.
This is an excellent opportunity to find out from your vendor their success rate. Any vendor should be able to tell you their block rate. Likewise, you'll want to understand how they will adapt their IP lists to traffic coming through your firewall, how they compare them to lists of known bad actors, where they acquire these lists, and how accurate those lists are.
Based on what we see across our client environments at ActZero, oftentimes over half of all incoming traffic is bad. This alone should make clear just how valuable it is to have threat intelligence synced with your firewall. If you're trusting just firewalls to block packets, you may be giving the attacker infinite opportunities to try and breach your system.
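The two decisions described above (proactively block addresses a threat feed already names, and block a source once it shows a developing attack pattern) can be run over your own firewall export before any vendor add-on is involved. The following is an added example, not ActZero code: the key=value log format, the threat-feed contents, the internal address ranges, the sample log lines and the threshold/window values are all constructed assumptions, and the source addresses come from the IETF documentation ranges rather than real hosts.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (assumption). In practice this set is refreshed
# from a commercial or open-source feed on a schedule; its accuracy is what you are
# asking the vendor about.
THREAT_INTEL_IPS = {"198.51.100.7"}

# Your own address space: never auto-block it, even if an internal host trips the IPS
# (a misconfigured scanner or an infected workstation needs IR, not a firewall rule).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REPEAT_THRESHOLD = 3                   # this many IPS hits from one source ...
REPEAT_WINDOW = timedelta(minutes=10)  # ... within this window = "attack pattern developing"

# Assumed key=value log format; adapt the regex to your firewall's export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) sig=(?P<sig>\S+)$"
)

# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
2022-03-01T10:00:01 action=ips-block src=203.0.113.5 dst=10.0.0.10 dport=443 sig=sqli-generic
2022-03-01T10:00:09 action=ips-block src=203.0.113.5 dst=10.0.0.10 dport=443 sig=dir-traversal
2022-03-01T10:00:30 action=allow src=198.51.100.7 dst=10.0.0.10 dport=443 sig=-
2022-03-01T10:01:15 action=ips-block src=192.0.2.44 dst=10.0.0.10 dport=80 sig=sqli-generic
2022-03-01T10:02:40 action=ips-block src=203.0.113.5 dst=10.0.0.10 dport=443 sig=sqli-generic
2022-03-01T10:03:00 action=ips-block src=10.0.0.23 dst=10.0.0.10 dport=443 sig=sqli-generic
2022-03-01T10:03:01 action=ips-block src=10.0.0.23 dst=10.0.0.10 dport=443 sig=dir-traversal
2022-03-01T10:03:02 action=ips-block src=10.0.0.23 dst=10.0.0.10 dport=443 sig=sqli-generic
2022-03-01T10:50:00 action=allow src=203.0.113.9 dst=10.0.0.10 dport=443 sig=-
"""


def parse_log(text):
    """Parse key=value lines into dicts; lines that do not match are skipped as noise."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def decide_blocks(events, threat_ips=THREAT_INTEL_IPS, threshold=REPEAT_THRESHOLD, window=REPEAT_WINDOW):
    """Return (blocks, watchlist).

    blocks: {src_ip: reason} for sources to push into the firewall's block list.
    watchlist: external sources that tripped the IPS but stayed below the threshold.
    """
    blocks = {}
    hits = defaultdict(list)  # src -> timestamps of IPS hits inside the sliding window
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e["src"]
        if is_internal(src) or src in blocks:
            continue
        if src in threat_ips:
            # Proactive block: the feed already names this address, whatever it sent.
            blocks[src] = "threat-intel"
            continue
        if e["action"] == "ips-block":
            hits[src] = [t for t in hits[src] if e["ts"] - t <= window] + [e["ts"]]
            if len(hits[src]) >= threshold:
                blocks[src] = "repeat-offender"
    watchlist = sorted(src for src in hits if src not in blocks)
    return blocks, watchlist


def run(text=SAMPLE_LOG):
    return decide_blocks(parse_log(text))


if __name__ == "__main__":
    blocks, watch = run()
    for ip, reason in sorted(blocks.items()):
        print(f"block {ip}  # {reason}")
    print("watch:", watch)
```

Two details matter in practice. The internal-range check is deliberate: an internal host tripping the IPS repeatedly is an incident to investigate, not an address to blackhole. And the watchlist is where you go looking for the weak probes the article describes: a single hit is not enough to block on, but a source that keeps reappearing on the watchlist across windows is exactly the "attack pattern developing" signal.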
Within cloud environments, ML plays a critical role in discovering threats. Account takeover and account fraud are prime examples. Such attacks, where someone logs in and does things a normal user wouldn't do, such as taking over an admin account, deleting mailboxes, changing mail forwarding rules, or spoofing addresses, are things that human practitioners can catch. Still, they are very subtle changes, and services like Microsoft 365 don't notify you about them out of the box. Machine learning is excellent at digging through Microsoft 365 audit logs and flagging differences between normal login behavior and malicious logins.
You can benefit by leveraging a service that takes ML to the cloud, and then asking about the vendor's false positive rate. As mentioned, to be most effective, ML models need to be fine-tuned and tested constantly. And an ML that is still 'loose' tends to give a lot of bad signal and wasted alerts that you don't have time for in healthcare, especially since you're likely a shared security and IT admin resource with a lot on your plate.
You need ML alerts to be accurate and effective because of the implications for users on your systems. After all, you'll be locking accounts based on these ML outputs, so they'd better be right.
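The following added example (not ActZero's or Microsoft's code) ties together two points from this article: the account-takeover detection just described, and the earlier advice to simulate an account takeover from another system and check whether the protection triggers. It walks audit records shaped like Microsoft 365 Unified Audit Log entries (CreationTime, UserId, Operation, ClientIP, Parameters), builds a per-user baseline of sign-in countries from history, and only escalates to a lockable high-severity alert when a risky change (forwarding rule, mailbox deletion, admin role grant) follows a login from an unfamiliar country. Every record, account name, IP address and the tiny geolocation table are constructed; the GeoIP lookup and the chain window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stand-in for a GeoIP lookup (assumption): /24 prefix -> country code.
GEO = {"203.0.113": "CA", "198.51.100": "CA", "192.0.2": "RU"}


def country_of(ip):
    return GEO.get(ip.rsplit(".", 1)[0], "??")


# Parameters on inbox-rule / mailbox operations that send mail outside the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
CHAIN_WINDOW = timedelta(hours=1)  # risky change this soon after an unfamiliar login = takeover pattern


def build_baseline(history):
    """Countries each user normally signs in from: the 'normal login behaviour' a model would learn."""
    baseline = defaultdict(set)
    for r in history:
        if r["Operation"] == "UserLoggedIn":
            baseline[r["UserId"]].add(country_of(r["ClientIP"]))
    return baseline


def detect(records, baseline):
    """Walk audit records in time order and return alerts with a severity.

    Single signals stay low/medium (they are noisy on their own); a risky change within
    CHAIN_WINDOW of a login from an unfamiliar country escalates to high, which is the
    only level that should drive an automatic account lock.
    """
    alerts = []
    unfamiliar_login_at = {}  # user -> time of the latest login from a country outside the baseline
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        user, op, t = r["UserId"], r["Operation"], r["CreationTime"]
        params = r.get("Parameters", {})
        signal = None
        if op == "UserLoggedIn":
            if country_of(r["ClientIP"]) not in baseline.get(user, set()):
                unfamiliar_login_at[user] = t
                signal = ("unfamiliar-login", "low")
        elif op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox") and FORWARDING_PARAMS.intersection(params):
            signal = ("mail-forwarding", "medium")
        elif op == "Remove-Mailbox":
            signal = ("mailbox-deletion", "medium")
        elif op == "Add member to role." and params.get("Role") == "Global Administrator":
            signal = ("admin-role-grant", "medium")
        if signal is None:
            continue
        kind, severity = signal
        if kind != "unfamiliar-login" and user in unfamiliar_login_at and t - unfamiliar_login_at[user] <= CHAIN_WINDOW:
            kind, severity = "account-takeover", "high"
        alerts.append({"user": user, "time": t, "kind": kind, "severity": severity})
    return alerts


def accounts_to_lock(alerts):
    return sorted({a["user"] for a in alerts if a["severity"] == "high"})


# --- Validation: simulate the takeover and a normal day, then check what fires ---

def rec(minutes, user, op, ip, **params):
    """Constructed audit record, shaped like a Unified Audit Log entry (assumption)."""
    return {"CreationTime": datetime(2022, 3, 1, 9, 0) + timedelta(minutes=minutes),
            "UserId": user, "Operation": op, "ClientIP": ip, "Parameters": params}


USER = "nurse@clinic.example"  # constructed account
HISTORY = [rec(-1440 * d, USER, "UserLoggedIn", "203.0.113.10") for d in range(1, 31)]  # 30 days of CA logins


def simulate_account_takeover(attacker_ip="192.0.2.77"):
    """What 'simulate an account takeover from another system' looks like in the audit log."""
    return [
        rec(0, USER, "UserLoggedIn", attacker_ip),
        rec(7, USER, "New-InboxRule", attacker_ip, Name="Invoices", ForwardTo="attacker@example.net"),
        rec(9, USER, "Set-Mailbox", attacker_ip, ForwardingSmtpAddress="smtp:attacker@example.net"),
    ]


def benign_day():
    """A real user doing something similar-looking that must not lock the account."""
    return [
        rec(0, USER, "UserLoggedIn", "203.0.113.10"),
        rec(15, USER, "New-InboxRule", "203.0.113.10", Name="Newsletters", MoveToFolder="Archive"),
    ]


def validate():
    baseline = build_baseline(HISTORY)
    attack = detect(simulate_account_takeover(), baseline)
    benign = detect(benign_day(), baseline)
    return {"attack_kinds": [a["kind"] for a in attack],
            "lock": accounts_to_lock(attack),
            "benign_alerts": len(benign)}


if __name__ == "__main__":
    print(validate())
```

The benign sequence is the false-positive check the article asks you to demand from a vendor: a user creating a plain move-to-folder rule from their usual location produces no alert at all, and even the attacker's unfamiliar login on its own stays at low severity. Only the chain (unfamiliar login, then an outbound forwarding change minutes later) reaches the level at which locking the account is justified.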
When it comes to the adoption of AI in the healthcare industry, there's a lot of fear, uncertainty, and doubt. Many companies make sweeping assertions about AI and Big Data, along with some huge price tags for these edge technologies, to customers who haven't yet figured out their business need. So how are you to know who to trust?
My advice is that if you have a vendor who you're considering going with, ask for a proof of concept. Get them to test their AI tools live in your environment to show you actual attacks and the real prevention their software accomplishes—essentially, get them to do a penetration test for you.
If they are a company that regularly tests their ML against real-world attacks, it should be no problem for them to test live for you, and to do so at no cost.
And I promise you, the results will be illuminating; you might realize that your endpoints are not as protected as you believed, and that you are potentially letting the traffic that slips past your defenses take a free shot at your systems. Such a test will demonstrate the value of the vendor's product directly and provide clear attribution of effectiveness. It will let you walk into your CIO's or director's office with the proof of your due diligence and make the case for why there is a compelling reason to invest now, rather than waiting until you get hacked to discover the gaps in your security.
Don't rely on a false sense of security. Understand where the market is and where your protection really lies.
A thought leader in cyber technology, Adam Mansour has the depth of knowledge of an industry veteran, with over 15 years' experience in the cybersecurity sector. As Head of Sales Engineering at ActZero, Adam is driving the company's Virtual Chief Information Security Officer (VCISO) and technology integration programs, and its evolution as the industry's leading Managed Detection and Response (MDR) service provider.
Adam’s experience is both broad and deep within the sector, and spans endpoint, network and cloud systems security; audits and architecture; building and managing SOCs; software development and resellership alike; healthcare, education, defense and financial organizations; global enterprises of all sizes. Most recently, he served as VCISO helping customers through new privacy regulations GDPR, CCPA and Bill C-11 and guidance on how to prevent complex malware such as SolarGate and RaaS.
Prior to ActZero, Adam was the Founder and CTO of IntelliGO Networks (acquired by ActZero) and he developed its proprietary MDR software, built to service the threat hunting process. He also had key roles in managed security services for SIEM, NGFW and Penetration Testing performed by the company.
Adam holds a BASc in Computer Science as well as multiple industry certifications and awards for ethical hacking and various cyber technologies.