Hospitals are for healing humans. But protecting and healing hospitals needs machines

AI technology is helping hospitals repel ransomware at machine speed


Sponsored Feature Browse through a selection of hospital mission statements and common themes quickly emerge: putting patients and community first, acting with integrity, pushing the bounds of medical research.

What you probably won't see is a commitment to running a 24x7 cyber security team, tightening up intrusion detection and response, or denying cybercrime gangs the funding to expand their activities.

The problem is that hospitals, and the healthcare sector in general, are prime targets for hackers. After all, it's hard to deny that healthcare facilities qualify as "critical infrastructure": they are literally a matter of life and death, and that primary mission is where their efforts and budgets are focused.

That may explain why hospitals' spending on cybersecurity tools and personnel can be more constrained in comparison to organizations in other industries. But while other businesses worry about reputational damage when they're hit by a ransomware attack, hospitals have to worry about canceled operations and ambulances backing up outside the emergency department.

There's another factor at play. Hospitals are privy to some of the most sensitive personal information out there. As the US's Cybersecurity and Infrastructure Security Agency (CISA) observes, threat actors are increasingly using "triple extortion" techniques which threaten to inform their targets' stakeholders, disrupt their internet access and, perhaps most alarming, publicly release stolen information.

So, if an attack does get through, there is immense pressure on hospitals to simply pay the ransom.

Smaller medical facilities in the firing line

CISA reports that ransomware gangs are diversifying away from big game hunting in the US to target medium-sized organizations. This is partly to "reduce scrutiny" - ie sneak under the radar of larger organizations with more pervasive cyber security defenses - putting smaller medical facilities in the firing line.

The UK's National Cyber Security Centre, part of GCHQ, highlighted the threat in its 2021 annual report. It revealed that health sector organizations, including vaccine suppliers, accounted for 20 per cent of the 777 incidents it had been directly involved in over the previous 12 months.

Just how devastating the effects can be was highlighted by a cyber attack on Ireland's health system in May 2021 which used the Conti ransomware. The Health Service Executive (HSE) quickly decided to shut down its systems, leaving health professionals relying on pen and paper. It was four months before all the organization's servers could be brought back online.

The Irish Health Service Executive has since revealed that recovery costs for the organization were $600m - a shocking sum given the country's population is just over 5 million. Moreover, the subsequent report revealed that there were "several detections of the attackers' activity prior to the detonation of the ransomware", but these "did not result in a cyber security incident".

US authorities have also noted that hackers are maximizing the impact of their attacks by staging them on holidays or weekends, when office staff, network administrators and security experts are likely to be thinner on the ground – but when a hospital might be at its most stretched.

This last factor gets to the nub of the problem. Attackers constantly adapt to their targets, both on a technical and human level.

They will take their time picking a target, identifying a vulnerability, and refining spear phishing and other techniques to deliver malware. Likewise, they continuously refine their malware, increasingly utilizing automation and algorithms. Once they're in, things can move at machine speed, whether that's in terms of lateral movement through systems to find target data, encrypting that data, or exfiltrating it.

Infection control

Alternatively, attackers will often take a "low and slow" approach, stealthily moving around the victim's systems, looking for and exfiltrating data. In doing so they often exploit the organization's own servers and services - which are less likely to be blocked - to escape detection.

That's not to say that defenders, and the tool and service suppliers supporting them, can't detect intrusions or known malware. But it's a different story for new strains of malware, where detection can't simply mean noticing, after the fact, that GBs of data have gone to an unknown IP address or, worse, that a message demanding a bitcoin transfer has arrived.

And if anomalous behavior is successfully picked up, then what? Who makes the decision on whether to shut down systems? Is a security pro on site at 3am on a Sunday morning, ready to leap into action? Or does the next step in escalation rely on someone tumbling out of bed in response to a phone call or an email alert? Are they able to take targeted action to quarantine infected systems and data? Or is their only option to flip the one big red lever marked "stop everything"?

The advice from organizations like CISA and the NCSC is clear. Organizations must rely on defense in depth. It's important to understand that this includes not just securing against a potential intrusion but having a plan which can react to and mitigate an attack. And, ideally, enable the organization to continue operations while all this is happening, or at least minimize downtime.

But if the damage is being done at machine speed, the response can't wait for a human to get up and start making decisions. The response needs to be at machine speed too.

That's one of the key principles behind Darktrace's approach to countering cyber criminals. Darktrace's Autonomous Response technology, Darktrace Antigena, is predicated on understanding what it calls an organization's "pattern of life" – an evolving blueprint of normal activity that extends through different divisions or units, right down to individual users and devices.

No humans required

Antigena instigates an unsupervised AI-learning process, meaning that security staff do not need to get bogged down in the tedious definition of a normal state, nor do they have to remember to revisit it for updating and tuning as the business itself changes and evolves.

It establishes a base for identifying anomalous behavior that indicates an attack is underway which is not reliant on the signatures of previous attacks – fighting the last war - but which is tuned to the unique and changing circumstances of the organization.

By providing a definition of what normal behavior is for the organization, at a macro level, or down to individual domains, and users and devices, business activities which follow regular patterns can be allowed to continue, even amidst an active attack. So, a ransomware attack on a hospital or medical facility need not result in the shutdown of an entire site or organization – or as in the case of the Conti attack on Ireland, an entire nation's healthcare system. Antigena will even allow an individual infected device to continue with normal business operations – shutting down only the malicious activity.

The technology has successfully been deployed at 390 healthcare organizations. Craig York, CTO at Milton Keynes Hospital (MKH) describes it as "just another pair of eyes, one that never sleeps and which takes action in seconds to protect every digital asset you have."

This frees up busy cyber security staff and broader IT teams from firefighting and minimizes the danger of alert fatigue, meaning they're able to spend more time trialing innovative med-tech and work on broader digital transformation projects for the hospital. Or to put it in terms of MKH's mission statement, to help it be "an outstanding acute hospital and part of a health and care system working well together."

Anatomy of a Maze ransomware attack

But if knowing that the technology is there is one thing, what's it like to have to rely on it in real time? A Darktrace case study describes how its Antigena Network technology helped another healthcare customer deal with an attack using the Maze ransomware.

The attackers found their way in using spear phishing techniques. Once in, the payload immediately began scanning the network and sought to escalate its access within the organization's Research and Development subnet. Darktrace's AI technology picked up a successful compromise of admin level credentials, unusual RDP activity, and multiple Kerberos authentication attempts. It also spotted a connection to a suspicious domain, from which the TOR browser bundle was downloaded, followed by the upload of sensitive data to a rare domain.

The attack was tracked throughout, with Darktrace's AI Analyst software launching an investigation and creating a report for a human analyst to scrutinize further. It's important to note that the only reason the attack got as far as it did was that Darktrace's Autonomous Response capability was configured in passive mode, meaning positive action to contain the attack was the prerogative of a human.
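To make the "pattern of life" idea and the passive-versus-active distinction concrete, here is an added example in Python. It is not Darktrace's code and does not reproduce its unsupervised learning: a plain per-device frequency model over constructed flow records (device names, hosts and the 203.0.113.9 address are all made up) stands in for the learned baseline. What it does show is the response granularity the article describes for both the hospital deployment and the Maze case: only the flows that break the baseline (a lateral RDP session, a Kerberos burst, an upload to a never-seen host) are acted on, the infected device's normal SMB and intranet traffic keeps flowing, and in passive mode the same findings are only reported.

```python
"""Per-device "pattern of life" baseline with targeted response.

Added illustration, not Darktrace's code: a per-device frequency model
over constructed flow records stands in for the unsupervised learning
the article describes. Only flows that break the baseline are blocked,
the rest of the infected device's traffic keeps flowing, and a
passive/active switch mirrors the passive-mode configuration in the
Maze case study.
"""
from collections import Counter, defaultdict

# Flow record: (source device, destination host, destination port, protocol).
# Constructed learning-window sample: the R&D workstation only ever talks to
# internal servers, and is only ever an RDP target from the jump host.
BASELINE_FLOWS = [
    ("rnd-ws-07", "fileserver.corp", 445, "smb"),
    ("rnd-ws-07", "fileserver.corp", 445, "smb"),
    ("rnd-ws-07", "dc01.corp", 88, "kerberos"),
    ("rnd-ws-07", "dc01.corp", 88, "kerberos"),
    ("rnd-ws-07", "intranet.corp", 443, "https"),
    ("rnd-ws-07", "intranet.corp", 443, "https"),
    ("rnd-ws-07", "intranet.corp", 443, "https"),
    ("jump-01", "rnd-ws-07", 3389, "rdp"),
    ("jump-01", "rnd-ws-07", 3389, "rdp"),
]

# Constructed attack-window sample for the same device: lateral RDP to a
# peer, a burst of Kerberos requests, and an upload to a never-seen host
# (203.0.113.9 is documentation address space), mixed with normal traffic.
ATTACK_FLOWS = [
    ("rnd-ws-07", "fileserver.corp", 445, "smb"),
    ("rnd-ws-07", "rnd-ws-12", 3389, "rdp"),
    ("rnd-ws-07", "dc01.corp", 88, "kerberos"),
    ("rnd-ws-07", "dc01.corp", 88, "kerberos"),
    ("rnd-ws-07", "dc01.corp", 88, "kerberos"),
    ("rnd-ws-07", "dc01.corp", 88, "kerberos"),
    ("rnd-ws-07", "dc01.corp", 88, "kerberos"),
    ("rnd-ws-07", "dc01.corp", 88, "kerberos"),
    ("rnd-ws-07", "203.0.113.9", 443, "https"),
    ("rnd-ws-07", "intranet.corp", 443, "https"),
]


def learn(flows):
    """Build the baseline: device -> Counter of (dst, port, proto) seen."""
    baseline = defaultdict(Counter)
    for device, dst, port, proto in flows:
        baseline[device][(dst, port, proto)] += 1
    return baseline


def assess(baseline, window, burst_factor=2):
    """Map each flow tuple that breaks the baseline to a human-readable reason.

    Two checks per (device, service) pair: a service the device has never
    used, or a volume burst above burst_factor times the baseline count.
    """
    findings = {}
    for flow, n in Counter(window).items():
        device, dst, port, proto = flow
        seen = baseline[device][(dst, port, proto)]  # 0 for unknown device/service
        if seen == 0:
            findings[flow] = "never seen for this device during learning"
        elif n > burst_factor * seen:
            findings[flow] = f"{n} flows in window vs {seen} in baseline"
    return findings


def respond(baseline, window, mode="active"):
    """Decide per flow: BLOCK (active mode), ALERT (passive mode) or ALLOW."""
    findings = assess(baseline, window)
    decisions = []
    for flow in window:
        if flow not in findings:
            decisions.append((flow, "ALLOW", "matches pattern of life"))
        elif mode == "active":
            decisions.append((flow, "BLOCK", findings[flow]))
        else:
            decisions.append((flow, "ALERT", findings[flow]))
    return decisions


def summary(decisions):
    """Count decisions by action, e.g. Counter({'BLOCK': 8, 'ALLOW': 2})."""
    return Counter(action for _, action, _ in decisions)


if __name__ == "__main__":
    model = learn(BASELINE_FLOWS)
    for mode in ("passive", "active"):
        print(f"--- {mode} mode ---")
        for flow, action, reason in respond(model, ATTACK_FLOWS, mode=mode):
            print(f"{action:5} {flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}  ({reason})")
```

Run it and compare the two modes: in passive mode all eight suspicious flows are ALERT and nothing is stopped, which is the situation the Maze customer was in; in active mode the same eight become BLOCK while the two baseline-conforming flows from the same workstation are still ALLOW. Two caveats a practitioner would add: the Kerberos burst check drops the whole burst, where a production system would more likely throttle that service back to its baseline rate, and a fixed burst factor is a stand-in for the per-device thresholds a learned model would maintain and keep updating as the environment changes.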

Whether the organization defaults to passive mode in the future remains to be seen.

It does seem clear though that the healthcare sector will follow broader technology trends. At one end this means more remote working – and presumably remote patient care – potentially leaving more attack paths open. At the other end, it means the adoption of IoT and 5G, and the creation of more data. All of which creates more entry points for attackers, as well as more data that can be targeted.

Meanwhile, ransomware developers will continue to innovate and replicate too. US authorities issued a warning about Hive just last month, "an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently".

To counter the Hive threat, the HHS Cybersecurity Program recommended that "Continuous monitoring is critical, and should be supported by a constant input of threat data", and that "An active vulnerability management program must be comprehensive in scope and timely in implementation of the latest software updates", covering traditional information technology infrastructure as well as any medical devices or equipment that is network-connected.

The question is: is this something that can be left entirely in the hands of humans to manage?

Sponsored by Darktrace
