Wednesday , 20 June 2018
Chris Morales, Vectra Networks
When InfoSec is life or death – finding a cure for ransomware

Healthcare organisations are a prime target of cyber attackers because they are reliant on vulnerable legacy systems, medical Internet of Things (IoT) devices with weak security and have a life or death need for immediate access to information. The healthcare industry has remained a consummate laggard when it comes to cybersecurity. With the UK government setting its sights on a paperless NHS by 2020 and digitising all patient data, UK hospitals will increasingly become a juicy target for cybercriminals. Without robust security solutions in place, the digitised records and services are ripe for the picking. It’s the cart before the horse. To protect themselves from threats such as ransomware, hospitals need to realise that traditional perimeter defences are no longer enough.

So, what is the diagnosis?

It has a lot to do with complexity. Building a proactive defence is complex and often tedious, especially threat hunting. Complexity requires highly skilled labour, which is expensive and time-consuming to find and onboard.

Perhaps the biggest issue in healthcare information security is the lack of talent to fill existing needs. It isn’t just the cost of skilled cyber warriors; there simply aren’t enough of them. Other concerns include the cost of building an effective programme and the ability to respond to emerging threats, of which ransomware is the most prominent.

Barriers to entry

The cybersecurity skills shortage continues to be a major concern. Finding complex threats requires exceptional knowledge. Security analysts must know about attackers, industry regulations and about the local healthcare environment. All this while watching the network 24/7.

It’s a tall order. But technology exists, such as artificial intelligence software that automates threat hunting, which augments existing staff and helps close the cybersecurity skills gap. This lowers the barrier to entry for Tier 1 analyst work.

On a related note, it’s important to remember that time equals money. When it comes to threat hunting, reducing the impact means the defender must be faster at finding threats than an attacker is at finding and stealing valuable information. “Time equals money” should be broken down into how much work an analyst can do in a single day and how many analysts you need.

Here’s the formula:
(cost) = (number of events) x (time to resolution) x (staff value)

Many healthcare organisations have leveraged artificial intelligence software to automate real-time threat hunting and reduce the time spent on threat investigations and remediation by 75-90% – without adding incident-response headcount. And the solution is specifically tuned to detect the ransomware threat that’s plaguing the industry.

Unfortunately, healthcare organisations have become high-value targets for ransomware. With lives at stake, medical teams can’t be denied access to systems and data critical to patient care.

Then there are medical IoT devices. These vulnerable, unprotected IP-enabled devices are an easy entry point for cyber attackers who can then move laterally through the network in search of personal health information (PHI) and other key assets.

The persistent, internally driven network attack has become the norm, and healthcare security teams, products and processes must adapt accordingly to head off disaster. Cybercriminals make things tougher by quickly and easily modifying their malware and launching a succession of advanced persistent threats (APTs).

The bottom line

Healthcare organisations should start by automating the hunt for cyber attackers inside their networks. Working in real time, this automation must provide visibility into attacker behaviours hidden in all network traffic and connected host devices, including IoT and BYOD. It must detect every phase of the cyber-attack kill chain, such as command-and-control communications, internal reconnaissance, lateral movement and data exfiltration behaviours.


Chris Morales, head of security analytics, Vectra Networks
