Threat intelligence for healthcare: how to get the most out of your investment
Healthcare C-suite leaders are facing challenging times. Healthcare is the most breached sector globally, accounting for 24% of all cases investigated by Verizon. Valuable patient data, mission-critical but exposed digital endpoints and strict compliance requirements all add to the cybersecurity challenge.
This is where threat intelligence (TI) can help to stem the tide of attacks and get security teams back on the front foot. But finding the right tools for your organization is essential if you want to maximize ROI and minimize risk.
In critical condition
Healthcare organizations (HCOs) have seen their IT systems evolve over the years to the point where today’s environments are a mix of old and new, legacy and cutting edge. One report claims that in 2017, 60% of NHS trusts still used Windows XP. And yet some HCOs are leading the charge by rolling out fully digitized electronic health record (EHR) systems, and investing in IoT technologies like smart drug infusion pumps, internet-connected heart monitors and even “smart beds”.
This digital transformation is essential if healthcare providers are to improve worker productivity, streamline processes and enhance patient care as they come under increasing pressure from an ageing population. But with new digital systems come new risks: of data loss, extortion and damaging system outages.
WannaCry is perhaps the best example of a major online disruption to healthcare. In this case the infamous 2017 ransomware attack forced an estimated 19,000 cancelled operations and appointments in the NHS, costing the UK’s health service £92m ($72m) in lost output and IT overtime. This wasn’t even an attack aimed at the NHS. In the US, SamSam ransomware has been responsible for more targeted outages at over 200 organizations including many hospitals, causing $30m in losses over the past three years.
Data breaches are another big risk. EHR data is highly lucrative as it usually contains a blend of insurance, personal and financial information that has a relatively long shelf-life for fraudsters. One report claims stolen EHR databases can fetch up to $500,000 on the cybercrime underground. Recently over 2.6m patient details were compromised in an attack on US provider Atrium Health.
For C-level executives the potential impact of such attacks could be catastrophic. Outages and major breaches can cause financial and reputational damage. Although public anger is often directed at the attacker, especially if they’ve caused an outage impacting patient welfare, it can soon turn on the HCO if it is thought that best practices in cybersecurity weren’t followed. In the EU, both the GDPR and the NIS Directive regulate the sector, adding further pressure on healthcare leaders.
Time to get proactive
Threat intelligence is a major tool in the arsenal of modern IT security teams, enabling them to evolve from a reactive to a proactive stance. What does that mean in practice? It could mean hunting for malware out in the wild that’s heading for your organization before it gets you. Using indicator of compromise (IOC) data you can make your organization more resilient by feeding it directly into security tools like intrusion prevention systems, and patching any exposed vulnerabilities. It could also mean spotting card details, credentials and other sensitive data that may have been stolen or leaked from the organization and ended up on the dark web. It could even mean finding evidence of an upcoming hacktivist attack on social media, or a phishing campaign circulating online that abuses your brand.
Yet effective TI requires you to have the right tools to hand. Vendors that offer a modular approach are most suitable because you pay for what you need, choosing the functionality that aligns best with your organization’s requirements. It’s also important to understand how the TI is delivered. Systems that are little more than a collection of threat data feeds may not give you the actionable insight you need, and security teams can often miss key alerts. These feeds need to be managed, consolidated and contextualized to offer high-value TI. The best solutions will offer a user-friendly dashboard interface with output personalized depending on who is viewing it. And they’ll ensure data is available in a machine-readable format (e.g. STIX/TAXII) so it can be fed directly into firewalls, intrusion detection systems and other controls.
Fresh and actionable
For the best possible results, the data used to produce your TI must be ultra-fresh and come from a wide range of human and machine-generated sources, both internal and external. This could include global threat databases; social networks; dark web forums; CERTs; sinkhole sensors, honeypots and crawlers; analyst reports; antivirus (AV) feeds; URL/IP/DNS lists and much more. It should then be enriched by human intelligence, sandbox analysis, automated threat classification and scoring and more.
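The two points above, machine-readable IOC data being fed straight into security tooling (STIX/TAXII) and the insistence on fresh, scored intelligence, are easier to see in a small working example. The following is added here and is not code from the article or from any TI vendor: it reads a STIX 2.1 indicator bundle, drops indicators whose valid_until has passed, and matches the rest against a handful of log lines, reporting hits in confidence order. The bundle, the indicator values (RFC 5737 / RFC 2606 reserved addresses and domains), the log lines and the log field names are all constructed for the example; only the simple single-comparison STIX pattern form is handled.

```python
"""Consume a STIX 2.1 indicator feed and check it against log lines (added example)."""
import json
import re
from datetime import datetime, timezone

SHA256_SAMPLE = "0123456789abcdef" * 4  # constructed placeholder hash, not a real IOC

# Constructed STIX 2.1 bundle with four indicators; the third has already expired.
FEED_JSON = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2024-01-01T00:00:00Z", "confidence": 85, "labels": ["ransomware-c2"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'updates.example.invalid']",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z",
         "confidence": 60, "labels": ["phishing"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'old-cdn.example.invalid']",
         "valid_from": "2023-06-01T00:00:00Z", "valid_until": "2024-01-10T00:00:00.000Z",
         "confidence": 90, "labels": ["malware-download"]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000005", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SHA256_SAMPLE}']",
         "valid_from": "2024-01-05T00:00:00Z", "confidence": 70, "labels": ["ransomware-dropper"]},
    ],
})

# Constructed proxy/EDR/DNS log lines; line 3 is a deliberate near miss (203.0.113.100).
LOG_LINES = [
    "2024-01-15T10:02:11Z proxy src=10.0.0.5 dst=203.0.113.10 host=old-cdn.example.invalid method=GET",
    f"2024-01-15T10:03:40Z edr host=ward7-pc event=process_start sha256={SHA256_SAMPLE}",
    "2024-01-15T10:04:02Z proxy src=10.0.0.9 dst=203.0.113.100 host=www.example.com method=GET",
    "2024-01-15T10:06:55Z dns client=10.0.0.5 query=updates.example.invalid rcode=NOERROR",
]

# Single-comparison STIX patterns only, e.g. [ipv4-addr:value = '...'];
# compound patterns (AND / OR / FOLLOWEDBY) are out of scope for this example.
PATTERN_RE = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_stix_pattern(pattern):
    """Return (object_type, property, value) for a simple STIX pattern, else None."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        return None
    obj_type, prop, value = m.groups()
    return obj_type, prop.replace("'", ""), value


def parse_ts(ts):
    """Parse a STIX timestamp (RFC 3339 with trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_indicators(bundle_json, now):
    """Extract indicators from a STIX bundle, dropping any whose valid_until has passed."""
    active = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        parsed = parse_stix_pattern(obj.get("pattern", ""))
        if parsed is None:
            continue  # unsupported pattern form; a real tool would log and skip it
        until = obj.get("valid_until")
        if until and parse_ts(until) < now:
            continue  # stale indicator: matching on it would only add noise
        obj_type, prop, value = parsed
        active.append({
            "id": obj["id"], "object_type": obj_type, "property": prop, "value": value,
            "confidence": obj.get("confidence", 0),  # STIX 2.1 confidence is 0-100
            "labels": obj.get("labels", []),
            # Anchored so that 203.0.113.10 does not match inside 203.0.113.100.
            "regex": re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE),
        })
    return active


def match_logs(indicators, log_lines):
    """Return every indicator hit against the log lines, highest confidence first."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for ind in indicators:
            if ind["regex"].search(line):
                hits.append({"line": line_no, "indicator": ind["id"], "type": ind["object_type"],
                             "value": ind["value"], "confidence": ind["confidence"],
                             "labels": ind["labels"]})
    hits.sort(key=lambda h: (-h["confidence"], h["line"]))
    return hits


def run_example(now=datetime(2024, 1, 15, tzinfo=timezone.utc)):
    """Load the constructed feed as of `now` and match it against the constructed logs."""
    return match_logs(load_indicators(FEED_JSON, now), LOG_LINES)


if __name__ == "__main__":
    for hit in run_example():
        print(f"line {hit['line']}: {hit['type']} {hit['value']} "
              f"(confidence {hit['confidence']}, labels {hit['labels']})")
```

Run as of 15 January 2024, the expired old-cdn indicator is discarded before matching, so the hit on line 1 is the C2 address rather than the dead domain, the near-miss address on line 3 produces nothing, and the three real hits come out ordered by the feed's own confidence score. Those three behaviours (expiry, anchored matching, scoring) are what separates a contextualized feed from a raw list of strings.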
There’s a great deal of complexity here. But the best TI platforms will hide this from the end user, simply providing fresh, actionable, targeted insight for your organization. That’s exactly what you need to mitigate cyber risk and help support digital growth.