A Chicago Tribune article recently carried an ominous headline: "Healthcare organizations under siege from cyberattacks, study says." According to the SANS-Norse report cited in the article, 375 healthcare organizations are currently compromised, with more expected to succumb as hackers target the growing amount of patient information from federal and state healthcare exchanges. The good news is that healthcare IT teams can utilize the ExtraHop wire data analytics platform to detect compromised systems and other anomalous activity.
ExtraHop geomaps reveal the geographic location of client requests for various application protocols.
1. Detecting Attacks
One of the interesting facts brought to light by the SANS-Norse report is that many of the compromised healthcare companies were unaware that they were even under attack. This is partly due to the number and diversity of systems for which healthcare IT teams are responsible. The ExtraHop platform can help improve the security and performance of healthcare applications by discovering applications and activity on the network in as little as 15 minutes after installation, providing rapid insight into potential attacks. For example, IT teams can generate ExtraHop geomaps with the push of a button to reveal the geographic location of traffic for a specific protocol and group of devices. Additionally, the ExtraHop platform automatically learns normal activity and supports rule-based parameters and alerts for abnormal events such as excessive failed network logins.
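As an added illustration of the kind of rule-based alert described above (this is standalone example code, not ExtraHop trigger code or its API): it takes a list of observed authentication attempts and raises an alert for any client whose failed logins within a sliding time window reach a threshold. The events, IP addresses, user names, threshold and window size are all constructed for the example.

```javascript
// Added example, not ExtraHop code: detect excessive failed logins from a
// single client inside a sliding time window. All events are constructed.
// ts is seconds since capture start; ok is whether the login succeeded.
const SAMPLE_EVENTS = [
  { ts: 0,   client: '10.1.1.5',  user: 'nurse1',  ok: false },
  { ts: 5,   client: '10.1.1.5',  user: 'nurse1',  ok: false },
  { ts: 10,  client: '10.1.1.5',  user: 'admin',   ok: false },
  { ts: 15,  client: '10.1.1.5',  user: 'admin',   ok: false },
  { ts: 20,  client: '10.1.1.5',  user: 'root',    ok: false },
  { ts: 25,  client: '10.1.1.5',  user: 'root',    ok: false },
  { ts: 30,  client: '10.1.1.5',  user: 'nurse1',  ok: true  }, // successes are ignored
  { ts: 0,   client: '10.1.1.7',  user: 'dr_lee',  ok: false }, // a few typos over 5 min
  { ts: 150, client: '10.1.1.7',  user: 'dr_lee',  ok: false },
  { ts: 300, client: '10.1.1.7',  user: 'dr_lee',  ok: false },
  { ts: 100, client: '10.1.1.11', user: 'svc_lab', ok: false }, // exactly 5 inside 60 s
  { ts: 110, client: '10.1.1.11', user: 'svc_lab', ok: false },
  { ts: 120, client: '10.1.1.11', user: 'svc_lab', ok: false },
  { ts: 130, client: '10.1.1.11', user: 'svc_lab', ok: false },
  { ts: 160, client: '10.1.1.11', user: 'svc_lab', ok: false },
];

// Returns one alert per client whose densest window of failures reaches the
// threshold. The window is inclusive: two failures exactly windowSec apart
// count together. Events may arrive out of order; they are sorted per client.
function findExcessiveFailedLogins(events, { threshold = 5, windowSec = 60 } = {}) {
  const failuresByClient = new Map();
  for (const e of events) {
    if (e.ok) continue;
    if (!failuresByClient.has(e.client)) failuresByClient.set(e.client, []);
    failuresByClient.get(e.client).push(e.ts);
  }

  const alerts = [];
  for (const [client, times] of failuresByClient) {
    times.sort((a, b) => a - b);
    let start = 0;
    let best = { count: 0, windowStart: null, windowEnd: null };
    for (let end = 0; end < times.length; end++) {
      // slide the left edge forward until the window fits within windowSec
      while (times[end] - times[start] > windowSec) start++;
      const count = end - start + 1;
      if (count > best.count) {
        best = { count, windowStart: times[start], windowEnd: times[end] };
      }
    }
    if (best.count >= threshold) alerts.push({ client, ...best });
  }
  // deterministic order for reporting
  return alerts.sort((a, b) => (a.client < b.client ? -1 : a.client > b.client ? 1 : 0));
}

console.log(JSON.stringify(findExcessiveFailedLogins(SAMPLE_EVENTS), null, 2));
```

Run with `node` to see the two clients that trip the rule; the client with three failures spread over five minutes does not, which is the point of using a window rather than a raw count.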
2. Passive Monitoring of All Network-Connected Assets
In addition to traditional clients and servers, healthcare organizations also have the unique challenge of having to monitor medical device data systems (MDDS) like radiologic imaging systems, medication management systems, and electrocardiogram systems. In order for these systems to be certified by the U.S. Food and Drug Administration (FDA), they cannot have any third-party software installed on them, including monitoring agents. The ExtraHop platform is able to passively monitor any and all devices on the network, including MDDSs, without deploying any agents and without the need for FDA certification. Even though the FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity, new FDA certification may still be required depending on the nature of the change to the MDDS. Failure to maintain FDA certification carries the potential for any of the following actions: FDA requested recall, FDA mandated recall, warning letter, seizure, injunction, prosecution, civil penalties, or detention, as detailed on the FDA website.
3. Verifying Firewall Rules and Configurations
As mentioned in the Chicago Tribune article, firewalls are often inappropriately configured in healthcare environments. The ExtraHop platform can be used to verify that firewall rules are implemented correctly. Recently, a colleague and I informed a customer about the free cloud app monitoring solution module and helped them install it on their ExtraHop platform within minutes. The customer instantly saw that users were able to access social media websites when those sites were supposed to be blocked by the firewall. Empowered by the information from ExtraHop, the IT team made changes to the firewall configurations and confirmed that those changes were working.
4. Monitoring Activity Inside and Outside the Perimeter
Once an attacker gains access to one network device, they often use that device as a jump-off point to attack other hosts on the network. The ExtraHop platform enables IT teams to continuously monitor all L2-L7 communications on their internal network as well as communications between internal hosts and external clients. Security teams often have good defenses for traffic coming into their environment but far less visibility into what leaves it; ExtraHop can be used to comprehensively monitor egress traffic as well.
In addition to detecting unencrypted PII data in transit, ExtraHop reveals clients and servers using less than 2,048-bit encryption.
5. Real-Time Alerts On Sensitive Data in Transit
The ExtraHop platform can detect and alert in real time on personally identifiable information such as SSNs and credit card numbers passing in the clear on the network. For instance, ExtraHop engineers have written a trigger that detects unencrypted credit card information using the Luhn algorithm. This is useful both for detecting data exfiltration and for supporting HIPAA security audits.
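The Luhn-based detection described above, as an added standalone example (this is not the ExtraHop engineers' trigger and does not use the ExtraHop trigger API): it scans a cleartext HTTP payload for digit runs that could be card numbers, keeps only those that pass the Luhn check, and separately flags SSN-formatted values that fall in an issuable range. The sample payload, the hostname and the function names are constructed for the example; the Luhn check and the SSN area/group/serial exclusions are the standard rules.

```javascript
// Added example, not ExtraHop's trigger: find cleartext card numbers and
// SSN-formatted values in a captured payload. The payload is constructed.
const SAMPLE_PAYLOAD = [
  'POST /billing HTTP/1.1',
  'Host: billing.example.internal',
  'Content-Type: application/x-www-form-urlencoded',
  '',
  'order_id=1234567890123456&card=4111 1111 1111 1111&exp=0127&ssn=123-45-6789',
  'note=alt card 378282246310005; typo 4111111111111112; fake ssn 000-12-3456',
].join('\r\n');

// Luhn check over a string of decimal digits: double every second digit from
// the right, subtract 9 from doubled values above 9, and the total must be a
// multiple of 10. This is what separates real PANs from other 16-digit runs.
function luhnValid(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Candidate PAN: 13 to 19 digits, each optionally followed by one space or
// dash, bounded by non-digits so a longer digit run is not carved up.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
// SSN shape AAA-GG-SSSS. Area 000, 666 and 900-999, group 00 and serial 0000
// are never issued, so those are treated as non-matches.
const SSN_RE = /\b(\d{3})-(\d{2})-(\d{4})\b/g;

// Keep only the first six and last four digits in any alert or log line.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

function findCardNumbers(payload) {
  const hits = [];
  for (const m of payload.matchAll(PAN_RE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (!luhnValid(digits)) continue; // drops order IDs and mistyped numbers
    hits.push({ kind: 'pan', offset: m.index, value: maskPan(digits) });
  }
  return hits;
}

function findSsns(payload) {
  const hits = [];
  for (const m of payload.matchAll(SSN_RE)) {
    const [area, group, serial] = [m[1], m[2], m[3]];
    if (area === '000' || area === '666' || area >= '900') continue;
    if (group === '00' || serial === '0000') continue;
    hits.push({ kind: 'ssn', offset: m.index, value: '***-**-' + serial });
  }
  return hits;
}

// Combined scan, ordered by position in the payload.
function scanPayload(payload) {
  return [...findCardNumbers(payload), ...findSsns(payload)]
    .sort((a, b) => a.offset - b.offset);
}

console.log(JSON.stringify(scanPayload(SAMPLE_PAYLOAD), null, 2));
```

On the constructed payload this reports the Visa and Amex test numbers and one SSN, while the 16-digit order ID, the mistyped card number and the 000-area SSN are all rejected. Findings are masked before they are emitted, so the alert itself does not become another place where the cleartext value is stored.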
With the growing cybersecurity concerns in healthcare, IT teams need a solution that provides deep wire data analytics for all L2-L7 communications in real time, including full bi-directional transaction payloads. If you're interested, try our free, interactive online demo.