Healthcare organizations are often at increased risk when it comes to data, network and system security compared to companies in other industries.
Not only do the volume and value of data they house make them a target, their dependency on access to that data means attackers can cause widespread disruption and wield significant leverage by withholding it. We've seen many cases where entire hospitals have been crippled for days by ransomware, hindering patient care delivery, and in some instances, resulting in large ransom payments to criminals. Added to those costs is damage to provider reputation not to mention fines and penalties imposed by HHS for HIPAA violations.
To help mitigate the risk, many organizations are turning to threat intelligence feeds, increasingly complex data logging, and security information and event management (SIEM) tools sources in the hopes that knowing more — about current threats, about what's happening on the network, etc. — will help make them more secure in the face of increasingly sophisticated threats. However, for as helpful as these tools and approaches can be, the deluge of data they generate can actually make things more difficult when an infection needs to be isolated quickly and a rapid response is of the essence. Security teams need to ensure they don't hook themselves up to fire hoses when all they can consume is a reasonable drink.
How much is the right amount of data to collect? What's the best way to effectively analyze it? To answer those questions, here are a few best practice "dos and don'ts" for leveraging Big Data for optimum security.
Do: Collect appropriate data to meet specific security objectives.
Don't: Take a one-size-fits-all approach.
In the case of attacks spreading from infected endpoints, identifying and stopping an attack quickly requires efficient incident response, and is best served by a focused set of indicators of compromise, delivered urgently. Too much data bogs down the the process, and can mask the actual infection, which may allow the infection to spread across the network.
Once the infection is halted, though, system restoration and forensic examination requires more extensive, detailed data. Both sets of data serve a critical purpose, but applying the same policies and tools to gather the same depth of information at both points will bury your team in unwanted data, or leave them short, if you don't think about the appropriate strategy up front.
Do: Reassess data sources regularly to re-prioritize and eliminate noise.
Don't: Forget that with more data comes more responsibility.
Security is constantly evolving, and so should your data gathering. As threats and your sources of data change, periodic pruning is necessary to eliminate redundancies and strategically prioritize for the new environment. For example, if a strong host-based data loss prevention (DLP) solution is reducing network-based detection of data exfiltration to near-zero, you can probably throttle back on your network-based sniffing of those outbound transactions. Likewise, more effective gateway filtering, successful user training, or stronger endpoint protection may minimize the need for host-based intrusion detection, reducing the priority of HIDS data collection.
This not only helps make security more manageable, it also reduces the risk that comes along with creating and storing unnecessary data. After all, the more data you have, the more data you're responsible for, and failure to deal with it appropriately could put you at risk of noncompliance or public criticism in the event of an attack. Periodically re-evaluate your data collection needs and adjust policy and tools as needed to find your sweet spot.
Do: Align your data analysis capacity with your business needs.
Don't: Try to handle it internally at all costs.
Health care organizations are held to a high standard of protection through HIPAA compliance mandates, and it doesn't require an actual breach or loss of data to be in violation. Today, a single successful ransomware attack is a reportable security incident unless proven otherwise. The fact that an attacker accessed or gained control of patient data doesn't have to be proven, it simply has to be a possibility that can't be ruled out. For smaller organizations with fewer resources, managing the full breadth and depth of data security amid HIPAA compliance mandates can be extremely taxing, if not impossible.
To rapidly analyze real-time data on immediate threats and process detailed recovery information while conducting complete, in-depth analysis and investigation, think about bringing in some outside help. Vendors that specialize in HIPAA-compliant real-time threat monitoring and ongoing audit compliance can prove invaluable in maintaining a strong, compliant security posture.
Do: Look for sources of new data that complement existing data.
Don't: Put all of your eggs in one basket.
While decreasing dwell time — the period of time malware or a breach goes undetected — is important, so is decreasing the likelihood that your organization will be affected by malware in the first place. Traditional preventative security measures can help to block known attacks, and they are improving through the use of growing data sets and machine learning to improve their blacklists. This analysis of static files allows them to make educated guesses which programs to block when they look suspicious. Unfortunately, hackers have come up with new strategies to circumvent this process, including new "fileless attacks" that neither require nor leave files files on disk. With no files to scan, scan-based protection can't recognize and stop these attacks.
To complement traditional anti-virus protection and fill this gap, a runtime malware defense solution can identify malicious program activity in real-time, identifying these attacks based on their behavior, rather than on their attributes. When the suspicious behavior is detected, the programs can be stopped immediately, before any damage is done.
Technology has advanced to the point where the capacity to gather security information is outstripping the human capability to prioritize and contextualize it, even with the help of data management platforms. Thriving in this new environment requires that leaders rationalize their need for data, create a strategy for its ongoing use, and attempt to limit redundant, aged, or unnecessary information. By doing this, security focus can be maintained on the most critical areas and events without the distraction of unmanageable noise.
About Jack Danahy
Jack Danahy is the co-founder and CTO of runtime malware defense pioneer Barkly, and a 25-year innovator in computer, network, and data security. He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard Technologies in 2000) and Ounce Labs (acquired by IBM in 2009). Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the Director of Advanced Security for IBM, and led the delivery of security services for IBM in North America.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.