Why isn’t healthcare defending the IoT?
Hackers are typically two years ahead of cybersecurity defenders in terms of technology, experts believe, and the consequences of that gap can be disturbing and damaging.
Ask Justin Fier, director of cyber intelligence and analytics for Darktrace, a cybersecurity firm whose strategies and technologies are rooted in machine learning. In that role, he’s seen many eye-popping security incidents, from inside jobs and corporate espionage to nation-state spying.
He shared some of his war stories with attendees of the Health IT & Analytics Summit this week in Baltimore, Maryland. But as unsettling as each anecdote was, they all pointed to a couple of overarching themes—problems facing healthcare and every other sector.
“The mandate of security has changed, but I’m not convinced that has been relayed to the various security teams,” Fier said.
Just two years ago, data defenders were mostly charged with protecting desktop computers, servers, and printers. Now, they must safeguard everything with an IP address—namely, connected devices, or the Internet of Things (IoT)—but many have yet to understand this shift.
All of Darktrace’s customers come up short by 15 to 25 percent when asked how many devices are on their network, Fier said. To him, that disconnect is a sign of the rise of the IoT, which has made it impossible for security teams to know of every device connected to their network.
“Customers often look at me with a blank stare when I ask who’s looking over IoT,” he added. “So the question is, what is the role of your security team, and are they watching all of these devices, or are they doing the legacy job?”
To better understand how cybersecurity teams must evolve, Fier pointed to 5 case studies that highlight the new threats facing healthcare and every other industry. Here they are.
In this case, a systems administrator installed two $5 Raspberry Pi computers beneath the floorboard, connecting them to the network, in exchange for a bribe. It turned out that the tech was collecting the credentials of every employee who visited a certain website. “We believe they were actually planning to sell these credentials on the dark web,” Fier said. In the end, this story became a lesson on insider threats and the need to know your network.
Gumstix devices, part of the Raspberry Pi family, are even smaller than the typical Pi board, though they cost hundreds of dollars more. These computers resemble a stick of gum, thus the name. In this case, one had been plugged into an IoT device on a corporate campus—and despite walking past this intrusion every day, security was none the wiser.
The gist: Digital kiosks dotted the facility, allowing employees to swipe a badge and access all sorts of human resources information, from vacation time to their cafeteria credit. The kiosks transferred this data to and from the mothership, “totally unencrypted,” Fier said. Anyone in the building could access the information—as could the imposing Raspberry Pi device.
In spring 2016, Darktrace’s machine-learning technology was scanning the network of a new client for irregularities. When it analyzed the 50 or so video-conferencing devices throughout the building, it noticed that one was operating strangely. It had begun to receive inbound connections, meaning someone outside the organization was accessing the device, and it was leaking quite a bit of data.
Fier and his team figured the culprit was someone who was simply goofing around. “You don’t need to be a hacker to break into these devices,” he said. “Just Google the model number and the word ‘exploit.’”
But further investigation revealed that the offense occurred in the board room, during a two-week period when the directors were discussing a big merger. “It was a textbook case of corporate espionage,” Fier said.
How, though, can a security team allow more than 10 gigs of audio files to leave the network and head to an unknown device?
In this case, it became clear that a foreign country was spying on a Darktrace client. The team knew that blocking the nation-state was futile, as its hackers would simply work around the wall. Instead, Fier and his colleagues decided to stop the country’s malicious exfiltration for a period of time, a seemingly small step. “But when they go back to their listening post, there’s a big hole in the data set,” he said.
The key here: The security team can monitor the intruder and use autonomous response technology to essentially take offensive actions against them. This approach goes beyond merely blocking a connection, and it’s something that Fier believes should be more widespread.
When the chief data scientist of this unnamed organization resigned, the individual nabbed six gigs of data via the cloud. The person’s subject matter expertise and knowledge of the company made for an effortless heist. But those same conditions should have made this employee stand out as a potential threat right off the bat.
Fier said this story underscores the need for security and human resources (HR) to collaborate. HR should flag soon-to-be-gone employees in a system as high risk, alerting the defenders to any problems before they become disasters and enabling them to build proactive walls.