Preventing Healthcare Data Breaches: The Power of Packet Data - Vinay Sharma, Regional Director, India and SAARC, NETSCOUT.
Healthcare organizations place top priority on delivering the best care and patient experience, followed by achieving cyber resilience and driving revenue growth. By embracing digital transformation, hospitals can achieve these goals. Advanced technologies are swiftly implemented to enhance the quality of care and build trust in the organization while also strengthening the organization’s cybersecurity posture.
The healthcare industry’s mission is to improve and save lives. The modern networks and applications at healthcare facilities rely on consistent quality performance and continuous availability of the infrastructure that supports them. IT teams have to ensure healthcare technology systems are operating at peak performance so that patients receive the best quality care. However, along with digital transformation comes the complexity of cybersecurity risks, and healthcare providers have to cope with this new challenge. Any disruption in the performance or availability of patient information systems, appointment scheduling, or other services can lead to a delay in treatment, compromising the bottom line and, more importantly, patient care.
Several recent cyberattacks have shown that healthcare networks are prime targets for cybercriminals: hospital networks present large attack surfaces because they are built from many complex systems that were never integrated, and the gaps between those systems become vulnerabilities.
The Attack
Let’s say one morning, a hospital IT team notices unusual activity in their network. The hospital systems go down, and critical patient records are locked. Phones do not stop ringing. Doctors and nurses are facing challenges in accessing critical life-saving information. The hospital has been targeted by cybercriminals who have successfully launched a ransomware attack, which has crippled the hospital’s network. These attackers are demanding millions of dollars from the hospital to restore access.
Immediate Impact and Response
It all started with a phishing email. A hospital employee unknowingly clicked a malicious link, which downloaded a payload that installed a backdoor giving the attackers command-and-control access. Logs captured the email’s delivery and the file download, but could not show what the payload did once it ran.
The fully deployed ransomware encrypted electronic health records (EHRs), appointment schedules, and medication orders. Emergency care was delayed and surgeries were postponed. The cybercriminals demanded payment, forcing the hospital to choose between paying and jeopardizing patient safety. Network logs confirmed that certain systems had become inaccessible and that large volumes of encrypted traffic were present, but they could not identify exactly which files were affected or how the ransomware spread.
Before locking the files, the attackers extracted sensitive patient information such as medical histories and billing records, intending to sell it on the dark web. Logs captured the unusual outbound transfers, but not their contents: only traffic volume and destination IP addresses were recorded.
The attackers also moved laterally, exploiting unpatched vulnerabilities in connected medical devices rather than relying on administrative credentials. The logs recorded failed login attempts and privilege escalations, but gave no visibility into how the attackers moved between devices or which tools and techniques they used.
Packet Data Reveals Multi-Phased Attack Prior to Exfiltration and Encryption
Had packet data been captured in addition to the logs, it would have revealed the early stages of the attacker’s multi-staged attack. For example, packet data can provide evidence of the initial compromise, of command-and-control communication with external servers, and of both the abnormal volume and the exact contents of the data exfiltrated prior to encryption.
Packet data would have identified which patient records were stolen, clarifying the scope of the breach and helping to meet Health Insurance Portability and Accountability Act (HIPAA) breach notification requirements. One caveat applies: where the exfiltration channel is encrypted, the packets still show volume, timing and destination, but recovering the contents requires that traffic to be decrypted at an inspection point. Packet data can also expose exfiltration techniques such as Domain Name System (DNS) tunneling, which logs that record only query counts or resolver statistics will miss, because the tunneled data is carried in the query names themselves. Malicious commands, unauthorized device access, and unusual traffic patterns between medical Internet of Things (IoT) devices would likewise have been exposed by packet data; these are early warnings of lateral movement before the ransomware is deployed.
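As an added illustration, and not NETSCOUT code or part of the original article, the Python below parses constructed DNS query packets and scores each zone for tunneling indicators: many unique subdomains, long subdomains, and high character entropy in the labels. The packets, the domain names (hospital.example, exfil.example), the use of SHA-256 digests as stand-ins for encoded ciphertext chunks, and the thresholds are all assumptions made for the example.

```python
"""Added example: spotting DNS-tunnelling-style exfiltration in raw DNS query
packets. Not NETSCOUT code; all packets, names and thresholds are constructed."""
import hashlib
import math
from collections import defaultdict


def build_dns_query(qname, txid=0x1234):
    """Encode a minimal DNS query message: 12-byte header plus one TXT/IN question."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00" * 6
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split(".")) + b"\x00"
    return header + question + b"\x00\x10" + b"\x00\x01"  # QTYPE=TXT, QCLASS=IN


def parse_qname(packet):
    """Decode the first question name from a raw DNS message (no compression pointers)."""
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def shannon_entropy(text):
    """Bits per character; encoded or encrypted payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname, zone_labels=2):
    """Split 'a.b.hospital.example' into ('hospital.example', 'a.b'); assumes 2-label zones."""
    labels = qname.split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])


def score_queries(packets, min_unique=5, min_avg_len=30, min_avg_entropy=3.0):
    """Group queries by zone and flag zones whose subdomains look like encoded data."""
    per_zone = defaultdict(list)
    for pkt in packets:
        zone, sub = split_zone(parse_qname(pkt))
        per_zone[zone].append(sub)
    findings = {}
    for zone, subs in per_zone.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        unique = len(set(subs))
        findings[zone] = {
            "queries": len(subs),
            "unique_subdomains": unique,
            "avg_subdomain_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "tunnel_suspected": (unique >= min_unique and avg_len >= min_avg_len
                                 and avg_ent >= min_avg_entropy),
        }
    return findings


# Constructed traffic: ordinary hospital lookups plus eight queries that carry
# hex-encoded ciphertext chunks (stood in for here by SHA-256 digests) as labels.
BENIGN = ["www.hospital.example", "mail.hospital.example", "ehr.hospital.example",
          "pacs-archive.hospital.example", "www.hospital.example"]
TUNNEL = []
for seq in range(8):
    chunk = hashlib.sha256(b"constructed chunk %d" % seq).hexdigest()
    TUNNEL.append(f"{seq:04x}.{chunk[:32]}.{chunk[32:]}.exfil.example")
SAMPLE_PACKETS = [build_dns_query(q) for q in BENIGN + TUNNEL]

if __name__ == "__main__":
    for zone, finding in score_queries(SAMPLE_PACKETS).items():
        print(zone, finding)
```

The point of the example is that the indicators live entirely in the question name, which is only visible if the DNS payload itself is captured or logged in full; a counter of queries per client or per resolver would show nothing unusual for eight requests. In production the zone split would use a public-suffix list rather than a fixed two-label rule, and thresholds would be tuned against the site's own baseline.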
At every stage of this attack, packet data would have delivered insights that logs could not. Logs provide event summaries; packet data presents what actually crossed the wire, in real time, exposing attack techniques, the data that was compromised, and the opportunities for earlier detection that were missed.
A Network Detection and Response (NDR) platform is the tool for eliminating these network blind spots. At its core should be deep packet inspection (DPI), giving healthcare organizations the security visibility to identify vulnerabilities and threats precisely. By combining network threat detection techniques with machine learning, the platform should detect both known threats and previously unseen ones. Integration with EDR, SIEM, SOAR, and XDR tools lets security teams use the platform to investigate third-party alerts or proactively hunt for signs of anomalous activity that were missed, so that organizations can respond quickly to security threats.
Healthcare organizations can take control of their network security by embracing the capabilities of such a comprehensive platform.
This comprehensive and proactive security brings peace of mind and an increased level of cyber-intelligent security, strengthening the hospital’s security posture.