Editor's note: This story is part of an online special report and has been edited for the print edition of Modern Healthcare. Please visit the web version of Building a Better Cyberdefense.
Building a Better Cyberdefense: A smarter anti-hacker defense
Harnessing the power of computers to thwart medical data thieves as they strike
Brian Selfridge walked into a hospital owned by a midsize health system in the Northeast, sat down in a conference room and plugged into a wired internet connection. After about an hour, he found a database on the hospital's network that was secured with a default password, which he used to gain access to a server, from which he extracted the passwords of anyone who had logged into that machine.
Selfridge created his own account in the system and used other accounts to do the same thing on other machines on the server. Eventually, he discovered an account with administrative permissions, which he used to create an additional administrative account. That allowed him to download the password of every user in the hospital's network. After five hours of hacking he'd hit the jackpot: He had access to employee and patient information, emails, billing records and other sensitive information used to run the hospital.
Thankfully for his victim, Selfridge hacks for good. He's a partner at Meditology, a cybersecurity consulting firm for providers and payers. A bad actor could have done everything he did, he said. The hospital's IT staff weren't warned he would be coming, and the open environments of hospitals make it possible for anyone to walk in and use their wireless networks, or even wired connections.
While Selfridge initially used a wired connection and later switched to wireless, he says he could have done the whole operation on Wi-Fi, which means he could have accomplished his mission in a public area like a cafeteria, where he'd likely go unnoticed.
Here's the good news. At any point during his mission, advanced cybersecurity tools could have detected his unusual behavior, Selfridge said. Smart software would have noticed that it's unusual for a foreign computer to create new accounts, or that someone had logged in using a compromised account. Some component of cyberdefense should have especially taken notice when Selfridge and his team were able to make such a high-level account that allowed them full access.
“Something should have alerted them in big red letters that we made an administrator's account and downloaded all of the passwords,” Selfridge said.
Cybersecurity platforms that employ advanced technologies like artificial intelligence, machine learning and predictive analytics are being marketed to providers, who have lagged behind other industries in protecting critical data. If deployed correctly, the technology has significant potential to help healthcare cybersecurity leaders, who are overwhelmed by cybersecurity threats but unable to hire enough staffers to adequately respond, healthcare cybersecurity experts say.
Cyberattacks have steadily increased in the past few years, with HHS reporting 106 hacking incidents in 2016, nearly double the year before and over 20 times more attacks than were discovered in 2010. Hackers are hungry for personal information like addresses, Social Security numbers and credit card numbers. They also want medical records, which are immensely valuable because they allow identity thieves to create a more convincing profile of a stolen identity.
Providers spend millions of dollars on cybersecurity products and labor each year. Many are now hoping that intelligent cybersecurity tools, if developed and implemented correctly, will allow their staff to protect their networks more efficiently and thoroughly.
“They are a response to the sheer volume of attacks,” said Phyllis Teater, chief information officer at the Ohio State University Wexner Medical Center. “There are huge volumes every day of various attempts to penetrate our organization. You can't hire enough people to look at all the attempts.”
Protective technologies entering the market work through algorithms. Artificial intelligence generally refers to the ability of computers to perform tasks that normally require human intelligence, often involving the autonomous use of algorithms by a computer to analyze activity. Predictive analytics software feeds available data through algorithms and modeling to make predictions about what may occur to a network. Machine learning is the ability of computers to improve their analytical accuracy and capabilities by learning from data and activity.
Vendors like Armonk, N.Y.-based IBM Corp. and Moscow-based Kaspersky Lab are harnessing these technologies to create cybersecurity platforms that make sense of unusual activities, bring them to the attention of cybersecurity professionals and help them triage the threats. Some systems can be programmed to automatically block those threats.
Kaspersky Lab is a popular, global cybersecurity vendor that was founded by CEO Eugene Kaspersky in 1997, and its Woburn, Mass.-based North American business was founded in 2004. Kaspersky is a former software engineer for the Russian military and studied at the Institute of Cryptography, Telecommunications and Computer Science, which is sponsored by the Russian government's intelligence service. The company, which is operated by a holding company in the U.K., has been accused of having close ties to the Russian government.
Because initial defenses like firewalls and antivirus or malware software are sometimes deceived or bypassed by hackers, leaders at IBM and Kaspersky say it's crucial that providers have tools that can alert them to the activity of malicious actors who may have broken through their defenses.
“It's impossible to create a single layer of protection either way that will prevent 100% of the hacks,” said Andrey Pozhogin, a cybersecurity expert with Kaspersky Lab North America.
The algorithms in the systems are designed to notice anomalies that signal infiltrations such as ransomware attacks—when hackers break into a network and encrypt an organization's files, demanding ransom in exchange for a decryption key.
Ransomware attacks are on the rise and are becoming a front-burner concern at healthcare organizations. In one high-profile case, a Southern California hospital paid $17,000 in bitcoins to get its data back. London-based Beazley, which offers cybersecurity insurance and breach response services, says it handled 88 ransomware incidents at healthcare organizations in 2016, more than seven times the number it handled the year before. Healthcare organizations represented more than 40% of the 203 ransomware incidents Beazley handled across all industries in 2016. Not all of those incidents required HHS notification.
Software like Kaspersky's relies on threat-intelligence data such as hackers' known IP addresses to monitor for suspicious activity. IBM wants to take that a step further. The computer giant is hoping to harness the power of its Watson cognitive computing platform to not only compile structured data like those IP addresses but also to parse blog posts, research papers and other natural-language documents for information about potential threats.
How to keep up with growing and evolving threats from cybercriminals
Invest in intelligent software that senses unusual activity in your network when hackers have bypassed or deceived frontline defenses.
Increase budget allocation for cybersecurity to hire more workers and attract higher-quality talent.
Develop processes to ensure timely implementation of security patches for medical devices.
Replace aging medical devices before manufacturers stop supporting them with patches.
Virtually separate devices from the rest of your network to limit the potential scope of damage if a device is hacked.
For example, Watson can understand reports issued by a manufacturer or the Food and Drug Administration when a web-connected device is found to be vulnerable to attacks. It's not only extracting statistics embedded in these documents but also interpreting the prose written by humans that offers anecdotal details of weaknesses or hacker activity. By combining this evidence with structured data sets from cyberintelligence services, Watson is expected to be able to notice patterns and other insights.
IBM hopes Watson will build a knowledge base that not only informs cybersecurity professionals but also feeds up-to-date information to software about potential threats that should be monitored. The product is in beta at organizations in various industries, including the University of Rochester (N.Y.) Medical Center.
IBM has been pushing Watson in the healthcare space for several years, making several major acquisitions with the aim of using Watson to support clinical decisionmaking and help providers derive insights from population health data. The company has also deployed Watson for supply chain management through a joint venture with UPMC.
Cybersecurity professionals read countless reports on risks as a part of their day-to-day activities, but there's far too much information to take in, said Diana Kelley, executive security adviser at IBM. Eighty percent of security intelligence is described in natural language, according to IBM. The company estimates that each month brings more than 75,000 documented software vulnerability reports, 10,000 security research papers and 60,000 security blogs. “It's about them being able to understand the data more quickly,” Kelley said.
Cognitive computing could help fill in the gaps in a healthcare cybersecurity workforce that is notoriously understaffed, in part because professionals are paid significantly less than their counterparts in industries like retail and finance. Most hospitals and medical groups simply don't have the budget to compete with other industries for the talent.
With most current systems, a human still needs to evaluate whether an alert requires action and then decide what action to take, said Tareva Palmer, chief information security officer at WVU Medicine, the Morgantown, W.Va.-based health system affiliated with West Virginia University. But these technologies could help them do their jobs better and more efficiently.
Providers were reluctant to say exactly how much they pay for these tools, with some simply saying they spend millions of dollars on protection. Costs vary based on the size and scope of a provider. Palmer noted that providers can sometimes save money on predictive analytics tools by outsourcing some or all of their cybersecurity to a managed security service provider.
WVU Medicine has seen a reduction in hacking incidents after implementing predictive analytics software, and the tools have brought vulnerabilities to their attention that they may not have otherwise discovered before they could be exploited. Ultimately, leaders weigh defense costs against the cost of a breach, and the costs are high. The Ponemon Institute estimated that healthcare breaches are more expensive than hacks in any other industry, with a cost of $402 per record.
Palmer said predictive analytics software used at WVU Medicine frees up her staff for crucial tasks that only humans can carry out, such as teaching employees how to identify phishing emails and protect their devices and data.
“(The tools) are crucial, because of that ability to be able to take the massive amount of information that individuals would not be able to parse through on their own,” Palmer said. “You can use these tools to streamline processes so that your resources can focus on those top strategic items.”
The tools also help providers prioritize the most serious threats, said Matthew Snyder, chief information security officer at Penn State Hershey (Pa.) Medical Center. Just like clinicians can suffer “alarm fatigue”—dangerous desensitization to the many alarm-equipped devices in a hospital—cybersecurity professionals can become overwhelmed by threat alerts.
“The most important thing is to be able to delineate between what's the most relevant stuff I need to act on and what is just noise,” Snyder said.
If cash-strapped healthcare providers are already struggling to offer competitive wages for cybersecurity workers, will they be able to afford these sophisticated tools? Some providers are doubtful.
“They're expensive,” said Kris Kistler, chief information security officer at Centennial, Colo.-based Centura Health. “I don't think that they're affordable. The level we have is not going to be affordable to a small practice. They'd have to rely on some other things.”
Kaspersky Lab declined to discuss pricing, noting that costs vary widely depending on client need. IBM said it's too early to comment on its yet-to-be-released Watson for cybersecurity platform.
These computer-driven screening technologies were not affordable for 19% of respondents to a Modern Healthcare survey conducted for this special report. Just over a third of 52 provider respondents said they didn't know enough about predictive analytics, machine learning or artificial intelligence to make installation a priority.
Centura, a 17-hospital system, spends millions of dollars on security and provides protection services to a network of nearly 200 smaller physician offices across Colorado and western Kansas. Centura's cybersecurity software protects these networks and monitors them for malicious activity.
Kistler expressed doubt that those physician offices would have had the same level of protection if left to fend for themselves. Medical groups and hospitals often consider cybersecurity costs when discussing the benefits of consolidation or affiliation. “We typically find those smaller practices and smaller hospitals are definitely lacking compared to some of the larger organizations,” he said.
Small practices and hospitals are responsible for protecting patient data just like their larger counterparts, but they struggle to afford tools beyond the minimal protection outlined by industry and federal standards.
But software developers would be foolish to price out smaller providers, since the tools depend on de-identified intelligence gained from threats found in other users' systems, said Arya Choudhury, chief information officer at Rockville, Md.-based Shady Grove Fertility, which has 35 physicians and 25 offices.
“With every single false positive or negative, they're learning, and this learning benefits everybody,” Choudhury said.
No matter how much the machines are learning, AI-based systems and other advanced technologies aren't going to supplant the need for human intelligence in the battle against healthcare cyberthreats—at least not any time soon.
“Will Watson replace people? Very strong no. It's going to help people who are drowning in data,” Kelley, the IBM adviser, said. “In healthcare, the risks get higher. Do we want the machines to make the decisions? Not yet.”
Pozhogin, the Kaspersky Lab expert, said healthcare organizations will always need people to acquire and manage the many different layers of security from different vendors. But the future, he said, will be more and more automated. “There will be less of a need for humans.”