HTN Now: Best practices with healthcare security and Network Detection and Response

For a recent HTN Now webinar, we were joined by Chad Holmes, security evangelist at Cynerio, who shared advice and best practices around how NHS trusts and health organisations can better secure their environments with Network Detection and Response (NDR).

Chad started out by looking at the risks around cyber attacks on healthcare organisations and health systems, focusing in on impacts such as increased mortality during ransomware attacks and the financial implications of having to pay a ransom to unlock systems or get back online.

“To protect our patients, we need to start investing more into the security of our environments, or these attacks will continue to happen,” he said.

Selecting an NDR for healthcare environments

Explaining the basics of NDR, Chad told us “you’re monitoring network traffic, you’re looking for attacks, and you’re responding to those attacks quickly and efficiently”. The goal, he says, “is to detect and stop attacks”.

Although it would be great to prevent attacks altogether, he continued, “we need to acknowledge that every now and then someone’s going to click on a phishing email, or something is going to be misconfigured”.

Selecting an NDR solution designed for healthcare is important, “as an NDR product built for protecting retail or investment banks does not operate the same as it would in a healthcare environment. For example, if you’re monitoring traffic flow from an infusion pump to a nurse’s station, that analysis is very different to what it might look like in a warehouse where you’re monitoring things that are getting shipped.”

Another thing to consider is resources, Chad went on, “as I’ve never spoken to a hospital which claims to have enough IT people, so we need to be sure we’re delivering technologies tailored to healthcare environments and their resource constraints – we need to offer some kind of management alongside that.”

Whilst trusts might have other technologies in place to detect unusual or malicious network traffic, those aren’t sufficient to secure their environment, Chad shared, “and they tend to have incredibly high false positive rates that require people to wade through lots of logs to find the needle in the haystack of attacks, and in hospitals that just isn’t realistic”.

The goal is “not to replace all of your systems with the one thing that solves all of your problems,” according to Chad, “but to take the environments and protections you already have, and extend them wherever possible to maximise the security you have with the least resources possible”.

Implementing an effective NDR

What has emerged from this is a raft of detection and response technologies, which are all reactive, but “provide that first line of defence once something has got in”, Chad told us. “Ideally you only get a couple of alerts from them, and it’s not uncommon for our customers only to hear from us once or twice a year, because we only publish attacks, we don’t publish high levels of false positives.”

Gaps remain within existing technologies such as endpoint detection response, which is based on physical devices “but doesn’t extend to medical devices – when you deploy those technologies it puts those devices at risk, because you can’t have those devices restarting in the middle of care”.

It’s also important to consider what would happen in the event of a failure in endpoint technologies, like the CrowdStrike outage. “The goal of NDR technologies is to complement those endpoint protections, whilst informing and enabling other detection response, like extended detection response, or managed detection response where you have a third party managing your environment.”

Chad went on to outline six core components that Cynerio focuses on for NDR: raw traffic capture and analysis; machine learning baseline and anomaly detection to identify malicious traffic; alert aggregation to group many alerts by individual attacks; automated insights on things like the types of malware detected; false positive reduction, with a live research team looking into potential issues to identify and filter false positive alerts; and integration and data sharing to feed into existing systems.
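As an added illustration (not Cynerio’s code or anything shown in the webinar), here is a toy Python version of three of those components in sequence: a per-device baseline of who each medical device normally talks to, anomaly detection against that baseline, an allowlist acting as a crude false-positive filter, and aggregation of the surviving alerts into one incident per device and port. The device names, hosts and flow records are constructed for the example.

```python
"""Toy NDR pipeline: baseline -> anomaly detection -> FP filter -> aggregation."""
from collections import defaultdict

# Constructed flow records (src_device, dst_host, dst_port) from a learning
# window; in a real deployment these would come from captured traffic.
BASELINE_FLOWS = [
    ("infusion-pump-01", "nurse-station-a", 443),
    ("infusion-pump-01", "nurse-station-a", 443),
    ("infusion-pump-01", "ntp.internal", 123),
    ("infusion-pump-02", "nurse-station-a", 443),
]

# Constructed live flows: pump-01 suddenly talks to three new hosts on 445,
# pump-02 only adds an NTP flow that was never in its own baseline.
LIVE_FLOWS = [
    ("infusion-pump-01", "nurse-station-a", 443),
    ("infusion-pump-01", "10.0.9.7", 445),
    ("infusion-pump-01", "10.0.9.8", 445),
    ("infusion-pump-01", "10.0.9.9", 445),
    ("infusion-pump-02", "nurse-station-a", 443),
    ("infusion-pump-02", "ntp.internal", 123),
]

# Stand-in for a "false positive reduction" rule: NTP to anyone is benign here.
ALLOWLISTED_PORTS = {123}


def build_baseline(flows):
    """Map each device to the set of (host, port) peers seen in the window."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def detect_anomalies(baseline, flows):
    """Raise one alert per flow that is outside the device's baseline."""
    alerts = []
    for src, dst, port in flows:
        if (dst, port) in baseline.get(src, set()) or port in ALLOWLISTED_PORTS:
            continue
        alerts.append({"device": src, "dst": dst, "port": port})
    return alerts


def aggregate(alerts):
    """Group alerts into incidents keyed by (device, port), one per campaign."""
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[(alert["device"], alert["port"])].append(alert["dst"])
    return {key: {"count": len(dsts), "targets": sorted(dsts)}
            for key, dsts in incidents.items()}


def run():
    return aggregate(detect_anomalies(build_baseline(BASELINE_FLOWS), LIVE_FLOWS))
```

Three raw alerts collapse into a single incident for infusion-pump-01 on port 445, while the pump-02 NTP flow is filtered out before it reaches anyone.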

Built on top of that technology and data flow is more in-depth functionality, Chad shared, “where we’re able to detect and contain post-breach activity. In one case we saw a microbial detection unit in a lab had been infected, and we were able to quarantine that and investigate it. We’re also able to monitor network traffic, investigate unusual activity, report behavioural anomalies, and inform automated responses.”

When an attack is identified, Chad said that the Cynerio team will automatically start looking at a response that should be implemented, and provide guidance with human support available for teams as needed.

Chad pointed our audience toward Cynerio’s NDR Buyer’s Guide for more information.

Ways to improve NDR adoption in healthcare

When it comes to improving NDR adoption in healthcare, Chad shared six areas of focus, including understanding that “we can’t use old protections against the new threats we’re seeing”; determining the best way NDR can fit into healthcare environments; defining goals and “good-ness” of NDRs; ensuring effectiveness for the environment; and overcoming barriers to adoption.

Chad also highlighted barriers to adoption that need to be considered, including a lack of internal cybersecurity culture, issues with leadership buy-in, workforce gaps in the expertise required for successful adoption, and missing in-house expertise.

“We need to make sure it’s effective at assessing risk; because if everything is an emergency, then nothing is an emergency,” Chad told us, “and we need to make sure what’s being recorded and the way it’s being recorded is useful, as well as that you’ve got response playbooks offering clear guidance to remediate.”

We’d like to thank Chad for his time in sharing his insight with us on this topic.