A healthcare organization in the United States faced serious regulatory and security challenges after a recent IT review. Although the organization had well-defined security tiers (segmenting DMZ, application, database, and storage) and strong entitlement and authorization policies, auditing all of the devices was an overwhelming task. Many of their medical systems and devices could not run agents or had operating systems without access to log data. Further, attacks on embedded systems throughout the world had the security team concerned that these seemingly hardened systems were actually a blind spot for security attacks. Eventually the team set up an entire office dedicated to onsite auditors.
Meanwhile, news agencies carried ominous headlines as a SANS-Norse report on cyber attacks at healthcare organizations was released. According to the report, 375 healthcare organizations were currently compromised, with more expected as hackers targeted the growing amount of patient information from federal and state healthcare exchanges.
- Avoid never-ending onsite audits.
- Easily detect attacks or data leakage that the security policies miss.
- Verify the effectiveness of the existing security infrastructure, firewall rules, and compliance measures.
The network administrators suggested using the ExtraHop platform and its wire data capabilities to solve the auditing, detection, and data leakage issues. The security team immediately grasped the significance of having wire data to back up the existing tiers of defenses in their security infrastructure.
For the initial rollout of the ExtraHop platform, the team monitored for spikes in internally generated failed authentication events, which can signal a brute-force or password-guessing attempt. One of the team's greatest concerns had been a compromised host being used as a staging ground for attacks from the inside, where the perimeter firewall offers no protection. An ExtraHop authentication dashboard provided real-time insight. Because the platform learns normal activity automatically and also supports rule-based thresholds and alerts for anomalous events such as excessive failed network logins, the security team gained a way to detect such attacks at the wire level, independent of whether the hosts involved could produce logs.
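The detection logic the dashboard above relies on, as an added example that is not ExtraHop code: failed logins seen on the wire are bucketed per internal source host, and an alert is raised either when a fixed rule threshold is exceeded or when the latest window is well above that host's own learned baseline. The network ranges, the window size, the thresholds and the authentication records are all constructed assumptions for the illustration.

```python
# Added example, not ExtraHop code: a spike detector for failed logins from
# internal hosts, modelling the two alert sources the text describes (a learned
# per-host baseline and a fixed rule threshold) over constructed auth records.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumption: RFC 1918 space is "internal"; adjust to the organisation's tiers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class AuthEvent:
    """One login attempt as reconstructed from the wire (e.g. LDAP or Kerberos)."""
    ts: datetime
    src: str        # client IP address
    user: str
    success: bool


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def bucket_failures(events, window, start):
    """Count failed logins per internal source in fixed time windows.

    Returns ({src: {window_index: failures}}, {src: {window_index: {users}}}).
    Successful logins and external sources are ignored: the concern here is an
    internal host being used as a staging point."""
    counts = defaultdict(lambda: defaultdict(int))
    users = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.success or not is_internal(ev.src):
            continue
        idx = (ev.ts - start) // window
        counts[ev.src][idx] += 1
        users[ev.src][idx].add(ev.user)
    return counts, users


def detect_spikes(events, window=timedelta(minutes=5), rule_threshold=20,
                  min_history=4, sigmas=3.0, floor=5):
    """Flag internal sources whose failures in the latest window are anomalous.

    Two independent tests, either of which raises an alert:
      rule:     failures >= rule_threshold (catches a loud brute force outright)
      baseline: failures > mean + sigmas * stddev of this host's earlier windows
                (catches a host that is suddenly busier than its own norm)
    The baseline is only used once min_history windows exist, and never drops
    below `floor`, so a single mistyped password on a quiet host does not alert."""
    if not events:
        return []
    start = min(ev.ts for ev in events)
    last = (max(ev.ts for ev in events) - start) // window
    counts, users = bucket_failures(events, window, start)
    alerts = []
    for src, per_window in counts.items():
        current = per_window.get(last, 0)
        history = [per_window.get(i, 0) for i in range(last)]  # zero-filled
        reasons = []
        if current >= rule_threshold:
            reasons.append(f"rule: {current} >= {rule_threshold}")
        if len(history) >= min_history:
            baseline = max(floor, mean(history) + sigmas * pstdev(history))
            if current > baseline:
                reasons.append(f"baseline: {current} > {baseline:.1f}")
        if reasons:
            alerts.append({"src": src, "failures": current,
                           "distinct_users": len(users[src].get(last, ())),
                           "reasons": reasons})
    return alerts


def sample_events():
    """Constructed data: six quiet 5-minute windows, then one noisy one."""
    t0 = datetime(2024, 1, 15, 8, 0)
    w = timedelta(minutes=5)
    events = []
    for i in range(6):
        # 10.1.1.5: one or two typos per window; 10.1.1.9: steadily two.
        for k in range(1 + i % 2):
            events.append(AuthEvent(t0 + i * w + timedelta(seconds=k), "10.1.1.5", "alice", False))
        for k in range(2):
            events.append(AuthEvent(t0 + i * w + timedelta(seconds=10 + k), "10.1.1.9", "svc_backup", False))
        events.append(AuthEvent(t0 + i * w + timedelta(seconds=30), "10.1.1.5", "alice", True))
    # Window 6: 10.1.1.5 sprays six accounts, five attempts each; an external
    # host hammers too, but is out of scope for this internal-host detector.
    for k in range(30):
        events.append(AuthEvent(t0 + 6 * w + timedelta(seconds=k), "10.1.1.5", f"user{k % 6}", False))
    for k in range(2):
        events.append(AuthEvent(t0 + 6 * w + timedelta(seconds=40 + k), "10.1.1.9", "svc_backup", False))
    for k in range(50):
        events.append(AuthEvent(t0 + 6 * w + timedelta(seconds=60 + k), "203.0.113.7", "admin", False))
    return events


if __name__ == "__main__":
    for alert in detect_spikes(sample_events()):
        print(alert)
```

Running it reports a single alert for 10.1.1.5 (30 failures against six distinct accounts, tripping both the rule and the baseline), while 10.1.1.9, whose two failures per window are its normal service-account behaviour, stays quiet. The distinct-user count is what separates a password spray from one user who forgot a password, and is worth surfacing on any such dashboard.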
Next, they tackled the devices. Medical devices such as radiological imaging systems, medication management systems, and electrocardiogram systems had always presented a huge challenge. To maintain FDA certification, such systems cannot have third-party software, including monitoring agents, installed on them after shipment. Because the ExtraHop platform passively analyzes a copy of the network traffic, it can observe any device on the network, including Medical Device Data Systems (MDDS), without installing anything on the device itself; the FDA constraint therefore did not apply and no agents had to be deployed. Using a dashboard that compares current with historical traffic, the security team now had a real-time view into the behavior of the medical devices and a way to notice a device that starts talking to new peers or in unusual volumes. Also, the platform's ability to add new protocols using Universal Payload Analysis let the security team chart the actual messages exchanged by some of the devices, not just their connection counts.
Finally, they looked at their firewall configuration. Using an ExtraHop Application Inspection Trigger, the organization saw connections to data-sharing sites and other destinations that were supposed to be blocked, which is direct evidence that the deployed rules did not match the intended policy. Empowered by this new information, the IT team modified the firewall configuration and then confirmed from the wire data that the offending connections had stopped, rather than taking the configuration change on trust.
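What that check amounts to, as an added example that is not ExtraHop trigger code: each connection observed on the wire is evaluated against the firewall policy the organization intends to enforce (first matching rule wins, default deny), and any observed flow the policy would have denied is a violation. Re-running the audit after the firewall change and getting no violations is the confirmation step. The tier addressing, the rules and the observed flows are constructed assumptions.

```python
# Added example, not ExtraHop trigger code: check flows observed on the wire
# against the firewall policy the organisation intends to enforce, using
# first-match ACL semantics and a default deny. Tiers and addresses are assumed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One observed connection (client -> server), as wire data reports it."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    name: str = ""

    def matches(self, flow: Flow) -> bool:
        return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


# Assumed tier addressing: DMZ 10.10.0.0/24, application 10.20.0.0/24,
# database 10.30.0.0/24, internal patch proxy 10.40.0.10. Anything not
# listed here, including direct internet access from any tier, is denied.
INTENDED_POLICY = [
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", "tcp", 443, "dmz-to-app"),
    Rule("allow", "10.20.0.0/24", "10.30.0.0/24", "tcp", 1433, "app-to-db"),
    Rule("allow", "10.20.0.0/24", "10.40.0.10/32", "tcp", 8080, "app-to-proxy"),
]


def evaluate(flow, rules, default="deny"):
    """First matching rule wins, like a typical firewall ACL."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "default"


def audit_flows(flows, rules=INTENDED_POLICY):
    """Return (flow, matched_rule) for observed flows the policy would deny.

    Seeing such a flow on the wire is evidence that the deployed firewall
    configuration does not match the policy; an empty result after a change
    is the confirmation that the change actually took effect."""
    violations = []
    for flow in flows:
        action, name = evaluate(flow, rules)
        if action != "allow":
            violations.append((flow, name))
    return violations


def sample_flows_before():
    """Constructed observations before the firewall change."""
    return [
        Flow("10.10.0.4", "10.20.0.5", "tcp", 443),       # fine: dmz-to-app
        Flow("10.20.0.5", "10.30.0.8", "tcp", 1433),      # fine: app-to-db
        Flow("10.20.0.5", "198.51.100.20", "tcp", 443),   # app server to a public sharing site
        Flow("10.30.0.8", "203.0.113.9", "tcp", 443),     # database server straight to the internet
        Flow("10.10.0.4", "10.30.0.8", "tcp", 1433),      # DMZ host skipping the app tier
    ]


def sample_flows_after():
    """Constructed observations after the rules were corrected: only the
    two legitimate flows are still seen."""
    return sample_flows_before()[:2]


if __name__ == "__main__":
    for flow, rule in audit_flows(sample_flows_before()):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} (matched: {rule})")
    print("after change:", audit_flows(sample_flows_after()))
```

The before-change audit reports three violations, including a database server reaching the internet directly, which is exactly the kind of tier-crossing traffic the segmentation in the IT review was meant to prevent. Note that the audit is only as good as the policy model: encode the rules as they are meant to be, not as copied from the firewall, or the comparison proves nothing.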
With a comprehensive and real-time view into the network, the security team was able to create a more manageable workload for themselves and the auditors, and ultimately eliminated the need for a dedicated onsite auditing office.