Ransomware is reportedly no longer the most prevalent security threat across the healthcare sector, according to new research from Vectra, which found that attacks decreased during the second half of 2018.
The Vectra 2019 Spotlight Report on Healthcare found that internal human error and misuse occur far more often than hacking. A growing share of those errors stems from unmanaged devices and from the lateral movement that unmonitored device-to-device communication allows.
Based on data from the Attacker Behavior Industry Report (2019 RSA Conference Edition), researchers also observed network behaviors from a sampling of 354 opt-in enterprise organizations in healthcare and eight other industries.
Among the findings, the report noted that attackers hide command-and-control communications in healthcare networks using HTTPS tunnels. “Hidden HTTPS tunnels are the most common behavior detected in healthcare. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic. When attackers hide their command-and-control communications in HTTPS tunnels, it often looks like service provider traffic,” the report said.
Researchers also found that hidden domain name system (DNS) tunnels were commonly used to mask data exfiltration, because legitimate IT and security tools also communicate over DNS, which makes the malicious behavior hard to distinguish from normal activity.
The second most-common behavior consistent with data exfiltration in healthcare, according to the research, is the smash and grab. “This occurs when a large volume of data is sent to an external destination not commonly in use, in a short period of time.”
Security cameras, for example, legitimately push large volumes of video to a hosted cloud site in a short time, so smash-and-grab behavior can pass as normal operation for an IoT device. As a result, low-and-slow attackers are able to use that cover for obfuscation.
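The three behaviors described above (hidden HTTPS tunnels, hidden DNS tunnels and smash-and-grab exfiltration) can each be reduced to a heuristic over ordinary flow and DNS logs. The following is an added example, not code from Vectra or from the report, showing one way a defender might express those heuristics. The flow records, DNS queries, destination baseline and thresholds are all constructed for illustration and are assumptions, not values from the report.

```python
"""Constructed detection heuristics for the behaviors named in the Vectra
healthcare report: hidden HTTPS tunnels, hidden DNS tunnels and smash-and-grab
exfiltration. Example code, not Vectra's; every record below is constructed."""
import hashlib
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src, dst, dst_port, bytes_out)
FLOWS = [
    # a workstation contacting one external host every 60 s for two hours:
    # many sessions, long period, looks like ordinary encrypted web traffic
    *[(t, "10.0.1.15", "203.0.113.9", 443, 900) for t in range(0, 7200, 60)],
    # ordinary browsing: a couple of sessions to a baselined destination
    (100, "10.0.1.22", "198.51.100.3", 443, 20_000),
    (400, "10.0.1.22", "198.51.100.3", 443, 35_000),
    # smash and grab: 600 MB to a never-before-seen host within five minutes
    (5000, "10.0.2.40", "192.0.2.77", 443, 300_000_000),
    (5200, "10.0.2.40", "192.0.2.77", 443, 300_000_000),
    # a camera uploading to its usual cloud endpoint (baselined, so not flagged)
    (5100, "10.0.3.5", "198.51.100.50", 443, 400_000_000),
]
KNOWN_DESTINATIONS = {"198.51.100.3", "198.51.100.50"}  # constructed baseline

# Constructed DNS query log: (src, queried_name); the second host encodes
# data in long pseudo-random leftmost labels under one parent domain
DNS_QUERIES = [
    ("10.0.1.15", "www.example.com"),
    ("10.0.1.15", "mail.example.com"),
    *[("10.0.1.31", hashlib.sha256(str(i).encode()).hexdigest()[:32]
       + ".t.example.net") for i in range(40)],
]


def hidden_https_tunnels(flows, min_sessions=50, min_span=3600, max_jitter=0.2):
    """Flag (src, dst) pairs with many HTTPS sessions spread over a long period
    at a regular interval. Returns {pair: session_count}."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if port == 443:
            by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_sessions or times[-1] - times[0] < min_span:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        # low relative spread of inter-session gaps means a regular schedule
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged[pair] = len(times)
    return flagged


def smash_and_grab(flows, known, window=300, threshold=100_000_000):
    """Flag (src, dst) pairs sending more than `threshold` bytes within any
    `window` seconds to a destination outside the baseline. Returns
    {pair: largest_byte_total_seen_in_a_window}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, nbytes in flows:
        if dst not in known:
            by_pair[(src, dst)].append((ts, nbytes))
    flagged = {}
    for pair, recs in by_pair.items():
        recs.sort()
        start, total = 0, 0
        for ts, nbytes in recs:          # sliding window over sorted records
            total += nbytes
            while ts - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total > threshold:
                flagged[pair] = max(flagged.get(pair, 0), total)
    return flagged


def hidden_dns_tunnels(queries, min_unique=30, min_label_len=20):
    """Flag (src, parent_domain) pairs whose queries carry many unique, long
    leftmost labels. Legitimate tools use DNS this way too, so this is a lead
    for triage, not a verdict. Returns {pair: unique_label_count}."""
    per_parent = defaultdict(set)
    for src, name in queries:
        labels = name.split(".")
        if len(labels) < 3:
            continue
        per_parent[(src, ".".join(labels[-2:]))].add(labels[0])
    flagged = {}
    for key, subs in per_parent.items():
        if len(subs) >= min_unique and mean(map(len, subs)) >= min_label_len:
            flagged[key] = len(subs)
    return flagged


if __name__ == "__main__":
    print("hidden HTTPS tunnels:", hidden_https_tunnels(FLOWS))
    print("smash and grab:", smash_and_grab(FLOWS, KNOWN_DESTINATIONS))
    print("hidden DNS tunnels:", hidden_dns_tunnels(DNS_QUERIES))
```

On the constructed data the beaconing workstation is flagged as an HTTPS tunnel, the 600 MB transfer to the unknown host is flagged as smash and grab while the camera's upload to its baselined endpoint is not, and the host issuing forty long random labels under one domain is flagged as a DNS tunnel candidate. The destination baseline is what separates the camera from the exfiltration, which is the point the report makes about visibility into normal network behavior.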
“Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information,” said Chris Morales, head of security analytics at Vectra. “Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace.”