A New Study Looks at the Hidden Threats Within Network Traffic | Healthcare Informatics Magazine | Health IT | Information Technology

A New Study Looks at the Hidden Threats Within Network Traffic

August 30, 2016
by Mark Hagland
The Ponemon Institute and A10 Networks have released a new survey-based study that looks at a range of network traffic-related threats to data security in healthcare and other industries

On Aug. 29, the Traverse City, Mich.-based Ponemon Institute and the San Diego-based A10 Networks released a study, “Uncovering Hidden Threats Within Network Traffic,” produced for the Ponemon Institute by A10 Networks. The authors of the study have found that “The risk to financial services, healthcare and other industries stems from growing reliance on encryption technology.” Among the study’s key findings: 80 percent of organizations were victims of cyber attacks during the past year; nearly half of cyber attacks used malware hidden in encrypted traffic to evade detection; and 75 percent of IT experts surveyed admit malware could steal employee credentials from their networks.

The two organizations surveyed 1,023 “IT and IT security practitioners in North America and Europe, highlighting the overwhelming challenges these professionals face in preventing and detecting attacks on encrypted traffic in and out of their organizations’ networks.”

Key statements from the survey’s summary include the following:

>  “Half of all known cyberattacks used SSL encryption to evade detection in the last 12 months.”

>  “The inability to inspect encrypted traffic will compromise capacity to meet existing and future compliance requirements.”

>  “Most don’t believe their organization can properly inspect SSL traffic.”

>  “Encryption of inbound and outbound web traffic will continue to increase.”

>  “Use of SSL encryption to mask malicious activity will parallel this growth.”

>  “Three common barriers to implementing proper SSL inspection are a lack of security tools, insufficient resources, and performance degradation.”

>  “SSL bandwidth requirements diminish the effectiveness of existing security controls.”

Meanwhile, the report notes, “More than half of all respondents (62 percent) admit that their organization does not currently decrypt Web traffic. Why?” For 45 percent, the reason is insufficient resources; another 45 percent cited performance degradation. Still, among the 62 percent of respondents who said that their organization does not currently decrypt Web traffic, 51 percent said they planned to do so within the next 12 months.

Another challenge cited by respondents from across industries concerns inspection strategies. The survey found that “For organizations that are inspecting decrypted traffic, most haven’t found a seamless or cost-effective manner of implementing the process. Many,” the report noted, “are using a blend of commercial-grade solutions, in-house technology, and labor-intensive manual inspection.”

The survey found that, among those organizations that are inspecting decrypted traffic:

>  53 percent are making use of a commercial solution with Deep Packet Inspection (DPI)

>  44 percent are using a commercial solution that utilizes big data

>  35 percent are engaged in homegrown traffic monitoring

>  28 percent are resorting to manual inspection

What are IT and IT security leaders looking for in potential solutions? The survey found that they want the following:

> 79 percent are looking for SSL certificate management

>  68 percent want scalability

>  63 percent are looking for compliance requirements

>  62 percent want uptime, performance and security

>  54 percent desire multi-vendor security integration

Most significantly, the report found, “Although 75 percent of survey respondents say their networks are at risk from malware hidden inside encrypted traffic, roughly two-thirds admit that their company is unprepared to detect malicious SSL traffic, leaving them vulnerable to costly data breaches and the loss of intellectual property. Among the IT professionals responding to the survey, the largest percentage work in financial services, followed by healthcare and the public sector — three industries most in need of protecting sensitive data. Moreover, the threat is expected to get worse as the volume of encrypted data traffic continues to grow, with the majority of respondents expecting network attackers to increase their use of encryption over the coming year to evade detection and bypass controls. Many companies may be caught off guard, as their security solutions collapse under the weight of tremendous SSL vulnerabilities.”

Indeed, alarmingly, 80 percent of survey respondents said that their organization had already been victims of a cyberattack within the past 12 months, with nearly half reporting that the attack had leveraged SSL traffic to evade detection, while another 15 percent were unsure about that fact.

The survey, conducted online, with online and phone-based responses, encompassed all industries, with the largest group of respondents working in the banking and financial services industry, and with 11 percent each coming from healthcare and from government.

Shortly after the study was released online, Chase Cunningham, Ph.D., director of cyberthreat operations at A10 Networks, spoke with HCI Editor-in-Chief Mark Hagland regarding the results of the survey and the study’s broader implications, especially for healthcare.

Looking at a key result of the survey underlying the study—32 percent of respondents reported being “very concerned,” 36 percent were “concerned,” 22 percent were “somewhat concerned,” and only 9 percent were “not concerned,” that encrypted communications would leave their network vulnerable to hidden threats, how do you read that result?

The interesting point is that nearly half of the people who responded said that yes, we know there are bad things taking place using encrypted channels, and three-quarters of individuals don’t know exactly what’s going on. So they concede that there’s some sort of sickness, but most don’t know what it is, and that’s not good.

What is behind that gap?

There are two things going on there. On the one hand, business organizations have spent a lot of time and money putting in external defenses to keep the bad guys out. On the other hand, it’s likely that they have things already inside their environment, some kind of infection inside their network. And if you can’t look at encrypted traffic, you are missing anywhere from 30-40 percent of the traffic bouncing around your network. And how secure are you not knowing about almost half of the traffic taking place in your network? And interestingly, if you ask people why they’re not inspecting SSL traffic, it’s not that they don’t realize it’s important; it’s that they don’t have the technical capability to do it at scale or at speed.

What should we know about existing web-based attacks, and the ability of inspection of decrypted traffic, to figure out where the problems are?

Well, it used to be that web-based attacks used to be things that people did to say, “I can do this.” But the reality is that web traffic is of dominant importance, and if your organization can’t focus on the web-based application side of things, you’re missing a huge set of threats. Most organizations still use SSL Version 1, an old, outdated security protocol, though it’s better than nothing. You need to be able to look at SSL-encrypted traffic. So given that most enterprises’ websites have SSL traffic on them, but can’t analyze their traffic, how operationally functional are you?

The bad news is that healthcare is probably 10-15 years behind the power curve, compared to other industries, in this context. Government and financial services organizations have put together a pretty robust security portfolio, because they’ve been getting hammered for the past decade. Healthcare is just now getting to the point where they understand that they have to fix the security problems. But there’s a learning curve there, and it’s going to take a decade or more to catch up to banking and government.

Why do you believe that the healthcare industry is a full decade behind the financial services industry and government?

If you look at how fast technology is developing and is being deployed in healthcare space, healthcare IT leaders have to catch up there first, and then they have to understand that finance and government have been doing it and have been getting beaten up since 2000. So it will take at least six to eight years to play catch up.

What steps do healthcare IT leaders need to take to catch up, then?

The number-one thing is to start now. They can’t sit back and wait for requirements to come from the federal government. They should understand that this is paramount to the security of their business and how they take care of their patients. So they should start now and not wait. The second part of this is that you have to address your security relative to how the threat addresses you. You could spend a billion dollars on this, but if you don’t do it systematically in the right ways, with the right technologies, that actually stop threat actors, you won’t be successful. I often use the following metaphor: I talk about the zombie marathon, where I don’t have to outrun the zombies, I just have to run faster than the guy next to me, so that I don’t get eaten.

That’s a pretty colorful metaphor to use here.

Well, the reality is that if the bad guys go somewhere else, I’ve won. I don’t have to be the super-security emperor of the universe, I just have to make sure they go somewhere else.

So what are the first steps that healthcare IT leaders should be taking in all this?

Begin by understanding what’s bouncing around in your environment. You wouldn’t get on an airplane and expect it to fly if you only knew 70 percent of it was functional, right? And not only can you not throw solutions onto a problem, you also have to integrate services with what you have.

So you have to mesh your internal operations with outside consultant and vendor services and products?

Yes, that’s exactly right.

Do the IT leaders at healthcare organizations need to make use of security operations centers, or SOCs?

Yes; they need to go outside for SOC-type services; it’s not necessary, or even valuable, to try to create those services full-time, in-house. They should turn to a managed security services provider, an outsourced security provider. But most organizations don’t need to go off and staff up a security operations center; they need one from a consultant company.

One of the key problems in all this remains the vulnerability that patient care organizations face because of their countless number of end-users, and because of phishing strategies on the part of hackers, correct?

Yes; end-users will always be a pretty massive problem for any organization to manage. But it’s interesting that companies and organizations are trying to technically fix their way out of a problem that originates with humans. So if they’re not doing training of their workforce, they’re missing something very important.

Do you see anything unique about the end-user vulnerability in healthcare?

I think that it speaks to how far behind healthcare is, and the fact that medical people are concerned with helping patients. So the power curve is extremely vertical.

How can we combat the rise of ransomware?

The simplest way is to train your workforce to understand what you’re clicking on, because you could literally be the person who brings down your corporate network.

So it really comes down to basic, continual training of end-users, then?

I’m retired military, and in the military, we had a saying: train how you fight and fight how you train. So if you train your people to understand those threats, that’s very important.

Could you offer a few pieces of explicit advice around this to CIOs, CISOs, and other healthcare IT leaders?

Yes, work with the providers giving you technology to make sure that it addresses an actual threat space, and not just to plug a hole. You may not necessarily need the latest whiz-bang coordinated threat intelligence platform; you may really need something that helps you analyze your web traffic. And the most important thing is to move forward now. The worst possible thing is to sit back and assume that legislation will push them forward. It’s only going to get worse.

What will happen in the next five years in healthcare, around this subject?

I think that healthcare organizations will continue to get pummeled for years, and there will be growing problems before they catch up. And medical devices are a whole new area of threat. I’m waiting for the day when somebody gets the wrong dosage from a pump or that their pacemaker’s settings are wrongly set; it’s coming. Unfortunately, pain is the biggest teacher, and things will happen.

So you believe that some hackers could purposely try to maliciously harm patients, through the manipulation of medical devices?

Well, if somebody wanted to make something bad happen, my guess is that you could end up causing real physical harm to people, and that would be a really bad thing.

Is there anything you’d like to add?

Just that CISOs and others, if they are not able to look at SSL traffic and encrypted traffic bouncing around their network, they’re missing almost half of the traffic on their network. And why would you let that go when you don’t know what half of it is?

 

 



Florida Provider Pays $500K to Settle Potential HIPAA Violations

December 12, 2018
by Heather Landi, Associate Editor

Florida-based Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) to settle potential HIPAA compliance failures, including sharing protected health information with an unknown vendor without a business associate agreement.

ACH provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. ACH provided services to more than 20,000 patients annually and employed between 39 and 46 individuals during the relevant timeframe, according to OCR officials.

Between November 2011 and June 2012, ACH engaged the services of an individual that claimed to be a representative of a company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without the knowledge or permission of First Choice’s owner, according to OCR officials in a press release published last week.

A local hospital contacted ACH on February 11, 2014 and notified the organization that patient information was viewable on the First Choice website, including names, dates of birth and social security numbers. In response, ACH was able to identify at least 400 affected individuals and asked First Choice to remove the protected health information from its website. ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected.

According to OCR’s investigation, ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, and failed to adopt any policy requiring business associate agreements until April 2014. 

“Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information,” OCR officials stated in a press release.

In a statement, OCR Director Roger Severino said, “This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA.”

In addition to the monetary settlement, ACH will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

In a separate case announced this week, a Colorado-based hospital, Pagosa Springs Medical Center, will pay OCR $111,400 to settle potential HIPAA violations after the hospital failed to terminate a former employee’s access to electronic protected health information (PHI).

Pagosa Springs Medical Center (PSMC) is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employs more than 175 individuals.

The settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment, according to OCR.

OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA-required business associate agreement in place.

The hospital also agreed to adopt a substantial corrective action plan as part of the settlement, and, as part of that plan, PSMC has agreed to update its security management and business associate agreement, policies and procedures, and train its workforce members regarding the same.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” Severino said in a statement. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information. 

 


Eye Center in California Switches EHR Vendor Following Ransomware Incident

December 11, 2018
by Rajiv Leventhal, Managing Editor

Redwood Eye Center, an ophthalmology practice in Vallejo, Calif., has notified more than 16,000 patients that its EHR (electronic health record) hosting vendor experienced a ransomware attack in September.

In the notification to the impacted patients, the center’s officials explained that the third-party vendor that hosts and stores Redwood’s electronic patient records, Illinois-based IT Lighthouse, experienced a data security incident which affected records pertaining to Redwood patients. Officials also said that IT Lighthouse hired a computer forensics company to help them after the ransomware attack, and Redwood worked with the vendor to restore access to its patient information.

Redwood’s investigation determined that the incident may have involved patient information, including patient names, addresses, dates of birth, health insurance information, and medical treatment information.

Notably, Redwood will be changing its EMR hosting vendor, according to its officials. Per the notice, “Redwood has taken affirmative steps to prevent a similar situation from arising in the future. These steps include changing medical records hosting vendors and enhancing the security of patient information.”

Ransomware attacks in the healthcare sector continue to be a problem, but at the same time, they have diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a recent report from cybersecurity firm Cryptonite.


Report: 30 Percent of Healthcare Databases Exposed Online

December 10, 2018
by Heather Landi, Associate Editor

Hackers are using the Dark Web to buy and sell personally identifiable information (PII) stolen from healthcare organizations, and exposed databases are a vulnerable attack surface for healthcare organizations, according to a new cybersecurity research report.

A research report from IntSights, “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” gives an account of how hackers are tracking down healthcare personally identifiable information (PII) data on the Dark Web and where in the attack surface healthcare organizations are most vulnerable.

The report explores a key area of the healthcare attack surface, which is often the easiest to avoid—exposed databases. It’s not only old or outdated databases that get breached, but also newly established platforms that are vulnerable due to misconfiguration and/or open access, the report authors note.

Healthcare organizations have been increasingly targeted by threat actors over the past few years and their most sought-after asset is their data. As healthcare organizations attempt to move data online and increase accessibility for authorized users, they’ve dramatically increased their attack surface, providing cybercriminals with new vectors to steal personally identifiable information (PII), according to the report. Yet, these organizations have not prioritized investments in cybersecurity tools or procedures.

Healthcare budgets are tight, the report authors note, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection.

In this report, cyber researchers set out to show that the healthcare industry as a whole is vulnerable, not due to a specific product or system, but due to lack of process, training and cybersecurity best practices. “While many other industries suffer from similar deficiencies, healthcare organizations are particularly at risk because of the sensitivity of PII and medical data,” the report states.

The researchers chose a couple of popular technologies for handling medical records, including known and widely used commercial databases, legacy services still in use today, and new sites or protocols that try to mitigate some of the vulnerabilities of past methods. The purpose of the research was to demonstrate that hackers can easily find access to sensitive data in each state: at rest, in transit or in use.

The researchers note that the tactics used were pretty simple: Google searches, reading technical documentation of the aforementioned technologies, subdomain enumeration, and some educated guessing about the combination of sites, systems and data. “All of the examples presented here were freely accessible, and required no intrusive methods to obtain. Simply knowing where to look (like the IP address, name or protocol of the service used) was often enough to access the data,” the report authors wrote.

The researchers spent 90 hours researching and evaluated 50 databases. Among the findings outlined in the report, 15 databases were found exposed, so the researchers estimate about 30 percent of databases are exposed. The researchers found 1.5 million patient records exposed, at a rate of about 16,687 medical records discovered per hour.

The estimated black-market price per medical record is $1 per record. The researchers concluded that hackers can find a large number of records in just a few hours of work, and this data can be used to make money in a variety of ways. If a hacker can find records at a rate of 16,687 per hour and works 40 hours a week, that hacker can make an annual salary of $33 million, according to the researchers.

“It’s also important to note that PII and medical data is harder to make money with compared to other data, like credit card info. Cybercriminals tend to be lazy, and it’s much quicker to try using a stolen credit card to make a fraudulent purchase than to buy PII data and run a phishing or extortion campaign. This may lessen the value of PII data in the eyes of some cybercriminals; however, PII data has a longer shelf-life and can be used for more sophisticated and more successful campaigns,” IntSights security researcher and report author Ariel Ainhoren wrote.

The researchers used an example of a hospital using an FTP server. “FTP is a very old and known way to share files across the Internet. It is also a scarcely protected protocol that has no encryption built in, and only asks you for a username and password combination, which can be brute forced or sniffed by network scanners very easily,” Ainhoren wrote. “Here we found a hospital in the U.S. that has its FTP server exposed. FTP’s usually hold records and backup data, and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists.”

According to the report, hackers have three main motivations for targeting healthcare organizations and medical data:

  • State-Sponsored APTs Targeting Critical Infrastructure: APTs are more sophisticated and are usually more difficult to stop. They will attempt to infiltrate a network to test tools and techniques to set the stage for a larger, future attack, or to obtain information on a specific individual’s medical condition.
  • Attackers Seeking Personal Data: Attackers seeking personal data can use it in multiple ways. They can create and sell PII lists, they can blackmail individuals or organizations in exchange for the data, or they can use it as a basis for further fraud, like phishing, Smishing, or scam calls.
  • Attackers Taking Control of Medical Devices for Ransom: Attackers targeting vulnerable infrastructure won’t usually target healthcare databases, but will target medical IT equipment and infrastructure to spread malware that exploits specific vulnerabilities and demands a ransom to release the infected devices. Since medical devices tend to be updated infrequently (or not at all), this provides a relatively easy target for hackers to take control.

The report also offers a few general best practices for evaluating if a healthcare organization’s data is exposed and/or at risk:

  • Use Multi-Factor Authentication for Web Applications: If you’re using a system that only needs a username and password to log in, you’re making it significantly easier to access. Make sure you have MFA set up to reduce unauthorized access.
  • Tighter Access Control to Resources: Limit the number of credentials to each party accessing the database. Additionally, limit specific parties’ access to only the information they need. This will minimize your chance of being exploited through a 3rd party, and if you are, will limit the damage of that breach.
  • Monitor for Big or Unusual Database Reads: These may be an indication that a hacker or unauthorized party is stealing information. It’s a good idea to set up limits on database reads and make sure requests for big database reads involve some sort of manual review or confirmation.
  • Limit Database Access to Specific IP Ranges: Mapping out the organizations that need access to your data is not an easy task. But it will give you tighter control on who’s accessing your data and enable you to track and identify anomalous activity. You can even tie specific credentials to specific IP ranges to further limit access and track strange behavior more closely.
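
As an added illustration of the last two practices (this is not code from the IntSights report or from this article), the following Python sketch reviews a database read audit log and flags reads that exceed a hard row limit, are unusually large for that credential, or come from outside the IP range tied to the credential. The log format, credential names, IP ranges and thresholds are all constructed assumptions.

```python
import ipaddress
from statistics import median

# Constructed policy: each credential is tied to the IP ranges it may read from.
ALLOWED_RANGES = {
    "billing_svc": ["10.20.0.0/24"],
    "lab_partner": ["198.51.100.0/28"],
}
HARD_ROW_LIMIT = 5000   # assumed: reads above this go to manual review
BASELINE_FACTOR = 10    # assumed: "unusual" means 10x the credential's median read
MIN_HISTORY = 3         # do not judge against a baseline until 3 clean reads exist

# Constructed audit log: timestamp credential source_ip table rows_read
SAMPLE_LOG = """\
2018-12-10T08:00:01Z billing_svc 10.20.0.15 invoices 120
2018-12-10T08:05:09Z billing_svc 10.20.0.15 invoices 95
2018-12-10T08:09:30Z lab_partner 198.51.100.4 lab_results 40
2018-12-10T08:11:42Z billing_svc 10.20.0.16 invoices 110
2018-12-10T08:30:00Z billing_svc 10.20.0.15 patients 2400
2018-12-10T09:02:17Z lab_partner 203.0.113.77 lab_results 35
2018-12-10T09:15:55Z billing_svc 10.20.0.15 patients 16687
2018-12-10T09:20:00Z unknown_user 10.20.0.99 patients 10
malformed line without enough fields
"""


def ip_allowed(credential, src_ip):
    """True if src_ip falls inside a range tied to this credential."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparseable address is never allowed
    ranges = ALLOWED_RANGES.get(credential, [])
    return any(addr in ipaddress.ip_network(cidr) for cidr in ranges)


def review_reads(log_text):
    """Return (line_number, credential, reasons) for every read needing review."""
    history = {}   # credential -> row counts of earlier reads that raised no flag
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            # Lines the parser cannot read are surfaced, not silently dropped.
            findings.append((lineno, None, "unparsed"))
            continue
        _ts, cred, src_ip, _table = parts[:4]
        rows = int(parts[4])

        reasons = []
        if cred not in ALLOWED_RANGES:
            reasons.append("unknown-credential")
        elif not ip_allowed(cred, src_ip):
            reasons.append("ip-outside-range")
        if rows > HARD_ROW_LIMIT:
            reasons.append("over-row-limit")
        past = history.get(cred, [])
        if len(past) >= MIN_HISTORY and rows > BASELINE_FACTOR * median(past):
            reasons.append("unusual-for-credential")

        if reasons:
            findings.append((lineno, cred, ",".join(reasons)))
        else:
            # Only unflagged reads feed the baseline, so one large theft
            # cannot raise the threshold for the next one.
            history.setdefault(cred, []).append(rows)
    return findings


if __name__ == "__main__":
    for finding in review_reads(SAMPLE_LOG):
        print(finding)
```

The 2,400-row read on line 5 stays under the hard limit but is still flagged because it is far above that credential's own history, which is the case a single fixed limit misses.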

 
