Modernizing Information Security for Healthcare

I had the pleasure of speaking at the Boston Security Meetup last night, which was held at Google’s Cambridge offices (thanks, guys!). Roy Wattanasin presented on some of the trends and changes we’ve experienced over the past year in the healthcare information security space, and Jen Andre walked through a great set of points on how to think about and ensure security when using Docker; both were fantastic looks at how the security landscape is rapidly evolving.

I also talked about how healthcare organizations can (read: must) modernize their security practices. The slides (“Modernizing Healthcare Information Security”) are available online, but I wanted to underscore a few points that generated some especially interesting questions from the audience, and also go a bit deeper into how to put the suggestions I covered into practice.

Healthcare information security breaches are on the rise.

One of the first points that came up was that the healthcare information security space is increasingly important on the basis of data breach statistics alone:


As of June 30, 2015, the vast majority of data breaches that have been reported on have been in the healthcare space; compared to 2014’s statistics, this is approximately a 2x growth in PHI theft in a 12-month period. Much of this comes from the Anthem, Premera, and CareFirst breaches, which we’ve written about previously, and we believe it represents the beginning of a trend.

You can’t prevent breaches by reading log files.

We’re living in a moment when we have tremendous capabilities around log file aggregation and analysis; SIEM solutions (e.g., Splunk) make it easy for IT and IS teams to pull together their log file data from across their entire organization and view it through many different lenses, including security.

This is a good thing, and yes, you should be considering how to integrate a tool like this into your infrastructure. However, log file analysis is by definition reactive; prevention is proactive. We know from the 2015 DBIR that there is a serious breach detection deficit in the cybersecurity space (that is, an attacker can typically penetrate a network in less than 24 hours, but it takes more than a week to detect these attacks):


Forensic analysis and monitoring are essential, but they cannot address this problem; what’s needed is earlier-stage breach detection.

Early stage breach detection means seeing and stopping spear phishing and anomalous authentication events.

Consider the DNA of a typical attack:


Most attackers today begin their breach attempts by launching large-scale spear phishing campaigns, backed by significant technical infrastructure. Research shows that by sending just 10 emails to an organization, the chances of a successful account compromise rise by 90%; simply educating users is insufficient if your goal is to find and prevent these kinds of attacks.

Likewise, savvy attackers know that information security professionals are drowning in logs and data; waiting just 72 hours from account compromise to privilege escalation significantly reduces the likelihood that their efforts will be automatically detected. Anomalous authentication and authorization events often get overlooked, because most security teams are ill-equipped to “quantify normal” and know what an anomaly actually looks like.
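To make “quantify normal” concrete, here is an added example (not from the talk and not GreatHorn's implementation) that builds a per-user login baseline, flags logins that deviate from it, and ties later privilege changes back to them. The event format, user names, networks and thresholds are all constructed assumptions; the point is that a one-day correlation window misses an escalation delayed past 72 hours, while a seven-day window catches it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the post): timestamp, user, event, source network.
EVENTS = [
    ("2015-06-01T08:58", "asmith", "login", "10.1.4.0/24"),
    ("2015-06-02T09:05", "asmith", "login", "10.1.4.0/24"),
    ("2015-06-02T08:30", "bjones", "login", "10.1.7.0/24"),
    ("2015-06-15T03:12", "asmith", "login", "203.0.113.0/24"),
    ("2015-06-16T08:35", "bjones", "login", "10.1.7.0/24"),
    ("2015-06-16T10:00", "bjones", "priv_change", "10.1.7.0/24"),
    ("2015-06-18T04:30", "asmith", "priv_change", "203.0.113.0/24"),
]
CUTOFF = datetime(2015, 6, 8)  # logins before this date define each user's "normal"

def parse(events):
    return [(datetime.fromisoformat(ts), u, e, n) for ts, u, e, n in events]

def build_baseline(events, cutoff=CUTOFF):
    # Per-user source networks and login hours observed before the cutoff.
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for ts, user, event, net in parse(events):
        if event == "login" and ts < cutoff:
            base[user]["nets"].add(net)
            base[user]["hours"].add(ts.hour)
    return base

def anomalous_logins(events, baseline, cutoff=CUTOFF, hour_slack=2):
    # Post-cutoff logins from an unseen network or far from the user's usual hours.
    hits = []
    for ts, user, event, net in parse(events):
        if event != "login" or ts < cutoff:
            continue
        prof = baseline.get(user, {"nets": set(), "hours": set()})
        gaps = [abs(ts.hour - h) for h in prof["hours"]]
        odd_hour = all(min(g, 24 - g) > hour_slack for g in gaps)  # wraps at midnight
        if net not in prof["nets"] or odd_hour:
            hits.append((ts, user))
    return hits

def correlate(events, anomalies, lookback):
    # Pair each privilege change with the same user's anomalous logins in the window.
    out = []
    for ts, user, event, _ in parse(events):
        for a_ts, a_user in anomalies:
            if event == "priv_change" and a_user == user and timedelta(0) <= ts - a_ts <= lookback:
                out.append((user, (ts - a_ts) // timedelta(hours=1)))  # gap in whole hours
    return out

if __name__ == "__main__":
    print(correlate(EVENTS, anomalous_logins(EVENTS, build_baseline(EVENTS)), timedelta(days=7)))
```

The routine privilege change by the second user is never reported, because no anomalous login precedes it.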

Bridging this gap is a hard problem, but it’s also the exact problem that we’re solving with GreatHorn. Our machine learning infrastructure detects the earliest stages of attacks, and helps organizations see both spear phishing and anomalous user account behavior in real time, dramatically reducing the time it takes to see and stop intrusions BEFORE they result in data loss.

GreatHorn is designed to meet the needs of small and mid-sized healthcare organizations looking to prevent data loss; if protecting PHI is a priority for your team, give us a shout and we’d be happy to set up a trial of the platform.