Monitoring Packets is Contact Tracing for Cybersecurity

Cyberattacks have a significant negative impact on system availability, which is critical for patient care. No single security solution will prevent attacks, so a layered approach is needed. One tool that is often overlooked is packet monitoring, which can be used to detect attacks early, find infrastructure vulnerabilities, and improve availability.

Availability not Uptime

In healthcare, one of the most important IT metrics is availability – the % of time that your systems are available when and where clinicians or other users need to access them. Availability is different from uptime, which only measures whether a piece of infrastructure (a server, a database, a device) is running and responding to a basic ping.

Availability means that the application running on top of that hardware is functioning such that users can access the critical information inside. Availability, not uptime, is what IT departments strive for.

There are many things that impact availability, but one of the biggest threats is cyberattacks.

Cyberattacks Threaten Availability

Healthcare systems are vital to patient care. Patient data in the EHR is critical, but so too is the internal clinician communication system, the alarm monitoring system, the claims processing application, and the payroll platform. If any of these systems are not available, care becomes extremely difficult to deliver.

In recent years cybercriminals have put healthcare in their crosshairs with ransomware. This is partly because healthcare data is valuable on the dark web and because the industry has proven to be a soft target that is more willing to pay the ransom compared to other industries like finance and telecommunications. A report released earlier this year by the US Department of Health and Human Services and the Office of Information Security highlighted the increase in ransomware:


Triple-Extortion Attacks

Cybercriminals are becoming more sophisticated in their attacks. They are now combining:

  • Ransomware
  • Denial of service
  • Data theft

…in a new form of triple-extortion attack.

Healthcare IT Today sat down with Ken Czekaj, CISSP, Problem Solver at NETSCOUT, to find out more about this new type of attack and to learn what healthcare organizations can do to protect themselves.

“In this type of attack, adversaries have already penetrated the perimeters of the hospital’s system,” explained Czekaj. “Once inside, these adversaries can get to valuable data and extract it. Then they post a sample of it online to show the organization that they have indeed been compromised. The adversaries then demand payment or they will release the data.”

At the same time, the adversaries post a specific date and time that they will launch a denial of service attack should the payment not go through.

Layered Approach

To protect themselves, Czekaj strongly recommends that healthcare organizations adopt the current best practice of “defense-in-depth” – a multi-layered approach to cybersecurity that blends multiple tools and processes.

“The more tools, the more controls you have, the harder you make it for an adversary to get through,” said Czekaj.

This layered approach includes, but is not limited to:

  • Developing and aggressively maintaining an enterprise asset inventory
  • Promptly upgrading and maintaining operating systems and applications
  • General cybersecurity training for staff and specialized training for IT teams
  • Testing and maintaining recovery plans
  • Investing in the necessary cybersecurity hardware & software

Packet Monitoring Is Effective

One effective tool for healthcare organizations is monitoring application network traffic (aka packets).

“This is what we’re doing at NETSCOUT to complement other cybersecurity controls,” said Czekaj. “We can track and monitor network traffic. We can see data as it comes in and where it goes. We record everything in our database so that when you’ve been compromised we can see where the attackers came in and where they went.”

In a way, packet monitoring makes it possible to perform contact tracing from a cybersecurity perspective. Using the metadata from the packets and other information, NETSCOUT makes it possible to reconstruct the vector of attack, thus revealing the vulnerabilities that are present.

Packet monitoring can also help organizations identify cybersecurity issues. Czekaj explained how: “Users can quickly look at a dashboard and say: ‘Hmmm, I’m in Ohio, why is my organization talking to North Korea today’. That’s not a good thing. With the tools, you can quickly drill into that and see exactly who it is and you can put the proper blocks and countermeasures in place.”
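As an added example (not NETSCOUT's code or the page's own), the checks Czekaj describes run over constructed flow metadata: indicator matching, the geographic "why is my organization talking to that country" check, retroactive replay of a later-published indicator against data already recorded, and tracing which internal hosts a compromised machine reached afterwards. The flow records, indicator list and country table are all constructed placeholders built from RFC 5737 documentation addresses.

```python
"""Added example, not NETSCOUT's code: triage checks over recorded flow
metadata. Every address is an RFC 5737 documentation address; the indicator
list and country table are constructed placeholders, not real data."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str   # application protocol as labelled by the sensor


# Constructed sample of recorded flow metadata, in time order.
FLOWS = [
    Flow(1000, "203.0.113.7", "10.0.0.5", 3389, "rdp"),   # inbound RDP from outside
    Flow(1060, "10.0.0.5", "10.0.0.9", 445, "smb"),       # that host then talks SMB
    Flow(1120, "10.0.0.5", "10.0.0.12", 22, "ssh"),       # ...and SSH to another host
    Flow(1300, "10.0.0.20", "198.51.100.4", 443, "tls"),  # outbound to an unexpected country
    Flow(1400, "10.0.0.21", "192.0.2.8", 443, "tls"),     # ordinary outbound traffic
]

# Constructed threat feed: a placeholder indicator, not a real IoC.
IOC_IPS = {"203.0.113.7"}

# Constructed geolocation table; a real deployment would query a GeoIP database.
GEO = {
    ip_network("192.0.2.0/24"): "US",
    ip_network("198.51.100.0/24"): "ZZ",  # ZZ stands in for an unexpected country
    ip_network("203.0.113.0/24"): "ZZ",
}
INTERNAL = ip_network("10.0.0.0/8")


def country_of(ip: str) -> str:
    addr = ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    return next((cc for net, cc in GEO.items() if addr in net), "unknown")


def match_iocs(flows: Iterable[Flow], iocs: set[str]) -> list[Flow]:
    """Flows with either endpoint on the indicator list."""
    return [f for f in flows if f.src in iocs or f.dst in iocs]


def unexpected_countries(flows: Iterable[Flow], allowed: set[str]) -> list[tuple[Flow, str]]:
    """The dashboard check: external endpoints outside the countries we expect."""
    hits = []
    for f in flows:
        for ip in (f.src, f.dst):
            cc = country_of(ip)
            if cc != "internal" and cc not in allowed:
                hits.append((f, cc))
    return hits


def replay_indicator(flows: Iterable[Flow], new_ioc: str) -> list[Flow]:
    """Retroactive search: an indicator published after the fact (the zero-day
    case) is run against metadata that was already recorded."""
    return match_iocs(flows, {new_ioc})


def lateral_movement(flows: Iterable[Flow], iocs: set[str]) -> dict[str, list[tuple[str, str]]]:
    """For each internal host first reached from an indicator, the internal
    connections it opened afterwards, with the protocol used for each."""
    ordered = sorted(flows, key=lambda f: f.ts)
    entry: dict[str, int] = {}
    for f in ordered:
        if f.src in iocs and ip_address(f.dst) in INTERNAL:
            entry.setdefault(f.dst, f.ts)
    trace: dict[str, list[tuple[str, str]]] = {}
    for f in ordered:
        if f.src in entry and f.ts > entry[f.src] and ip_address(f.dst) in INTERNAL:
            trace.setdefault(f.src, []).append((f.dst, f.proto))
    return trace


if __name__ == "__main__":
    print("indicator hits:", match_iocs(FLOWS, IOC_IPS))
    print("unexpected countries:", unexpected_countries(FLOWS, {"US"}))
    print("replayed indicator:", replay_indicator(FLOWS, "198.51.100.4"))
    print("lateral movement:", lateral_movement(FLOWS, IOC_IPS))
```

The lateral-movement trace is what makes the protocol switch Czekaj mentions visible: the host entered over RDP is then seen opening SMB and SSH sessions inward, each one a candidate for a block or an investigation.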

Watch the full interview with Ken Czekaj to learn:

  • Why “lateral movement” is so hard to track yet so critical to identifying vulnerabilities
  • The three steps healthcare CIOs can take right away to improve their defenses
  • How availability can be measured

Learn more about NETSCOUT: https://www.netscout.com/

Listen and subscribe to the Healthcare IT Today Interviews Podcast to hear all the latest insights from experts in healthcare IT.

And for an exclusive look at our top stories, subscribe to our newsletter.

NETSCOUT is a proud sponsor of Healthcare Scene.

Transcript

[00:00:09] Colin Hung: Hello and welcome to Healthcare IT Today where we explore the latest in healthcare technology trends and discover valuable insights in health IT. I’m Colin Hung and joining me today is my friend Ken Czekaj, problem-solver and CISSP at NETSCOUT. Ken, welcome back to the program.

[00:00:27] Ken Czekaj: Thank you, Colin. Appreciate you having me back again.

[00:00:31] Colin Hung: Ken, since the last time you and I spoke, you have added a designation. You’ve achieved that certification, the CISSP. Can you explain what that is?

[00:00:41] Ken Czekaj: I did. I did. I call it a “nerd cert” in my family because nobody knows what I do anyway. A CISSP is a Certified Information System Security Professional certification from the ISC organization.

[00:00:53] Colin Hung: That’s actually pretty appropriate, given what you and I are going to talk about today. I think that’s going to be directly related to that certification.

[00:01:01] Ken Czekaj: I think it’ll probably help. I really do. All this study had to come into play somewhere.

[00:01:07] Colin Hung: Okay, so what I want to talk to you about today is…well, right now we’re emerging from the pandemic. We’re starting to see people starting to come back to healthcare, but there’s still this giant backlog of patients that we’re trying to work our way through. And there’s still this group of patients out there who are still a little bit nervous coming back to the healthcare system, or they’ve maybe just gone without care for so long they’re like, “oh, maybe I don’t need it.”

So healthcare is really trying to work very hard to bring people back in. And my operating theory is: when you’re trying to bring people back in and in some cases regain their trust, the last thing you want is your systems not to be available or not to be up because if I’m going to try and book something online and I can’t do that, or if the doctor is saying that they can’t access the medical record because of some system issue, then you’re just basically eroding all the trust that you’re trying to build up with your patients.

[00:02:05] Ken Czekaj: So true. So true. Patient experience is everything.

[00:02:10] Colin Hung: You and I were talking before Ken and you corrected me on something. I was saying that uptime is what we really want for our systems and you’re like, no, no, no Colin. That’s not actually what you want. Can you maybe explain to the audience what you meant by that correction?

[00:02:26] Ken Czekaj: That’s a good point. Especially coming from a network background, people think from an IT perspective, that uptime, means well, is the device up? Is the server up? Is the application up? And again, up is good. That’s certainly a good metric, but really the one that’s more conducive towards measuring for patients would be availability.

And the example I would use is because, especially in today’s world where you’ve got multi-tiered applications, you’ve got hybrid cloud applications working in your data center with database, with patient care. The idea of availability is actually more important because I can ping a router, switch or server and is it up? I pinged it and did it come back to me? It did. That’s fantastic. That’s great. Is it working though?

Think of your infrastructure pieces: routers, switches, servers, those are more important. It’s a good measurement for uptime. But availability, think of the applications that ride on that infrastructure. What I need to know is not only, number one, are they up? That’s like the first metric, which is great, but the second is probably more important is availability.

And the reason for that is: that when the patient logs into the website, I need to know that not only that the web server is up, I need to know that it’s available and answering the calls.

We’ve all gotten on our browser, typed in a URL and gotten a 404 error and said “oh my goodness, the URL is not available” but in that case, the server was actually up, but the URL is not available.

So availability of the applications, the database, the middleware, and the medical devices that all plays into it. Availability is what we find to be more difficult to track. It’s one thing to do a typical ping – okay pinging the router or pinging the switch – yes it’s up, it’s working, it’s great. Or an agent that says, Hey, I’m answering. We’re good.

But to know that it’s not working well. That the performance is degraded. That is where it gets a little bit grey. That’s where we spend most of our time.

[00:04:16] Colin Hung: Ken, how do you measure availability? Is that done through special tooling? Is that done through special software? How is that done?

[00:04:24] Ken Czekaj: I think everybody does it a little bit differently. I mean, obviously everybody can leverage an SLA, especially if you have third-party vendors. They’ll have specific SLAs on specific things like response time from point A to point B…not only on layer two, but getting through the actual network and the wire, but then also responses back from the server and the application. Where we typically get involved on our side of availability is measuring between the web server, the application server, the database server, and the network all together and even with the cloud as well.

It’s not just what we would call “layer two” latency, which is from point A to point B just raw – how long does it take to get a packet from here to there? That’s the first part of it. But on the availability side, not just how long that packet took, but I really need to know is whether that web server is talking to the application server and the database server – and no one is spitting out errors because if they’re spitting out errors, they’re not doing what they’re designed to do.

That affects the caregiver and, like you brought up, actually can affect the patient experience even more. We’ve actually had to help customers with challenges like that.

[00:05:35] Colin Hung: What sort of things can really impact availability? You’ve done a lot of work in healthcare, are there some common things that really impact the availability of certain systems?

[00:05:47] Ken Czekaj: Again, it’s going to depend a little bit on each customer’s environment – the type of gear they use, Windows versus Linux, different router platforms/vendor platforms. But basically, uptime from a network perspective is going to be more “is this device up?”…that type of thing.

But once you get into the layer on top of the actual infrastructure, that’s actually the patient-facing application and that can be a big environment. It could be a storage array. It could be a bunch of virtualized servers. It could be in the cloud. There’s lots of different variables. That’s why I believe it’s so much harder to get to the availability metric and how to measure it when it’s out of bounds. I want to know when I’m spinning so many errors out.

When my patient logs into a website, if it’s actually spitting errors about it, I want to know about that right away. But different platforms, different ways software’s written…there’s just different ways that it is measured and…from my experience there has been some continuity between health systems and applications, but they’re all just a little bit different from each other.

[00:06:54] Colin Hung: I’m not a cybersecurity expert or anything like that, but in my mind, it seems to me that one factor would be not patching and not updating the systems that you’re using, frequently enough. And therefore, having outdated systems and compatibilities can lead to some of these errors that you’re talking about. Is that a true statement?

[00:07:15] Ken Czekaj: Absolutely could be a true statement. I mean, patching and vulnerabilities is a big deal. And the adversaries, the bad guys, they change their tactics every day. That’s part of their job and they’re good at it. So the cybersecurity teams, a lot of the healthcare organizations really have a big challenge because it’s a never ending battle. It’s always going to be like this. You can never just relax and get a cup of coffee. It’s always running.

Vulnerability is certainly a piece to it, change control process, testing patches ahead of that. We’ve seen things where again, you think of the raw infrastructure and how things work and that’s fine, it’s up, it’s available, everybody’s happy. But then you’ll see things that are maybe in the underlying architecture. Something like IPAM systems. So DHCP and DNS, if they don’t work well, or they’ve been misconfigured, or on a DHCP server if the scope…if you’re on a hospital floor leveraging special badges that get on the network via IP, and they keep that IP address. Well, whose fault is that? Well, it’s not really fault. The bottom line is: I want to know when it’s not working, where I’m going to have a technical issue, so I don’t affect the patient care.

Sometimes those are misconfigurations. We’ve seen cyber issues that sometimes appear as an attack, but actually were just a misconfiguration or a change in configuration setting that maybe shouldn’t have been.

But again, we want to get to…the first question when we get to that type of situation, whether it be war room or anything to deal with patient care – is this network? is this application? is this cyber? And then we start peeling the onion down and start diving into the actual layers of it. But there are so many things that can affect availability. I don’t think I could talk about them in one interview.

[00:08:55] Colin Hung: Well you brought it up. I won’t say it’s the bear in the room because it’s a big, pretty big bear and we’re all aware of it. And that is of course you called it the bad actors, right? Are you seeing an increase? Are you seeing any trends in ransomware in healthcare?

[00:09:13] Ken Czekaj: We are seeing lots of trends and lots of increases in this one.

A lot of times when you’re going to launch a ransomware attack as an adversary, you’re going to do a “look over here while I go over there”. So a lot of times we’ll see a multi-vector attack. We’ll see a denial of service of some form. And a lot of times we think of that as “Hey, I’m shooting you a whole bunch of traffic…that I compromised a bunch of PCs and robots and IOT devices across the world and I’m just gonna turn around and amplify and shoot you traffic to try to knock you over. While your cyber team is dealing with that, then of course, what I’m going to do…I would never do this…but what the adversaries would do is go to a diversion attack and then try to penetrate the perimeter of the systems.

Then they’re going to do some recon, do some scanning, then pull back. Then they’re going to look at what they have available to them and go: “okay, now that I see that I’ve got some vulnerable systems” – especially old medical devices can be a really bad target because they have old operating systems. Once I discerned that, now that’s my plan of attack. I’m going to launch a denial of service over here, and while that’s going on, I’m going to penetrate the perimeter, find this operating system and compromise it.

That’s certainly one way to do it. We are seeing a giant uptick, not only in healthcare – at our company, we see it because of what we do for a living. We see it in government. We see it in utilities. We see it in the enterprise customers. But healthcare. It’s just a very, very sad thing for people to go after healthcare organizations for ransomware knowing full well that there’s patients’ lives in the background of that. It’s just a very sad thing to me. Always will be.

[00:10:48] Colin Hung: You know, healthcare has been criticized for being a little bit behind on the cybersecurity maturity level. But I’m encouraged by you saying that healthcare is not the only vulnerable industry here. There’s lots of others that are being attacked.

[00:11:07] Ken Czekaj: It really has. We’re seeing it across the board. Across industries. Part of what our company does is denial of service mitigation. We have a very unique view into the threats on those types of things, but we are seeing it across the board. It’s crazy how much is going on.

[00:11:24] Colin Hung: And you were explaining to me before we got on air that there’s a new form of attack. You called it an extortion attack. Can you explain to me what that is?

[00:11:33] Ken Czekaj: It’s very similar to a ransomware attack. So a ransomware attack just by definition, typically…Colin you’re a hospital. I come into you, Colin and I get into your systems and I just encrypt. As soon as I encrypt things, I basically lock it. I have the key to that. You don’t. You can’t access your files or your systems. Now you pay me or you’re just gonna melt. Your hospital’s not going to be able to do anything. You’ll not be able to access your systems.

What we’ve been seeing over the last year, year-and-a-half, is what we call an extortion attack. Still the same type of adversaries. Typically I have already penetrated the perimeters of your system. And I can get to your files, I can get to a database and I’m going to get some of your data. I can go in, pull the data back and then post it somewhere so that I show you: “Hey, Colin, you’ve been compromised and you need to pay me”. So it’s more of an extortion.

And then the other thing we’ll do is also launch a denial of service attack at you saying: “Hey, Colin, by the way, we’re going to attack you tomorrow at four”. At four o’clock sure enough, here comes a denial of service. You need to pay us. That’s more of an extortion attack.

Once you get into those you typically get into three letter organizations that are going to get involved here because they’re pretty serious and they have a tremendous impact on health care.

[00:13:02] Colin Hung: So I think ransomware is being written up a lot. Cybersecurity, obviously written up a lot. The theory is that you have to take a layered approach, right? There’s no silver bullet that’s going to protect you or maybe it’s a silver shield that’s going to protect you from all attacks. So what are some of the newer layers or more interesting technologies that you can put into this layered security?

[00:13:28] Ken Czekaj: Oh, great question. So the whole, the whole concept of that.. and you said it very eloquently…is called defense-in-depth. It’s fundamental. Basically the whole concept is there is no one tool that’s going to protect you. That’s just common sense now.

So the more tools, the more controls, the harder you make it for an adversary to get through, obviously the better. What we’re doing at NETSCOUT is really focusing on how we can complement existing cybersecurity controls and other platforms and really integrate with them.

We’ve got a unique view of the application network traffic. We can see it as it comes in. We can see inside of the encryption in some cases, with the right deployment. We can see inside the cloud. What we’re doing with that data is use it for what we’ve called service triage, which is a fancy name for troubleshooting. Service triage…healthcare organizations understand the word triage…when you get into a cybersecurity incident and you’re looking at controls and those types of things in defense-in-depth, you’re looking at where can I add more value. Where can I put tough hurdles and controls up for these adversaries? Because we see traffic, we can really complement some of the threat feeds that we pull into our solution. We’ve got the conversations.

It’s a little nerdy, but when I see Source A IP address, talking to destination IP address….Not only do we actually have that traffic [and we record that into our database, which is huge for trying to determine your attack surface], but also when you’ve been compromised, we have the packet.

So we actually have the bits and bytes that are recorded that we can see: “oh, not only did they come in through this particular avenue, here’s the tactic they used.” There’s a lot of other frameworks that people are tying into like MITRE and things like that.

But also once they’ve compromised the perimeter, the first thing they’re going to do is lateral movement – where can I get to next? And that is very, very difficult to track. We do that. That’s part of what we do. There’s a thing in the world called an IOC – an indicator of compromise. You mentioned vulnerabilities, tons of great tools out there. Tons of great threat feeds out there. What we do, we take our smart metadata that’s got all this conversation and protocol as well as packet information – we’re taking those indicators of compromise and pulling that into our system.

So I can quickly look at a dashboard, not only geographically to say: I’m in Ohio, why is my organization talking to North Korea today? Which is really a bad thing and we can very quickly just drill right into that and go “okay, I see exactly who it is. I see what it is now I can put proper blocks and countermeasures up into my tool sets.”

Complementary is the way to go. Integration with these other solutions is the way to go. But really, when you’re trying to promote a defense-in-depth strategy, which everybody is, having these types of solutions where we can see application and IOC and vulnerabilities really is a way to evaluate your controls.

By being able to see, how did they get in, it’s really attack reconstruction in some cases. I can go back in time. So when I have a zero day event, like we had Log4j, which was a real popular one a couple of months ago. Well, the threat feeds, it was zero day, so they didn’t have that. They didn’t have the information about what does this look like? What are the threat feeds?

So what we can do now is take that threat feed and then play it into our solution and actually go look at data we’ve already collected to see that “oh yeah, we did see that.” It’s really great for attack surface monitoring, which is really what we’re kind of focused on.

It’s really about complementing the other solutions that are out there for most of these organizations.

[00:17:13] Colin Hung: So it sounds like, in lay terms for me, like the tools and the capability that NETSCOUT has is almost like contact tracing, right? You’re able to go back and say: “Hey, this is how they got in.” So now next time I can now put in these controls and these barriers to close off that avenue.” Whereas before it might’ve been hidden from you. You may not have seen that was a vulnerability.

[00:17:37] Ken Czekaj: That’s a hundred percent accurate. I take the word “contact tracing” a little lightly because coming off the pandemic, some customers are like, please don’t say that again. But in the cybersecurity world that’s called lateral movement. That’s the more conducive term really in the cyber world. And that’s really difficult to track across systems.

You gotta remember once an adversary gets in…let’s say they get in via something silly…we’ll call it a remote desktop protocol or telnet or something silly like that. Once they’re in now, they’re going to see what else they can get to. And now they’re going to change protocols and go this way over here.

And those are very difficult to track. It’s almost like, okay. I come in, I’m speaking English when I get in, and then I’m going to speak Spanish and I’m going to speak Portuguese and I speak French and you’re all over the place. Very difficult to track that, but you make a great point. We call it contact tracing at NETSCOUT, but lateral movement is really what it is.

[00:18:38] Colin Hung: I know I asked you this last time we were together, but is there anything I can do if I was a CIO listening to this and is there anything I can really do to really kick my security up a notch given all this stuff that’s going on right now as a CIO of a hospital?

[00:19:05] Ken Czekaj: That’s a great question. It’s a very difficult thing to go after right now. But the one thing that I know that can be done…there are a lot of great tools and solutions out there. There’s end points. There’s next generation firewalls. There’s load balancers. There all the IDS, IPS, there’s all types of solutions here for detection and protection from intrusions.

What I want to do as a CIO, number one, I want my teams to work together. Number two, I want every bit of value of all the tool sets, all the solutions that I have at my disposal. I want value from them. I don’t want vendor speak. I want value from them.

And to me, that’s where you’re really serious about it versus “Hey, I went to a vendor thing and I heard something”. What I want to do is I want to leverage the tool sets and actually have an architecture that can promote defense-in-depth. And I want these things to work together.

I want APIs. If that were me, what I would probably do is try to pull those things together, because if I’ve got application integration, if I can make them work together towards the purpose of trying to keep everything up and available, which is the beginning of our discussion, I want to do that and I want to be out and I want to have an architecture for it.

So I want to leverage every piece of value out of those solutions. That’s what we preach to our customers. Preach is probably a bad word, but that’s what we think because we’ve got such a unique view into networks and applications. While yes, I can help you troubleshoot your things, I can also help you with cybersecurity things. Let’s work more together.

There’s been…I’ll say in the past years, in some organizations…there have been challenges with the network teams, application teams and cybersecurity teams closely working together. Sometimes it’s been a bit of “this is my territory, that is yours”. I’m going to throw you under the bus. You’re throwing me under the bus. That really has to stop because as an organization, when you say a ransomware incident for a hospital, is there anything that’s going to be more business or patient impacting than that? I can’t think of any.

And at that point, if I’m the CIO, do I really care if it’s a server issue, a cyber issue or a network issue? Nope. Just fix it. That’s the bottom line. So if I’ve got tools and solutions that can really work together and actually really deliver value and tangible value, that’s what I’m going to focus my time.

[00:21:38] Colin Hung: I like how you tied all that together so nicely Ken, you saved me from having to do the summary. We started talking about availability and the importance of that from a patient standpoint. And especially in healthcare right now, trying to rebuild trust with patients. And then we got to talking about ransomware and the impact that can have on availability. And now what you’re saying is we all got to work together because at the end, it’s not about network, it’s not about availability, it’s not about the cyber threat. It is about taking care of our patients. And when you don’t have access to your systems, you can’t take care of patients no matter what the cause of that lack of access is.

[00:22:15] Ken Czekaj: That is a very, very strong point. And that’s a scary thing about today. I mean, not only the applications and networks and even the cyber platform so complex, because there’s so much to look at so much widespace so having visibility to all that, it’s really a challenge because it’s very difficult to see what I can’t fix, what I can’t see. It’s very difficult and that plays for networks, applications, and cyber security. And that’s what we’re trying to attack at NETSCOUT right now.

[00:22:45] Colin Hung: So Ken before we end, where can people go to find out more information about NETSCOUT?

[00:22:50] Ken Czekaj: I appreciate you asking. So obviously we’ve got quite a bit of material at www.netscout.com. There is actually something called Threat Horizon, where you can actually see live, what denial of service attacks are flying across the globe. It’s absolutely nuts to watch and you’re like, is this real? But you can see actually by industry. It’s a free resource and highly recommended to anybody in cybersecurity.

Really take a look at that. It’s really cool. Arbor Networks is part of NETSCOUT as well, so they’re the denial of service experts and they’re part of our team now, which is fantastic. They’ve got some threat reports that they deliver twice a year that are also freely available. I highly recommend somebody take a look at those as well.

[00:23:40] Colin Hung: Well Ken as always, you’ve shared so much amazing information here. It’s going to take me a little while to unpack all of it, but thank you so much for sharing it. And thank you so much for your time.

[00:23:49] Ken Czekaj: My pleasure. Thanks for having me.

About the author

Colin Hung

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is: @Colin_Hung.
