Why healthcare organisations must examine their network visibility - ExtraHop
Article by ExtraHop Asia Pacific vice president Albert Kuo
Does your healthcare organisation have a bird’s eye view of the network or is its activity viewed ‘through a glass darkly’?
For many Australian healthcare providers, it’s the latter and that can be to their detriment.
Historically, a visible environment has been the safest and most efficient sort to have, both for network administrators looking to optimise network traffic and systems performance, and cybersecurity specialists seeking to keep high-tech infiltrators at bay.
The latter is no easy task.
Worth $152 billion a year, according to Ibisworld, healthcare is one of the country’s biggest industries and one that continues to grow at a healthy clip.
But it’s the sick man of the Australian industry, when it comes to cybersecurity.
The sector accounted for 58 of the 215 notifiable data breaches in the January to March quarter of 2019, according to the Office of the Australian Information Commissioner’s Notifiable Data Breaches Quarterly Statistics Report.
Hackers and cybercriminals place a high value on the patient data healthcare providers have in their records – it’s typically detailed and personal and can fetch healthy prices on the dark web.
Lack of visibility is the key security challenge faced by organisations of all stripes, according to recent research from SDxCentral.
Breaches such as the suspected ransomware attack on Victoria’s Melbourne Heart Group in early 2019, which resulted in the compromise of 15,000 patient records, highlight its importance.
But is resolving to increase the visibility of traffic the key to improved security, or is the situation somewhat more complex?
Evolving information exchange protocols appear to have made it so.
It could be argued the enterprise computing world is heading towards a situation in which privacy, rather than security, is the predominant focus, courtesy of the advent of Perfect Forward Security (PFS) protocols and the potential fading of time-tested RSA keys.
PFS handshakes make deep analysis of transaction-level details tricky for security teams.
If the team was formerly using an out-of-line, passive approach to decrypt internal traffic for inspection, that approach likely won't work anymore.
This could create a permanent blind spot or force a costly rearchitecting of their decryption technology.
Worse still, it could push more organisations toward in-line, or "man-in-the-middle" decryption schemes, which research has shown to introduce more security risk than they mitigate.
In a PFS system, unique session keys are generated for each and every session, which means even if a key were to fall into the wrong hands, it could not be used to decrypt any prior or future sessions–it is limited to the single session for which the key was created.
Conversely, under the legacy RSA key exchange system, an individual key would be used across many sessions over an extended period of time.
If one such key is lost or compromised, it can potentially provide unauthorised access to a wealth of sensitive information.
Cybersecurity professionals and IT operations staff are likely to have differing views on the merits of the two approaches.
Under a PFS-driven regime, attackers may not be able to decrypt data but, on the other hand, the IT team can also effectively be locked out – a problem if they’re seeking to identify anomalies and ensure the smooth running of the network.
IT industry heavyweights appear to have voted with their feet on this issue.
Google, Twitter, WhatsApp and Facebook Messenger have all been offering PFS for several years now and Apple Store recently mandated PFS supporting protocols for all its apps.
Where the big players lead, others follow, which means it’s highly likely the industry’s new norm is already being bedded down.
Back in 2014, the Internet Engineering Task Force elected to get rid of RSA keys for Transportation Layer Security (TLS) 1.3 and maintained only PFS supporting protocols would be supported in later iterations.
Technology may well hold the key to achieving the optimum balance between privacy and security in the PFS-driven future.
In fact, the technology now exists to decrypt PFS traffic out-of-line, without compromising performance or taking the risks introduced by in-line solutions.
This is a new capability, not offered by many vendors, but it provides the ideal solution to the security challenges introduced by PFS.
Down the track, security staff can reasonably expect to find themselves in the position where decrypting everything is no longer necessary or desirable.
Only that traffic which presents as suspicious will require unlocking and analysing.
Targeted, out-of-band decryption of PFS traffic for security analysis is a possibility today and is being adopted rapidly by forward-thinking organisations.
Neither open-to-the-world visibility nor encrypted opacity entire – the optimum solution to this security conundrum may well be somewhere midway between the two.
Cyber-threats are real and rising and Australian healthcare providers are likely to remain firmly in the sights of hackers and cyber-criminals keen to exploit the sensitive and valuable data in their keeping.
To further muddy the water, Australia's enacted new, controversial laws around encryption in 2018, compelling businesses to provide the government with access to decrypted messages. This may prompt many businesses to reconsider their overall stance and technology decisions around decryption.
In any case, staying abreast of network security developments and striving to achieve a workable visibility/privacy balance will see them better placed to provide the robust and reliable cyber protection patients expect and demand in 2019 and beyond.