How IOC Sharing Will Help Us Build a More Secure Healthcare Sector

At Trend Micro we work hard every day to reduce the risk posed by cyber attacks from hacktavists, transnational cybercriminals, and cyber espionage groups. Nowhere is this more pertinent than in the healthcare industry, where everything from data breaches to ransomware attacks impacting medical devices could have a serious impact on patient care. This is why we’re a committed partner of the Health Information Trust Alliance (HITRUST), which is an organization dedicated to improving cybersecurity in the healthcare industry.

The HITRUST Cyber Threat XChange (CTX) is a program Trend Micro has been invested from the start, and we’re delighted to see that our Deep Discovery Inspector appliance is already making countless healthcare organizations (HCOs) more resilient to threats. In fact, new data suggests it generated more than 5,700 IOCs in the month of May alone, including seeing the WannaCry indicators two weeks before the NHS incident.

Lessons learned

The WannaCry ransomware epidemic last month taught us a valuable lesson: that organizations the world over still aren’t following cybersecurity industry best practices, such as those recommended in the HITRUST CSF. Many healthcare institutions were impacted, forcing IT systems and medical devices offline, which in turn led to cancelled operations, chemotherapy treatments and other urgent appointments. As our recent report on the industry illustrates, healthcare organizations are struggling to cope with an increasingly sophisticated and wide-ranging variety of threats. Many CISOs and their teams in the sector have a thankless task trying to make their hybrid infrastructure more resilient with minimal resources. Embedded third party applications powering critical medical devices make prompt patching a challenge, while the move to industrial IoT and cloud services expands the HCO’s attack surface ever further.

The nature of today’s threat landscape makes cybersecurity particularly challenging. The variety and volume of online threats is simply unprecedented. The Trend Micro Smart Protection Network (SPN) alone blocked almost 82 billion threats in 2016; a year which saw a 752 percent increase in new ransomware families. From compromised legitimate websites to malware-laden phishing emails, zero day attacks, information stealers, and ransomware, the list of threats is growing all the time. What’s more, attacks are frequently multi-staged and multi-vector, further complicating detection efforts.

IOC sharing

That’s where HITRUST and its Cyber Threat Exchange (CTX) comes in. HITRUST CTX is designed to accelerate threat detection and response.  It does so by automating the collection and analysis of known and unknown threats and then distributes their respective indicators of compromise (IOCs) in minutes rather than days and weeks. Participating organizations are able to prevent attacks through a hi-tech low-touch strategy that enables machine-to-machine threat information sharing.

CTX reduces the risk of a breach or compromise by sharing intelligence during all stages of an attack as is evident from the May 12th WannaCry outbreak. The HITRUST CTX had detected and shared indicators of that attack several weeks in advance to the participating members, which resulted in immediate protection from a ransomware breach.

From the very start, Trend Micro’s Deep Discovery Inspector appliance has been the primary means for participating CTX organizations to collect, analyze and share IOC information, providing a highly effective cyber threat early warning system for all. The appliance offers:

  • Unrivalled visibility, with analysis on any port and more than 100 protocols
  • Monitoring of east/west traffic which many products miss, but is vital to spotting sophisticated targeted attacks and more while utilizing numerous detection techniques
  • Custom sandboxing for optimal detection, zero-day detections and low false-positive rates

Thanks to the DDI appliance, the HITRUST CTX can detect advanced threats across the many stages and attack vectors of modern threats, while automating the sharing of intelligence amongst participants so that they are instantly protected from an attack. Ransomware attacks like WannaCry, for example, are thwarted before the initial compromise can even occur.

Observations made by the Enhanced CTX when measuring IOCs seen first by HITRUST participants were on average 16 days in advance of other commercial/community and open source feeds. At last, IT security professionals in the healthcare industry can begin to move from reactive fire-fighting to proactive cyber defense.

Trend Micro is committed to its partnership with HITRUST, including expansion of the Enhanced IOC program and closer collaboration to speed the analysis of cyber threat information to ensure actionable information is available sooner.

Leave a Reply