Indicators of compromise (IOC) are pieces of evidence that help identify that a cybersecurity breach has occurred. Think of things like unusual traffic or suspicious log entries. Such activity is worth further investigation because it can indicate that a malicious actor has infiltrated your network.
In this blog post, part of our Internet of Medical Things (IoMT) series, we discuss examples of indicators of compromise in healthcare cybersecurity and the importance of early threat intelligence to minimize the impact of a breach.
For 12 consecutive years, healthcare has been the industry with the highest average cost of a data breach, according to an IBM report. As we discussed in chapter 6, patient data — whether it’s medical, personal, or financial information — is an attractive target for cybercriminals.
Keeping an eye out for indications of compromise in your hospital network can help detect the earliest stages of a cyberattack lifecycle, when bad actors have just breached your network but have not established full control of your environment yet. By preventing attack escalation, in which the intruder moves deeper into the network to access sensitive data and systems, hospitals can minimize further risks to operational continuity and patient care.
To help detect an attack earlier, the Federal Bureau of Investigation (FBI) often releases flash reports detailing indicators of compromise associated with ransomware. The report on the RagnarLocker ransomware, for example, describes the malware’s encryption logic and the IP addresses associated with this attack.
This type of threat intelligence helps information security professionals uncover and stop future attacks more quickly. No wonder 72% of the respondents to a Cyber Risk Alliance survey indicated that their organizations use indicators of compromise as a source of threat data.
When watching out for indications that your environment might have been compromised, here is a list of top red flags:
In order to flag any unusual activity in your environment, your security solution needs to:
Looking for new ways to spot risks and threats in healthcare? Watch our webinar showcasing the benefits of unified asset intelligence.
With its Collective Asset Intelligence Engine, Armis tracks over 3 billion assets. Armis uses this vast knowledge base, artificial intelligence (AI), and machine learning (ML) processing to identify when a device behaves abnormally. For example, Armis detects anomalous configuration changes, device utilization, and traffic patterns, all without a learning period. These anomalies are often indicators of attack (IOA) or compromise (IOC).
The Armis platform leverages this information to produce anomaly alerts, orchestrate quarantine, and apply automated enforcement of network segmentation based on policy. That way, you can minimize time-to-response and limit the impact of a breach.
For example, you gain the visibility to see that an infusion pump is communicating with an unsanctioned IP address associated with malicious activity. Since it’s a device that touches patients, the risk associated with its compromise is higher than if it were a compromised television in the waiting room.
By understanding context, Armis makes it easier for security teams to prioritize their remediation efforts based on risks to patient care.
Clinical teams can also benefit from a forensics-level view of medical devices. Let’s say your clinic is open from 7 am to 7 pm, but there’s an alert of a drug dispenser operating around midnight. It could be a misconfiguration but also an indicator of drug theft – a serious issue in medical facilities across the nation.
And there’s much more you can do with Armis. Curious about our other cybersecurity and asset management use cases?
Request a custom demo and we’ll walk you through our asset intelligence and security platform and show you how to spot indicators of compromise in healthcare — before it’s too late.
An indicator of attack (IOA) demonstrates that an attacker has tried to infiltrate your network, while an indicator of compromise (IOC) is evidence that a breach might have occurred. While an IOA helps you understand the intent behind an attack, an IOC gives insight into the attack itself, such as threat signatures.

Examples of indicators of attack include unusual network traffic. Phishing emails, for example, might be an indication that you are the target of a social engineering campaign. An increase in invalid login attempts or multiple access requests might be a sign that an attacker is trying to guess your credentials in a brute force attack.
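The three detection scenarios this post describes (a patient-touching device talking to a flagged IP address, a drug dispenser operating outside clinic hours, and a burst of failed logins) written as rule checks over constructed telemetry, ranked by risk to patient care. This is an added example, not Armis code; the device names, the 7 am to 7 pm clinic window, the blocklist and the 10-failure threshold are all constructed assumptions.

```python
"""Added example (not Armis code): rule-based IOC checks over constructed
IoMT event lines covering the scenarios described in the post."""
from collections import Counter
from datetime import datetime

# Constructed sample telemetry: (device, device type, timestamp, event, detail).
EVENTS = [
    ("pump-01", "infusion_pump", "2023-05-02 10:14:00", "connect", "203.0.113.77"),
    ("pump-01", "infusion_pump", "2023-05-02 10:15:00", "connect", "10.0.5.20"),
    ("tv-lobby", "television", "2023-05-02 10:16:00", "connect", "203.0.113.77"),
    ("disp-03", "drug_dispenser", "2023-05-02 23:58:00", "dispense", "vial"),
    ("disp-03", "drug_dispenser", "2023-05-02 09:30:00", "dispense", "vial"),
] + [("ehr-ws-7", "workstation", f"2023-05-02 11:00:{s:02d}", "login_failed", "nurse1")
     for s in range(12)]

# Assumptions: clinic open 07:00-19:00, a blocklist fed from threat intelligence
# (203.0.113.0/24 is documentation address space, used here as constructed data),
# and the device types that touch patients.
CLINIC_HOURS = (7, 19)
BLOCKLISTED_IPS = {"203.0.113.77"}
PATIENT_TOUCHING = {"infusion_pump", "drug_dispenser"}
FAILED_LOGIN_THRESHOLD = 10


def severity(device_type):
    """Device context decides priority: patient-touching devices rank highest."""
    return "high" if device_type in PATIENT_TOUCHING else "low"


def detect_iocs(events, clinic_hours=CLINIC_HOURS, blocklist=BLOCKLISTED_IPS,
                failed_login_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (device, rule, severity) tuples, highest severity first."""
    alerts = []
    failed = Counter()
    for device, dtype, ts, event, detail in events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if event == "connect" and detail in blocklist:
            alerts.append((device, "blocklisted_ip", severity(dtype)))
        if event == "dispense" and not clinic_hours[0] <= hour < clinic_hours[1]:
            alerts.append((device, "out_of_hours_activity", severity(dtype)))
        if event == "login_failed":
            failed[device] += 1
    for device, count in failed.items():
        if count >= failed_login_threshold:
            alerts.append((device, "failed_login_burst", "medium"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda alert: rank[alert[2]])
```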
No, Armis does not affect medical device performance. Our platform uses agentless passive technology to identify and track devices. Since Armis doesn’t install security agents or perform disruptive scans, there’s no risk of devices crashing, which could pose serious risks to patient care.
Armis detects unusual behavior by leveraging artificial intelligence, machine learning, and the vast knowledge base of our Collective Asset Intelligence Engine, which tracks more than 3 billion assets. Armis is able to baseline information for specific devices and then detect when an asset deviates from its expected behavior.
Download our solution brief to learn more about the Armis Platform.