Chapter 8: How to spot the top indicators of compromise in healthcare

Indicators of compromise (IOC) are pieces of evidence that help to identify the occurrence of a cybersecurity breach. Think of things like unusual traffic or suspicious log entries. These activities are worth further investigation as an indication that a malicious actor might have infiltrated your network.

In this blog post, part of our Internet of Medical Things (IoMT) series, we discuss examples of indicators of compromise in healthcare cybersecurity and the importance of early threat intelligence to minimize the impact of a breach.

The importance of indicators of compromise in cybersecurity

For 12 consecutive years, healthcare is the industry with the highest average cost of a data breach, according to an IBM report. As we discussed in chapter 6, patient data — whether it’s medical, personal, or financial information — is an attractive target for cybercriminals.

Keeping an eye out for indications of compromise in your hospital network can help detect the earliest stages of a cyberattack lifecycle, when bad actors have just breached your network but have not established full control of your environment yet. By preventing attack escalation, in which the intruder moves deeper into the network to access sensitive data and systems, hospitals can minimize further risks to operational continuity and patient care.

To help detect an attack earlier, the Federal Bureau of Investigation (FBI) often releases flash reports detailing indicators of compromise associated with ransomware. The report on the RagnarLocker ransomware, for example, describes the malware’s logic for encryption and the IP associated with this attack.

This type of threat intelligence helps information security professionals to uncover and stop future attacks more quickly. No wonder 72% of the respondents of a Cyber Risk Alliance survey indicated their organizations use indicators of compromise as a source of threat data collection.

Top examples of indicators of compromise

When watching out for indications that your environment might have been compromised, here is a list of top red flags:

• Unusual outbound network traffic, such as medical devices sending data to IP addresses associated with botnets. 
• Outbound and inbound network traffic peaks at unusual hours or from and to countries and regions where your organization does not have a presence.
• Unusual login access, which could be an indication of compromised credentials — the most common initial attack vector in 2022, responsible for 19% of data breaches in the IBM report.
• Login anomalies such as unusual accesses coming from a privileged user account. An attacker might have breached the network and is now leveraging privileged accounts to move deeper into your environment.
• Increase in database read volume, which could be an indication that there’s a malicious actor accessing and stealing your data. 
• Unusual domain name server (DNS) requests, registry or system file changes, unauthorized settings, and mobile device profile changes can all indicate an attack. Intruders might be inside your network, trying to hide their presence and expand their reach.

How to identify indicators of compromise

In order to flag any unusual activity in your environment, your security solution needs to:

• Maintain comprehensive asset visibility. One of the basics of cybersecurity is that you can’t protect what you can’t see. In healthcare, asset inventory and continuous monitoring are more challenging because many devices are unmanaged and cannot accommodate security agents. Per Ponemon research, only 36% of healthcare organizations say they know where all their medical devices are.

• Understand context. Tracking all your assets is not enough for cybersecurity if you are unable to understand how your devices, systems, and users are supposed to behave. Indicators of compromise tools need contextual information to identify unusual activities that could indicate a compromise, such as abnormal communication or configuration. 
• Leverage automation. Having an automated process to collect data, triage, and respond to IOC can enable quicker remediation. Equally important is to combine early detection with automated measures to trigger incident response. Network segmentation, for example, can minimize potential breaches because it helps to prevent intruders from moving laterally in your environment.

Looking for new ways to spot risks and threats in healthcare? Watch our webinar showcasing the benefits of unified asset intelligence.

Detect abnormal device and network behavior with Armis

With its Collective Asset Intelligence Engine, Armis tracks over 3 billion assets. Armis uses this vast knowledge base, artificial intelligence (AI), and machine learning (ML) processing to identify when a device behaves abnormally. For example, Armis detects configuration changes, device utilization, and traffic patterns all without a learning period. These anomalies are often indicators of attack (IOA) or compromise (IOC).

The Armis platform leverages this information to produce anomaly alerts, orchestrate quarantine, and apply automated enforcement of network segmentation based on policy. That way, you can minimize time-to-response and limit the impact of a breach.

For example, you can get visibility to understand that an infusion pump is communicating with an unsanctioned IP address associated with malicious activity. Since it’s a device that touches patients, the risk associated with a device compromise is higher than if it was a compromised television in the waiting room.

By understanding context, Armis makes it easier for security teams to prioritize their remediation efforts based on risks to patient care.

Clinical teams can also benefit from a forensics-level view of medical devices. Let’s say your clinic is open from 7 am to 7 pm, but there’s an alert of a drug dispenser operating around midnight. It could be a misconfiguration but also an indicator of drug theft – a serious issue in medical facilities across the nation.

And there’s much more you can do with Armis. Curious about our other cybersecurity and asset management use cases?

Request a custom demo and we’ll walk you through our asset intelligence and security platform and show you how to spot indicators of compromise in healthcare — before it’s too late.

Frequently Asked Questions

Download our solution brief to learn more about the Armis Platform.

Read all IoMT Playbook Chapters:

1. Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
2. Chapter 2 – The Hurdles of Internet of Medical Things Security
3. Chapter 3 – A history of medical device hacking
4. Chapter 4 – How to mitigate ransomware in healthcare
5. Chapter 5 – How to minimize the clinical risks of unsecured healthcare devices
6. Chapter 6 – How to improve patient data security
7. Chapter 7 – Why healthcare IT security can’t protect against IoMT vulnerabilities
8. Chapter 8 – How to spot the top indicators of compromise in healthcare 👈 you are here
9. Chapter 9 – The fundamentals of medical device cybersecurity 
10. Chapter 10: Which role can you play in strengthening cybersecurity in healthcare moving forward?