Jan 17, 2023

Chapter 8: How to spot the top indicators of compromise in healthcare

Ch 8 - Top indicators of compromise in healthcare

Indicators of compromise (IOC) are pieces of evidence that help to identify the occurrence of a cybersecurity breach. Think of things like unusual traffic or suspicious log entries. These activities are worth further investigation as an indication that a malicious actor might have infiltrated your network.

In this blog post, part of our Internet of Medical Things (IoMT) series, we discuss examples of indicators of compromise in healthcare cybersecurity and the importance of early threat intelligence to minimize the impact of a breach.

The importance of indicators of compromise in cybersecurity

For 12 consecutive years, healthcare is the industry with the highest average cost of a data breach, according to an IBM report. As we discussed in chapter 6, patient data — whether it’s medical, personal, or financial information — is an attractive target for cybercriminals.

Keeping an eye out for indications of compromise in your hospital network can help detect the earliest stages of a cyberattack lifecycle, when bad actors have just breached your network but have not established full control of your environment yet. By preventing attack escalation, in which the intruder moves deeper into the network to access sensitive data and systems, hospitals can minimize further risks to operational continuity and patient care.

To help detect an attack earlier, the Federal Bureau of Investigation (FBI) often releases flash reports detailing indicators of compromise associated with ransomware. The report on the RagnarLocker ransomware, for example, describes the malware’s logic for encryption and the IP associated with this attack.

This type of threat intelligence helps information security professionals to uncover and stop future attacks more quickly. No wonder 72% of the respondents of a Cyber Risk Alliance survey indicated their organizations use indicators of compromise as a source of threat data collection.

CyberRisk Alliance survey results on the most used threat intelligence sources
Source: CyberRisk Alliance’s Threat Intelligence report

Top examples of indicators of compromise

When watching out for indications that your environment might have been compromised, here is a list of top red flags:

  • Unusual outbound network traffic, such as medical devices sending data to IP addresses associated with botnets. 
  • Outbound and inbound network traffic peaks at unusual hours or from and to countries and regions where your organization does not have a presence.
  • Unusual login access, which could be an indication of compromised credentials — the most common initial attack vector in 2022, responsible for 19% of data breaches in the IBM report.
  • Login anomalies such as unusual accesses coming from a privileged user account. An attacker might have breached the network and is now leveraging privileged accounts to move deeper into your environment.
  • Increase in database read volume, which could be an indication that there’s a malicious actor accessing and stealing your data. 
  • Unusual domain name server (DNS) requests, registry or system file changes, unauthorized settings, and mobile device profile changes can all indicate an attack. Intruders might be inside your network, trying to hide their presence and expand their reach.

How to identify indicators of compromise

In order to flag any unusual activity in your environment, your security solution needs to:

  • Maintain comprehensive asset visibility. One of the basics of cybersecurity is that you can’t protect what you can’t see. In healthcare, asset inventory and continuous monitoring are more challenging because many devices are unmanaged and cannot accommodate security agents. Per Ponemon research, only 36% of healthcare organizations say they know where all their medical devices are.
  • Understand context. Tracking all your assets is not enough for cybersecurity if you are unable to understand how your devices, systems, and users are supposed to behave. Indicators of compromise tools need contextual information to identify unusual activities that could indicate a compromise, such as abnormal communication or configuration. 
  • Leverage automation. Having an automated process to collect data, triage, and respond to IOC can enable quicker remediation. Equally important is to combine early detection with automated measures to trigger incident response. Network segmentation, for example, can minimize potential breaches because it helps to prevent intruders from moving laterally in your environment.

Looking for new ways to spot risks and threats in healthcare? Watch our webinar showcasing the benefits of unified asset intelligence.

Detect abnormal device and network behavior with Armis

With its Collective Asset Intelligence Engine, Armis tracks over 3 billion assets. Armis uses this vast knowledge base, artificial intelligence (AI), and machine learning (ML) processing to identify when a device behaves abnormally. For example, Armis detects configuration changes, device utilization, and traffic patterns all without a learning period. These anomalies are often indicators of attack (IOA) or compromise (IOC).

The Armis platform leverages this information to produce anomaly alerts, orchestrate quarantine, and apply automated enforcement of network segmentation based on policy. That way, you can minimize time-to-response and limit the impact of a breach.

For example, you can get visibility to understand that an infusion pump is communicating with an unsanctioned IP address associated with malicious activity. Since it’s a device that touches patients, the risk associated with a device compromise is higher than if it was a compromised television in the waiting room.

By understanding context, Armis makes it easier for security teams to prioritize their remediation efforts based on risks to patient care.

Image of the Armis platform shows a security alert issued to a medical device

Clinical teams can also benefit from a forensics-level view of medical devices. Let’s say your clinic is open from 7 am to 7 pm, but there’s an alert of a drug dispenser operating around midnight. It could be a misconfiguration but also an indicator of drug theft – a serious issue in medical facilities across the nation.

And there’s much more you can do with Armis. Curious about our other cybersecurity and asset management use cases?

Request a custom demo and we’ll walk you through our asset intelligence and security platform and show you how to spot indicators of compromise in healthcare — before it’s too late.

Frequently Asked Questions

Indicator of attack vs indicator of compromise: What is the difference?

An indicator of attack (IOA) demonstrates that an attacker has tried to infiltrate your network, while an indicator of compromise (IOC) is evidence that a breach might have occurred.

While IOA helps to understand the intention of an attack, IOC gives insights into the attack, such as threat signatures.

What are examples of indicators of attack?

Examples of indicators of attack include unusual network traffic.

Phishing emails, for example, might be an indication that you are a target of a social engineering campaign. An increase in invalid login attempts or multiple access requests might be a sign that an attacker is trying to guess your credentials in a brute force attack.

Does the Armis platform affect medical device performance?

No, Armis does not affect medical device performance. Our platform uses agentless passive technology to identify and track devices. Since Armis doesn’t install security agents or perform disruptive scans, there’s no risk of devices crashing, which could pose serious risks to patient care.

How does Armis detect unusual asset behavior?

Armis detects unusual behavior by leveraging artificial intelligence, machine learning, and the vast knowledge base of our Collective Asset Intelligence Engine, which tracks more than 3 billion assets. Armis is able to baseline information for specific devices and then detect when an asset deviates from its expected behavior.

Download our solution brief to learn more about the Armis Platform.

Read all IoMT Playbook Chapters:

  1. Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
  2. Chapter 2 – The Hurdles of Internet of Medical Things Security
  3. Chapter 3 – A history of medical device hacking
  4. Chapter 4 – How to mitigate ransomware in healthcare
  5. Chapter 5 – How to minimize the clinical risks of unsecured healthcare devices
  6. Chapter 6 – How to improve patient data security
  7. Chapter 7 – Why healthcare IT security can’t protect against IoMT vulnerabilities
  8. Chapter 8 – How to spot the top indicators of compromise in healthcare 👈 you are here
  9. Chapter 9 – The fundamentals of medical device cybersecurity 

Get Updates!

Sign up to receive the latest news

path-12-path-12-path-12-mask