Cyberattacks on healthcare systems are on the rise globally. Amid the widespread disruption of the pandemic, cybercriminals have launched complex and coordinated attacks – from financial threats to those targeting privacy.
The agile nature of attackers, ease of reconnaissance, and a general lack of collaboration and trust among defending organizations renders effective defense more difficult. For healthcare systems, the rapid adoption of digital solutions has only expanded the attack surface, while insider breaches are much more common and easier to launch.
“There is no silver bullet for the growing global cybersecurity challenges that we face today,” argues Dr. Ahmed Elmagarmid, founding executive director of Qatar Computing Research Institute (QCRI), which operates under the umbrella of Hamad Bin Khalifa University (HBKU) and is steered operationally by Qatar Foundation’s Research, Development, and Innovation (RDI) division. He expressed this sentiment during the World Innovation Summit for Health 2020 in November and added: “Instead, we must analyze the unique challenges facing healthcare systems and adapt existing solutions or develop new ones to address each of them. To a certain degree, cybersecurity is becoming more of a data analytics problem.”
The health sector has unique vulnerabilities, providing very large attack surfaces because of the number of diverse interacting entities, the fast adoption of the Internet of Things (IoT), and remote connectivity. Insider breaches and compromised credentials also pose very real threats, as different entities access electronic medical records, often with conflicting interests.
Dr. Elmagarmid supports the zero-trust model adopted by Qatar, a holistic approach to cybersecurity involving several technologies and processes through which access to every resource can be authenticated and verified. The approach combines a ‘least privilege model’ and access control with logging and inspection of all activity using security analytics. Qatar has also launched the National Security Operations Center (NSOC), which logs and inspects activities and applies regular authentication and security solutions.
But as defense capabilities are elevated, sophisticated perpetrators are innovating with stealthy attack techniques by crafting breaches with low profiles that stay under the radar of even the most advanced traditional defenses. While health systems have historically been run over firewalled, enterprise-grade secure networks, with digital transformation now increasingly enabling health systems and medical technology, the industry faces a new paradigm.
Qatar’s cybersecurity entities have been taking a proactive data analytics approach to collecting enterprise data, including that of healthcare organizations. Through collaboration with researchers, the data is used to build in-house capabilities for monitoring abnormal system/user behavior, issuing early warnings and facilitating incident response.
Predictive capabilities – the ability to monitor and collect real-time cyber traces from the healthcare system – are enabled by advances in big data analytics and machine learning technologies. In addition to all the traditional prevention and detection solutions, predictive capabilities foresee the threats and vulnerabilities and nullify them before they are activated.
The wealth of data available from devices and apps, combined with artificial intelligence (AI), helps in building models that can accurately profile the normal behavior of the different players in the healthcare system, both humans and machines. Such models are then able to magnify low attack signals and provide actionable detection and blocking. Careful correlation and association of known threat vectors with the cyber infrastructure used by perpetrators leads to the prediction of unknown threat vectors.
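The behavioral profiling described above can be made concrete with a small detector. The following is an added illustration, not QCRI's tool or code: it learns a per-user baseline (daily volume of distinct patient records, usual working hours, departments touched) from constructed audit events, then scores a new day by combining several individually weak signals, so that a day with a mildly elevated volume, one off-hours access and one unfamiliar department is flagged even though no single signal would be. All users, patient identifiers and departments are constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit events: (user, day, hour, patient_id, department).
# Ten days of history per user stand in for the "normal behaviour" baseline.
BASELINE_EVENTS = []
for day in range(1, 11):
    for i in range(day % 3 + 3):                      # 3..5 distinct patients per day
        BASELINE_EVENTS.append(("nurse_a", day, 9 + i, f"p{day}-{i}", "cardiology"))


def build_profiles(events):
    """Summarise each user's normal daily volume, working hours and departments."""
    patients_per_day = defaultdict(lambda: defaultdict(set))
    hours = defaultdict(list)
    depts = defaultdict(set)
    for user, day, hour, patient, dept in events:
        patients_per_day[user][day].add(patient)
        hours[user].append(hour)
        depts[user].add(dept)
    profiles = {}
    for user, days in patients_per_day.items():
        counts = [len(p) for p in days.values()]
        profiles[user] = {
            "mean": mean(counts),
            # floor the spread so a very regular user does not produce huge z-scores
            "sd": max(pstdev(counts), 1.0),
            "hours": (min(hours[user]), max(hours[user])),
            "depts": depts[user],
        }
    return profiles


def assess_day(profile, events, threshold=3.0):
    """Score one user-day. Each signal alone is weak; the sum is what gets flagged."""
    patients = {e[3] for e in events}
    z = (len(patients) - profile["mean"]) / profile["sd"]
    lo, hi = profile["hours"]
    off_hours = sum(1 for e in events if not lo <= e[2] <= hi)
    new_depts = {e[4] for e in events} - profile["depts"]

    score, reasons = 0.0, []
    if z > 2.0:                       # clearly more records than usual
        score += z
        reasons.append(f"volume z-score {z:.1f}")
    if off_hours:                     # any access outside the user's usual window
        score += 1.5
        reasons.append(f"{off_hours} off-hours access(es)")
    if new_depts:                     # records from departments never touched before
        score += 1.5 * len(new_depts)
        reasons.append("new department(s): " + ", ".join(sorted(new_depts)))
    return {"score": score, "flagged": score >= threshold, "reasons": reasons}


PROFILES = build_profiles(BASELINE_EVENTS)

# Constructed test days for nurse_a.
NORMAL_DAY = [("nurse_a", 11, 9 + i, f"q{i}", "cardiology") for i in range(5)]
LOW_SIGNAL_DAY = NORMAL_DAY[:4] + [("nurse_a", 12, 21, "q99", "oncology")]
LOUD_DAY = [("nurse_a", 13, 22, f"r{i}", "oncology") for i in range(7)]

if __name__ == "__main__":
    for name, day in [("normal", NORMAL_DAY), ("low-signal", LOW_SIGNAL_DAY), ("loud", LOUD_DAY)]:
        print(name, assess_day(PROFILES["nurse_a"], day))
```

The normal day scores 0, the low-signal day reaches the threshold only because two weak signals add up, and the loud day is flagged on volume alone. In a real deployment the weights and threshold would be tuned per role against historical incidents rather than fixed by hand as here.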
Dr. Elmagarmid explained the significance: “Regulation and laws can only go so far. We need to advance the way we do attack attribution. We need to be more proactive and continue using AI to do predictive analysis of logs to anticipate problems before they occur.”
Dr. Issa M. Khalil, principal scientist, QCRI, added: “I agree that the solution to solving the problem of attack attribution is technical, but novel technical solutions have to go hand in hand with stakeholder collaborations, both nationally and internationally.”
Collecting sensitive real-time data also means complying with stringent privacy requirements and regulations, such as the General Data Protection Regulation (GDPR), which mandates strict rules regarding the storage and exchange of personally identifiable data and data concerning health.
Among these novel solutions, according to Dr. Khalil, are private data sharing and analytics. Federated learning, searching encrypted data, and content-agnostic detection of indicators of compromise (IoCs), combined with big data curation and advanced machine learning algorithms, can enable real-time monitoring, logging, and correlation of logs across different vantage points. Such a combined effort could help in connecting the dots and tracing attack actions to the infrastructure exploited, an important step towards attribution.
The advantage of federated learning, for instance, is that devices learn collaboratively by exchanging updates to a shared machine learning model rather than uploading their data to a centralized server, which would itself need world-class security. The technique makes it possible to collectively train models without leaking any entity’s data.
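To show what "train collectively without sharing data" means in practice, here is an added example of federated averaging in plain Python; it is not QCRI's implementation and it assumes two hypothetical hospital sites, each holding a constructed, labelled set of sessions with one standardised feature. Each site runs gradient descent on a logistic model locally and sends only its parameters and record count to a coordinator, which averages them weighted by record count and sends the result back; the coordinator object records everything it receives so the reader can check that no raw record ever reaches it.

```python
import math

# Constructed per-site records: (standardised feature, label). Label 1 marks a
# session later confirmed as credential misuse; the feature is a centred count of
# failed logins in the session. Each list stays inside its own hospital.
SITE_A = [(-0.5, 0), (-0.4, 0), (-0.3, 0), (-0.2, 0), (0.2, 1), (0.3, 1), (0.4, 1), (0.5, 1)]
SITE_B = [(-0.4, 0), (-0.3, 0), (-0.1, 0), (0.1, 1), (0.3, 1), (0.4, 1)]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))          # avoid overflow in exp for extreme inputs
    return 1.0 / (1.0 + math.exp(-z))


def local_train(weights, data, lr=0.5, epochs=20):
    """Full-batch gradient descent on logistic loss, run entirely inside one site.
    Returns the updated (w, b) and the record count; no record leaves the function."""
    w, b = weights
    n = len(data)
    for _ in range(epochs):
        dw = db = 0.0
        for x, y in data:
            err = sigmoid(w * x + b) - y
            dw += err * x / n
            db += err / n
        w -= lr * dw
        b -= lr * db
    return (w, b), n


class Coordinator:
    """The central party: it only ever sees parameter vectors and sample counts."""
    def __init__(self):
        self.received = []

    def aggregate(self, updates):
        self.received.extend(updates)
        total = sum(n for _, n in updates)
        w = sum(wb[0] * n for wb, n in updates) / total   # FedAvg: weight by sample count
        b = sum(wb[1] * n for wb, n in updates) / total
        return (w, b)


def federated_train(sites, rounds=10):
    """Alternate local training at every site with one averaging step at the coordinator."""
    coord = Coordinator()
    global_weights = (0.0, 0.0)
    for _ in range(rounds):
        updates = [local_train(global_weights, data) for data in sites]
        global_weights = coord.aggregate(updates)
    return global_weights, coord


def accuracy(weights, data):
    w, b = weights
    hits = sum((sigmoid(w * x + b) >= 0.5) == (y == 1) for x, y in data)
    return hits / len(data)


if __name__ == "__main__":
    model, coord = federated_train([SITE_A, SITE_B])
    print("global model", model, "accuracy", accuracy(model, SITE_A + SITE_B))
    print("coordinator saw", len(coord.received), "updates and zero raw records")
```

The model converges to a boundary near zero that classifies both sites' records correctly, while `coord.received` contains only twenty `((w, b), n)` tuples. What this toy does not address is that parameter updates themselves can leak information about the training set, which is why production federated systems pair averaging with secure aggregation or differential privacy.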
Dr. Elmagarmid added: “Cybersecurity is a very dynamic domain, a kind of cat-and-mouse game, where attackers learn to bypass new technologies to fight attacks. Traditional ways of detecting indicators of compromise are no longer very effective. So, we have started thinking outside the box. To predict an intention with high probability of a dangerous attack, QCRI goes deeper into the infrastructure used to deploy the attack.”
An example is QCRI’s ‘guilt-by-association’ tool used to identify suspicious domains or predict malicious attacks by analyzing the previous movements of the domain address.
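The guilt-by-association idea can be illustrated with a small graph propagation. What follows is an added example, not QCRI's tool; it assumes that "previous movements" means the IP addresses and name servers a domain has resolved to over time, recorded in a constructed passive-DNS style history. Suspicion flows from known-bad seed domains to the infrastructure they used and on to other domains that used the same infrastructure, while known-good domains stay pinned at zero; taking the mean at each hop keeps a popular shared host from tainting everything on it. All domains use the reserved `.example` TLD and documentation address ranges, so none of them is a real indicator.

```python
from collections import defaultdict

# Constructed hosting history (passive-DNS style): domain -> infrastructure it has used.
# All names and addresses are reserved documentation values, not real indicators.
HISTORY = {
    "bad1.example": {"ip:203.0.113.10", "ns:ns1.shady.example"},
    "bad2.example": {"ip:203.0.113.11", "ns:ns1.shady.example"},
    "unknown-a.example": {"ip:203.0.113.10", "ip:203.0.113.11"},      # hops between the seeds' IPs
    "unknown-c.example": {"ns:ns1.shady.example", "ip:198.51.100.5"},  # bad NS, but a popular IP
    "unknown-b.example": {"ip:198.51.100.5"},                           # only the popular shared IP
}
for i in range(8):   # eight allowlisted domains on the same popular shared IP
    HISTORY[f"benign{i}.example"] = {"ip:198.51.100.5"}

# Pinned labels: 1.0 for confirmed-malicious seeds, 0.0 for allowlisted domains.
LABELS = {"bad1.example": 1.0, "bad2.example": 1.0}
LABELS.update({f"benign{i}.example": 0.0 for i in range(8)})


def propagate(history, labels, rounds=10):
    """Two-step label propagation on the domain/infrastructure bipartite graph.

    Each infrastructure node takes the mean score of the domains that used it, and
    each unlabelled domain takes the mean score of its infrastructure. Using the
    mean rather than the sum dilutes suspicion passing through popular shared hosts.
    """
    users = defaultdict(set)                 # infra node -> domains that used it
    for domain, infra in history.items():
        for node in infra:
            users[node].add(domain)
    scores = {d: labels.get(d, 0.0) for d in history}
    for _ in range(rounds):
        infra_score = {node: sum(scores[d] for d in ds) / len(ds) for node, ds in users.items()}
        for domain, nodes in history.items():
            if domain in labels:
                continue                     # known-good and known-bad stay pinned
            scores[domain] = sum(infra_score[n] for n in nodes) / len(nodes)
    return scores


def triage(history, labels, cutoff=0.5):
    """Unlabelled domains ordered by suspicion, marking those at or above the cutoff."""
    scores = propagate(history, labels)
    ranked = sorted((d for d in history if d not in labels), key=lambda d: -scores[d])
    return [(d, round(scores[d], 3), scores[d] >= cutoff) for d in ranked]


if __name__ == "__main__":
    for domain, score, flagged in triage(HISTORY, LABELS):
        print(f"{domain:22} {score:.3f} {'REVIEW' if flagged else ''}")
```

The domain that moved between the two seeds' addresses scores close to 1, the one that shares only a name server with them lands in the middle, and the one that merely sits on a shared IP with eight allowlisted neighbours stays near zero. The output is a ranked list for analyst review rather than an automatic blocklist, which is where the collateral-damage concern mentioned later on this page comes in.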
QCRI has successfully commercialized several of its predictive analysis solutions, and a new startup is currently being established based on technology for which QCRI recently secured a licensing agreement with a European company. According to Dr. Khalil: “This technology tackles the challenging problem of predicting suspicious attack vectors such as phishing URLs and malware download sites before being activated. Such capabilities elevate the protection against the one-time hit-and-run attack vectors (sometimes called disposable attack vectors), which render current aftermath detection technologies useless.”
QCRI has also built a tool that uses enterprise data logs to identify dormant attackers and amplify low attack signals within the enterprise network. A third invention offers actionable recommendations for taking down attack sources based on the type of hosting infrastructure, while minimizing the collateral damage to benign providers and customers. A fourth tool identifies unwanted emails solely from their headers and enterprise communication patterns. This is valuable when end-to-end email encryption is used, since that restricts access to the full email content to the sender and receiver alone.
Through its ongoing project, SIHA (System for Integrated Health Analytics), in collaboration with Hamad Medical Corporation, Sidra Medicine, and others, QCRI is confronting many of the challenges facing the next generation of health solutions. SIHA (health in Arabic) combines data from wearables, smart health IoT devices, and medical devices with other sources to deliver predictive analytics using machine learning.
Dr. Faisal Farooq, principal scientist and head of the Center for Digital Health and Precision Medicine, QCRI, compared SIHA with typical enterprise health systems: “Systems like SIHA are connected to consumer devices over potentially multiple heterogeneous and open networks, making them vulnerable to cyberattacks and exposing protected health information (PHI) in the public domain. To safeguard against this, QCRI deploys data encryption techniques, multilevel authentication mechanisms, and adherence to the stringent security standards of the health domain.”
Dr. Elmagarmid concluded: “Ecosystems like those driving SIHA present unique security and privacy challenges that require further research and standardization of protocols to instill trust in users – consumers and healthcare providers.
“Like other domains, it is impossible to ensure security attacks never happen in healthcare systems. What’s important is how we respond to such attacks. Healthcare systems need to be constantly monitored, so attacks can be detected on time and their impact mitigated.”