Keeping Geisinger Health System’s Network Safe from Predators
The news that the electronic healthcare records of a Los Angeles organization were held for cyber-ransom in February wasn’t a surprise to those who follow such attacks. An article in Modern Healthcare quoted an expert from the Rand Corporation as saying that “healthcare organizations, along with small businesses and schools, make good targets for ransomware attacks because they don't typically have the sophisticated backup systems and other resilience measures that are typical at large corporations.” The article also cited two smaller healthcare organizations that had been hit by ransomware attacks in 2012 and 2014.
Ransomware is just one way that healthcare and other industries are targeted by cybercriminals. Another common tactic for cybercriminals is data exfiltration; that is, the theft of confidential data for nefarious purposes. (For a look at a number of the issues health care IT executives face, see this report from the firm Independent Security Evaluators.)
One healthcare organization that has less reason to worry about these issues is Geisinger Health System, serving more than 2.6 million residents in central and northeastern Pennsylvania. Geisinger deployed a solution based on patented Infoblox Grid™ technology that includes Infoblox DDI, Reporting, DNS Firewall, and DHCP Fingerprinting. Because of our proximity to the fundamentals of the network, Infoblox can provide context on security alerts – for example, identifying compromised devices by their IP addresses and providing a history of their activity through DHCP logs.
Rich Quinlan, one of three technical analysts responsible for DNS and DHCP services at Geisinger and its affiliates, reports that the Infoblox technology found a security issue almost immediately. “We were doing an evaluation of DNS Firewall, and during that evaluation—even though we have incident detection and prevention systems and firewall logging—we detected an ultrasound machine that was attempting to communicate with a known (malicious) command-and-control server,” Quinlan said in a recent case study.
DNS Firewall detected the outbound communication, and Infoblox DHCP fingerprinting—which captures the device type for an assigned IP address issued as part of the DHCP process—enabled Quinlan’s team to quickly and accurately identify the offending device so that the threat could be contained before it spread across the network.
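The correlation described above is the part a defender has to get right: a DNS firewall hit names only an IP address at a moment in time, and the DHCP lease that covered that address at that moment is what supplies the MAC, hostname and device fingerprint. The following is an added example, not Infoblox code or Geisinger's configuration. The log line formats, IP addresses, MACs, fingerprint strings and hostnames are all constructed for illustration (real Infoblox syslog formats differ); the join logic, including the case where an address was re-leased to a different device later the same day, is what it demonstrates.

```python
"""Correlate DNS firewall (RPZ) block hits with DHCP lease records to identify
the device behind each hit.  Added example with constructed log formats; not
the vendor's own code or log syntax."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed DNS firewall hit lines: time, client IP, queried name, RPZ action.
DNS_HITS = """\
2016-03-01T10:15:02 client 10.20.30.41 query blocked-cc.example rpz=block
2016-03-01T10:15:09 client 10.20.30.41 query blocked-cc.example rpz=block
2016-03-01T13:40:55 client 10.20.30.41 query other-bad.example rpz=block
2016-03-01T11:02:13 client 10.20.30.77 query another.example rpz=block
2016-03-01T11:05:00 client 10.20.30.78 query allowed.example rpz=passthru
"""

# Constructed DHCP lease lines: start, end, IP, MAC, fingerprint, hostname.
# 10.20.30.41 is deliberately re-leased at 12:30 to a different device, so the
# same IP maps to two devices depending on when the DNS query happened.
DHCP_LEASES = """\
2016-03-01T08:00:00 2016-03-01T12:00:00 10.20.30.41 00:11:22:33:44:55 fp="Medical Imaging Device" host=US-ROOM3
2016-03-01T12:30:00 2016-03-01T16:30:00 10.20.30.41 66:77:88:99:aa:bb fp="Windows 7 Workstation" host=NURSE-PC12
2016-03-01T09:00:00 2016-03-01T13:00:00 10.20.30.78 cc:dd:ee:ff:00:11 fp="Apple iOS Device" host=iphone
"""

HIT_RE = re.compile(r"^(\S+) client (\S+) query (\S+) rpz=(\S+)$")
LEASE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) fp="([^"]*)" host=(\S+)$')


@dataclass
class DnsHit:
    when: datetime
    ip: str
    qname: str


@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str
    fingerprint: str
    hostname: str


def parse_hits(text: str) -> List[DnsHit]:
    """Keep only blocked queries; passthru/allowed lines are not indicators."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline should count these
        when, ip, qname, action = m.groups()
        if action == "block":
            hits.append(DnsHit(datetime.fromisoformat(when), ip, qname))
    return hits


def parse_leases(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        start, end, ip, mac, fp, host = m.groups()
        leases.append(Lease(datetime.fromisoformat(start),
                            datetime.fromisoformat(end), ip, mac, fp, host))
    return leases


def lease_for(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """Return the lease that covered `ip` at time `when`, or None if no lease
    was active (static address, expired lease, or missing DHCP logs)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def correlate(hits: List[DnsHit], leases: List[Lease]) -> Dict[str, dict]:
    """Group hits by the device (MAC) that held the IP when the query was made.
    Hits with no covering lease are grouped under unknown(<ip>) so they are
    surfaced for manual follow-up rather than silently dropped."""
    findings: Dict[str, dict] = {}
    for hit in hits:
        lease = lease_for(leases, hit.ip, hit.when)
        key = lease.mac if lease else f"unknown({hit.ip})"
        entry = findings.setdefault(key, {
            "ip": hit.ip,
            "fingerprint": lease.fingerprint if lease else None,
            "hostname": lease.hostname if lease else None,
            "domains": set(),
            "hits": 0,
        })
        entry["domains"].add(hit.qname)
        entry["hits"] += 1
    return findings


if __name__ == "__main__":
    for device, info in correlate(parse_hits(DNS_HITS), parse_leases(DHCP_LEASES)).items():
        print(f"{device}: {info['hits']} blocked lookups from {info['ip']} "
              f"({info['fingerprint']}, {info['hostname']}) -> {sorted(info['domains'])}")
```

Run against the constructed data, the two morning hits from 10.20.30.41 attach to the imaging device and the afternoon hit from the same address attaches to the workstation that received the re-leased IP; the hit from 10.20.30.77 has no covering lease and is reported as unknown. Joining on IP alone, without the lease window, would have blamed whichever device happened to hold the address when the analyst looked.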
Quinlan underscores the seriousness of this kind of threat. “In spite of all the conventional steps we take to protect our internal network, patient care could still be affected. We could have an entire hospital full of useless ultrasound devices because one was brought in with a virus and we have no control over them. And if it was able to exfiltrate data, we would have a Health Insurance Portability and Accountability Act (HIPAA) compliance issue.”
Equally important for the health care industry, Quinlan adds, the Infoblox technology “has been one of the most reliable systems that we have in the entire organization. We have had zero unexpected downtime in the three years that it’s been in place, and that's very rare in this day and age. I can sleep better at night knowing that we are not going to have a system failure.”
To read the full case study, click here. You can also watch Rich Quinlan talk about his experience with Infoblox here.