To improve the security of patient health data, it seems only natural that a healthcare organization would choose security software modeled after the human immune system.
Darktrace Enterprise Immune System, powered by AI and machine learning algorithms, "watches your network from the inside out," said Justin Fier, Darktrace's director of cyberintelligence and analysis. Following installation, Darktrace gathers a baseline of behavior for a network and all the individual devices.
Darktrace "installs in the heart of your network," Fier said. "Much like the human immune system," he said, "it's getting a sense of self for the network." Darktrace alerts you to anomalous happenings on the network. "We're looking for unusual events, we're not looking for bad or malicious events. By looking for the difference between normal and abnormal, I cast a much wider net, meaning I can capture insider threat, misconfiguration, commodity malware."
A rules- and signature-based approach to securing patient health data, Fier said, looks for a much smaller set of traffic on a network. "We're looking for a whole lot more by looking for anomalies as opposed to malicious behavior."
A last line of defense
Penn Highlands Healthcare adopted Darktrace as a last line of defense, said Tom Johnson, CIO of the four-hospital health system in DuBois, Pa. "We had all our point solutions in place and thought we were pretty well-protected." But while running an initial inventory and analysis of the Penn Highlands network, Darktrace found about a dozen instances of malware "residing on machines that we didn't know existed." Darktrace also identified problems with how the network firewall was configured.
Darktrace goes beyond point solutions, Johnson said, giving his security team 100% visibility of their network. "It's capturing behaviors [of devices on the network] and monitoring that behavior. Where it is particularly valuable for us is protecting patient data, especially in the IoT space. Traditionally, it's much harder to protect [IoT] devices because they are not on a PC with a Windows OS, something I can put antivirus software on."
Darktrace monitors "all traffic that traverses our network," Johnson said. "Most of our network is patient data. Most of our employees are clinical people providing direct patient care, so it's protecting the devices they are using from harm." For example, he said, if an employee clicks on an email promoting a free gift or trip and it turns out to be malware, "Darktrace can see the bad behavior [of the malware] and stop it immediately."
Antigena: 'The antibody'
Johnson said "it takes a number of months for [Darktrace] to truly understand your network, inventory all your devices and capture a baseline behavior. Then you introduce Antigena about five to six months into the process and use it with human intervention."
Think of Antigena, Fier said, "as the antibody. You get infected with a virus, you give it a medicine, you attack the virus. That's what Antigena is. It's an automated response. The Enterprise Immune System says, 'Look over here; there is something odd happening.' Antigena can kick in and take a number of different responses."
Antigena can be configured in one of two modes. In human confirmation mode, Antigena recommends responses: for example, blocking a connection or quarantining a device. A security administrator approves the action before it's taken. In active mode, Antigena is fully autonomous and operates based on its evolving understanding of what is normal behavior for the network.
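The sketch below is an added illustration, not Darktrace code and not a description of its algorithms. It shows the general idea behind the two passages above: a per-device baseline flags a flow that a signature list misses, and the response is either queued for approval or applied depending on mode. The device name, hostnames, threshold and function names are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline: outbound flows (destination, kilobytes sent) seen per
# device during the learning period. All names and values here are made up.
BASELINE = {
    "infusion-pump-07": [("ehr.internal", 40), ("ehr.internal", 44),
                         ("ehr.internal", 38), ("ntp.internal", 1),
                         ("ehr.internal", 42)],
}
SIGNATURES = {"known-bad.example"}  # constructed stand-in for a signature feed
MODES = {"human_confirmation", "active"}

def build_profile(flows):
    """Summarise a device's normal behaviour: usual peers and typical volume."""
    sizes = [kb for _, kb in flows]
    return {"peers": {dest for dest, _ in flows},
            "mean": mean(sizes), "std": pstdev(sizes)}

def signature_hit(flow):
    """Signature approach: only flags destinations already known to be bad."""
    return flow[0] in SIGNATURES

def anomaly_reasons(profile, flow, k=3.0):
    """Baseline approach: list how a flow departs from the device's own norm."""
    dest, kb = flow
    reasons = []
    if dest not in profile["peers"]:
        reasons.append("new destination")
    if kb > profile["mean"] + k * profile["std"]:  # k is an assumed threshold
        reasons.append("unusual volume")
    return reasons

def respond(device, flow, mode):
    """Recommend and wait for approval, or act autonomously, depending on mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    reasons = anomaly_reasons(build_profile(BASELINE[device]), flow)
    if not reasons:
        return {"action": "none", "status": "normal", "reasons": []}
    status = "pending_approval" if mode == "human_confirmation" else "applied"
    return {"action": "block_connection", "status": status, "reasons": reasons}

if __name__ == "__main__":
    odd = ("files.unknown.example", 900)  # constructed flow, not on any list
    print("signature hit:", signature_hit(odd))
    print(respond("infusion-pump-07", odd, "human_confirmation"))
    print(respond("infusion-pump-07", odd, "active"))
```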
As organizations trust Antigena more and more, Johnson said, "you keep giving it more control until you give it full control. That's where we are at. We let it have full control to do what it thinks best. We still know about it; it sends us alarms and alerts. But if some anomalous behavior happens in the middle of the night, it's going to take care of it for us."
It has taken Johnson and his patient health data security team a little more than a year to become that comfortable with Darktrace. Initially, Johnson said, Darktrace "was very mysterious to us because we had never used an AI tool before. It's a very powerful tool; it's also very complex. ... It would be way over your head if your full-time role wasn't security." Johnson said he and his team worked "hand in hand with [Darktrace] engineers to really learn how the product works."
Humans can't do it all
Now that his team is "a year through it," Johnson said, "we're pretty comfortable with the technology and the autonomous tools."
Johnson believes that healthcare systems, prime targets for cyber hackers in search of valuable patient health data, "need tools like this to protect their organizations, especially [because] you can't rely on humans to do it all.
"It's great to have people who can monitor consoles when they have time and try to pay attention to what's going on, but you need some type of machine learning, artificial intelligence running in the background that's trained specifically for bad behaviors and to block them automatically."
As a CIO, Johnson said, "I sleep a lot better at night knowing I have those AI tools running and they are programmed to protect our organization and the patient information."