Unmask Big Threats in the Big Apple: Lessons From the NewYork-Presbyterian SOC Team

When it comes to security, there are few industries where the stakes are higher than healthcare. A breach can not only damage an organization’s reputation, but open it up to fines and regulatory scrutiny. Keeping track of all the vulnerabilities in one hospital is a huge challenge. Now imagine the responsibility of securing ten hospitals, two medical schools, a physician services network, ambulatory care and community health care initiatives serving one of the world’s largest metropolitan areas and you have NewYork-Presbyterian (NYP). 

With more than 4,000 beds, 47,000 employees and affiliated doctors, NYP consists of ten campuses, including community hospitals spread across the Greater New York area, and is the only hospital in the nation affiliated with two top-ranked medical schools, Columbia University Vagelos College of Physicians and Surgeons and Weill Cornell Medicine.

With more than 600 unique application systems and several electronic health record systems, NYP presents many opportunities for bad actors to mask their digital identity. Add shared workstations, logins and mobile devices to the mix, along with collaboration utilities and the controlled chaos of clinical care facilities and NYP faces challenges hardly common to every vertical.

John Frushour, NYP’s Deputy Chief Information Security Officer, sees firsthand the enormity of the problem. Pinpointing when a specific nurse, let’s call her Nurse Sally, modified a patient's record can often come down to an educated guess, especially when Nurses Sally, Timmy, Suzy, and Sammy were all attending to the same patient at the same time.

Furthermore, the approval process and wait times associated with fielding biomedical and clinical devices/software often mean mission-critical clinical systems are several years behind when they’re finally deployed, lacking the capability of privileged account management suites, network identity solutions, strong authentication and remote access or even things as simple as complex passwords.

All of these factors combined raise the stakes even higher should their network be compromised.

Defending Against a Wide Variety of Threats

In the face of these threats one of the most important missions for the NYP Security Operations Center (SOC) is defending the network. From identifying potential bad actors masquerading as service accounts or unprivileged identities to pinpointing their entrance to the NYP network, a SOC team’s work is never done. They can even identify a physical location using circuit and path identification to correlate any and all available data sources to narrow behavioral patterns and application activity, the SOC team clearly has a lot on their hands.

Should the SOC fail at this task, a bad actor could “set up shop” and pick any portion of the kill chain to thwart. They might exfiltrate information, create a backdoor or detonate malware, all under the perceived safety of anonymity. The “left of boom” actions would otherwise go unnoticed.

It’s vital for the SOC team to make sense of proxy history, timeclock data, multi-factor authentication patterns, access and privacy logs, network traces, endpoint activity, data loss prevention reports and application installation history. It’s all data, and it’s all in Splunk where teams can gain insights to easily take action. 

Unlock Analytics-Driven Security

Remember Nurse Sally? NYP is ultra-vigilant about ensuring that Nurse Sally is not really Mr. Robot in disguise. In particular, narrowing down that a user logged in, viewed records, if they visited the internet, clocked-in or out, uploaded a file, and any other activities, which can be very complicated.

To get visibility into the complicated landscape, NYP’s SOC is constantly dashboarding, correlating, indexing, refining and pinpointing her activities to look for reported or detected anomalies. If Nurse Sally claims to not have worked on Monday and there is suspicion of nefarious activity, the NYP SOC can string together session videos of Nurse Sally’s thin-client-streamed desktop, authentication history, multi-factor location history and proxy logs and compare them to her previous history, anomalous behavior in her VDI profile’s endpoint agent and even physical security information such as RFID interrogation history and security cameras.

If Sally really was working that day, the SOC team will know right away. And they’ll also know if she wasn’t. In other words, Splunk will help them instantly and automatically determine if the behavior indicates business as usual, or a business-critical security crisis.

“We have all the data and data sources we need to pin down and build a full picture of Nurse Sally’s activities,” Frushour said. “We can see everything that’s happening. And with every new data that’s out there, the beauty of Splunk is that you just add the data to [the platform].”

To find out more about how NYP uses Splunk to safeguard their networks, check out these talks from .conf19.

----------------------------------------------------
Thanks!
Jade Catalano