Meticulous forensic analysis has always been crucial for healthcare delivery organizations to hone data security processes and policies. But forensic analysis is now becoming especially vital as healthcare providers deploy—and then scale—Internet of Medical Things (IoMT) devices. Healthcare is the top industry target for cyberattacks, and systematic forensic analysis enables a healthcare organization’s security teams to learn and recognize exactly where to bolster their security posture in the aftermath of incidents.
Proactive monitoring that assembles evidence to reconstruct security anomalies can be highly instructive, revealing attackers’ exact tactics for exploiting vulnerabilities and infiltrating IoMT devices and networks. With IoMT device volume growing quickly across healthcare organizations, here’s how teams can position forensic analysis strategies to be most effective.
“Healthcare is the top industry target for cyberattacks, and systematic forensic analysis enables a healthcare organization’s security teams to learn and recognize exactly where to bolster their security posture in the aftermath of incidents.”-Shankar Somasundaram
Forensic Analysis for Data-Driven Security Policies
While threat detection involves responding to immediate situations, forensic analysis is a retrospective process required to understand the root cause of the security problem. It’s an important distinction. Forensic analysis involves specific stages—such as data collection, interpretation, and drawing data-driven conclusions—that inform critical policy suggestions.
In addition to any major breach specifics, initial incident data reporting must include any IoMT device malfunctions or unexpected behaviors. Teams conducting forensic analysis should come equipped with strong data analysts, be positioned to utilize resources across departments as necessary, and also be ready to tap external partners such as IoMT device manufacturers.
Data collection itself should be automated and should incorporate IoMT devices, mobile devices, servers, network monitoring data, and application logs. Forensic analysis works best with precise data that has tracked the connectivity and behavior of all devices and data relevant to an incident.
As a best practice, teams should run all analysis on data copies rather than the original data, and use strong access controls to guarantee data integrity. Document all data collection procedures and tooling. If the forensic analysis process calls for removing devices from the network to secure systems and capture evidence, be mindful of how that activity impacts the healthcare organization.
Have an effective data collection apparatus at the ready before beginning this process, complete with backup storage, chain-of-custody forms, and everything else required. Also, be prepared to part with data storage hardware in case an investigation ultimately involves law enforcement.
It’s also worth noting that IoMT (and, more broadly, IoT) device data storage is especially challenging and necessitates a thoughtful strategy. Traditional data collection doesn’t work for these devices, since there aren’t going to be enough logs. So, ensuring you don’t lose valuable information about the attack means that you must collect data on the network at the time of the incident.
Assess Attacks Through Formal Investigations
Any major security incident should trigger the launch of a formal investigation that employs forensic analysis to determine the incident’s cause and then identifies opportunities for improvements to your security posture and post-incident recovery. From the starting point of a compromised device or employee account, the investigation should include a broad search to discover additional points of compromise.
The first detected intrusion is likely not the attacker’s actual point of entry or first activity on your network. A broad and thorough investigation will reveal the initial point of attack and point to a more secure response. For example, if the source of an incident is traced to an employee who clicked on a phishing email, more effective employee training and access controls can make a key difference to future security outcomes.
Additionally, building network traps allows investigators to understand the potential root cause of the attack. Also crucial at this stage: understanding exactly how far the attack reached by leveraging device and network traffic data to fill in the whole picture of the incident (and extract as much instructional knowledge as is available).
Produce Insightful Post-Incident Reports
Post-incident reports enable healthcare organizations to take the lemon of a cyberattack and turn it into the lemonade of more secure practices. Closely examine any procedures that failed to prevent the attack, which should uncover potential policy improvements going forward. Carefully document all findings, along with any uncertainties or alternative explanations for observed behaviors.
The final steps are creating and executing an action plan informed by the post-incident report’s findings. Any dangerous vulnerabilities identified by forensic analysis should be addressed. Employee retraining and new policies may be appropriate if employee behavior contributed to the incident. Healthcare organizations lacking continuous monitoring capabilities might address that need with additional third-party tooling. Tightened access controls and new data storage policies might also be on the table.
Healthcare organizations can also put their practices to the test by conducting pen tests and attack simulations and participating in events like Cyber Storm where government agencies assist with realistic tabletop exercises and threat scenarios. All learnings should then inform new action plans to revise organizational, network, and IoMT device policies appropriately.
Treat Forensic Analysis as a Process
Forensic analysis yields the best results when implemented not as a single step or a mere checkbox, but as a continuing process of investigation, data evaluation, post-incident reporting, and decisive follow-up action plans.
By committing to this process of evolving and improving security policies and capabilities to defend systems and devices along more attack vectors—particularly as IoMT devices continue to accelerate—healthcare organizations can achieve more robust security postures that make them far less susceptible to future threats.