Medical facilities were not always as vulnerable as they are now. Hackers once had an unwritten policy to avoid targeting institutions or services that could put people’s lives in danger.
But that’s no longer the case: Ransomware-as-a-service has proliferated and stolen medical information has become highly monetizable, spurring threat actors to attack hospitals at unprecedented levels.
At AHS, deploying AI-reinforced cyber ops through cybersecurity platform Securonix has reduced the average response time for high-priority incidents by more than 30%. It has also reduced false-positive alerts by 90%, and workloads by two to three hours per day. This has resulted in hundreds of thousands in savings.
Richard Henderson, AHS executive director and CISO, told VentureBeat that many hospital networks were easy targets. “I don’t get much sleep because I’m afraid of getting a phone call at 2 am saying that our entire environment has been down due to ransomware.”
AHS is North America’s second largest hospital network and has the world’s biggest single instance of Epic, the electronic health records platform. Henderson explained that he and his team are responsible for cybersecurity at 106 hospitals, 80 clinics, 20,000 physicians, and 150,000 employees serving 4.5-5 million Albertans. He described AHS’s on-premises organization as “massive,” with all facilities connected to the Epic installation. Henderson said that “if it’s down, it’s down for everyone.”
“I’m not exaggerating when I say that it could have a significant impact on the life of a patient if it goes offline.”
A complete Epic outage, regardless of whether it is ransomware-related, could easily cost Alberta anywhere between $500,000 and $600,000.
To avoid such situations, AHS deployed the “full-spread” of the Securonix platform within its environment. This includes the cybersecurity firm’s threat detection, investigation and response (TDIR) through its AI-powered security information and event management (SIEM) platform. This package combines log management, behavioral analysis and a security information data lake.
Henderson explained that the medical network ingests terabytes of data into its SIEM and relies on Securonix’s cloud-native architecture to handle data standardization and routing. Snowflake is a major part of the backend.
AHS’ detection strategies are heavily reliant on behavioral analytics. Securonix’s platform is constantly learning what normal looks like, Henderson explained. This helps his team catch “the subtle stuff,” like a trusted user behaving “just a little off,” said Henderson. “You could hire 1,000 security analysts, but you wouldn’t be able to sift all the telemetry that modern digital enterprises consume.”
AHS reduces time to resolution and improves response times
For example, AHS’ AI tools learn what normal network behavior looks like across its hospitals. They flag anything unusual, such as a device suddenly contacting an external server that it has never contacted before. This can lead security teams to a misconfigured device that could have been exploited had it not been flagged. Henderson said that “these types of misconfigurations led to catastrophic ransomware attacks in other hospital networks.”
Henderson pointed out that a payload could be flagged as potentially suspicious but be obfuscated, meaning humans would have to try to figure out what it is and what it does. Analysts can now ask the platform to deobfuscate payloads and determine what attackers were trying to do. It does this in “literally seconds.”
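The first-contact flagging described above (a device reaching an external server it has never contacted), shown as an added illustration that is not AHS's or Securonix's code. The flow records, device names, the 10.0.0.0/8 internal range and the 7-day per-device learning window are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: everything inside 10.0.0.0/8 is the organisation's own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (day, device, destination IP); not real telemetry.
FLOWS = [
    (1, "lab-analyzer-03", "10.20.0.5"),       # internal, ignored
    (1, "lab-analyzer-03", "203.0.113.10"),    # learned during baseline
    (2, "lab-analyzer-03", "203.0.113.10"),
    (3, "nurse-station-12", "198.51.100.7"),   # learned for this device only
    (9, "lab-analyzer-03", "203.0.113.10"),    # known destination, quiet
    (9, "lab-analyzer-03", "198.51.100.99"),   # never contacted before
    (10, "lab-analyzer-03", "198.51.100.99"),  # already reported once
    (10, "nurse-station-12", "10.20.0.8"),     # internal, ignored
    (11, "nurse-station-12", "198.51.100.99"), # new for this device too
    (12, "new-pump-01", "203.0.113.10"),       # new device, still learning
]

def is_external(ip):
    """True when the address lies outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def first_contact_alerts(flows, learning_days=7):
    """Return (day, device, dst) for each first contact with an external
    address made after that device's own learning window has closed."""
    first_seen = {}               # device -> day of its first flow
    baseline = defaultdict(set)   # device -> external destinations seen
    alerts = []
    for day, device, dst in sorted(flows):
        first_seen.setdefault(device, day)
        if not is_external(dst) or dst in baseline[device]:
            continue
        # Inside the learning window the destination is learned silently.
        if day - first_seen[device] >= learning_days:
            alerts.append((day, device, dst))
        baseline[device].add(dst)  # report each new destination only once
    return alerts

if __name__ == "__main__":
    for alert in first_contact_alerts(FLOWS):
        print(alert)
```

Anything contacted during a device's learning window is trusted from then on, so the baseline is only as clean as the period in which it was learned.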
He said that the ability to speak to a computer as if it were a human has changed how people view AI. “Natural Language Processing has been around for many years, but never at this level. It continues to amaze me just how good it really is.”
AHS was able to reduce the time it takes to resolve incidents and improve its response time. Henderson said that the average response time to high-priority issues is down by more than a quarter compared to last year. Henderson said that AI is helping analysts to understand what’s happening and what the attacker is trying to achieve. AI is now a critical component of modern cybersecurity. It’s used for network detection, email filtering, endpoint protection and other cybersecurity functions. “My people save hours a day by using AI tools,” he said.
Securonix’s platform has helped reduce noise, with AHS experiencing a substantial reduction in false positives that reach its junior analysts. This “really helps focus and prevents burnout,” stated Henderson.
Henderson noted that AI is often discussed as a replacement for lower-tier security operations. From his perspective, AI won’t replace junior staff. What it will do is help them to learn faster, do better jobs and protect the enterprise environment.
Education is critical in the face of increased attacks
Because AHS is so large and has many facilities across the province, Henderson’s team must track where the most incidents occur. This helps them determine if a specific geographic region is being targeted. Henderson pointed out that Calgary, Edmonton and other major cities in Alberta are the most populous, so it is only natural to assume they would be the target of many attacks. That is not always true: smaller rural hospitals are often targeted by threat actors who assume that their defenses are weaker.
AI enables him and his team to keep a running dashboard that tracks where incidents occur, so they can plan additional outreach if necessary. Henderson spends considerable time on the human aspect of security. He teaches AHS’ nurses and physicians about previous attack campaigns to help them understand what to look out for.
“If we see an increase in attacks on our rural hospitals, then I will definitely build an educational campaign to say that they are targeting rural hospitals as they believe you’re an easier target.” He explained that these are the kinds of things to look for.
