Until a few years ago, medical facilities were not as vulnerable as they are now. Hackers had an unwritten rule not to target institutions or services where disruption could put people at physical risk.
But that’s not the case anymore: ransomware as a service is multiplying and stolen medical information is highly profitable, spurring threat actors to attack hospitals at unprecedented levels.
Alberta Health Services (AHS) is not going to leave itself vulnerable. The healthcare system is strengthening its defenses with AI.
By deploying AI-reinforced cyber ops from cybersecurity platform Securonix, AHS has reduced the average time to respond to high-priority incidents by more than 30%. It has also reduced false positive alerts by 90% and cut workloads by 2-3 hours a day, saving hundreds of thousands of dollars.
“Many hospital networks are big, fat and easy targets,” Richard Henderson, executive director and CISO, AHS, told VentureBeat. “I don’t sleep much because I got that call at 2am and said the entire environment was reduced due to ransomware.”
Doing the work of 1,000 (or quite a lot of) SOC analysts
AHS is the second largest hospital network in North America and runs the world’s largest single instance of the electronic health records (EHR) platform Epic.
Henderson explained that he and his team are responsible for cybersecurity for 4.5-5 million Albertans, with 106 hospitals, 800 clinics, 20,000 doctors and 150,000 staff. He describes AHS as a “large on-prem organization” with all facilities connected to the same Epic installation.
So, Henderson said, “If it goes down, it falls for everyone. And it’s not an exaggeration to me to say that if it goes down, it can have a very good impact on the life of a patient.”
And it’s not an exaggeration to say that a total halt from a major outage, whether ransomware-related or not, could easily cost Alberta $500,000 to $600,000 an hour.
To avoid this situation, AHS deployed a “full spread” of the Securonix platform within its environment. This includes the cybersecurity company’s threat detection, investigation, and response (TDIR) capabilities, delivered through an AI-powered security information and event management (SIEM) platform that provides log management, behavioral analysis and a security data lake in one package.
Henderson explained that the healthcare network ingests terabytes of data into its SIEM and relies on Securonix’s cloud-native architecture to handle data normalization and routing. Snowflake drives most of its backend.
Behavioral analysis is an important part of AHS’ detection strategy. Securonix’s platform is constantly learning what normal looks like for users, endpoints and systems, Henderson explained.
“We’re looking for patterns and sewing things together,” Henderson said. “We can hire 1,000 security analysts, but there’s probably not enough people to sift through all the telemetry that modern digital companies are consuming.”
AHS reduces resolution times and improves response times
For example, AHS’ AI-driven tools learn what normal network behavior looks like across hospitals. When something unusual happens, such as a device suddenly talking to an external server it has never contacted before, the platform flags it immediately. This lets the security team track down misunderstood tools that could have been exploited without anyone realizing it.
“These types of false mining have caused catastrophic ransomware outbreaks in other hospital networks in the past,” Henderson said.
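The first-seen-destination check described above, sketched as an added example (not Securonix's or AHS's code). The device names, addresses and the internal range are constructed assumptions, and a baseline is kept per device rather than for the network as a whole.

```python
import ipaddress

# Assumption: the internal address space; everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (device, destination IP), not real telemetry.
LEARNING_FLOWS = [
    ("infusion-pump-07", "10.20.1.5"),
    ("infusion-pump-07", "198.51.100.10"),  # vendor server seen while learning
    ("imaging-ws-03", "203.0.113.44"),
]
NEW_FLOWS = [
    ("infusion-pump-07", "198.51.100.10"),  # already in this device's baseline
    ("infusion-pump-07", "10.20.9.9"),      # new, but internal: out of scope
    ("infusion-pump-07", "192.0.2.77"),     # never contacted before: flag
    ("infusion-pump-07", "192.0.2.77"),     # repeat of the same pair: suppressed
    ("imaging-ws-03", "198.51.100.10"),     # normal for the pump, new for this host
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learning phase: external destinations each device has contacted."""
    baseline = {}
    for device, dst in flows:
        if is_external(dst):
            baseline.setdefault(device, set()).add(dst)
    return baseline


def flag_first_seen(baseline, flows):
    """Detection phase: (device, dst) pairs absent from that device's baseline.

    Each new pair is reported once and then learned, so one chatty device
    does not bury analysts in duplicate alerts.
    """
    alerts = []
    for device, dst in flows:
        known = baseline.setdefault(device, set())
        if is_external(dst) and dst not in known:
            alerts.append((device, dst))
            known.add(dst)
    return alerts


if __name__ == "__main__":
    for device, dst in flag_first_seen(build_baseline(LEARNING_FLOWS), NEW_FLOWS):
        print(f"first-seen external destination: {device} -> {dst}")
```

Learning a flagged pair right after alerting keeps noise down, but it also means a destination that is never triaged becomes "normal"; in practice the alert should be closed by an analyst before the pair is added to the baseline.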
Or, as another example, a payload may come up as potentially suspicious, but it is obfuscated. Humans then have to try to figure out exactly what it is and what it is doing, Henderson pointed out. Now they can ask the platform to analyze the payload and determine what the attacker is trying to do, and it can do all that work in “literally seconds.”
“In the past few years, being able to talk to a computer like you’re talking to people has just changed what people think about AI,” he said. “Natural language processing has been around for a long time, but it continues to blow me away at this level and how good it is.”
As a result, AHS was able to significantly reduce resolution time and respond faster. Henderson said the average time to respond to high-priority incidents has decreased by more than a third compared to last year.
This is thanks to AI doing the heavy lifting of understanding what is happening and what attackers are trying to achieve, Henderson pointed out. In modern cybersecurity, AI has become extremely important for network detection, endpoint protection, email filtering, and other cybersecurity functions. “My people use AI tools to save time a day,” he said.
Securonix’s platform has also helped AHS see a significant drop in false positives reaching junior analysts, helping them with “focusing and avoiding burnout.”
He said there has been a lot of debate about AI and whether it will replace the lower tiers of security operations. But from his point of view, “AI is not going to replace junior staff. What it is trying to do is help them learn faster, get better at work and protect the enterprise environment.”
With the increase in attacks, education becomes important
With AHS being so large and its many facilities spanning the province, Henderson’s team needs to track where the biggest incidents are occurring. This helps infer whether one particular geographical area is being targeted more than another.
Henderson pointed out that Calgary and Edmonton are the two biggest cities in Alberta, so one would naturally think they would bear a considerable brunt of the attack volume. But that’s not always the case. Small rural hospitals are often targeted because threat actors assume they have weaker defenses.
AI allows him and his team to maintain a running dashboard of where incidents occur, in order to plan additional outreach if necessary. Henderson said he is spending quite a bit of time on the human side of security.
“So if you’re seeing an increase in rural hospitals, you’re definitely going to build an education campaign that says, ‘They’re targeting rural hospitals because they think you’re an easier target. These are the kind of things you should be looking for,'” he explained.