How Northfield Hospital uses AI to minimize risk from cyberattacks

Like all healthcare providers, US-based Northfield Hospital has a big responsibility when it comes to cybersecurity as sensitive data and the lives of patients could be at stake. A study by Proofpoint and the Ponemon Institute released in September 2022 found that patient mortality rates increased across more than 20% of healthcare organizations that suffered the most common types of attacks.

“If that healthcare organization is down and the patient doesn’t have access to health care that delays their care and can increase mortality, especially if you’re talking about a stroke victim or a heart attack where time is important. And when you don’t have automation to move that patient through your system and get them the care they need, that can increase the risk of mortality,” Vern Lougheed, Northfield Hospital’s security information officer, tells CSO.

Northfield Hospital

Established in 1910 as a 12-bed facility in Minnesota, Northfield Hospital has grown into a 37-bed facility with a 40-bed long-term care center, seven clinical locations, and more than 65 healthcare providers that services the local rural community, including the town ambulance service. With healthcare providers always a target of cybercriminals, the hospital has been constantly updating its cybersecurity stack to ensure staff is always able to provide the best care patients need.

“Foetal heart monitoring is something that we do here and … when a mother is in labor and you’re monitoring the heartbeat of the baby you don’t want that the go away during an event,” says Lougheed.

Legacy cybersecurity systems replaced by AI-enabled protection

What the Northfield Hospital first had in place was a traditional cybersecurity stack with basic firewalls, intrusion protection and detection systems, internet security gateway, e-mail spam and virus filtering. When AI-enabled products started to emerge, the hospital moved to an AI-based endpoint protection system, the first step into artificial intelligence tools in cybersecurity.

“But nothing was integrated; nothing really talked with each other,” Lougheed tells. “They were all islands of information, all islands of managing those devices. It was difficult to really understand and have that visibility that we desperately wanted into our network to understand what our threats were, what’s occurring, and that’s why we started looking for a tool set that allowed us to get that visibility.” It was hard to sort flyby attempts from targeted ones, he explains.

The first AI-enabled product was just the first step as soon Lougheed found out that it provided a narrow scope of telemetry data coming from the network. He knew then that these were the type of products that would provide the visibility needed, but he needed to look for one that was able to cover the whole enterprise and not just an endpoint.

Advancing Northfield Hospital’s protection

Increasing concerns around the risks to healthcare and the needs of Northfield Hospital saw them doing a proof of concept with Darktrace pre-COVID-19. The vendor was still fairly new then, Lougheed says, but their maturity was increasing.

“That proof of concept really proved to us the visibility that this AI engine can provide us, not only from just a client, but from a user, from a protocol, from an IP to a source to a destination to a myriad of different areas of telemetry that we can get that we never had access to before. It was really eye opening.” Having the ability to understand what was normal and what was anomalous was what the hospital needed, he says.

Another approach was also to simplify the cybersecurity stack, rather than having multiple products overlapping just in case one didn’t catch something, the hospital is reducing the cybersecurity stack while keeping things that for now still work separately including firewalls and internet security gateways.

Preparing Northfield Hospital for future risks

Phishing emails have become increasingly convincing and that is one of Lougheed’s concerns, especially those that may ask a doctor or a nurse for help concerning health issues, which are happening more often. He says that Darktrace is also helping identify and understand those.

The other concern is the security of medical devices as they become more software driven. Patients and caregivers rely on such devices to be online and available. “And they have very unique workflows that are that are hard to protect, and you can’t just easily shut off somebody’s heart monitor just because there’s a cybersecurity attack to protect that device. You have to keep that device going,” Lougheed says.

This is even more a concern to him as he explains that these medical devices are going off the network and into patients’ homes. Once that they are at a patient’s home, the risk increases and makes it harder to keep them protected.

A recent event has also made that a very real threat. A few months ago, a hospital employee was sent home with a new device so this person was able to work from home. Not long after the device was connected to the employee’s private network, a telemetry report from the Darktrace C sensor installed in that computer showed that the employee’s home network was compromised by a Russia-based IP that was trying to connect to the device.

While Lougheed’s team consists of him and another staff member, they rely on the autonomous action within the product, which acted by taking that computer offline. Later, the employee was informed of the reasons and actions that should be taken and the device was quarantined. “It was just a matter of minutes after the device was connected that we had the alert and the device was offline.”

Due to how quick the issue was solved, Lougheed explains that it is hard to know what the intent of that might have been. Even the IP location could be incorrect as it is easy to spoof IP’s coming from different locations.

Cybersecurity training and continuous stack update for staff and patient safety

A ransomware attack is Lougheed’s biggest worry, an event that could bring the hospital down would be devastating, he says. To counter this yearly training is provided to all staff and to new ones before they join in. This training is updated with information collected throughout the year on threats and events. Phishing exercises are also done automatically via Darktrace, which sends report to Lougheed.

Tools that can run things like phishing exercises are particularly important to smaller enterprises such as those in healthcare and even more so when the IT teams are even smaller.

On the technology side, Lougheed plans to continue to reduce the number of vendors in the hospital’s cybersecurity stack as complex environments can increase risk, he tells. He also wants to reduce the complexity of monitoring and managing the hospital defense systems. “This needs to be completed carefully and in a way that doesn’t increase risk, but rather decreases risk.”

AI-based systems are how this will continue to happen as threat actors are “already coming after us with AI-based threats and we need to be prepared,” Lougheed says. “We’re not a large enterprise, but we need the same level of protection afforded to those who are much larger than us and we need to manage that with less resources 24 hours a day, seven days a week. The need for patient care never stops. We’ll continue to look at ways to protect more our most critical asset and that is our patients. This will include bringing in the healthcare medical devices into the protection umbrella of Darktrace.”