Machine Learning in Healthcare Cybersecurity – Current Applications

Niccolo Mejia

Niccolo is a content writer and Junior Analyst at Emerj, developing both web content and helping with quantitative research. He holds a bachelor's degree in Writing, Literature, and Publishing from Emerson College.

Machine Learning in Healthcare Cybersecurity - Current Applications

The healthcare industry holds perhaps the most responsibility of any industry when it comes to ensuring data privacy. A breach in electronic medical records (EMRs) could tarnish a healthcare company’s reputation, put undue stress on patients, and render the company in violation of regulations.

In this article, we cover how machine learning software could help healthcare companies protect their patients’ data as well as their network of computers across their enterprise. We discuss how the typical machine learning approaches to fraud detection, anomaly detection and predictive analytics, may help detect malware and other cybersecurity threats. Specifically, this article considers the following use-cases for machine learning for cybersecurity in healthcare:

  • Anomaly Detection for General Cybersecurity: How anomaly detection software could detect where cyber attacks come from and what kind of attacks they are. The software monitors users of all computers within the healthcare network, or “endpoints,” for any unusual behavior. This could result in the discovery of malware in the network.
  • Predictive Analytics for Malware Detection: These applications could detect the presence of malware in a healthcare company’s network and prevent malicious files from opening. This might help healthcare companies discover new forms of malware as well.
  • Visualizing Cybersecurity Threats in a User Interface: Some cybersecurity solutions place more emphasis on visualizing the threats to discerning the nature of each one. We cover what a solution like this might look like and offer Tufts Medical Center’s purported success as an example.

We begin our exploration of machine learning-based cybersecurity applications for the healthcare industry by detailing how anomaly detection could be used to detect attacks on cybersecurity systems as opposed to typical fraud methods.

Anomaly Detection for Cybersecurity

Healthcare companies might protect their patient data and other sensitive information using anomaly detection software. This works similarly to how a business would implement an artificial intelligence/machine learning solution for more typical fraud detection uses such as checking payments and insurance claims for fraud.

Adoption Challenges and Integration Considerations

The software would need to be installed into the healthcare company’s greater network in order to protect all computers through which a hacker could access sensitive data. These computers are called “endpoints,” because they are where all enterprise data moves to become accessible to employees and thus are the “end” of the data’s path.

In order to prepare a machine learning model to detect cybersecurity threats, it will need to be installed within the client healthcare company’s network and allowed to analyze network activity in real time. For example, EMRs are typically stored within a healthcare company’s database and accessed remotely from an examination room computer during an appointment. The doctor updates the EMR according to what happened with the patient during the appointment, and the document updates in the database when saved.

Once the client healthcare company installs the software into their network, the software can begin scanning for activity across the network and track where all users navigate within the network and any connected databases. These databases may contain data including:

  • Patient data from EMRs
  • Resource utilization information
  • Tax and other financial data
  • Personal information of employees or other important people within the network

As the machine learning model analyzes this activity in real time, it develops and awareness of what normal network activity looks like and use this as a baseline to discern the likelihood of suspicious activity.

If user activity deviates too far from the software’s established norm, it will flag that activity as fraud. Some solutions will also shut the fraudulent user out of the network at this point. If the software flags an activity that the client company sees as normal, they can reject the notification, and the software will factor that type of activity into its decision-making going forward.

Anomaly Detection as a Network’s Immune System

Darktrace is one example of a machine learning vendor offering anomaly detection for cybersecurity threats to healthcare companies. They developed a solution that they claim prioritizes responding to system breaches as opposed to keeping them out. This is because new security breaching methods are always being developed, but fraudsters will all need to navigate the same network directories to find the data they want.

Darktrace often explains how their solution, Enterprise Immune System, works by comparing it to the human body’s immune system. The company claims the two are similar in that their software responds to potentially harmful anomalies as they reveal themselves in real time just as the body would upon contact with bacteria. Nicole Eagan, CEO of Darktrace, explains this comparison in more depth in this video about the software’s capabilities:

Eagan discusses how fast ransomware can act and how human employees do not have many options in terms of responding directly to it during an attack. She claims Darktrace’s software is able to slow down ransomware to give human employees “a fighting chance,” however it is unclear how the software does this.

Most likely, the company’s Enterprise Immune System shuts down the endpoint where the ransomware got into the network. This may allow human employees a greater window of time to diagnose the issue and respond to it promptly.

While this example illustrates how the software works to counteract cyberattacks, hackers have many other methods of navigating databases. We spoke with Justin Fier, Director for Cyber Intelligence and Analytics at Darktrace about this and how fraud methods advance parallel to security. When we asked for example of what navigating a network is like, what malicious activity looks like, and how a malicious actor may try to steal important information, Fier said:

So I would first say, regardless of the size of the networks—at the end of the day, all your network is is a massive data set; where it gets really complex is your data set is constantly changing…that’s really where Darktrace, for example, got the idea of building what we call the “enterprise immune system”. We wanted to approach security from the immune system approach because we realize every network is different, it acts as a living organism. So the challenge with a lot of networks is just monitoring all those different pieces…and the question is, how do I monitor all of them (end points), how do I decide if they’re acting in a normal way…

…a malicious actor is going to try and exploit something to do something on his behalf, and most of the time it’s going to stand out amongst other devices on the network, and it’s finding those subtleties…it’s gotten much harder to find those anomalies, it truly is a needle in a haystack…

Fier sees the ever-expanding range of cyber threats increasingly challenging to handle. This is because hackers use malware, bots, and other indirect ways of manipulating the database. Additionally, they improve on these tools to keep up with cybersecurity technology and continue stealing data. As a result, not every A-based cybersecurity solution will able to detect every type of fraud method initially.

Protect Healthcare Network Databases

According to one of Darktrace’s case studies, they helped Human Longevity, a healthcare and clinical database company, protect their sensitive patient data and intellectual property. Before moving forward with full integration of the Enterprise Immune System solution, Human Longevity had a four week trial period which saw some promising results.

During this period, the software detected a large amount of malware on the company’s guest network that they would not have discovered without the software. Additionally, Human Longevity was able to investigate the threat and proactively monitor all endpoints for activity similar to the breach.

The case study states that the client company was able to “gain overall visibility of all its network activity.” We can infer this means they were able to monitor how each endpoint in their network is being used where they could not before.

Predictive Analytics for Malware Detection

Healthcare companies may also protect their network from malware using predictive analytics applications. Machine learning models for this type of software are trained on a large sequence of labeled network activities that indicate the exact action taking place. Each action is also labeled according to whether the client thinks it should be considered “normal” or not.

This way, the algorithm learns to discern which network actions have the highest likelihood of fraud. The software will then be able to detect abnormalities in network activity when it is deployed and it is able to track actions in real time.

The software would also need to be trained to recognize if a human user or a malware bot is accessing the database. While a hacker will have to directly interface with a healthcare company’s cybersecurity system on some level to deliver the malware, there are actions that only a bot could take once inside the database. One example would be transferring data directly from the company database to a digital location the network has never communicated with.

Predictive analytics solutions for malware detection may also have the potential of recognizing new types of malware as hackers continue to create new ways to get through cybersecurity systems. This is because the client company’s subject-matter experts give the system direct instructions on which actions are fraudulent or not. This way the system eventually makes the distinction on its own and might be able to recognize more granular aspects of network behavior that can serve as fraud indicators.

Many predictive analytics solutions for both fraud detection and cybersecurity will come pre-trained, such as that of the AI vendor FireEye. In this case, the software vendor has trained the machine learning algorithm on suspicious network activity and malware. This way, healthcare companies need only integrate the software into their existing cybersecurity system. This integration could still require significant resources and may require the client company to employ some data scientists to facilitate setup.

A typical predictive analytics solution may be able to effectively manage malware for healthcare companies, but new versions of these attacks are being developed each day. This may still be a challenge for companies that have adopted one of these solutions because the software’s ability to detect new fraud methods may not be able to keep up with the constant innovation of fraudsters.

We spoke to Eli David, CTO and co-founder of Deep Instinct, an international cybersecurity vendor about emerging malware attacks. He covered how deep learning, or the use of multiple layers of neural networks, may be necessary. When asked why this might work in the cybersecurity space, David said,

Let’s look at this problem that we’re trying to solve and deal with in cybersecurity. There are huge amounts of new malwares created every single day; actually the conservative estimate is about one million new malwares every single day and it is probably much more than that, but when we look at these new malwares we see the vast majority of them are simple and small mutations over previously existing malware and that then those brand families … are far from being brand new. On average, a so-called completely brand new family of malware is between 10, 20, at most 30 percent different  from previously existing code and malicious content.

We can infer from David’s insight that new malware is usually incremental improvements on the same core malware design. David refers to these incremental improvements as “mutations,” or small changes that may give malware the chance to bypass a cybersecurity system that has not experienced it yet.

A single iteration on a malware program could have thousands of lines of code possibly containing these small mutations. It follows that multiple layers of neural networks may be useful because it may allow the machine learning model to recognize mutations faster and at a more granular level.

FireEye currently offers predictive analytics-based cybersecurity software to healthcare companies. Their software as a service platform focuses on malware analysis and investigating each threat according to the distinct processes of each of their four main solutions. We have listed these solutions below along with their main purposes:

  • NX: Defends against web-based attacks such as internet-related holes in cybersecurity or attempts to command the system remotely.
  • EX: Made to protect the network from “spearfishing” emails, or emails containing malware used to infiltrate a healthcare company.
  • HX: Offers endpoint security by monitoring activity and usage of all endpoints within a network.
  • PX: Helps the client healthcare company respond to network intrusions by capturing data on the intruder that may be helpful in getting them out.

FireEye’s short video below shows how these technologies work together to help their clients. In the video, FireEye details their “investigation lifecycle,” or the steps to take using their platform in order to get the most out of each new threat detection:

According to a case study from FireEye’s website, the company was able to help Kelsey-Seybold detect and manage malware within their network using their machine learning platform. The client healthcare company was still experiencing malware in their network despite their multi-layered security system and wanted a solution that could fill the gaps in their defenses.

They went through with a proof of value trial period during which the software discovered malware types that their other tools had not yet discovered. One employee purportedly clicked on a malicious link while browsing the company network. The software blocked it before the malware could get through.

The case study states that in one month their software generated 23 alerts of malware that Kelsey-Seybold’s other defenses missed. 17 of those alerts purportedly required no human action as the software automatically blocked them and prevented any harm.

Visualizing Cybersecurity Threats in a User Interface

Some machine learning-based cybersecurity solutions come in the form of predictive analytics software combined with an in-depth user interface. This may allow human employees to investigate individual cyber attack more thoroughly. This type of application would display all information relating to the attack as a single “event,” or instance of an active threat. This includes information on the endpoints accessed for the attack and what type of malware was able to breach the system.

The AI vendor Cylance claims to offer a predictive analytics solution that works similarly. Their predictive analytics solution is called Cylance PROTECT, and their user interface product is called Cylance OPTICS. The latter is made for the cybersecurity team to gain more information concerning recent attacks and diagnose exactly where the attack came from and how.

Cylance OPTICS can purportedly create incident reports for each detected threat and contain the threat while the rest of Cylance’s machine learning platform works on stopping it completely. The software then analyzes the malicious activity to discern where the attack came from and how the breach happened. The company states that their OPTICS software can then review those suspicious activities and compare them to historical data regarding past security breaches.

This purportedly allows users to find new patterns showing indicators of compromised security. If the system discovers any weak points in the client’s cybersecurity, the client can train the machine learning model again on all instances of this suspicious activity. Otherwise, it may also be able to alert users of a database infrastructure problem that a subject-matter expert may be able to fix.

The company claims to have made various improvements to Cylance OPTICS solution, which includes an API that facilitates integrating the software to existing cybersecurity systems. Additionally, users can partially lock down certain devices and endpoints while checking them for suspicious activity. This has the potential to block a hacker in the middle of their attempt to breach the client’s database.

Below is a video demonstration on how Cylance OPTICS detects malware in an executable fixed the user tries to run. The user can then view detailed data regarding the recent attack on the cybersecurity system and search for suspicious files within the network. Finally, the user demonstrates how their system was able to handle the “WannaCry” ransomware virus and prevent the theft of their clients’ important data:

Cylance published a case study to their website in which they claim to have helped Tufts Medical Center secure 10,000 endpoints along with detect new malicious files in their network. The case study states Tufts initially integrated both Cylance PROTECT and Cylance OPTICS into 60 computers, and gradually added it to more of their network. Tufts Medical Center is a member of Wellforce, a collaborative project between healthcare providers to bring academic medicine and community care to the patients of Massachusetts.

The client purportedly saw the results they were looking for in the ability to recognize more malicious files in their network and protect their large number of endpoints. Cylance provides the insight of Taylor Lehmann, CISO of Wellforce, regarding the importance of establishing secure endpoints:

Endpoints and endpoint security are where all the action is … It’s the things that happen on those devices that need the most amount of focus if you want to disrupt an attack, even a sophisticated attack. Looking at the tools we were using in this space and looking at the tools that others use and have had success with, we came to a few conclusions: Signature-based antivirus can’t keep up with emerging attacks we see and antivirus software that needs to be online and networked to receive updates will fail. These facts create issues that prevent these solutions from performing well with attacks and never before seen threats.

It is apparent that Lehmann understands the need to protect network endpoints as much as catalog differences in types of malware or web-based cyberattack. He claims that most cyber attacks can be traced back to a single breached endpoint, which is likely why he and his company claim to have found success with Cylance’s solutions.

Cylance claims the integration of their machine learning platform did not result in any recorded downtime for Tufts medical center or their network. Though exactly how they were able to accomplish this level of smooth integration is unclear.


Header Image Credit: