In years past, medical facilities weren’t as vulnerable as they are now; hackers had an unwritten rule not to target institutions or services where a disruption could put people in physical danger.
But that’s no longer the case: Ransomware-as-a-service has proliferated and stolen medical information has become highly monetizable, spurring threat actors to attack hospitals at unprecedented levels.
Alberta Health Services (AHS) doesn’t intend to leave itself vulnerable — the medical system is bolstering its defenses with AI.
By deploying AI-reinforced cyber operations built on the Securonix cybersecurity platform, AHS has cut its average time to respond to high-priority incidents by more than 30%. It has also reduced false positive alerts by 90% and analyst workloads by 2 to 3 hours per day, resulting in hundreds of thousands of dollars in savings.
“Many hospital networks are big fat, easy targets,” Richard Henderson, AHS executive director and CISO, told VentureBeat. “I don’t sleep very much because I’m just terrified of getting that phone call at 2 a.m. saying the entirety of our environment has gone down due to ransomware.”
Doing the work of 1,000 (or substantially more) SOC analysts
AHS is the second-largest hospital network in North America and the world’s largest single instance of the electronic healthcare records (EHR) platform Epic.
Henderson explained that he and his team are responsible for cybersecurity for 106 hospitals, 800 clinics, 20,000 doctors and 150,000 staff serving 4.5 to 5 million Albertans. He described AHS as a “massive on-prem organization,” with every facility connected to the same Epic install.
So, Henderson noted, “if it goes down, it goes down for everybody. And, it’s not hyperbole for me to say that if it goes down, it could very well have an impact on a patient’s life.”
It’s also not an exaggeration to say that a complete outage of Epic — regardless of whether it’s ransomware-related or not — could easily cost the province of Alberta anywhere from $500,000 to $600,000 an hour, he said.
To avoid such situations, AHS has deployed the “full spread” of the Securonix platform inside its environment. This includes the company’s threat detection, investigation and response (TDIR) capabilities, delivered through its AI-powered security information and event management (SIEM) platform, which provides log management, behavioral analytics and a security data lake in one package.
Henderson explained that the medical network ingests terabytes of data into its SIEM and relies on Securonix’s cloud-native architecture to handle data normalization and routing. Snowflake powers a large part of that backend.
Behavioral analytics is a critical part of AHS’ detection strategy. Securonix’s platform constantly learns what normal looks like for its users, endpoints and systems, Henderson explained, which helps his team catch “the subtle stuff,” like a trusted account behaving “just a little bit off.”
“It’s looking for patterns and stitching things together,” said Henderson. “You can hire 1,000 security analysts and you still wouldn’t have enough people to be able to sift through all the telemetry modern digital enterprises are consuming.”
AHS is cutting time to resolution, improving response times
For instance, AHS’ AI-driven tools learn what normal network behavior looks like across its hospitals. When something unusual happens — like a device suddenly talking to an external server it has never contacted before — the platform flags it right away. That can lead the security team to a misconfigured tool that might have been exploited had it gone unnoticed.
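The two detections described above (a device contacting an external host it has never talked to, and a trusted system behaving “just a little bit off”) both rest on the same idea: learn a per-entity baseline from a quiet window, then alert only on deviations from it. The following is an added example of that baseline-then-deviate logic, not code from AHS or Securonix. The log format, device names, destination hosts, internal address ranges and the tenfold egress threshold are all constructed for the illustration.

```python
"""Minimal baseline-then-deviate detector (added example, not AHS's or
Securonix's code). It learns, per device, which external hosts it normally
contacts and how much data it normally sends, then flags later connections
that break that pattern. All log lines, device names, hosts and internal
address ranges are constructed for this example."""
import ipaddress
from collections import defaultdict

# Assumed internal address ranges; a real deployment would use its own list.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed learning-window logs: "<timestamp> <device> <destination> <bytes_out>"
BASELINE_LOGS = """\
2024-05-01T08:00:01 infusion-pump-12 10.20.4.10 512
2024-05-01T08:00:05 infusion-pump-12 10.20.4.11 640
2024-05-01T09:12:44 radiology-ws-03 updates.vendor.example 20480
2024-05-01T09:13:02 radiology-ws-03 10.20.9.5 1024
2024-05-02T08:00:02 infusion-pump-12 10.20.4.10 512
2024-05-02T10:30:11 radiology-ws-03 updates.vendor.example 18944
"""

# Constructed logs from the detection window. The pump's 2 a.m. connection to a
# never-before-seen external host with a large upload is the "subtle" event.
NEW_LOGS = """\
2024-05-03T08:00:03 infusion-pump-12 10.20.4.10 512
2024-05-03T02:14:27 infusion-pump-12 203.0.113.77 1048576
2024-05-03T09:15:10 radiology-ws-03 updates.vendor.example 20480
2024-05-03T11:40:00 radiology-ws-03 10.20.9.6 1024
"""


def parse_line(line):
    """Split one space-separated log record into its four fields."""
    ts, device, dest, nbytes = line.split()
    return {"ts": ts, "device": device, "dest": dest, "bytes": int(nbytes)}


def is_external(dest):
    """True when the destination lies outside the assumed internal ranges.
    Hostnames are treated as external because only internal IPs are known here."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(log_text):
    """Learn per-device normal: the set of external destinations it contacts
    and the largest single upload observed during the learning window."""
    baseline = defaultdict(lambda: {"dests": set(), "max_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        entry = baseline[rec["device"]]
        entry["max_bytes"] = max(entry["max_bytes"], rec["bytes"])
        if is_external(rec["dest"]):
            entry["dests"].add(rec["dest"])
    return dict(baseline)


def detect(baseline, log_text, egress_factor=10):
    """Return one alert per connection that deviates from the learned baseline:
    a first-seen external destination, or an upload far above the device's peak."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        known = baseline.get(rec["device"])
        # A device with no baseline at all is itself unusual, so every external
        # connection it makes is reported until a baseline exists for it.
        if is_external(rec["dest"]) and (known is None or rec["dest"] not in known["dests"]):
            alerts.append({**rec, "reason": "first-seen external destination"})
        if known is not None and rec["bytes"] > egress_factor * known["max_bytes"]:
            alerts.append({**rec, "reason": "egress volume far above baseline"})
    return alerts


if __name__ == "__main__":
    for a in detect(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(f'{a["ts"]} {a["device"]} -> {a["dest"]} ({a["bytes"]} B): {a["reason"]}')
```

Run as written, the script reports only the infusion pump's connection to 203.0.113.77, once for the unknown destination and once for the upload size, while the radiology workstation's routine vendor-update traffic and its new internal peer produce nothing. That suppression of expected behaviour is the same mechanism that lets a SIEM cut false positives: the baseline, not a static blocklist, decides what is worth an analyst's attention.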
“Those types of misconfigurations have led to catastrophic ransomware outbreaks in other hospital networks in the past,” said Henderson.
Or, as another example, a payload might come up as potentially suspicious, but it’s obfuscated, meaning humans have to try to figure out exactly what it is and what it does, Henderson noted. Now, they can ask the platform to deobfuscate the payload and determine what the attacker was trying to do, and in “literally seconds” it does all the work.
“These past couple years of being able to talk to a computer like you’re talking to a person has just changed how people think about AI,” he said. “Natural language processing has been around for a long time, but not at this level, and it continues to blow me away just how good it is.”
As a result, AHS has been able to substantially cut time to resolution and respond faster. Henderson said the average time to respond to high-priority incidents is down more than a third compared to last year.
This is because AI is doing the heavy lifting, helping analysts understand what is happening and what an attacker is trying to achieve, Henderson pointed out. In modern cybersecurity, AI has become critically important for network detection, endpoint protection, email filtering and other cybersecurity functions. “My people are saving hours a day using AI tools,” he said.
Securonix’s platform has also helped cut down on noise, with AHS seeing a substantial drop in false positives reaching its junior analysts, which “really helps with focus and avoids burnout,” said Henderson.
He noted that there is a lot of discussion around AI replacing the lower tiers of security operations. But from his perspective, “AI isn’t going to replace junior staff. What it is going to do is help them learn faster, do their jobs better and protect the enterprise environment.”
Increased attacks make education critical
With AHS being so large, with many facilities spanning the province, Henderson’s team needs to track where the greatest volume of incidents is occurring. This can help them infer whether one geographical region is being targeted over another.
Henderson pointed out that Calgary and Edmonton are the two biggest cities in Alberta, so naturally, one would think they would bear a substantial brunt of attack volume. But that’s not always the case; smaller rural hospitals are often targeted because threat actors assume their defenses are weaker.
AI allows him and his team to keep a running dashboard of where incidents occur to plan additional outreach if necessary. Henderson spends a significant amount of time on the human side of security, he said, educating AHS’ nurses and doctors on previous attack campaigns so they understand what to look for.
“So, if we’re seeing an uptick in our rural hospitals, I will absolutely build an education campaign to say, ‘They’re targeting rural hospitals because they think you’re an easier target. These are the types of things you should be looking for,’” he explained.
The post Hospital cyber attacks cost $600K/hour. Here’s how AI is changing the math appeared first on Venture Beat.