Healthcare (OT) - Module User Guide

HC: Admin Password Modified

1568

Observes for an admin/privileged user password modification

Security : Suspicious

60

No

Medium

Low-High

Use case:
An adversary has gained access to an admin account on a hospital network and changes the credentials of another admin account to gain access to other systems, applications, databases, and/or data

Configuration:
Population of the HC: Privileged Users list is required and, to maintain accuracy, a quarterly review of this list is recommended

Optional configuration:
To exclude system accounts from this alarm, add an exclude filter for an Origin Login or Account which matches this regular expression: \$$

HC: Crit Application Config Change

1569

Observes for changes to critical application configurations

Audit : Configuration

1

Medium

Low-Low

Use case:
Monitor for planned/unplanned configuration changes to critical healthcare applications to prevent potential application downtime

Configuration:
Include Filters should be added to the rule block for critical hosts and/or applications/processes that are in scope for the analytic

HC: Crit Backup Failure

1570

Observes for failed critical backup events

Operations : Critical

1

Yes

Medium

Low-Low

Use case:
Monitor for failed backup events to critical healthcare applications/systems to prevent potential data loss and downtime

Configuration:
Include Filters should be added to the rule block for critical backup hosts that are in scope for the analytic

HC: Crit Database Config Change

1571

Observes for changes to critical database configurations

Audit : Configuration

1

Yes

Medium

Low-Low

Use case:
Monitor for changes to critical database systems to prevent potential disruption to clinical, laboratory, and research data

Configuration:
Include Filters should be added to the rule block for critical hosts and/or database objects that are in scope for the analytic

HC: Crit Net Access Config Change

1572

Observes for changes to critical network access configurations

Audit : Configuration

1

Yes

Medium

Low-Low

Use case:
Monitor for changes to network access configurations to prevent potential disruption of network connectivity for critical applications and systems, such as patient remote monitoring

Configuration:
Include Filters should be added to the rule block for critical hosts and/or network segments that are in scope for the analytic

HC: Crit Service Stopped

1573

Observes for critical service stop events that are not followed by service start events

Operations : Critical

5

Yes

Medium

Medium-Medium

Use case:
An employee has opened a document containing malware that has killed all active services on a medication administration system

Configuration:
Include Filters should be added to the rule block for critical log sources and services that are in scope for the analytic

HC: Crit System Config Change

1574

Audit : Configuration

1

Yes

Medium

Low-Low

Use case:
A healthcare systems administrator implements a system configuration change that results in critical system downtime

Configuration:
Include Filters should be added to the rule block for critical hosts that are in scope for the analytic

HC: Data Copy To Removable Device

1576

Observes for data transfer to a removable device (e.g., USB drive)

Audit : Access Success

1

No

None

Medium-Medium

Use case:
A malicious employee accesses a patient records database and downloads PHI details to a USB drive with the intent of selling the details on the Dark Web

Configuration:
Data Loss Defender (DLD) feature should be enabled for the endpoints in scope with this analytic (see https://docs.logrhythm.com/lrsiem/7.14.0/data-loss-defender-dld)

HC: Default Or Weak Password

1577

Observes for a default or weak password

Security : Vulnerability

60

No

None

Medium-Medium

Use case:

An adversary uses the hard-coded or default password of a medical device to force unscheduled downtime of the device

HC: Device Modified

1578

Observes for device modifications

Audit : Access Success

1

No

None

Medium-Medium

Use case:

A hospital systems administrator creates a new medical device network profile or moves a medical device to a new network group

HC: Device Sent Plaintext Credentials

Observes for device transmission of a plaintext password

Security : Vulnerability

60

No

None

Medium-Medium

Use case:

An adversary conducting a man-in-the-middle attack on a hospital network obtains the password for a medical device

HC: Device Software Vulnerability

1580

Observes for device software vulnerabilities

Security : Vulnerability

60

No

None

Medium-Medium

Use case:

A healthcare systems administrator has a requirement to identify medical devices affected by industry-specific recalls or security alerts

HC: Door Access Granted

1581

Observes for successful door authentications

Audit : Access Success

30

No

None

Low-Low

Use case:

An individual successfully accesses a restricted room, office, elevator, etc. of a hospital via badge or biometric device

HC: Expired Certificate

1582

Observes for an expired TLS certificate

Operations : Warning

60

No

None

Medium-Medium

Use case:

A certificate for a critical cloud-based service that provides ongoing instructions to a ventilator system expires while fetching patient data to determine next course of action treatment

HC: File Deletion Activity

1583

Observes for file deletions

Security : Suspicious

1

No

None

Medium-Medium

Use case:
An adversary with compromised credentials accesses and deletes files within a biomedical research database

Configuration:
File Integrity Monitoring enablement required

HC: Firmware Change

1584

Observes for device firmware changes

Operations : Information

60

No

None

Medium-Medium

Use case:

An adversary with knowledge of a patient monitor hard-coded credentials vulnerability installs unauthorized firmware for malicious purposes

HC: Malicious IP

1585

Observes for device communication with a destination IP flagged as potentially malicious

Security : Other Security

1

No

None

Medium-Medium

Use case:

A healthcare systems administrator requires insight into medical devices that are communicating with potentially malicious IP addresses

HC: Multiple Account Lockouts

1586

Observes for an account locked out multiple times (>=3) per hour

Audit : Access Revoked

60

No

Low

Medium-Medium

Use case:
An adversary conducts a brute force password attack attempting to access a system containing confidential patient clinical notes

Configuration:
The volume and rate of events required to trigger this rule should be adjusted to meet organizational requirements

HC: Multiple Door Access Failures

1587

Observes for multiple failed door authentications

Audit : Access Failure

60

No

None

Medium-Medium

Use case:

An individual has failed multiple times at accessing a restricted room, office, elevator, etc. of a hospital via badge or biometric device

HC: New Hardware Detected

Observes for connection of a new external device (e.g., USB drive, keyboard, mouse) to a system

Operations : Information

60

No

None

Medium-Medium

Use case:

An employee or adversary adds a new hardware device, such as a USB drive, keyboard, or mouse to a system

HC: New Medical Device

1589

Observes for a newly discovered medical device (e.g., infusion pump)

Operations : Information

60

No

None

Medium-Medium

Use case:

A healthcare systems administrator adds a new infusion pump device to a hospital network

HC: Sensor Connected/Disconnected

1590

Observes for sensor connections/disconnections

Operations : Information

1

No

None

Medium-Medium

Use case:

A healthcare organization requires constant real-time visibility into the health status of all network-connected medical devices

HC: SMBv1 Communication

1591

Observes for device communication over SMBv1

Operations : Network Traffic

1

No

None

Medium-Medium

Use case:

An adversary gains access to medical device and attempts to pivot to a network file server by creating an SMB session

HC: Software Install/Update Failure

1592

Observes for failed software installations/updates

Operations : Warning

1

No

None

Medium-Medium

Use case:

A healthcare systems administrator requires visibility into unsuccessful system software installations/updates

HC: Software Installed/Updated

Observes for successful software installations/updates

Audit : Configuration

60

No

None

Medium-Medium

Use case:

A healthcare systems administrator implements a successful medical device or system software installation/update

HC: System Time Changed

1594

Observes for system time changes

Audit : Other Audit Success

60

No

None

Medium-Medium

Use case:

An adversary successfully compromises a system and then modifies the system time (via manual or automated malware actions) to obfuscate the timing of further activities

HC: User Account Created

1595

Observes for creation of a new user account

Audit : Account Created

60

No

Low

Use case:

An adversary has created a local, domain, or cloud account on a hospital network to access specific services or establish secondary or admin/privileged user group accounts

1596

Observes for vulnerability scans

Operations : Information

60

No

None

Medium-Medium

Use case:

A healthcare systems administrator requires visibility into potential vulnerabilities of networked medical devices