Nebraska Medicine repels ransomware, DDOS, and other cyberthreats with Elastic deployed on Microsoft Azure

Cyberattacks targeting healthcare organizations are on the rise. Ransomware incidents more than doubled between 2016 to 2021 disrupting medical services and exposing patients’ protected health information (PHI). The risk is becoming even greater as more medical devices connect to hospital networks, potentially exposing equipment to hackers and putting patients in jeopardy.

Nebraska Medicine is proactively working to stave off the increasing number of cybercrime threats. The organization, recently featured in the top 50 of Newsweek’s World’s Best Hospitals, consists of two hospitals: The Nebraska Medical Center and Bellevue Medical Center. Nebraska Medicine also partners with the University of Nebraska Medical Center (UNMC), which is the academic and research arm of the enterprise. Responsibility for protecting the organization’s data and IT networks falls to Gary Roth, Senior IT Security Engineer at Nebraska Medicine, and his colleagues in the enterprise security team. In all, they must secure 70,000 endpoints including servers, workstations, laptops, connected medical devices, and printers from hospitals, research departments, and various clinics across the state.

When Roth joined the organization in 2020, it lacked a single view of data from these environments. Instead, the team had to log onto multiple tools and run the same related searches. “These tools worked independently, but it was inefficient and burdened the team,” he says.

Nebraska Medicine set up a proof of concept, which led to the deployment of Elastic Cloud on Microsoft Azure.

“Elastic is the first and only platform that Nebraska Medicine uses for centralized logging, enabling us to ingest logs from across our entire IT infrastructure,” says Roth.

Log ingestion for O365 and Azure was previously using standalone Filebeat modules. More recently, Nebraska Medicine has moved to Elastic Agent with out-of-the-box integrations to collect endpoint and cloud logs.

Elastic Security also has a positive impact on the organization’s Identity Lifecycle Management (ILM) strategy. Today, Nebraska Medicine keeps newer indices in hot storage for two days before moving to cold and then ultimately frozen storage. “Elastic allows us to easily customize our log storage and retention to meet our needs,” says Roth.

Nebraska Medicine is also taking advantage of Elastic Security to build security rules and detect signs of threatening behavior.

Elastic Security reduces the burden on the organization’s security analysts. They can work through alert investigations more quickly now that logs are consolidated in one easy-to-search location.

Nebraska Medicine is also enjoying benefits from workflow automation within Elastic Security. Roth and his team connected centralized security alerting in Elastic to the organization’s ServiceNow ticketing system, which allows them to make further use of ServiceNow’s security incident response playbooks.

Nebraska Medicine makes extensive use of Kibana dashboards to visualize data and respond to alerts. This includes out-of-the-box Windows event dashboards for user logons, user and group management, and PowerShell usage. Server administrators use these interfaces to detect changes to accounts, inappropriate admin account use, and other anomalies.

Several teams have created dashboards tailored to their specific requirements. “The consolidation of disparate wireless SSIDs that we’ve accumulated over the years is a good example,” says Roth. “Our network security engineers configured a dashboard that identifies devices trying to connect to decommissioned networks.”

Roth stresses the extent to which Elastic Security enables his team to support the wider strategic goals of the business.

In the future, Roth expects to use additional Elastic Security tools and build out more dashboards for custom data sources. He plans to create alerts for performance metrics and is looking at the potential deployment of Endpoint Security integration in detect mode alongside current endpoint security agents. These steps help Nebraska Medicine prepare for the future of healthcare where online patient appointments, robotics, remote devices, and AI diagnosis play a growing role.