Data Exfiltration

After a security incident, it is vital to assess whether data has actually been taken from the business. Data loss of this kind, where data is carried outside the network, is known as exfiltration.

Sensitive files might include the database of the patient management system, the databases of imaging systems, and Word or PDF documents that identify patients.

Ransomware attacks are usually crude and do not attempt to exfiltrate data. Nevertheless, it is important to have evidence that no exfiltration has occurred.

Exfiltration can occur via many different protocols, for example HTTP, HTTPS, FTP, TFTP, SMTP, POP, SCP or SFTP, or any of these protocols carried inside a tunnel such as SSH.

A Next Generation Firewall (NGFW) gives the opportunity for some granular control over this. A policy might, for example, prevent the server hosting the sensitive data from contacting the internet at all except for Windows Update. The policy can log data traffic volume so you can be sure that a 1Gb file has not been sent from the server. The NGFW can prevent the above protocols going out from the server, and individual files can be fingerprinted or watermarked.
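As an added illustration (not part of the original page, and not any vendor's code), the following script audits a constructed NGFW-style traffic log against the policy just described: the sensitive server may only speak HTTPS to an allowlisted update host, and its total outbound volume must stay below a file-sized threshold. The server address, allowlisted host and log format are assumptions chosen for the example.

```python
# Constructed sample NGFW traffic log: timestamp src dst proto bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 13.107.4.50 HTTPS 2048
2024-05-01T09:05:12 10.0.0.5 13.107.4.50 HTTPS 4096
2024-05-01T09:07:30 10.0.0.5 203.0.113.9 SFTP 734003200
2024-05-01T09:08:00 10.0.0.5 203.0.113.9 SFTP 419430400
2024-05-01T09:10:44 10.0.0.7 198.51.100.2 HTTPS 1024
malformed line
"""

# Hypothetical policy values (placeholders, not taken from the page)
SENSITIVE_SERVER = "10.0.0.5"
ALLOWED_DESTINATIONS = {"13.107.4.50"}  # stands in for Windows Update hosts
ALLOWED_PROTOCOLS = {"https"}           # every other protocol in the list is blocked
VOLUME_THRESHOLD = 1_000_000_000        # ~1 GB, the figure the text uses


def parse_log(text):
    """Parse 'ts src dst proto bytes' records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, src, dst, proto, size = parts
        records.append({"ts": ts, "src": src, "dst": dst,
                        "proto": proto.lower(), "bytes": int(size)})
    return records


def audit_egress(records, server=SENSITIVE_SERVER):
    """Return (total_bytes_out, findings) for the server's outbound traffic."""
    findings, total = [], 0
    for r in records:
        if r["src"] != server:
            continue
        total += r["bytes"]
        if r["dst"] not in ALLOWED_DESTINATIONS or r["proto"] not in ALLOWED_PROTOCOLS:
            findings.append(f"{r['ts']}: {r['proto']} to {r['dst']} "
                            f"({r['bytes']} bytes) violates egress policy")
    # Volume check: even permitted flows should not add up to a file-sized transfer
    if total > VOLUME_THRESHOLD:
        findings.append(f"outbound volume {total} bytes exceeds {VOLUME_THRESHOLD}")
    return total, findings


if __name__ == "__main__":
    total, findings = audit_egress(parse_log(SAMPLE_LOG))
    print(f"total outbound from {SENSITIVE_SERVER}: {total} bytes")
    for finding in findings:
        print("FINDING:", finding)
```

Run against a real export, the total and the finding list are the evidence the text asks for: a quiet log with a total well under the threshold supports the claim that no large file left the server.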

Having these measures in place supports the assertion that no data was lost and can justify not reporting a ransomware infection to the regulatory authorities.

Data Breach

One of the reasons we want to secure our network is to prevent the theft of data. The data we are most anxious about losing is the health or identification information of our patients. There are rules in Australia about when a data breach has occurred and what needs to be done.

Guidance is provided here.

The rules in the USA are stricter. Guidance is here.

Most ransomware attacks are not motivated by theft of data but rather by the extortion of a ransom. Even so, in the event of a security compromise, a framework must be used to determine whether a breach has occurred.