Cerner

Healthcare Applications

Cerner - Healthcare IT solutions for EHR management and patient care.

Detection Rules for Cerner
These detection rules cover Cerner's healthcare IT solutions for EHR management and patient care.

Provider: Cerner

App: Cerner

Unauthorized Access to EHR Records
  MITRE Tactic: Credential Access
  MITRE Technique: T1078: Valid Accounts
  Criticality: High
  Investigation Actions (APIs):
    - Verify user identity and access history using EHR Access API.
    - Use IP reputation APIs to check for malicious or unusual IP addresses.
  Incident Creation Criteria: Create incident if repeated unauthorized access to sensitive EHR records is detected.

Suspicious Login Attempts
  MITRE Tactic: Initial Access
  MITRE Technique: T1071: Application Layer Protocol
  Criticality: High
  Investigation Actions (APIs):
    - Perform GeoIP lookup on login attempts from unusual regions.
    - Check login frequency against baselines.
  Incident Creation Criteria: Create incident if login attempts come from unusual regions or multiple failed logins are detected for the same user.

Unusual Access Outside Working Hours
  MITRE Tactic: Persistence
  MITRE Technique: T1078.003: Local Accounts
  Criticality: Medium
  Investigation Actions (APIs):
    - Use User Activity API to review access patterns during odd hours.
    - Investigate specific users for persistent access outside working hours.
  Incident Creation Criteria: Create incident if consistent, unusual access to sensitive patient data outside working hours is detected.

Large Volume Data Exports
  MITRE Tactic: Exfiltration
  MITRE Technique: T1041: Exfiltration Over C2 Channel
  Criticality: Critical
  Investigation Actions (APIs):
    - Investigate export activity with File Export Logs API.
    - Validate that the data export reason aligns with the user's role and purpose.
  Incident Creation Criteria: Create incident if export size exceeds the defined threshold and data export frequency is unusual for the user or department.

Modifications to Critical EHR Records
  MITRE Tactic: Impact
  MITRE Technique: T1485: Data Destruction
  Criticality: High
  Investigation Actions (APIs):
    - Check modification history with EHR Modification API.
    - Use behavioral analytics to identify deviations from typical modification actions.
  Incident Creation Criteria: Create incident if high-sensitivity EHR fields are modified by unauthorized roles or modification patterns deviate from baselines.

Unusual Activity in Privileged Accounts
  MITRE Tactic: Privilege Escalation
  MITRE Technique: T1078.004: Cloud Accounts
  Criticality: High
  Investigation Actions (APIs):
    - Query privileged account actions with Account Activity API.
    - Use anomaly detection for unusual actions in privileged sessions.
  Incident Creation Criteria: Create incident if privileged account actions deviate significantly from baseline or involve critical patient data.

Patient Data Access by Non-Treating Physicians
  MITRE Tactic: Collection
  MITRE Technique: T1056.004: Credential API Hooking
  Criticality: High
  Investigation Actions (APIs):
    - Cross-check physician-patient relationships with EHR Access Logs API.
    - Use role-based access analytics for user role validation.
  Incident Creation Criteria: Create incident if non-treating physicians repeatedly access specific patient records without valid authorization.

Unauthorized Device Access
  MITRE Tactic: Persistence
  MITRE Technique: T1136.003: Create Cloud Account
  Criticality: Medium
  Investigation Actions (APIs):
    - Track access using Device Activity API.
    - Query device profiles for unusual or unauthorized devices.
  Incident Creation Criteria: Create incident if unauthorized device access is repeated or involves a critical EHR system.

High Frequency of Role Changes
  MITRE Tactic: Persistence
  MITRE Technique: T1098: Account Manipulation
  Criticality: Medium
  Investigation Actions (APIs):
    - Monitor role change frequency with Role Modification API.
    - Verify change approvals and authorization levels.
  Incident Creation Criteria: Create incident if role changes for user accounts exceed the normal frequency or lack approval documentation.

Unauthorized API Usage
  MITRE Tactic: Command and Control
  MITRE Technique: T1071.001: Web Protocols
  Criticality: High
  Investigation Actions (APIs):
    - Validate unusual API calls and usage patterns.
    - Check API usage logs for unauthorized or suspicious endpoints.
  Incident Creation Criteria: Create incident if unauthorized API calls access sensitive data or bypass standard authentication protocols.
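The "Large Volume Data Exports" criteria worked through as an added example (not Cerner's or the vendor's own detection code): it evaluates constructed export-log records against an assumed size threshold and a per-user daily-frequency baseline, so that a large export alone does not fire unless the user's export frequency is also unusual.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records from a hypothetical File Export Logs API (not Cerner's schema):
# nurse_a exports once a day, then four times on 2024-03-05 (one of them large);
# analyst_b makes one large export on 2024-03-05 at their normal daily frequency.
EXPORT_LOGS = [
    {"user": "nurse_a", "dept": "ICU", "ts": "2024-03-01T09:10:00", "bytes": 2_000_000},
    {"user": "nurse_a", "dept": "ICU", "ts": "2024-03-02T09:12:00", "bytes": 1_500_000},
    {"user": "nurse_a", "dept": "ICU", "ts": "2024-03-03T08:55:00", "bytes": 2_200_000},
    {"user": "nurse_a", "dept": "ICU", "ts": "2024-03-04T09:05:00", "bytes": 1_800_000},
    {"user": "nurse_a", "dept": "ICU", "ts": "2024-03-05T22:01:00", "bytes": 3_000_000},
    {"user": "nurse_a", "dept": "ICU", "ts": "2024-03-05T22:04:00", "bytes": 120_000_000},
    {"user": "nurse_a", "dept": "ICU", "ts": "2024-03-05T22:09:00", "bytes": 4_000_000},
    {"user": "nurse_a", "dept": "ICU", "ts": "2024-03-05T22:15:00", "bytes": 2_500_000},
    {"user": "analyst_b", "dept": "Billing", "ts": "2024-03-02T10:00:00", "bytes": 60_000_000},
    {"user": "analyst_b", "dept": "Billing", "ts": "2024-03-03T10:00:00", "bytes": 70_000_000},
    {"user": "analyst_b", "dept": "Billing", "ts": "2024-03-04T10:00:00", "bytes": 65_000_000},
    {"user": "analyst_b", "dept": "Billing", "ts": "2024-03-05T10:00:00", "bytes": 80_000_000},
]

SIZE_THRESHOLD_BYTES = 50_000_000  # assumed value for the rule's "defined threshold"

def daily_counts(records):
    """Number of exports per (user, calendar day)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["user"], r["ts"][:10])] += 1
    return counts

def frequency_is_unusual(user, day, counts, k=2.0, min_days=3):
    """True when the user's count on `day` exceeds their mean daily count on other days
    by more than k standard deviations (1/day floor so a flat baseline needs >k extra)."""
    baseline = [c for (u, d), c in counts.items() if u == user and d != day]
    if len(baseline) < min_days:
        return False  # too little history to call anything unusual
    return counts[(user, day)] > mean(baseline) + k * max(pstdev(baseline), 1.0)

def evaluate_export_rule(records, size_threshold=SIZE_THRESHOLD_BYTES):
    """Incident Creation Criteria: export size above the threshold AND an export
    frequency that is unusual for that user on that day."""
    counts = daily_counts(records)
    return [
        {"user": r["user"], "dept": r["dept"], "ts": r["ts"], "bytes": r["bytes"],
         "technique": "T1041", "criticality": "Critical"}
        for r in records
        if r["bytes"] > size_threshold
        and frequency_is_unusual(r["user"], r["ts"][:10], counts)
    ]
```

Running it yields a single incident for nurse_a's 120 MB export; analyst_b's 80 MB export stays below the frequency bar and is left for the analyst to validate against role and purpose.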

APIs and Their Scopes

App: Cerner

Unauthorized Access to EHR Records
  Required API: EHR Access API
  Scope Required: read:ehr_access_logs
  Usage: Retrieves logs to monitor access patterns and identify unauthorized access to patient records.

Suspicious Login Attempts
  Required API: Login Events API
  Scope Required: read:login_events
  Usage: Captures login attempt details, including geo-location and timestamps, to identify suspicious login behavior.

Unusual Access Outside Working Hours
  Required API: User Activity API
  Scope Required: read:user_activity
  Usage: Provides user access patterns, enabling the identification of access events outside normal working hours.

Large Volume Data Exports
  Required API: File Export Logs API
  Scope Required: read:export_logs
  Usage: Tracks data export events to monitor for large volumes or unusual frequency in data transfers.

Modifications to Critical EHR Records
  Required API: EHR Modification API
  Scope Required: read:modification_logs
  Usage: Accesses modification history of EHR records to monitor for unauthorized or critical changes.

Unusual Activity in Privileged Accounts
  Required API: Account Activity API
  Scope Required: read:privileged_activity
  Usage: Monitors privileged accounts, highlighting unusual actions or deviations from typical account usage.

Patient Data Access by Non-Treating Physicians
  Required API: EHR Access Logs API
  Scope Required: read:patient_access_logs
  Usage: Verifies physician-patient relationships and validates that only treating physicians access patient records.

Unauthorized Device Access
  Required API: Device Activity API
  Scope Required: read:device_activity
  Usage: Tracks device access events, enabling detection of access from unauthorized or unusual devices.

High Frequency of Role Changes
  Required API: Role Modification API
  Scope Required: read:role_modifications
  Usage: Captures details of role modifications to identify frequency and patterns in role changes across the platform.

Unauthorized API Usage
  Required API: API Usage Logs API
  Scope Required: read:api_usage
  Usage: Analyzes API call patterns, ensuring calls align with expected usage and do not access unauthorized endpoints or data.

Reports and Widgets for CISO

Access & Authentication Report
  Widgets:
    - Login Events by Geo-location
    - Failed Login Attempt Counts
    - Unusual Device Access
  Description: Summarizes user login events, failed attempts, and unauthorized access attempts.

EHR Access Audit
  Widgets:
    - Top Users Accessing EHR Records
    - Access by User Role
    - Access Outside Working Hours
  Description: Tracks user access to EHR records to ensure only authorized users access sensitive data.

Data Export and Transfer Report
  Widgets:
    - High Volume Exports by Department
    - Export Events Timeline
    - Top Exporting Users
  Description: Monitors large or frequent data exports, with a focus on potential data exfiltration.

Modification History Report
  Widgets:
    - Modification Counts by User
    - Modified Record Types
    - Critical Modifications Overview
  Description: Details changes to critical patient records and key platform settings.

Privileged Account Activity
  Widgets:
    - Actions by Privileged Accounts
    - Role Changes Over Time
    - Suspicious Actions Summary
  Description: Tracks activity from privileged accounts for signs of abuse or unauthorized actions.

Patient Record Access Report
  Widgets:
    - Patient Access by Physician
    - Non-Treating Physician Access
    - Unauthorized Record Access
  Description: Ensures compliance by verifying that only treating physicians access patient records.

API Usage Monitoring
  Widgets:
    - API Calls by Endpoint
    - Unauthorized API Usage Instances
    - High Usage API Accounts
  Description: Highlights usage patterns and potential misuse of APIs within the platform.

Device Access Report
  Widgets:
    - Access by Device Type
    - Unauthorized Device Usage
    - Device Access Trends Over Time
  Description: Tracks access to Cerner data from authorized and unauthorized devices.

Role Change Frequency Report
  Widgets:
    - Role Changes by Department
    - High Frequency Changes
    - Recent Critical Role Changes
  Description: Monitors role changes to identify any unusual frequency that could suggest security issues.