Healthcare Cybersecurity Is Difficult to Maintain, How a Security Operations Center Can Help

The following is a guest article by Preston Duren, Vice President of Cybersecurity Operations at Fortified Health Security

The need for adequate cybersecurity has never been higher for the nation’s hospitals and health systems.

Many factors are in play, including the continuing risk for cyber incidents and ransomware, more stringent requirements to obtain cyber insurance, an increasingly interoperable patient records environment, and potential federal regulations regarding patient privacy. The heightened need for cybersecurity comes at a time when hospital profit margins are anemic and IT projects take a back seat to patient care initiatives.

However, when the cost of remediating a hospital cyber incident tops $10 million and cyber insurance premiums continue to skyrocket, IT leaders and the C-suite must take healthcare data security seriously.

A security operations center (SOC) can help organizations develop a 24/7 security mindset that protects patient data and healthcare operations. While organizations can build capabilities in-house, the specialized skills and always-on nature of SOCs make a strong case for outsourcing this critical security function.

Hospitals Losing Cybersecurity Battle

The number of healthcare data breaches of over 500 records dipped slightly in 2022. That’s good news, right? Any positive feelings must be tempered by the fact that breach numbers increased 250% over the past decade. Last year, 699 breaches affected 51.4 million patient records, the highest number on record outside the anomalous 2015, when just two breaches comprised more than 90 million records.

Before 2018, hacking accounted for fewer than 50% of all breaches. Today, that figure is nearly 79%, which means that bad actors are specifically targeting the healthcare industry. The need for security extends outside the four walls of the hospital — breaches attributed to business associates (BAs) increased from 15% in 2021 to 18% in 2022.

Understaffing and lack of technical know-how also stymie healthcare’s efforts to maintain an adequate security posture. There are only 68 cybersecurity workers for every 100 job openings, which leaves a deficit of more than 750,000 workers. Healthcare is competing with every other industry for personnel. Smaller and rural hospitals and health systems face additional challenges because of location and perceived lack of upward mobility for security professionals.

Cyber insurance premiums have skyrocketed over the past several years, sometimes doubling at policy renewal time. Although an industry report indicates that costs are stabilizing, premium increases remain common, as do restrictions on policy coverages. For example, Lloyd’s of London recently announced its coverages would no longer include cyber attacks from nation-states such as Russia and China.

Small and rural hospitals are being priced out of cyber insurance coverage, during a time when remediation costs for a breach or hacking incident can exceed $10 million. Healthcare remediation costs are nearly double those of the banking and financial services sector, the second most-affected industry.

Protecting a hospital’s IT assets and patient information has always been a monumental task, but the above factors make a strong case for adopting a security operations center.

Why a Security Operations Center Makes Sense

A security operations center (SOC) provides 24/7 continuous monitoring and analysis of an organization’s security posture, threat landscape, and incident response capabilities. SOCs do much more than monitoring, tackling such disciplines as threat intelligence gathering, vulnerability assessment, incident detection, response, and recovery.

Many hospitals have not established an internal SOC because of such constraints as budget, resources, and expertise. However, given the sensitive nature of healthcare data and the increasing frequency of cyberattacks targeting the healthcare sector, every hospital should consider establishing or partnering with a SOC. Hiring a managed security services provider (MSSP) can help hospitals meet regulatory requirements and demonstrate a commitment to protecting patient data.

The decision to establish a SOC should not be based solely on the size of the organization. Smaller hospitals and health systems benefit from having a SOC because they, too, handle sensitive data. In fact, many cyber criminals may be targeting small and rural hospitals specifically because they represent easier targets with fewer resources to repel potential attacks.

Ultimately, the decision to establish a SOC should be based on a comprehensive risk assessment that considers the organization’s complexity and threat landscape. It is important to consider the potential benefits and costs of establishing a SOC and ensure that the organization has the resources and expertise to manage it effectively.

What Should Be Included in a SOC?

The mission of a SOC is to protect valuable customer/client data, protected health information, and intellectual property, achieved primarily through the prioritization, collection, and processing of security logs. A security operations center should have comprehensive alerting and monitoring systems to ensure that potential security incidents are detected and addressed promptly in real time. Services should include:

  • Security Information and Event Management (SIEM)
  • Managed Detection and Response (MDR)
  • Internet of Medical Things (IoMT)
  • Extended Detection and Response (XDR)
  • Dark Web Monitoring
  • Vulnerability & Threat Management

Log messages are the most useful data type to collect. Log messages summarize an action or activity that took place on a system and contain data related to an associated event. Most hospitals want to collect log messages from various security, network, and application products. Obviously, the more logs you collect the better chance you have of detecting threats, but it may not be reasonable to collect everything in your environment. As a starting point we recommend collecting:

  • Security Logs
    • Firewall, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), Anti-Virus Solutions, Malware Analysis Tools, Web Filter
  • User Logs
    • Authentication, File and Configuration Changes, Remote Access
  • Networking Logs
    • Routers, Switches, Wireless Access Points (WAP)
  • System Logs
    • OS, Security, Processes
  • Cloud/Virtualization Logs
    • Azure, Amazon Web Services, Google Cloud Platform, VMware, Microsoft Hyper-V
  • Application Logs
    • Web Server, Domain Name System (DNS), Email, Internal Applications, Connected Medical Devices

The SOC should give guidance around specific logging configurations to ensure valuable data is being monitored and other data is filtered out. An example of this would be ensuring you are logging Event 4104, PowerShell Script Block Logging. Event 4104 logs the raw script executed from the command line and is critical for monitoring against attacks.

The people who are monitoring the systems are just as important as what is being monitored. A security operations center should have a team of skilled security personnel who are trained and certified to monitor and respond to incidents. The team should include analysts, engineers, and incident responders. A SOC is also responsible for defining and adopting processes that foster continuous improvement. Personnel should constantly evaluate procedures and technologies to stay up to date with the latest security threats and industry best practices.
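As an added example (not from the article, and not Fortified Health Security's own tooling), the following PowerShell enables Script Block Logging through the same policy registry key that the Group Policy setting writes, confirms the value took effect, and reads back recent Event 4104 records so an analyst can verify the script text is actually being captured before it is forwarded to the SIEM. The key path, value names and event property layout are the standard ones; the shape of the summary object at the end is an assumption about what an analyst would want to see.

```powershell
# Added example: enable PowerShell Script Block Logging (Event 4104), verify
# the setting, and pull the newest 4104 events from the operational log.
# Run from an elevated PowerShell session on the host being configured.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

# Create the policy key if Group Policy has not already created it.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# EnableScriptBlockLogging = 1 records the contents of every script block as
# Event 4104. EnableScriptBlockInvocationLogging is deliberately left off: it
# adds start/stop events (4105/4106) that are very noisy for most SIEM budgets.
Set-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Verify the setting took effect before assuming the SIEM will receive anything.
$enabled = (Get-ItemProperty -Path $policyKey).EnableScriptBlockLogging
if ($enabled -ne 1) {
    throw "Script Block Logging is not enabled (value: $enabled)"
}

# Read back the newest 4104 events. In a 4104 record the message properties are
# MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId and Path, so the
# script text an analyst cares about is Properties[2].
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 20 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    [PSCustomObject]@{
        Time       = $e.TimeCreated
        User       = $e.UserId          # SID of the account that ran the script
        Path       = $e.Properties[4].Value
        ScriptText = $e.Properties[2].Value
    }
}
```

Long scripts are split across several 4104 records (MessageNumber of MessageTotal), so a SIEM rule that inspects script content should reassemble them by ScriptBlockId rather than matching a single record.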

Conclusion

Healthcare has topped the list of most breached industries for the past 12 years — a dubious distinction. While hospitals and health systems are taking cybersecurity more seriously, the type of breaches and their severity continue to increase, as evidenced by the large rise in hacking incidents.

An in-house or outsourced security operations center can help level the playing field for hospitals through a total environment approach designed to detect and remediate threats before they cause hospital systems to crash and patient care to be impacted.
