Operational workflows for healthcare cybersecurity are complex. Getting this right (or not) can be the difference between an effective cyber operations program and an ineffective one.
1. Many Healthcare Organizations Lack the Operational Maturity to be Effective
Today, most healthcare organizations have invested in the core operational cybersecurity controls (network monitoring, endpoint protection, and log analysis via a SIEM), but they lack the workflow and operational maturity to use those controls to full effect.
Cyber analysts at these organizations are likely bouncing between a separate console for each security solution, trying to glue together a cohesive picture of how security events are unfolding across the organization. Compounded by the cybersecurity talent shortage and the short tenure of frontline analysts, this lack of a holistic, correlated view of events and the suboptimal workflows that go with it create a real challenge for management. With $7.13 million being the average cost of a healthcare breach in 2020, healthcare organizations must be proactive about their operational workflows.

Luckily, there is a good example of how to overcome these issues. Top MDR (Managed Detection and Response) service providers like CyberMaxx have faced these same challenges and tackled them head-on out of necessity: their core businesses rely on the efficient use of analyst time and on optimizing cybersecurity outcomes for their customers. As a result, these companies invested in building portals for their analysts that provide a centralized view of their customers' cybersecurity data, integrations that automate analysis activities, and optimized workflows for the MDR teams. Until recently, tools like this were not available in the commercial marketplace outside of an MDR service provider relationship.

The new entrants in this software category are typically SOAR platforms. Gartner defines SOAR as "technologies that enable organizations to collect inputs monitored by the security operations team." Specifically, these platforms provide an analyst portal that can ingest data from the various security controls, enrich that data with threat intelligence, automate standard operating procedures (often called playbooks), integrate with other tools to take response actions, and centralize case management for investigations.
As you can see, a lot is going on here. Standing up and operating a platform like this is a significant lift for the small security teams typical of mid-size and large organizations, which is why it is often best to use a modern MDR as an extension of your team.
2. The Cybersecurity Talent Shortage Creates Suboptimal Workflows
While the technology continues to evolve and improve, the hard part of operational cybersecurity is still the people. The talent shortage in this field is a significant limitation for most healthcare organizations. The talent is necessary because the technology cannot yet run itself, yet qualified analysts and managers for functions such as incident response are in short supply and difficult to retain once hired.
These two issues (the complexity of the technology stack and the difficulty of staffing an effective cyber capability) lead most healthcare providers to take a hybrid approach: staff a smaller number of qualified people internally and partner with a service provider for 24/7 monitoring and initial triage of security events. This model creates continuity within the organization and ensures service quality does not dip during the inevitable internal turnover. Modern MDRs work best as an extension of the customer's team. In this arrangement, the MDR handles low-level events around the clock, freeing the customer's internal IT team to apply its organizational knowledge to the higher-level incidents. The result is that healthcare companies can focus on patient outcomes rather than investing a disproportionate amount of money in building out an operational cybersecurity capability.
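To make the SOAR-style workflow described in section 1 and the tiered MDR-to-internal-team hand-off above concrete, here is an added illustration written for this page; it is not code from CyberMaxx, from any SOAR vendor, or from the original article. It assumes a hypothetical environment with three consoles (EDR, network sensor, SIEM), each emitting alerts in its own field names, and a hypothetical threat-intel lookup. The alert records, hostnames, indicator addresses (RFC 5737 documentation ranges), scoring weights, and the escalation threshold are all constructed for the example. The playbook normalizes the alerts into one schema, correlates them per host so that one incident seen by three tools becomes one case instead of three tickets, enriches each case against the intel list, scores it, and routes it either to the 24/7 MDR triage tier or to the customer's internal team.

```python
"""Minimal SOAR-style triage playbook (illustrative, not vendor code):
normalize alerts from several consoles, correlate per host, enrich with
threat intel, and route each case to the MDR tier or the internal team."""
from dataclasses import dataclass, field

# Constructed threat-intel feed for the example (hypothetical indicators).
THREAT_INTEL = {"198.51.100.23": "known C2 node", "203.0.113.9": "mass scanner"}


@dataclass
class Alert:
    source: str       # which console raised it: edr | network | siem
    host: str         # asset the alert concerns
    severity: int     # normalized 1 (low) .. 5 (critical)
    indicator: str    # remote IP seen in the event, or "" if none
    description: str


def normalize(raw: dict) -> Alert:
    """Map each console's native field names onto the shared schema.
    The field names per tool are assumptions for the example."""
    tool = raw["tool"]
    if tool == "edr":
        return Alert("edr", raw["hostname"], raw["sev"], raw.get("remote_ip", ""), raw["rule"])
    if tool == "network":
        return Alert("network", raw["src_host"], raw["priority"], raw["dst_ip"], raw["signature"])
    if tool == "siem":
        return Alert("siem", raw["host"], raw["risk"], raw.get("ip", ""), raw["name"])
    raise ValueError(f"unknown tool {tool!r}")


@dataclass
class Case:
    host: str
    alerts: list = field(default_factory=list)
    intel_hits: dict = field(default_factory=dict)   # indicator -> intel label

    def score(self) -> int:
        """Highest severity, plus 2 per additional console that independently
        saw the host, plus 3 per distinct intel-matched indicator.  Weights are
        arbitrary for the example; the point is that corroboration across tools
        and intel enrichment raise a case above any single alert's severity."""
        base = max(a.severity for a in self.alerts)
        distinct_sources = len({a.source for a in self.alerts})
        return base + 2 * (distinct_sources - 1) + 3 * len(self.intel_hits)


def build_cases(raw_alerts: list) -> dict:
    """Correlate normalized alerts into one case per host and enrich each one."""
    cases: dict = {}
    for raw in raw_alerts:
        alert = normalize(raw)
        case = cases.setdefault(alert.host, Case(alert.host))
        case.alerts.append(alert)
        if alert.indicator in THREAT_INTEL:
            case.intel_hits[alert.indicator] = THREAT_INTEL[alert.indicator]
    return cases


def route(case: Case, escalate_at: int = 8) -> str:
    """Playbook decision: the MDR tier triages low-level events 24/7; cases at
    or above the (assumed) threshold are escalated to the internal team."""
    return "escalate-internal" if case.score() >= escalate_at else "mdr-triage"


# Constructed sample alerts in each tool's native shape (not real telemetry).
SAMPLE_ALERTS = [
    {"tool": "edr", "hostname": "ws-radiology-07", "sev": 3,
     "remote_ip": "198.51.100.23", "rule": "Suspicious PowerShell"},
    {"tool": "network", "src_host": "ws-radiology-07", "priority": 2,
     "dst_ip": "198.51.100.23", "signature": "Periodic beaconing"},
    {"tool": "siem", "host": "ws-radiology-07", "risk": 2, "name": "New local admin"},
    {"tool": "edr", "hostname": "ws-billing-12", "sev": 2, "rule": "Unsigned binary"},
    {"tool": "network", "src_host": "srv-pacs-01", "priority": 1,
     "dst_ip": "192.0.2.5", "signature": "Port scan"},
]


def run_playbook(raw_alerts=SAMPLE_ALERTS) -> dict:
    """Return {host: (score, decision)} for every correlated case."""
    return {h: (c.score(), route(c)) for h, c in build_cases(raw_alerts).items()}


if __name__ == "__main__":
    for host, (score, decision) in run_playbook().items():
        print(f"{host:18} score={score:2}  -> {decision}")
```

With the constructed input, the radiology workstation is seen by all three consoles and its remote address matches the intel list, so it is escalated; the other two hosts each have a single low-severity alert and stay with the MDR triage tier. In a real deployment the normalize() mapping and the THREAT_INTEL lookup would be the integrations the article describes, and the threshold would be set jointly by the MDR and the customer.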