Ever wondered why we need Security Operation Centers?
Imagine a scenario where someone needs immediate medical attention, and they get to the hospital. They try to check in, but all the computers are locked with a message telling them to make a Bitcoin payment. The nurses try to hook them up to a machine to get their vitals, but that machine is also locked. They try to take the patient back for internal imaging, but all the imaging machines are locked as well.
This, unfortunately, is a very real cyber threat that healthcare organizations face every single day, and most of them are not prepared for it. According to a recent report by HIMSS, significant security incidents are a near-universal experience in US healthcare organizations. Most incidents are initiated by bad actors leveraging e-mail as a means to compromise the integrity of their targets. Yes, the devices might be on a protected network, but the endpoint devices themselves aren’t protected as well as they could be. Combining an unprotected medical device with staff that hasn’t had any cyber training creates a huge insider threat, whether the staff acts unwittingly or maliciously.
Rise of cyberattacks on the Healthcare Industry
2 Ways a Security Operation Center can help protect a Healthcare Organization
1. Greater network visibility
- Since a SOC monitors everything that’s going on with the network, most likely via a SIEM, a SOC analyst can investigate whether an anomaly is malicious or not. If it is malicious, they will be able to respond to it accordingly.
- Another aspect of greater network visibility is seeing exactly what devices are on the network and what their status is. If a device has out-of-date virus definitions or unauthorized software installed, that device can be quarantined until the issue is resolved.
2. Faster incident response
- If a healthcare organization just has anti-virus software installed on every device, an attacker can gain access to the network outside of business hours. This can happen in a multitude of ways, including social engineering and/or an APT. But if a SOC analyst is watching the network 24/7/365, they can react immediately to any kind of threat.
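As an added illustration (not part of the original article), here are the two checks described above, stale definitions or unauthorized software on an endpoint and access outside business hours, written as simple detection logic of the kind a SOC would run over SIEM data. The inventory, authentication events, approved-software list and business hours are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for a SIEM's asset inventory and
# authentication log (not real hospital data).
INVENTORY = [
    {"host": "imaging-01", "av_defs_updated": "2024-03-01", "software": ["dicom-viewer"]},
    {"host": "triage-02", "av_defs_updated": "2024-03-09", "software": ["ehr-client", "torrent-client"]},
    {"host": "nurse-03", "av_defs_updated": "2024-03-10", "software": ["ehr-client"]},
]
AUTH_EVENTS = [
    {"ts": "2024-03-10T09:15:00", "user": "rn.jones", "host": "nurse-03", "result": "success"},
    {"ts": "2024-03-10T02:40:00", "user": "svc-backup", "host": "imaging-01", "result": "success"},
    {"ts": "2024-03-10T03:05:00", "user": "admin", "host": "triage-02", "result": "failure"},
]
APPROVED_SOFTWARE = {"dicom-viewer", "ehr-client"}  # assumed allow-list
BUSINESS_HOURS = (7, 19)  # assumed: 07:00 to 19:00 local time


def quarantine_candidates(inventory, now_iso, max_def_age_days=7):
    """Return {host: [reasons]} for devices that should be isolated until
    fixed: stale antivirus definitions or software not on the allow-list."""
    now = datetime.fromisoformat(now_iso)
    flagged = {}
    for dev in inventory:
        reasons = []
        updated = datetime.fromisoformat(dev["av_defs_updated"])
        if now - updated > timedelta(days=max_def_age_days):
            reasons.append("stale AV definitions")
        unapproved = sorted(set(dev["software"]) - APPROVED_SOFTWARE)
        if unapproved:
            reasons.append("unauthorized software: " + ", ".join(unapproved))
        if reasons:
            flagged[dev["host"]] = reasons
    return flagged


def off_hours_logons(events, business_hours=BUSINESS_HOURS):
    """Return authentication events outside business hours. Both successes
    and failures are kept: an unattended network is exactly when an analyst
    needs to look at them."""
    start, end = business_hours
    return [ev for ev in events
            if not (start <= datetime.fromisoformat(ev["ts"]).hour < end)]


if __name__ == "__main__":
    for host, reasons in quarantine_candidates(INVENTORY, "2024-03-10T12:00:00").items():
        print(f"QUARANTINE {host}: {'; '.join(reasons)}")
    for ev in off_hours_logons(AUTH_EVENTS):
        print(f"REVIEW off-hours logon {ev['user']}@{ev['host']} at {ev['ts']} ({ev['result']})")
```

Run as-is it flags imaging-01 for stale definitions, triage-02 for the unapproved torrent client, and the two early-morning logons for review.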
How to set up Security Operation Centers
A Security Operation Center (SOC) is a specific group that handles security operations, including detection, mitigation, and incident response. Incorporating a SOC into a health organization would immensely increase their defenses against crippling cyber-attacks. Since healthcare organizations deal with PHI and ePHI, they need to start with building a sound incident response plan.
Cyber-attacks on healthcare organizations are a matter of when, not if, so proper and swift actions need to be taken to help minimize the effect of an attack. But there are a few things that should happen before creating a SOC. Since a SOC is customizable to the point where you can have someone monitoring your network from the other side of the world, you need to figure out what is best for your organization and its business needs, along with the resources that are available to go towards a SOC.
- Implementing a risk-based security framework, like NIST’s CSF, would help shed light on exactly what is on the network and how to protect it properly. To protect something and decide how much protection it needs, you need to know the value of all of your assets and the information they hold. A framework also prioritizes risks from low to high, showing what should get more attention and/or protection.
- Having a thorough and robust governance policy would help as well. A governing policy would not only help enforce compliance but also generally improve the security posture of the healthcare organization; it would, however, require executive buy-in from key stakeholders. For example, a policy could mandate that all staff take cyber hygiene training yearly.
- Although not directly related to setting up a SOC, segmenting the network virtually would make incident response easier. If an attack is happening on the network, the SOC would be able to pinpoint exactly where it is happening. They can then virtually quarantine that segment of the network to help prevent propagation across the entire network.
Become a SOC Analyst
Being a SOC analyst can be an intense job, but it is undoubtedly a very rewarding career. Imagine being in a SOC at a healthcare organization, and you start to see indicators that an attack is happening on the network. You follow the proper procedure and eventually thwart the attack. After an analysis, you find that the attack you thwarted would have caused enough damage to cripple the entire hospital. Some might call that being a modern-day hero; others might call it just doing their job. Either way, getting the CSA Certification is the first step to take.