By Rhett W. Jackson
One reality in healthcare is that hospitals must continually find efficiencies and do more with less. This is certainly the case at Madison Memorial Hospital, where our 580 employees provide care to five counties in eastern Idaho. As a county-owned, nonprofit hospital, we strive to meet the needs of the region with an excellent maternity center, surgical centers, and more. In an effort to improve security for our patients and protect their sensitive health-related data, we recently adopted several new security innovations that, if implemented more broadly, can improve care models around the country.
Our Information Systems team of just under 20 people manages all aspects of clinical & business systems, data reporting, biomedical, and the IT infrastructure, which includes overseeing all issues related to cybersecurity and compliance. As in many industries, our small IT team must address IT risks in a complex cybersecurity realm. That’s why we found it difficult to accelerate projects that could deliver better care and—at the same time—could improve our cybersecurity maturity and meet compliance obligations.
Leverage Cybersecurity Best Practices with a Security Operations Center
A key factor in our successful cyber hygiene maintenance was the decision to establish a security operations center (SOC) that aggregates telemetry from various systems and allows analysts to review data, find anomalies and indicators of compromise, and identify potential threats. A SOC has also become a linchpin for meeting Health Insurance Portability and Accountability Act (HIPAA) obligations for log monitoring and analysis. Unfortunately, establishing a SOC is anything but easy. It can require costly infrastructure, like security information and event management system (SIEM) software, threat intelligence information feeds, and security analyst headcount to provide 24×7 monitoring—none of which we had in-house.
First, Determine the Right SOC Model
However, there are various ways to gain the capabilities of a SOC, including affordable alternatives. At Madison, we evaluated the options of creating one in-house, using a managed security service provider, or a managed detection and response (MDR) service. The challenges of an on-premises SOC were manifold, starting with the need for a SIEM and the resources to manage it. After very little analysis it became clear our budget and resources weren’t up to the task of tuning a SIEM, sifting through false positives, and updating SIEM rules regularly. We couldn’t risk acquiring a bunch of expensive products that might become shelfware if not implemented and resourced properly.
After further discovery an in-house SOC just didn’t seem viable. A managed security service provider (MSSP) approach is another possibility, however such vendors tend to be security generalists that are good at tasks like updating firewall rules, but may not have deep expertise in monitoring and responding to threats. For us, an MSSP could have provided some of what we need, but we recognized this option brought a high probability our team would still spend considerable internal resources engaged in triaging security alerts.
We searched further for alternatives and discovered SOC-as-a-service offerings that combine the capabilities of a SIEM with intrusion detection, vulnerability scanning, and incident response. This was the best of both worlds. Today, MDR capabilities provide a force multiplier for our IT team.
How MDR Augments Your IT Team
Our MDR partner, Arctic Wolf, does not eliminate the need to have skilled IT security staff on hand, but lets us maximize the capabilities of our IT team. Given our geographical location, cybersecurity skills are particularly hard to locate, making it a struggle to hire, train, and retain the three to five analysts we projected needing to provide continuous 24×7 cybersecurity monitoring. Gartner research from June 2018 titled “Selecting the Right SOC Model for Your Organization” suggests it would take 8-12 analysts to provide 24×7 coverage, so we recognized we would be running a skeleton crew, with possibly less than desirable results. By using SOC-as-a-service, our MDR partner maintains the staff that hunts for threats in our environment, and alerts us when something significant occurs. This has amped up our cybersecurity and IT game.
Here’s another big plus. The hospital had limited visibility into in our environment before using the MDR service. We now have a comprehensive view of our infrastructure, a better understanding of our security posture, and dashboards and reports that provide a clear picture of what takes place. Arctic Wolf’s MDR service flags vulnerabilities and areas to improve along with the steps needed to achieve that improvement. The extensive reporting includes custom reports for business or compliance needs, which can be shared with other executives to show the strides we’ve made in terms of Madison’s overall security posture and how we continuously work to improve it.
Equally beneficial, the MDR service has reduced the number of false positives that we receive. When we find a false positive, it is typically something that provides assurance that someone is monitoring our environment. It is reassuring for us to know that the alert is from a legitimate user error rather than someone outside trying to compromise credentials. In the past, we simply wouldn’t have known about it. It provides confidence so when an attack does occur, someone will be there to detect it and help lead a response.
MDR Services Free IT to Direct Its Focus on Healthcare Projects
An optimal SOC-as-a-service meets today’s needs and scales as your healthcare organization evolves. It must accommodate your existing on-premises environment as well as monitor your cloud environment. While I encourage you to explore any and all offerings, scrutinize your traditional MSSP security vendors carefully as they may not be the best bet to monitor new cloud applications requiring a depth of threat expertise.
As an IT leader, one of my challenges is figuring out where to invest to provide optimal care. This means projects to integrate new healthcare technologies, better leverage our EHR system, as well as manage cybersecurity risk and meet compliance obligations. MDR allows me to improve security and compliance while also being able to strategically redeploy headcount away from security to accelerate projects that improve care. Adopting some of these best practices has definitely helped Madison Memorial Hospital provide better care in addition to ramping up our security and compliance.
Rhett Jackson is a business and technology visionary with over 18 years of experience leading and directing teams in leveraging technology, to implement change and improve efficiencies while reducing costs and eliminating waste. He serves on various committees and councils, including the Board of Directors for the Idaho HIMSS Chapter.
Rhett received his Bachelor of Science in Business Administration and Information Systems Management from Adams State University, is proficient in Spanish, and is a graduate of the Leadership Program of the Rockies.
He is currently the Executive Director of Facilities & Information Systems for Madison Memorial Hospital in Rexburg, Idaho. As a dedicated athlete and scholar, he became a multi-event state champion in track and field, was a member of National Honors Society and achieved the rank of Eagle Scout. Rhett is a father of 10 children and actively serves in his community and church.