Launching a cybersecurity war room
Cyberattacks on the healthcare industry are on the rise. In response, some larger systems, including Intermountain Healthcare in Salt Lake City, are setting up around-the-clock security operations centers, or SOCs, to better deploy cybersecurity personnel, technology and processes in fending off the bad guys.
A SOC is a team, primarily composed of security analysts, organized to detect, analyze, respond to, report on and prevent cybersecurity incidents, according to Carson Zimmerman, principal cybersecurity engineer for the MITRE Corp., and author of a guidebook for setting up a SOC. Security operations centers have been fixtures in military and national security organizations for decades.
“At Intermountain, we had monitoring, we had detection, we just didn’t have people looking at it 24/7,” said Karl West, the system’s chief information security officer. “We’d go home and pagers would go off.” Intermountain began planning for its SOC in 2012, following a recommendation that was part of the system’s annual security risk assessment, he said.
West said he initially opposed the idea. But in April 2012, Utah’s Medicaid and Children’s Health Insurance Program discovered its database had been breached by hackers believed to be operating out of Eastern Europe. Analysts discovered a total of 780,000 patient records in the state had been downloaded.
That prompted West to change his mind. “As we saw the threat increasing, and more and more risk to healthcare records, I went to our management committee,” he said. He asked for a SOC. “I explained to them that I didn’t know of any healthcare organizations that were doing it, but I anticipated others would. They were very supportive.”
By 2013, West said he had heard that a few other healthcare organizations were considering SOCs. This summer, in an informal poll of about three dozen of his peers, he learned that close to 60% of them were planning to set up a SOC.
Five hospitals in the University of California Health system are exploring whether to work together and share the costs and labor for establishing a joint security center, said Michael Minear, chief information officer for the UC Davis Health System in Sacramento.
Matt Eversole, chief operating officer at Cincinnati-based Mercy Health, said he hopes to have a SOC up and running in December.
Starting a SOC from scratch and running it in-house is not for everyone, Zimmerman said. “If you’re less than 1,000 computers, it’s unlikely you’re going to be big enough to have the kind of resources to sustain the capabilities in this area,” he said.
Still, even small hospitals have cybersecurity needs, said David Ross, general manager of commercial cyber services for General Dynamics, which operates 15 SOCs and provides outsourced SOC elements that can be shared by smaller customers.
“There’s lots of great commercial technology out there from different vendors,” Ross said. “Then you have to have the right people, and you need the right processes and procedures to make it actionable. It’s really hard for a small guy to do that in a cost-effective way.” For smaller health systems, “it might be wiser and a lot easier to get something up and running with a managed software service,” he said.
Intermountain did a soft launch of its SOC in September 2014. Hewlett-Packard provided the center’s ArcSight technology “backbone,” while technical-services firm MetaNet IVS aided in system design. The SOC began 24-hour coverage earlier this year.
“What it meant was developing processes and procedures—we call them playbooks—that tell our analysts how to respond,” West said.
“The people are really the key to the whole process,” he continued. “They’re very hard to find and very hard to retain. We’ve had people come into our SOC for 10 months and leave us for 30% to 50% pay increases.” Intermountain is working with the University of Utah on cybersecurity workforce development.
Having the SOC, with its detailed, timely reporting capabilities, provides the Intermountain system with a daily cybersecurity scorecard to keep West and his fellow security defenders apprised of ever-changing cyberthreats. West declined to discuss the SOC’s costs and staffing levels. But he said he’s confident Intermountain is getting a return on its investment.
Daily knowledge of cybersecurity threats enables Intermountain to spend more wisely on its defenses and better direct staff resources, he said. Health systems without SOCs may not have access to that data.
“I sat with a group of (chief information security officers) and talked about what threats we have seen,” West said. Questions arose about who had experienced a phishing attack, what countries are conducting the most malicious attacks, and how many times they are attacking databases.
West said he knows the answers to those questions. But it was clear to him from other security leaders’ responses that many of them did not. “I know they’re not monitoring,” he said.
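The questions West lists, who has seen phishing, which countries most attacks come from, how often databases are being hit, are exactly what a daily SOC scorecard is built to answer, and the playbooks he mentions are keyed to the same alert categories. The script below is an added illustration, not Intermountain's, ArcSight's, MetaNet's or any vendor's code: it takes a constructed one-alert-per-line JSON export (the field names, sample values and the PLAYBOOKS mapping are assumptions made for this example), filters it to one day, and produces those counts plus a tally of which playbook each alert would route to. A deliberately malformed line shows the one data-quality edge case a scorecard should surface rather than silently drop.

```python
"""Daily SOC scorecard from a constructed alert export (added example; format and
field names are assumptions, not a real SIEM's schema)."""
import json
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Constructed sample export, one JSON alert per line. The final line is
# intentionally not JSON so the scorecard can report unparseable input.
SAMPLE_EXPORT = """\
{"ts": "2015-09-14T02:11:05Z", "category": "phishing",  "severity": "medium", "src_country": "RO", "target": "mail-gateway", "status": "closed"}
{"ts": "2015-09-14T03:40:22Z", "category": "db_attack", "severity": "high",   "src_country": "UA", "target": "ehr-db-01",    "status": "open"}
{"ts": "2015-09-14T05:02:41Z", "category": "db_attack", "severity": "high",   "src_country": "UA", "target": "ehr-db-01",    "status": "open"}
{"ts": "2015-09-14T09:15:00Z", "category": "malware",   "severity": "low",    "src_country": "US", "target": "ws-2231",      "status": "closed"}
{"ts": "2015-09-14T11:48:13Z", "category": "phishing",  "severity": "high",   "src_country": "RO", "target": "mail-gateway", "status": "open"}
{"ts": "2015-09-14T16:20:37Z", "category": "db_attack", "severity": "medium", "src_country": "CN", "target": "billing-db",   "status": "closed"}
{"ts": "2015-09-15T00:05:00Z", "category": "phishing",  "severity": "low",    "src_country": "BR", "target": "mail-gateway", "status": "open"}
this line is not valid json and must be counted, not ignored
"""

# Hypothetical category-to-playbook mapping; a real SOC maintains its own.
PLAYBOOKS = {
    "phishing": "PB-01 Phishing triage",
    "db_attack": "PB-07 Database attack response",
    "malware": "PB-03 Endpoint malware containment",
}
FALLBACK_PLAYBOOK = "PB-00 Unclassified alert review"


@dataclass
class Scorecard:
    day: date
    phishing: int = 0
    db_attacks: int = 0
    high_open: int = 0                      # high-severity alerts still open
    top_countries: list = field(default_factory=list)
    playbooks_needed: dict = field(default_factory=dict)
    unparsed_lines: int = 0


def parse_export(text):
    """Yield one alert dict per non-empty line, or None for a line that cannot be parsed."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alert = json.loads(line)
            date.fromisoformat(alert["ts"][:10])   # validate the timestamp up front
            yield alert
        except (ValueError, KeyError, TypeError):
            yield None


def build_scorecard(text, day, top_n=3):
    """Aggregate the alerts for one day (a date or an ISO 'YYYY-MM-DD' string)."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    card = Scorecard(day=day)
    countries = Counter()
    for alert in parse_export(text):
        if alert is None:
            card.unparsed_lines += 1
            continue
        if date.fromisoformat(alert["ts"][:10]) != day:
            continue
        category = alert.get("category", "unknown")
        if category == "phishing":
            card.phishing += 1
        elif category == "db_attack":
            card.db_attacks += 1
        if alert.get("severity") == "high" and alert.get("status") == "open":
            card.high_open += 1
        countries[alert.get("src_country", "??")] += 1
        playbook = PLAYBOOKS.get(category, FALLBACK_PLAYBOOK)
        card.playbooks_needed[playbook] = card.playbooks_needed.get(playbook, 0) + 1
    # Deterministic ordering: by count descending, then country code.
    card.top_countries = sorted(countries.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    return card


def render(card):
    """Plain-text summary an analyst could paste into a morning briefing."""
    lines = [f"SOC scorecard for {card.day.isoformat()}",
             f"  phishing alerts:          {card.phishing}",
             f"  database attack alerts:   {card.db_attacks}",
             f"  high-severity still open: {card.high_open}",
             "  top source countries:     " + ", ".join(f"{c}={n}" for c, n in card.top_countries)]
    for playbook, n in sorted(card.playbooks_needed.items()):
        lines.append(f"  {playbook}: {n}")
    if card.unparsed_lines:
        lines.append(f"  WARNING: {card.unparsed_lines} export line(s) could not be parsed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_scorecard(SAMPLE_EXPORT, "2015-09-14")))
```

The unparsed-line count matters more than it looks: a scorecard that quietly skips bad records will under-report exactly when the collection pipeline is degraded, which is the moment the 24/7 team most needs to notice.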