Launching a cybersecurity war room

Modern Healthcare - INNOVATIONS - By Joseph Conn

Cyberattacks on the healthcare industry are on the rise. In response, some larger systems, including Intermountain Healthcare in Salt Lake City, are setting up around-the-clock security operations centers, or SOCs, to better deploy cybersecurity personnel, technology and processes in fending off the bad guys.

A SOC is a team, primarily composed of security analysts, organized to detect, analyze, respond to, report on and prevent cybersecurity incidents, according to Carson Zimmerman, principal cybersecurity engineer for the MITRE Corp., and author of a guidebook for setting up a SOC. Security operations centers have been fixtures in military and national security organizations for decades.

“At Intermountain, we had monitoring, we had detection, we just didn’t have people looking at it 24/7,” said Karl West, the system’s chief information security officer. “We’d go home and pagers would go off.” Intermountain began planning for its SOC in 2012, following a recommendation that was part of the system’s annual security risk assessment, he said.

West said he initially opposed the idea. But in April 2012, Utah’s Medicaid and Children’s Health Insurance Program discovered its database had been breached by hackers believed to be operating out of Eastern Europe. Analysts discovered a total of 780,000 patient records in the state had been downloaded.

That prompted West to change his mind. “As we saw the threat increasing, and more and more risk to healthcare records, I went to our management committee,” he said. He asked for a SOC. “I explained to them that I didn’t know of any healthcare organizations that were doing it, but I anticipated others would. They were very supportive.”

By 2013, West said he had heard that a few other healthcare organizations were considering SOCs. This summer, in an informal poll of about three dozen of his peers, he learned that close to 60% of them were planning to set up a SOC.

Five hospitals in the University of California Health system are exploring whether to work together and share the costs and labor for establishing a joint security center, said Michael Minear, chief information officer for the UC Davis Health System in Sacramento.

Matt Eversole, chief operating officer at Cincinnati-based Mercy Health, said he hopes to have a SOC up and running in December.

Starting a SOC from scratch and running it in-house is not for everyone, Zimmerman said. “If you’re less than 1,000 computers, it’s unlikely you’re going to be big enough to have the kind of resources to sustain the capabilities in this area,” he said.

Still, even small hospitals have cybersecurity needs, said David Ross, general manager of commercial cyber services for General Dynamics, which operates 15 SOCs and provides outsourced SOC elements that can be shared by smaller customers.

“There’s lots of great commercial technology out there from different vendors,” Ross said. “Then you have to have the right people, and you need the right processes and procedures to make it actionable. It’s really hard for a small guy to do that in a cost-effective way.” For smaller health systems, “it might be wiser and a lot easier to get something up and running with a managed software service,” he said.

Intermountain did a soft launch of its SOC in September 2014. Hewlett-Packard provided the center’s ArcSight technology “backbone,” while technical-services firm MetaNet IVS aided in system design. The SOC began 24-hour coverage earlier this year.

“What it meant was developing processes and procedures—we call them playbooks—that tell our analysts how to respond,” West said.

“The people are really the key to the whole process,” he continued. “They’re very hard to find and very hard to retain. We’ve had people come into our SOC for 10 months and leave us for 30% to 50% pay increases.” Intermountain is working with the University of Utah on cybersecurity workforce development.

Having the SOC, with its detailed, timely reporting capabilities, provides the Intermountain system with a daily cybersecurity scorecard to keep West and his fellow security defenders apprised of ever-changing cyberthreats. West declined to discuss the SOC’s costs and staffing levels. But he said he’s confident Intermountain is getting a return on its investment.

Daily knowledge of cybersecurity threats enables Intermountain to spend more wisely on its defenses and better direct staff resources, he said. Health systems without SOCs may not have access to that data.

“I sat with a group of (chief information security officers) and talked about what threats we have seen,” West said. Questions arose about who had experienced a phishing attack, what countries are conducting the most malicious attacks, and how many times they are attacking databases.

West said he knows the answers to those questions. But it was clear to him from other security leaders’ responses that many of them did not. “I know they’re not monitoring,” he said.

