Healthcare Organizations Need to Be Proactive and Hunt for Security Threats

Many organizations are now opting to outsource cybersecurity to managed security services providers (MSSPs) due to a lack of internal resources and expertise. However, many MSSPs are unable to offer the advanced threat detection services necessary to significantly improve cybersecurity posture.

Raytheon Foreground Security recently commissioned a Ponemon Institute study to investigate how MSSPs were being used by organizations.  Raytheon surveyed 1,784 information security leaders from a range of organizations – including healthcare providers – in North America, the Middle East, Europe, and the Asia-Pacific region. Respondents were asked about the role of MSSPs, how important their services are, and how MSSPs fit in to business strategies.

80% of organizations that have enlisted the services of MSSPs say that they are an important element of their IT overall security strategy and provide a range of services that cannot be managed in house. Many organizations do not have sufficient IT personnel to make their cybersecurity strategies more effective, and when staff are available they lack the relevant expertise. Recruiting highly skilled IT staff with the relevant security expertise is a difficult task, made harder by a lack of funding.  Even when highly skilled staff are employed, demand is such that they are hard to retain. In order to ensure cybersecurity posture is improved, outsourcing may be the only option.

While there is not a shortage of MSSPs to choose from, many providers are only able to offer a limited range of services. MSSPs may be important to security strategies, but all too often they are not providing an advanced range of cybersecurity services.

84% of respondents that use MSSPs said they are not offered proactive threat hunting services. Most of the services in MSSPs core offerings are reactive rather than proactive. With a lack of in house talent and the difficulty finding third party companies capable of providing proactive threat hunting services, many organizations are unable to significantly improve their security posture. The study also revealed that only a handful of MSSPs provide incident response and advanced analytics services.

As Mark Orlando, director of cyber operations with Raytheon Foreground Security points out, “[This] leaves organizations to rely on security tools and MSS partners that offer inadequate protection.”

Advanced threat detection services are important for most organizations, but especially for those operating in the healthcare industry. Data thieves, ransomware gangs, and state sponsored hacking groups are targeting healthcare organizations in the United States with increasing frequency. The attacks are also becoming much more sophisticated and the attack surface has also increased significantly. Unless healthcare organizations actively search for threats and vulnerabilities and take action to address risks, data breaches are likely to occur.

Dave Amsler, president and founder of Raytheon Foreground Security, says that the days of defend, detect, and respond are gone and organizations must now go on the hunt for threats. “Now it’s detect, isolate and eradicate. You have to proactively hunt for the skilled attacker in your network.”

Taking a more proactive stance will enable vulnerabilities to be found much faster limiting the opportunity for criminals to take advantage. Additionally, when compromises do occur they can be identified in days instead of weeks or months. As the 2016 Ponemon Institute Cost of a Data Breach study showed, the cost of breach resolution is considerably lower when breaches are detected promptly.

Finding suitably skilled IT staff or MSSPs that offer proactive threat hunting services may be difficult, but healthcare organizations do need to make the switch to proactive threat hunting rather than simply reacting to data breaches when they occur.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.