Security Operations Center
by Scott Trevino, Senior Vice President of Cybersecurity at TRIMEDX.
How important, yet still often insufficient, hospital cybersecurity remains was underscored again in early March when three cybersecurity companies took a most unusual step: They offered their services for free.
CrowdStrike, Ping Identity, and Cloudflare announced their voluntary effort amid growing worries over a retaliatory cyberattack against the U.S. as it continues to support Ukraine in its war with Russia, according to The Washington Post. Four months of service was offered free to utility companies and hospitals — “the most vulnerable and currently underprotected sectors.”
Hospitals have been a popular target of cyber actors, an unsettling trend for health system CEOs yearning to identify cost-effective measures to bolster their defenses without compromising patient safety. For example, nine out of 10 top executives at large hospitals would value a managed cybersecurity service such as a security operations center (SOC), TRIMEDX research indicates.
For hospitals, reaping full value from an SOC hinges on one of two factors: either the SOC works in tandem with a cybersecurity provider that has clinical engineering expertise for medical devices, or the SOC has medical device cybersecurity expertise itself. Medical devices present unique cybersecurity challenges.
Meanwhile, SOC operators already broadly acknowledge that a lack of deep technical knowledge exists, according to the 2021 security operations center survey by cybersecurity training collaborative SANS Institute.
An SOC coupled with clinical engineering expertise for medical device cybersecurity can elevate a health system’s defenses amid a climate that by many accounts is only going to get worse.
What is a security operations center?
Staffed 24/7/365 by a team of subject matter experts, an SOC uses sophisticated technology to monitor, detect, and respond in real time to cybersecurity threats. Its scope typically covers conventional connected devices such as computers, smartphones, and tablets. Basic functions include maintaining a comprehensive inventory, monitoring device behavior to detect anomalies, risk management, threat hunting and response, and root cause investigations.
Building a security operations center is costly and time-consuming and requires ongoing attention. As a result, many organizations turn to a managed service provider. Likewise, many health systems turn to a third-party service provider knowledgeable about medical device cybersecurity and clinical engineering to work in unison with the SOC. The medical device service provider is able to profile devices and their behavior and is uniquely able to take action on a device to remediate a risk while the SOC monitors, assesses, analyzes, and responds to incidents.
The SOC monitors and responds at a network architecture level. The medical device service provider works at the device level. And much as an SOC requires highly skilled specialists, so too do medical device cybersecurity service providers. Specifically, they require a combination of clinical engineering expertise for medical devices coupled with cybersecurity expertise specific to medical devices.
Why medical device cybersecurity extends beyond monitoring
Hospital cybersecurity now extends far beyond traditional hardware such as desktops, laptops, and even mobile devices. Medical devices such as imaging machines and infusion pumps are increasingly being connected to the internet while cyber threats continue to rise. And securing a medical device is unlike securing a laptop.
Software patches and any other changes to a medical device require a risk assessment as well as validation of the software from the original equipment manufacturer. But long-term manufacturer support isn’t a given. Other than in the instance of an FDA recall, original equipment manufacturers are not required to issue updates, patches, or other remediations. And as devices age, manufacturers often deem the equipment to have reached “end of life,” and they quit providing support.
In these instances when a problem arises, a clinical engineering team or information technology team with medical device expertise can identify and deploy compensating controls. Compensating controls include measures such as disabling services on the devices, enabling encryption if available, network segmentation, or reviewing and ensuring network routing.
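The two ideas above, an SOC watching device behavior for anomalies and a clinical engineering team choosing compensating controls for devices the manufacturer no longer supports, fit together in a single piece of logic. The following example is added here and is not code from the article or from TRIMEDX: it joins a constructed medical device inventory (with a per-device baseline of allowed network peers and an OEM-support flag) to constructed flow records, flags traffic outside each device's baseline, and attaches the compensating-control options listed in the text when the device is end of life. Device names, addresses, ports and the internal network range are all invented for the example.

```python
"""
Added example (not from the article or TRIMEDX): baseline-based anomaly
detection over device network flows, enriched with inventory context so an
alert tells the SOC which device it is, where it lives, and whether the fix
must be a compensating control rather than a vendor patch.
All devices, addresses and flow records below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed: the hospital's internal clinical network range.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Compensating controls named in the text, applied when no OEM patch exists.
COMPENSATING_CONTROLS = [
    "disable unused services on the device",
    "enable encryption where the device supports it",
    "move the device to a restricted network segment",
    "review and restrict routing/ACLs to the baseline peers only",
]


@dataclass
class Device:
    ip: str
    name: str
    location: str
    oem_supported: bool                      # False: end of life, no vendor patches
    allowed_peers: set = field(default_factory=set)   # {(dest_ip, dest_port)} baseline


# Constructed inventory: what SOC and clinical engineering agreed is normal,
# e.g. an infusion pump talks only to its drug-library server over HTTPS and
# a CT scanner talks only to the PACS on the DICOM ports.
INVENTORY = {
    "10.20.1.15": Device("10.20.1.15", "Infusion pump 3N-07", "Ward 3N",
                         oem_supported=True,
                         allowed_peers={("10.20.0.5", 443)}),
    "10.20.2.30": Device("10.20.2.30", "CT scanner RAD-2", "Radiology",
                         oem_supported=False,
                         allowed_peers={("10.20.0.9", 104), ("10.20.0.9", 11112)}),
}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("10.20.1.15", "10.20.0.5", 443, 1200),          # pump -> drug library, normal
    ("10.20.2.30", "10.20.0.9", 104, 50_000),        # scanner -> PACS, normal
    ("10.20.2.30", "10.20.0.9", 11112, 8_000_000),   # scanner -> PACS, normal
    ("10.20.2.30", "203.0.113.7", 445, 3400),        # scanner -> external host, SMB
    ("10.20.1.15", "10.20.0.5", 22, 900),            # pump using a port outside baseline
    ("10.20.9.99", "10.20.0.5", 443, 100),           # source missing from the inventory
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside the constructed clinical network range."""
    return ipaddress.ip_address(ip) in INTERNAL_NET


def analyze_flows(flows, inventory):
    """Return one alert dict per flow that deviates from the device baseline.

    Severity rules (an assumption for this example):
      - destination outside the internal range, or an end-of-life device -> high
      - otherwise -> medium
      - source not in the inventory -> medium, with an inventory-completion action
    """
    alerts = []
    for src, dst, port, nbytes in flows:
        dev = inventory.get(src)
        if dev is None:
            alerts.append({
                "src": src, "dst": dst, "port": port, "severity": "medium",
                "reason": "unknown source; inventory incomplete",
                "actions": ["add the device to the inventory before triage"],
            })
            continue
        if (dst, port) in dev.allowed_peers:
            continue  # within the agreed baseline, nothing to raise
        external = not is_internal(dst)
        severity = "high" if external or not dev.oem_supported else "medium"
        actions = ["confirm with clinical engineering before changing the device"]
        if dev.oem_supported:
            actions.append("check with the OEM for a validated patch")
        else:
            actions.extend(COMPENSATING_CONTROLS)
        alerts.append({
            "src": src, "dst": dst, "port": port, "bytes": nbytes,
            "device": dev.name, "location": dev.location,
            "oem_supported": dev.oem_supported, "severity": severity,
            "reason": ("traffic to external host" if external
                       else "peer/port outside device baseline"),
            "actions": actions,
        })
    return alerts


if __name__ == "__main__":
    for a in analyze_flows(FLOWS, INVENTORY):
        print(f"[{a['severity']}] {a.get('device', a['src'])} -> {a['dst']}:{a['port']} "
              f"({a['reason']})")
        for action in a["actions"]:
            print("    -", action)
```

Run as a script it prints three alerts: the end-of-life scanner reaching an external host (high, with the compensating-control list attached), the pump using SSH against its own server (medium, with a note to ask the OEM for a validated patch), and an address nobody has inventoried. The last case is the point of the "complete understanding of your medical device inventory" advice later in the article: without the inventory row, the SOC cannot tell a rogue laptop from a new infusion pump.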
As hospitals take steps to strengthen their network defenses, a security operations center provider working with a provider of medical device cybersecurity services can form a formidable one-two punch. An SOC empowers a health system to be proactive rather than reactive, reduces false positives, increases early detection, and shortens the time from detection to remediation. A medical device service provider bolsters those efforts because its expertise lies outside the scope of what a traditional SOC can provide, and it can “touch” the device to implement the fix.
How to get started with a security operations center
Before moving forward with an SOC to improve a health system’s cybersecurity efforts, some baseline questions are worth examining.
Assess where your existing cybersecurity efforts are relative to your medical devices. Full value out of an SOC requires a complete understanding of your medical device inventory: where it is, how it is used, and regulatory requirements.
Assess how your existing technology solutions can provide real-time threat information and behavioral anomalies to the SOC to analyze and act on.
Determine whether staffing is adequate to address the number of devices you have. Also, know whether the expertise and training are sufficient to cover enterprise IT assets and specialized assets such as medical devices.
Explore which SOC option might work best for your health system: partner, buy, or build. As noted earlier, the initial startup cost of building an SOC yourself and finding qualified staff can be challenging, so many organizations partner in-house staff with outside experts or outsource the services entirely.
The threat from cyberattacks is unrelenting. Such attacks were predicted to inflict about $6 trillion in damages globally in 2021, according to research firm Cybersecurity Ventures. Put another way, that amount eclipses every global economy other than that of the United States and China.
Health care remains a prime target. A security operations center provider coupled with medical device cybersecurity expertise can provide real-time monitoring, risk assessment, and mitigation or remediation quicker and more thoroughly than hospital and health system IT staff can be expected to provide alone.
Editor’s Note: Scott Trevino is senior vice president of cybersecurity at TRIMEDX, and in this capacity, he leads efforts to define the strategy to deliver value, growth, and evolution of TRIMEDX’s cybersecurity solutions. Mr. Scott is responsible for identifying trends in cybersecurity technology, as well as recognizing and anticipating the evolution of clients, market, and industry needs to translate them into market-leading solutions that meet the needs of and bring value to clients.