Healthcare & Security Operations: Batteries Included

It’s not a crime if you don’t get caught. Speeding is the perfect example: we all do it (except the people in front of me when I’m late for a meeting) but few of us consider it breaking the law. That’s because there are way too few police to be in enough places at the same time to make a real dent in speeding. In fact, when I see someone else pulled over I go faster because I figure that with one cop tied up the statistics are even more in my favor.

Most organizations largely treat network monitoring like traffic cops: check random locations, with some favorite speed traps, occasionally. And while there’s a cost with outfitting roads and intersections with cameras, practically your entire IT environment comes complete with monitoring capability–you just need to flip the switches on your endpoints, perimeter devices, and devices in between.

Okay, it’s not really that simple. You need to send the data somewhere, which means a log management or SIEM solution. And technology alone does not a security program make. Trained staff are required to manage the technology, and defined processes and procedures glue it all together.

It turns out the healthcare industry is already wired to operate a security operations program. I’m stealing from Kris Lovejoy’s paper “Security Essentials for CIOs, Responding to the Inevitable Incident”, by comparing information security to an emergency room. But unlike critical care, the patients here are all presumably healthy and you’re monitoring their vitals constantly for early detection of an unusual condition; the model is more aligned to the goal of health maintenance.

Once you’re taking the vitals from your information assets and feeding the data into a security operations center (SOC), you’re in perfect position to detect signs of a threat. Like humans, every network has its homeostatic rhythm: the applications in use in your environment; the number of successful and failed logins at any given time (heartbeats and PVCs, perhaps); the pace of database transactions in your billing application. Once you’re attuned to it, changes alert you to step in and diagnose the symptom.

As with any incident response program, you need trained analysts–diagnosticians–and a triage protocol. Once the order of severity is determined, all complaints will be examined; seemingly minor symptoms over time can add up to an acute condition that must be treated as soon as possible. Every case must be assigned to an analyst, documented so the history of an incident is available for the next related occurrence, and followed through to a reasonable diagnosis and treatment plan.

You may not care about stopping the internet speeders, but all healthcare organizations have seen firsthand the consequences of street racing and drunk drivers. You have excellent ER procedures to deal them. As it turns out, healthcare providers already understand everything it takes to define, staff, and manage a solid information security program. Is yours as mature as your patient health maintenance and emergency medicine program?

Read more perspectives about security in the healthcare industry.

Contributor'photo

Chris Poulin

Research Strategist, X-Force R&D, IBM

Chris Poulin brings a balance of management experience and technical skills encompassing 30 years in information...