In focus: MDR for healthcare

While no industry is immune to the threat of ransomware, some stand to lose far more than others. 

Cyberattacks on healthcare providers are particularly crippling because life-saving procedures and treatments depend on availability of patient data and access to medical technologies. When these systems go offline, patients’ lives are put in jeopardy.

To reduce the likelihood of such crises, healthcare organizations are turning to managed detection and response (or MDR) for protection and peace of mind. 

As the name indicates, MDR is a security service in which a MDR provider assumes responsibility for investigating threats and vulnerabilities in a customer’s attack surface. The MDR provider employs professional threat hunters who can proactively eliminate threats and contain suspicious activity before damage is done to the customer. They perform 24/7/365 threat monitoring for a global clientele, which means they have significantly more threat data and dedicated personnel than the average organization can assemble on their own.

MDR is a powerful service for organizations that feel the constant strain of cyberattacks. And recent data suggests that healthcare providers are feeling that strain more than anyone.

Cyberattacks on healthcare

Healthcare organizations can’t catch a break. They’re a nearly constant fixture in today’s headlines, outpacing all other industries in sheer attack frequency and ransoms being paid to restore critical systems. 

  • The FBI’s Internet Crime Complaint Center received 870 complaints from critical infrastructure organizations hit by ransomware in 2022, 210 of which were sustained by healthcare orgs (the most cases reported by any sector). 
  • Nearly half of healthcare respondents surveyed by Ponemon Institute experienced a ransomware attack in the last two years, and 93% faced between one to five ransomware-related incidents. The report found that outages spurred from these attacks can last upwards of 35 days.
  • According to data collected by the cybersecurity vendor Sophos, healthcare is the sector most likely to pay the ransom, with 61% of respondents whose data was encrypted admitting to paying the ransom compared to the cross-sector average of 46%.
  • Healthcare groups are also facing the onslaught of nation-state attacks. North Korean state-sponsored ransomware, like Maui and H0lyGh0st, have used revenue gained from ransom attacks on health agencies to fund national priorities that include cyber ops and espionage targeting the U.S. and South Korea.

But healthcare practitioners know that more than just revenue losses are at stake. Unlike other industries, paying off the ransom in healthcare can’t always restore everything – or everyone –  to their previously stable condition. The capacity to provide emergency medical care hangs in the balance.

“Our ability to diagnose a patient is tied to the technology that we use every day as clinicians: we are so dependent,” said Christian Dameff, a physician at the University of California San Diego, in remarks given to the House Energy and Commerce Committee in July 2021. “You can imagine during a large ransomware attack, wherein these technical systems are no longer available, that we can’t do our jobs as clinicians.” 

Dameff’s overall diagnosis? “I am here today to tell you health care is not prepared to defend or respond to ransomware threats.”

MDR for healthcare

The forecast looks grim, but MDR can help flip the script for healthcare agencies under constant cyber duress. 

Below, we’ve listed some of the ways that MDR can address security challenges unique to the health sector. 

Challenge 1: Security of patient health data. Individual patient records impacted by data breaches totaled 28.5 million in the latter half of 2022, the highest on record. Patient medical data is valuable to cyber criminals, who can then sell this identifying information on the dark web for a sizable purse. With 24/7 monitoring of customer attack surfaces and endpoints (including on weekends and holidays), MDR threat hunter teams can investigate and eliminate malicious activity designed to steal patient data. 

Challenge 2: Disruptions to emergency services. Cyberattacks on health institutions can paralyze efforts to provide time-sensitive care to vulnerable patients. MDR teams work overtime before, during and after an attack to ensure the resiliency of health IT. Before an attack, hunters hypothesize all the possible conditions under which an attack could succeed, then spend time closing any doors that would make such an attack possible. In the event an attack is detected, the MDR team’s automated software can immediately notify the customer, contain and isolate affected assets, and restore functionality in a matter of seconds compared to the hours it would take to accomplish manually. 

Sophos MDR threat hunters use automated incident response software to significantly speed up discovery, containment, and remediation of affected devices. Credit: Sophos

Challenge 3: Third party vulnerabilities in the supply chain. Ninety percent of the 10 largest healthcare data breaches reported in 2022 were caused by third-party vendors, with two of these vendor incidents affecting hundreds of providers. Most organizations, including those in healthcare, may only be able to see what’s happening on their own network. This visibility does not generally extend to third party partners that may require the customer’s data to perform a service. However, MDR providers don’t have these limitations. Their clientele include companies of all industries and sizes, so when a threat emerges in one part of the supply chain they know about it long before others do. Consequently, they can immediately notify customers down the supply chain to take actions that eliminate the threat.

Challenge 4: Shifting healthcare boundaries. Medical care is increasingly delivered beyond hospitals and doctors’ offices, such as in telehealth settings, hospice or field stations. Traditionally, these locations haven’t been outfitted with the same degree of cyber protections that one would expect in the ICU, for example. But due to the Covid-19 pandemic and recent advances in telemedicine, MDR providers are tailoring their services so that healthcare can be delivered whenever and wherever it’s needed. As an extension of its MDR service, for example, Sophos Zero Trust Network Access helps customers secure data and communications in remote settings by building defense around patient identities. 

Challenge 5: The burden of cyber admin. In a 2021 survey Sophos issued to healthcare professionals, 70% of respondents said their cybersecurity workload increased within the last year. 60 percent, meanwhile, reported that cyberattacks had become too advanced for their IT to deal with on their own. Consequently, it takes healthcare organizations on average a full week to recover from an attack, with remediation fees reaching $1.85 million in most cases. One of the major benefits a MDR vendor can provide is removing the tedious overhead and day-to-day triaging that is typical of a SOC. “MDR can take care of 99% of the stuff that's at the bottom that just is constantly hitting you every single day,” says John Shier, Senior Security Advisor at Sophos. “These are things you need to deal with proactively from both the detection and the response side of things, and MDR is engineered to do just that.”  

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.