Cybersecurity: Adopting a Detection and Response Mindset

By Glen Combs, CPA; Jared R. Hamilton, CISSP; and Kiel E. Murray, CISSP | 1/21/2020

A significant cybersecurity event can have widespread implications for healthcare organizations, potentially crippling their ability to provide care to the patients who depend on them. An increasing number of large-scale ransomware attacks in the news herald the escalating risk in healthcare, as do sobering statistics: As of 2019, the healthcare industry had experienced the costliest breaches of any sector, with an average data breach cost of $6.45 million.1

To manage cybersecurity in an already-complex environment such as healthcare, organizations need to move from simply being compliant to being resilient. Traditionally, healthcare organizations have focused more on using prevention techniques to secure their networks; in essence, they worked on preventing the bad actors from getting in. In recent years, however, focusing on managed detection and response (MDR) has become a vital piece of cybersecurity and a crucial step on the path to becoming resilient.

The following three steps can help healthcare IT leaders adopt an MDR mindset, which can go a long way toward helping them secure their organizations' IT environments in an increasingly threatening cyber climate. These steps can provide an organization with the necessary visibility into its IT infrastructure for taking appropriate actions to identify cybersecurity threats, prevent a cybersecurity incident, or, should a breach occur, minimize its impact on the organization.

Step 1: Consolidate records

Healthcare organizations use multiple technology applications to run their complex clinical and operational functions. Most of these applications log activity and report important actions; however, the information usually is dispersed across systems, with staff having to digest multiple reports to get a solid sense of what’s occurring globally across the network.

Ideally, an organization will consolidate the log output from all the applications and devices on its network into one place. This single output can then serve as a clearinghouse that staff can easily access to detect and manage cybersecurity threats and suspicious activity.

Step 2: Implement logic

To assist with MDR, organizations need advanced logic that can help distinguish real cyberthreats from background noise and false positives. Well-programmed and well-implemented logic can detect patterns in an organization’s log records that indicate an actual or potential cybersecurity breach. The types of activity to look for will be different for each organization. In addition, what’s important for each organization might change over time, so detection logic to identify threat actors must also evolve.

Step 3: Make a plan for response

When potential cybersecurity threats are brought to the surface using the detection logic, an organization must have a plan in place for how it will investigate and respond to this potentially malicious activity. Upon further investigation, some of the detected incidents might turn out to be false positives. These results must be fed back into the logic to further refine it. Other detected incidents, however, might turn out to be items that present a risk to the organization. Organizations need a plan for classifying, containing, and eradicating threats as well as for communicating about them both internally and externally.

These plans will look different depending on the type and size of the healthcare organization. As an example, many organizations will send all detected incidents to a security operations center, which is managed either internally or externally via a third-party vendor. Then, those validated attacks that represent real risk to the organization are reported to an incident response team. These teams typically are organizationwide task forces composed of representatives from various stakeholder departments such as IT, security, legal, and human resources. Larger healthcare organizations might have a dedicated response team within the organization that solely handles cybersecurity events and is trained and equipped for digital forensics, reverse engineering, communication, and root cause analyses – all while maintaining evidence chain of custody.
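As an added example that is not part of the article or any Crowe tooling, the small Python pipeline below carries the three steps through on constructed log lines: it consolidates two systems with unrelated log formats (a hypothetical "ehr-app" and "vpn-gw") into one event stream, applies one piece of detection logic (repeated authentication failures for the same account across all sources), and accepts the analyst's confirmed false positives back as a suppression list that tunes the rule. The account names, hosts and addresses are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data) from two systems with unrelated formats.
# The syslog-style VPN source carries no year, so the example assumes 2020-01-21.
EHR_LOG = """2020-01-21T08:00:01 ehr-app user=jdoe event=LOGIN_FAILED src=10.1.4.22
2020-01-21T08:00:09 ehr-app user=jdoe event=LOGIN_FAILED src=10.1.4.22
2020-01-21T08:00:15 ehr-app user=svc-backup event=LOGIN_FAILED src=10.1.9.5
2020-01-21T08:00:16 ehr-app user=svc-backup event=LOGIN_FAILED src=10.1.9.5"""
VPN_LOG = """Jan 21 08:00:20 vpn-gw: auth failure for jdoe from 203.0.113.7
Jan 21 08:00:40 vpn-gw: auth failure for jdoe from 203.0.113.7
Jan 21 08:01:00 vpn-gw: auth failure for svc-backup from 10.1.9.5
Jan 21 08:01:05 vpn-gw: auth failure for svc-backup from 10.1.9.5
Jan 21 08:02:00 vpn-gw: auth success for asmith from 10.1.2.2"""
EHR_RE = re.compile(r"(\S+) ehr-app user=(\S+) event=(\S+) src=(\S+)")
VPN_RE = re.compile(r"Jan 21 (\S+) vpn-gw: auth (\w+) for (\S+) from (\S+)")


def consolidate(ehr_log, vpn_log):
    """Step 1: normalise both sources into one time-ordered stream with common fields."""
    events = []
    for line in ehr_log.splitlines():
        ts, user, event, src = EHR_RE.match(line).groups()
        events.append({"ts": datetime.fromisoformat(ts), "source": "ehr-app",
                       "user": user, "failed": event == "LOGIN_FAILED", "src": src})
    for line in vpn_log.splitlines():
        hms, result, user, src = VPN_RE.match(line).groups()
        events.append({"ts": datetime.fromisoformat("2020-01-21T" + hms), "source": "vpn-gw",
                       "user": user, "failed": result == "failure", "src": src})
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_logins(events, threshold=4, window=timedelta(minutes=5), suppressed=frozenset()):
    """Step 2: alert once when a user reaches `threshold` failures across all sources within
    `window`. `suppressed` is Step 3 feedback: users an analyst has confirmed as false positives."""
    recent = defaultdict(list)  # user -> [(ts, source), ...] still inside the window
    alerts = []
    for e in events:
        if not e["failed"] or e["user"] in suppressed:
            continue
        hits = [h for h in recent[e["user"]] if e["ts"] - h[0] <= window]
        hits.append((e["ts"], e["source"]))
        recent[e["user"]] = hits
        if len(hits) == threshold:  # a count spread over two systems is invisible to either alone
            alerts.append({"user": e["user"], "count": threshold,
                           "sources": sorted({s for _, s in hits}), "last_seen": e["ts"]})
    return alerts
```

Running `detect_failed_logins(consolidate(EHR_LOG, VPN_LOG))` raises two alerts; after an analyst confirms that `svc-backup` is a service account with a stale credential, passing `suppressed={"svc-backup"}` leaves only the `jdoe` alert, while the same rule run over either log on its own fires nothing.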

Assess internal capabilities

Moving from focusing primarily on cybersecurity prevention to adopting an effective MDR program is a big job for today’s healthcare organizations. Many smaller or medium-size organizations might find that they simply do not have the internal capabilities, time, or skills to manage this on their own. Healthcare leaders should review their internal capabilities in this area and consider filling gaps by using a hosted, external MDR program or otherwise working with third-party specialists to design appropriate detection and response systems.

1 Larry Ponemon, “What’s New in the 2019 Cost of a Data Breach Report,” Ponemon Institute LLC, July 23, 2019,
