It’s Hard to improve Cyber Resiliency when Reactive Security Prevails

Why Now is the Time to Consider a Change to Break This Cycle

Because the threat landscape is constantly evolving, many healthcare organizations and business associates feel like they’re playing catch-up, trying to stay on top of vulnerabilities and security weaknesses and hoping to be at least one step ahead of attackers.

Many organizations have security practices that keep them from improving their cyber resiliency. Often an endless cycle, especially for those managing small to mid-sized enterprises, it can be difficult to move past reactive security as a coping mechanism.

Getting Stuck in The Continuous Cycle

Smaller healthcare organizations often don’t have the resources, skilled professionals, or financial support to set up around-the-clock security operations. Instead, there’s often a small IT staff and, if lucky, someone dedicated to security. These teams are often overwhelmed with tracking vulnerabilities, trying to remediate them, patching systems, and securing and tracking new assets and systems quickly spinning up across the organization.

And while larger healthcare organizations may have more support, whether a more robust internal team or a Security Operations Center (SOC) managed by a third party, they face similar challenges at a larger scale.

As teams become accustomed to constantly putting out security fires, they get good at it. This leads to reactive teams that learn how to be flexible and can routinely and effectively manage crises.  Quickly resolving cybersecurity incidents and often earning recognition for it at the moment. These reactive teams get good at demonstrating their value by how well they respond during the heat of a security event.

But there are a lot of downsides to this approach.

While good in action, it leaves no time for strategic security planning, making it difficult to achieve better long-term security outcomes that bring increased cyber resiliency. With more cyber resiliency, the need for continuous reactive security decreases as there is a level of security maturity that minimizes the need to react continuously.

For organizations where executive support is lackluster, this level of change can create higher levels of dissatisfaction and burnout from those on the cyber front lines.

No One is Exempt

Small and mid-size healthcare organizations can no longer assume that breaches only happen in large enterprises. As we’ve seen over the last several years, any organization that creates, stores, or transmits sensitive, protected, or financial data is at risk because this data is so valuable to cyber criminals. Healthcare continues to serve as a primary target for cyber attackers, accounting for 15% of all targets, and in 2021, there was a 43% jump in breaches at outpatient/specialty clinics.

Verizon’s 2022 Data Breach Investigations Report looked at nearly 24,000 security incidents last year. While organization size for most incidents is noted as unknown, some 2,065 incidents affected small organizations (less than 1,000 employees) compared to 636 for large organizations.

715 confirmed breaches affected small and mid-sized organizations compared to 255 for large.

Those numbers and the headline-making breaches, especially those along the supply chain that have resulted in millions of record exposures, are surely enough to make most organizations rethink how well their reactive security strategies are working.

Still, reactive security is continually rewarded. As teams look to the number of closed vulnerabilities and event resolutions to prove program value, the reactive cycle becomes the default way of dealing with security issues. This is not how organizations with more mature security measure their programs.

The Security Noise Keeps Growing

There is plenty of external intelligence about threats, alerts, and exploits to keep teams busy. Security management of an organization’s infrastructure across networks, cloud, endpoints, and others also creates noisy events and logs. Reaction is what is expected, but at what cost and is it sustainable?

According to JumpCloud’s 2022 State of the SME IT Admin Report, more than 59% of respondents said cybersecurity is the top IT challenge they have faced since early 2021.

Outside threats are also a growing concern, with the report noting the top three as:

  • Network attacks (40%)
  • Ransomware (31%)
  • Software vulnerability exploits (31%)

Unfortunately, the healthcare industry needs to keep pace with the growing volume of attacks. But many organizations are suffering from:

  • Security teams experience a high rate of false positives and suffer from alert fatigue.
  • To dampen false positives, they may alter configuration sensitivity, which could inadvertently increase security event detection time.
  • Legitimate security alerts sporadically occur, but because of time demands, lack of expertise, and security spending, it’s not feasible for teams to hunt down threats and make a definitive conclusion about if the organization is at risk or not.

Breaking the Cycle

Reactive cybersecurity is a common and complex cycle to break. Healthcare organizations constantly face new unknowns and unexpected threats, vulnerabilities, and security alerts. This can make it exceptionally challenging for healthcare organizations to focus on security maturity, especially if they have minimal executive support.

So, how can you evolve your security practices to a more strategic approach, one that helps seek out and identify security risks before an incident occurs while ensuring you’re ready to respond when one inevitably does?

While focused and deliberate cybersecurity changes may take more time and effort upfront, building cyber resiliency is important.  Having the time and context to respond effectively to an event is much better than impulsively reacting. Part of this is having a framework and methodology for response that follows the same path of inquiry.

When thinking about maturing your cybersecurity practices, consider:

  • What security alerts do we currently have?
  • What is the intent of each alert?
  • What should these alerts detect?
  • What happens when these alerts discover malicious activity?
  • Where in the attack lifecycle does the alert live, and how does it signal situation severity?
  • Would logs from associated systems and firewalls give more insight?
  • Is there a correlation with indicators of an attack based on threat context?
  • How often does this alert trigger?
  • Does it happen across connected networks, accounts, or hosts?
  • Does the alert lead to evidence of unauthorized activity or lateral movement?
  • Do these alerts encompass a range of evolving threats we may face?
  • What do we need to do to close those gaps?

The more your teams get comfortable with this approach, the more natural it becomes to make decisions that deliver better security outcomes. Healthcare organizations of all sizes can achieve a higher level of cyber resiliency and become less susceptible to risk with this type of strategy.

Should Your Organization Make the Shift?

Do you think your organization is caught in a reactive security cycle? There are many reasons this might be the case, from security operations staff limitations, lack of expertise, or even the growing complexities within your IT environments. The good news is that you can break out. Contact a Clearwater advisor today to learn more.


Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.

Related Blogs

With Us