Duc Lai, Vice President and CISO at University of Maryland Medical System, says doing research is important when searching for a managed detection and response service.

Oct 26 2022

How MDR Services Are Helping Healthcare Organizations ‘Sleep Peacefully at Night’

Managed detection and response services offer support for stretched-thin healthcare security staff.

About 44 percent of healthcare organizations that experienced a ransomware attack last year took up to a week to recover, according to a 2022 Sophos report. That kind of downtime is especially worrisome for patient care, so organizations are shoring up their defenses with much-needed alliances.

The threat of a ransomware attack was the most urgent reason the University of Maryland Medical System signed on to a managed detection and response (MDR) service, but the partnership also strengthens the health system’s perimeter defenses against all kinds of malware, says Duc Lai, UMMS vice president and CISO.

“The best way to stop ransomware attacks is with endpoint security software, but that has to be monitored 24/7,” Lai says. “Security teams in the healthcare industry don’t generally have the resources for that kind of coverage, so it’s important to find a partner in a managed service that can do that monitoring and do the containment and response for you.”

MDR has among the fastest-growing adoption rates of all managed services because it offers the capabilities of a remote security operations center (SOC), with 24-hour monitoring, comprehensive detection and differentiated response to incidents, says Craig Robinson, a research vice president in IDC’s security services practice.

MDR services focus on endpoint security, but most also gather telemetry from cloud transactions, identity applications and the network to detect indicators of compromise (IOC), he adds.

“MDR vendors distinguish themselves on factors like how many types of telemetry they provide beyond the endpoint and their response capabilities,” Robinson says. “It’s also important for the service to identify the threat level posed by an IOC. Not every IOC is worthy of analysis by a highly paid and skilled security analyst.”

Some MDR services are a better fit for organizations in particular sectors, and decision-makers can avoid pitfalls by seeking references from others in the industry who can vouch for how a service deals with specific issues, such as the growing number of Internet of Medical Things endpoints, Robinson says.

Potential subscribers should also know whether a service works equally well with heterogeneous security software stacks or only performs in homogeneous environments, or those using the vendor’s own endpoint detection and response (EDR) software, he adds.

An MDR service can fortify defenses and take pressure off in-house IT staff, but only after some initial groundwork, Robinson says. Response times should be clearly defined, and the vendor and user of the service should work through potential IOC scenarios and agree on the criticality of alerts.

“It’s necessary to make a time investment up front to tune the service to your needs,” Robinson says. “An IOC related to a receptionist’s desktop should probably not warrant a 2 a.m. call to your CIO, but an IOC to a patient database might.”
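The tuning Robinson describes comes down to an escalation matrix agreed with the provider: the same indicator of compromise on a receptionist's desktop and on a patient database must not take the same path. The Python below is an added illustration of such a matrix, not code from the article or from any MDR vendor's product; the asset inventory, the four-point severity scale, the route names and the sample events are all constructed for this example.

```python
"""Alert-criticality routing by asset tier.

Added example (not from the article or from any MDR vendor): the same IOC is
escalated differently depending on the business criticality of the asset it
touches. Asset tiers, severity scale, routes and sample events are constructed.
"""
import json
from dataclasses import dataclass

# Constructed asset inventory: hostname -> business criticality tier (1..4).
# Hosts missing from the inventory fall back to DEFAULT_TIER. The default is
# deliberately high: an un-inventoried device (an infusion pump, say) is treated
# as critical until someone classifies it, so it is never auto-isolated. The
# fix for noisy unknowns is to finish the inventory, not to lower the default.
ASSET_TIERS = {
    "recept-ws-07": 1,    # receptionist desktop
    "radiology-pacs": 3,  # imaging archive
    "ehr-db-01": 4,       # patient database
}
DEFAULT_TIER = 3


@dataclass(frozen=True)
class Alert:
    host: str
    ioc: str
    severity: int  # 1 = informational .. 4 = confirmed malicious (detection source's scale)


def parse_alert(line: str) -> Alert:
    """Parse one JSON event line of the shape a detection source might emit.

    A missing or out-of-range severity is clamped to the 1..4 scale so that a
    malformed event cannot slip past routing as 'severity 0'."""
    event = json.loads(line)
    severity = max(1, min(4, int(event.get("severity", 4))))
    return Alert(host=event["host"], ioc=event["ioc"], severity=severity)


def route(alert: Alert) -> str:
    """Map an alert to the escalation path agreed with the MDR provider."""
    tier = ASSET_TIERS.get(alert.host, DEFAULT_TIER)
    if alert.severity >= 3 and tier >= 3:
        # Likely malicious on a critical asset: a human is paged at any hour.
        return "page-on-call"
    if alert.severity >= 3:
        # Likely malicious on a low-value endpoint: the EDR isolates it now and
        # an analyst reviews the ticket during business hours. No 2 a.m. call.
        return "auto-isolate-and-ticket"
    if tier >= 3:
        # Weak signal on a critical asset: an analyst looks within the SLA.
        return "analyst-queue"
    # Weak signal on a low-value endpoint: rolled into the daily review.
    return "daily-review"


def triage(lines) -> dict:
    """Route every event line and return {route: ["ioc@host", ...]}."""
    result = {}
    for line in lines:
        alert = parse_alert(line)
        result.setdefault(route(alert), []).append(f"{alert.ioc}@{alert.host}")
    return result


# Constructed sample events in the JSON-lines shape parse_alert() expects.
SAMPLE_EVENTS = [
    '{"host": "recept-ws-07", "ioc": "suspicious-macro", "severity": 2}',
    '{"host": "recept-ws-07", "ioc": "known-ransomware-hash", "severity": 4}',
    '{"host": "ehr-db-01", "ioc": "suspicious-macro", "severity": 2}',
    '{"host": "ehr-db-01", "ioc": "known-ransomware-hash", "severity": 4}',
    '{"host": "unlisted-iot-pump", "ioc": "beaconing", "severity": 3}',
]

if __name__ == "__main__":
    for path, items in triage(SAMPLE_EVENTS).items():
        print(f"{path:24} {', '.join(items)}")
```

The two inputs that decide the route, asset tier and IOC severity, are exactly what the vendor and the customer have to agree on up front; everything else is a lookup. Keeping the default tier high is the conservative choice: a device nobody has classified yet gets a human's attention rather than automated containment.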

The Right Partner Is Critical to MDR Success

Since UMMS was already using CrowdStrike’s EDR software, Lai says, it was an easy decision to contract for the vendor’s MDR Falcon Complete service to monitor the Baltimore-based health system’s far-flung endpoints in its 11 hospitals and a network of more than 150 other medical facilities in 13 Maryland counties.

“It doesn’t make sense to have someone else manage CrowdStrike technology, because they’re the experts,” Lai says. “The drawback is that they’re limited to that technology. Our MDR service is focused on the endpoint because that’s where we put the agent.”

The CrowdStrike MDR fits into a layered environment of complementary and supplementary security measures. UMMS uses a managed SOC from Accenture that monitors the network security appliances, Lai adds. A Medigate platform monitors biomedical devices, such as IV pumps, CT scanners and MRI machines that collect patient information and are connected to the internet but don’t support agents from the EDR software.

The MDR model is ideal for any organization with an under-resourced security staff, Lai says, but selecting the right partner is critical.

“You’ve got to do your research. Talk to your peers about their experiences with the technologies and services,” Lai says. “Evaluate the technology yourself in your environment, if possible.”

MDR Services Allow Healthcare Organizations to Refocus Resources

In Monterey, Calif., Montage Health has a daunting number and variety of endpoints to protect in its community hospital, provider network, urgent care centers and more, says Information Security Manager Stacy Estrada.

“There are a lot of different devices and a lot of different workflows that we want to make sure are end-to-end secure,” Estrada says. “It’s very complex, and when we can break out a piece like MDR for endpoint security, it frees us up to focus on the bigger picture of business needs.”

After extensive research that involved talking to peers in other healthcare organizations, Montage Health signed on to the CrowdStrike Falcon MDR service, Estrada says. In addition to easing the in-house IT staff’s security burden, the key criteria for selecting the service were 24-hour monitoring, speed of triage when an incident was detected and the vendor’s ability to customize the service to Montage Health’s specific needs.

The health system’s decision-makers also discussed the long-term direction of the MDR service to see if it meshed with their strategy, Estrada says. “We didn’t want to be in the position of looking for a new MDR service in a year,” she adds.

CrowdStrike was ready to deploy the service within two weeks of Montage Health signing on, but the health system took extra time to determine how it would affect nonstandard devices and to work with other vendors to ensure their products were compatible, Estrada says.

Communicating with Montage Health security staff about their roles after the adoption of the service was also a priority, Estrada adds.

“Letting them see how they’d be refocusing and learning more things after we partnered with the service was essential,” she says. “We wanted them to know that our aim was to grow them as a team. Using the MDR service opens opportunities for them as a security team. There are a lot of exciting things going on with our program because we can bring in managed solutions.”

MDR Enables Small Hospitals to Face Big Cyberthreats

The support MDR services offer for health systems cannot be overstated, especially when staffing shortages and budget constraints keep security strategies tight.

Jackson Parish, in rural northern Louisiana, may attract hunters and fishermen, but it’s less of a magnet for doctors and IT security specialists, says Jackson Parish Hospital COO and CIO Jason Thomas. The 25-bed hospital is the only critical access medical facility in the parish, and it operates in the same cyberthreat environment as any big city medical center. Without enough in-house IT staff for 24/7 security monitoring, JPH relies on the Arctic Wolf MDR service, Thomas says.

“For a hospital in our situation, the managed security model becomes a necessity. IT security must be working all the time,” he adds. “I can’t recruit the number of security specialists I would need to cover my needs, and I couldn’t afford to pay them if I could.”

The hospital’s anti-virus software, network, wireless, servers and SonicWall next-generation firewall all push their logs to Arctic Wolf, enabling more comprehensive protection from the service. Hospital IT staff also works in partnership with the MDR service, keeping an eye on in-house dashboards monitoring the hospital network, Thomas says.

MDR services can be a particularly good fit for a healthcare setting, where the number of endpoints on a network, in the form of medical monitors and other devices, is rapidly growing, he adds.

“If you don’t have enough eyes in-house, this kind of platform is ideal to open things up and see what’s happening on your network, that it’s safe from intrusions and in regulatory compliance,” Thomas says. “I’m the one who will have to answer for a breach. I need to be able to trust what’s on my network and know what’s happening with my patient data. Arctic Wolf gives me the confidence I need that we are bringing our A-game, and I can sleep peacefully at night.” 

Keep this page bookmarked to keep up with all of HealthTech’s Cybersecurity Awareness Month coverage, including more on managed detection and response.

Duc Lai photo by Ryan Donnell, Stacy Estrada photo by Robert Houser