Oct 12 2022

What Is MDR, and How Does It Benefit Healthcare Organizations?

Managed detection and response services let healthcare organizations with a limited IT workforce leave cybersecurity threat monitoring and mitigation to the experts so staff can focus on efforts closer to home.

Staff shortages and burnout concerns in healthcare aren’t limited to clinical staff. A recent survey found that 40 percent of IT professionals are at high risk of burnout, while more than 60 percent report being “physically and emotionally drained” from long hours and demanding workloads.

Healthcare has always been a preferred target for cyberattacks, but today’s organizations face even greater threats. There are the lingering effects of the Log4j vulnerability and the growing number of connected medical devices, along with the ever-present problems posed by insider threats and email-based phishing and ransomware.

Enter managed detection and response. Gartner describes MDR services as a “turnkey experience” through which security vendors provide end-to-end operations — detecting, analyzing, investigating and responding to threats using the vendor’s technology stack. Personnel devoted to MDR services tend to have experience with both threat hunting and incident management, Gartner notes.

Healthcare’s increasing use of third-party MDR services reflects the valuable role partnerships play in security incident and response. For security teams with limited time and resources, amid a global shortage of nearly 3.5 million cybersecurity professionals, MDR offers healthcare organizations access to experts they otherwise would have to hire outright, and the opportunity to outsource threat mitigation and response. This enables organizations to focus on security efforts closer to home, from end user training to policy development.

“Traditionally, the mentality when it comes to cybersecurity in healthcare is, ‘We’ll build the model ourselves,’ and that consists of taller walls and wider moats,” says Drex DeFord, executive strategist for healthcare at CrowdStrike and a former hospital CIO. “Moving to an MDR structure, the idea is to take that burden off the health system’s hands, because not many organizations can build the operational capabilities that a security vendor can.”

MDR Services Provide Fast Responses at Any Time of the Day or Night  

CrowdStrike’s recent 2022 Falcon OverWatch Threat Hunting Report found that organizations are facing 50 percent more intrusion attacks than they were one year ago. Once attackers get inside, it takes only an hour and 24 minutes, on average, for them to gain access to a second system.

For the most effective MDR services, the “response” component is more than just a notification that something has happened that requires a security team’s attention, DeFord says. In these cases, the service provider takes remedial action to stop the attack.

The ideal model, he explains, is one minute to detect an attack, 10 minutes to investigate it and 60 minutes to remediate it — roughly 13 minutes faster than the average attacker.

“If you can create a security program where you are extremely confident that you can detect every adversary within one hour and 24 minutes, odds are good that your program is devastatingly effective,” he says. “That speed is a critical factor in modern security.”

That speed is possible because MDR services are designed to offer 24/7 incident response, which is something even large healthcare organizations may struggle to do. The foundation is an extended detection and response (XDR) platform, which gathers incident data from hundreds of sources in a single data lake to give security analysts a complete view of suspicious activity, says William J. Thorn, senior architect for healthcare at Trellix.

When MDR providers add automated threat response, threat hunting and remediation capabilities to XDR, and when they offer access to skilled security analysts, they show that they’re “laser-focused” on defending healthcare organizations, Thorn says. They’re also going above and beyond what’s typically available from a managed security service provider.

“MSSP services tend to be reactive in nature, focused on management, monitoring and vulnerabilities,” he says. “Vendors often will manage security infrastructure such as security information and event management platforms and firewalls, but generally they won’t have the same level of threat analytics, forensics and integrated intelligence as MDR providers leveraging XDR tools.” 

The XDR platform’s data lake provides an additional benefit to healthcare organizations, DeFord notes: It builds an inventory of endpoints, devices and applications in use throughout the facility. Here, an effective MDR provider will go beyond simply providing the list and will help organizations determine what can be managed directly, what needs to be managed through a more secure endpoint and what ought to be taken offline entirely, he adds.

How MDR Services and Threat Hunting Benefit Healthcare

MDR’s close ties to threat hunting — the proactive search for, detection of and isolation of active threats within an IT environment — serve healthcare well for several reasons.

One is that organizations tend to compensate for short-staffed cybersecurity teams with the adoption of additional monitoring tools. Unfortunately, this tends to heighten alert fatigue and leaves teams ill-equipped to truly assess the threats they face, DeFord says.

“If you get thousands of alerts and you only look at the highs, then you’re overlooking the mediums and lows that turn out to be real threats,” DeFord says. “Most organizations don’t have people with the experience to do that. You need to use artificial intelligence and machine learning to find the things you need to pay attention to, and refine that search over time.”
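The triage problem DeFord describes can be made concrete with a small correlation step: instead of keeping only alerts rated "high", group a host's low- and medium-severity alerts that fall within a short window and rank hosts by the combined picture. The following is an added example written for this article, not CrowdStrike's or any vendor's detection logic; the severity weights, the per-source bonus, the one-hour window and the sample alerts are all constructed for illustration, and a simple scoring heuristic stands in for the machine-learning approach the quote refers to.

```python
"""Correlate low- and medium-severity alerts per host so that clusters of
weak signals surface alongside single high-severity alerts.

Added example; weights, bonus, window and sample alerts are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed weights: one "high" alone outweighs several "low" alerts.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 8}
# Constructed bonus for each additional independent detection source in a cluster.
SOURCE_BONUS = 4


def _t(hhmm):
    """Timestamp helper for the constructed sample (all on one day)."""
    return datetime(2022, 10, 12, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample alerts; hosts, sources and rule names are placeholders.
SAMPLE_ALERTS = [
    {"time": _t("02:05"), "host": "ws-42", "source": "edr", "severity": "low",
     "rule": "new scheduled task created"},
    {"time": _t("02:11"), "host": "ws-42", "source": "proxy", "severity": "low",
     "rule": "first-seen external domain"},
    {"time": _t("02:20"), "host": "ws-42", "source": "auth", "severity": "medium",
     "rule": "interactive logon outside usual hours"},
    {"time": _t("02:44"), "host": "ws-42", "source": "edr", "severity": "medium",
     "rule": "credential-access tool pattern"},
    {"time": _t("09:30"), "host": "srv-db01", "source": "av", "severity": "high",
     "rule": "known malware quarantined"},
    {"time": _t("08:00"), "host": "ws-07", "source": "proxy", "severity": "low",
     "rule": "first-seen external domain"},
    {"time": _t("13:00"), "host": "ws-07", "source": "proxy", "severity": "low",
     "rule": "first-seen external domain"},
]


def severity_only_triage(alerts, minimum="high"):
    """The approach the quote warns about: keep only hosts with an alert at or
    above a severity floor, discarding everything rated lower."""
    floor = SEVERITY_WEIGHT[minimum]
    return sorted({a["host"] for a in alerts if SEVERITY_WEIGHT[a["severity"]] >= floor})


def score_cluster(cluster):
    """Sum the severity weights and reward corroboration from distinct sources."""
    sources = {a["source"] for a in cluster}
    return sum(SEVERITY_WEIGHT[a["severity"]] for a in cluster) + SOURCE_BONUS * (len(sources) - 1)


def correlate_alerts(alerts, window=timedelta(hours=1)):
    """For each host, find the highest-scoring window of alerts; rank hosts by it."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    ranked = []
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a["time"])
        best = None
        for i, start in enumerate(host_alerts):
            # Every alert on this host that starts within `window` of `start`.
            cluster = [a for a in host_alerts[i:] if a["time"] - start["time"] <= window]
            score = score_cluster(cluster)
            if best is None or score > best["score"]:
                best = {"host": host, "score": score, "alerts": len(cluster),
                        "sources": sorted({a["source"] for a in cluster}),
                        "window_start": start["time"], "window_end": cluster[-1]["time"]}
        ranked.append(best)
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    print("severity-only triage keeps:", severity_only_triage(SAMPLE_ALERTS))
    for r in correlate_alerts(SAMPLE_ALERTS):
        print(f"{r['host']:<10} score={r['score']:>3} alerts={r['alerts']} sources={r['sources']}")
```

With the constructed data, severity-only triage keeps just the database server with its single high alert, while correlation ranks the workstation with four low and medium alerts from three independent sources above it: four weak signals within forty minutes are exactly the "mediums and lows that turn out to be real threats". The weights are deliberately crude; the point is that the ranking uses count, timing and source diversity rather than the severity label alone.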

Additionally, the combination of MDR and XDR protects organizations against a range of possible attacks, Thorn says. Along with well-known threats such as ransomware and phishing, MDR providers will look for advanced, persistent threats that can be difficult to identify, such as compromised accounts, risky cloud configurations, remote access trojans or attempts to exfiltrate data.

A third benefit is the potential to identify, isolate and mitigate threats before they escalate into a service interruption — a risk that hospitals and health systems can ill afford, Thorn says.

“The combination of machine learning, threat intelligence, behavioral analysis engines and expert-led threat hunting can uncover threats organizations just won’t find otherwise,” he says. “MDR services reduce incident response and containment times, ultimately lowering the impact of incidents.”
