
Jun 16 2026
Security

Healthcare Security Operations Center: Remedying Alert Fatigue

Health systems face fatigue from numerous security alerts, but a security operations center can provide the structure to respond.

As healthcare organizations adopt new tools into their workflow, they may struggle with overload from multiple alerts. Healthcare security operations centers are guarded security rooms where health systems receive these alerts and detect, investigate and respond to threats.

“A SOC isn’t just protecting data, it’s also protecting patient care,” says Rob Hughes, CISO at RSA.

Jason Taule, virtual CISO at Annapolis, Md.-based Luminis Health, echoes Hughes, noting that healthcare SOCs differ from SOCs in other industries because of this patient safety factor.

“Early detection and effective response, those are the two most important things you do. Well, that’s your SOC, right?” Taule says. “So doing all of that in an environment replete with protected health information while maintaining HIPAA compliance is what makes a healthcare SOC a little bit different.”


How SOCs Help Safeguard Healthcare IT

SOCs protect against ransomware groups and other threats targeting hospitals, and attack surfaces consist of clinical devices such as infusion pumps and imaging systems, Taule says. A key challenge is to keep the SOC running 24/7.

SOCs must secure electronic health records, cloud environments, connected medical devices and remote infrastructure, notes Cindi Carter, global CISO at Check Point Software.

In some cases, tens of thousands of security alerts daily could require triage or investigation in a healthcare SOC, Carter says.

For example, Luminis Health had about 500 SOC alerts per month, and after an upgrade to next-generation firewalls, that number increased to 5,000 alerts per month, Taule says. Then, use of AI increased the amount of security events to about 50,000 per month.


SOCs also monitor physical security, relying on IP cameras, badge readers and access control systems. However, health systems, facilities or operation teams could own the cameras, depending on the organization, Taule says.

The cameras sit outside the realm of a CISO, Hughes notes, and that lack of ownership can be problematic.

“When a camera's firmware gets exploited as a pivot point into the clinical network, the SOC finds out after the fact, if at all,” Hughes says.

Security alerts can be interpreted as noise, but becoming desensitized to threats is dangerous to patient health. Excessive alerts could also bring exposure to compliance violations such as a HIPAA breach.

“Regulators are not sympathetic to ‘We had too many alerts,’” Hughes says.

Why Healthcare SOCs Are Susceptible to Alert Fatigue

Unchecked alert fatigue can bring a missed threat as well as analyst attrition. With SOC talent difficult to recruit in healthcare, security professionals leave and take their institutional knowledge with them, Hughes says.

Alert fatigue is a problem in health systems because they have added tools after the fact for decades, according to Hughes.

“The real problem is architectural,” Hughes says. “Most healthcare SOCs were built by layering tools reactively over years. Each tool was procured to address a specific gap and wasn’t designed to work with the others.”

Alert fatigue is a structural problem in SOCs because health systems have lean security teams relative to the rest of their workforce, Hughes notes, and the number of endpoints those few analysts must cover compounds the problem.

“A community hospital with 2,000 endpoints and few analysts is going to drown,” Hughes says.

To fix this structural problem, healthcare organizations must consolidate data sources, build context into the correlation of data and establish clear triage logic, he advises.


Health systems use security information and event management systems to manage threats. They ingest hundreds of sources, and each one generates alerts, Hughes says, adding that most of these alerts are noise.

Meanwhile, sorting through alerts requires awareness that, for example, nurses logging in and out 15 times per hour are not a threat, Hughes says.

Alert fatigue can also lead to disengagement, stress and turnover among SOC analysts, Carter notes, and replacing fatigued analysts is expensive and disrupts operations.

With all of the endpoints and medical devices as well as vendor connections, healthcare SOCs also have one of the broadest attack surfaces of any industry, according to Carter. This only adds to analysts’ fatigue.

How Continuous Threat Exposure Management Changes the SOC Equation

A continuous threat exposure management framework allows health systems to take an iterative approach to fighting cyberthreats. It enables SOCs to continuously understand and prioritize threats and act on organizational exposure rather than just detecting activity, says Carter.

“Traditional SOC models often focus heavily on reactive alert handling,” she says. “CTEM introduces a more strategic, iterative approach by helping organizations continuously scope, discover, prioritize and validate exposures, then mobilize remediation based on real-world risk and attack likelihood.”

CTEM allows SOCs to connect to a “broader remediation workflow,” says Hughes. That includes vulnerability management, IT operations and vendors. It also creates a feedback loop consisting of “scope, discover, remediate and measure,” he says.

“Without that loop, alerts pile up, and the same vulnerabilities appear on assessment reports year after year,” he adds.

AI-Assisted Triage: Supporting Human Analysts, Not Replacing Them

A key challenge when sorting through alerts is deciding if they are from the same or separate security events, Taule says. AI agents help SOCs “ingest, correlate and dedupe” these alerts, Taule says.

In addition, SOCs can triage alert streams using machine learning before humans become involved. The SOCs can “cluster related events, match patterns against known attack behaviors, enrich alerts with asset and threat intelligence context and score likely severity,” Hughes says. He adds that with AI, security analysts in a SOC receive a contextualized queue rather than overwhelming raw data.
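To make the triage steps described above concrete (consolidate, correlate and dedupe, enrich with asset context, suppress known-benign patterns such as frequent nurse logins on a shared workstation, then score severity for a prioritized queue), here is an added example. It is not code from the article, from RSA, Check Point or Luminis Health; the alerts, asset inventory, rule names, base scores and the 30-minute correlation window are all constructed for illustration.

```python
"""Added example (not from the HealthTech article or any vendor product): a toy
alert-triage pipeline covering ingest -> correlate/dedupe -> enrich -> suppress
known-benign patterns -> score -> prioritized analyst queue.
All alerts, assets, rule names and thresholds below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory: hostname -> (device class, criticality 1..5).
# Criticality is highest for devices whose compromise affects patient care.
ASSET_INVENTORY = {
    "pump-icu-07": ("infusion_pump", 5),
    "ct-rad-02": ("imaging", 4),
    "ws-nurse-3w": ("shared_workstation", 2),
    "cam-lobby-01": ("ip_camera", 3),
}

# Constructed per-rule base scores; a real SOC would derive these from its own risk model.
RULE_BASE_SCORE = {
    "rapid_login_logout": 10,
    "outbound_c2_beacon": 70,
    "firmware_modified": 60,
}


@dataclass
class Alert:
    ts: datetime
    rule: str
    host: str
    user: str = ""


@dataclass
class Case:
    rule: str
    host: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1
    device_class: str = "unknown"
    criticality: int = 1
    score: int = 0
    suppressed: bool = False


def correlate(alerts, window=timedelta(minutes=30)):
    """Dedupe: collapse alerts with the same rule+host that arrive within
    `window` of the previous one into a single case."""
    cases, open_cases = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.rule, a.host)
        c = open_cases.get(key)
        if c is not None and a.ts - c.last_seen <= window:
            c.count += 1
            c.last_seen = a.ts
        else:
            c = Case(a.rule, a.host, a.ts, a.ts)
            open_cases[key] = c
            cases.append(c)
    return cases


def enrich(case):
    """Attach asset context; unknown hosts get the lowest criticality."""
    case.device_class, case.criticality = ASSET_INVENTORY.get(case.host, ("unknown", 1))
    return case


def suppress_known_benign(case):
    """Clinical context: rapid logins on a shared nursing workstation are expected."""
    if case.rule == "rapid_login_logout" and case.device_class == "shared_workstation":
        case.suppressed = True
    return case


def score(case):
    """Severity = rule base + asset criticality weight + capped repetition bonus."""
    base = RULE_BASE_SCORE.get(case.rule, 30)
    case.score = 0 if case.suppressed else base + 10 * case.criticality + min(case.count, 10)
    return case


def triage(alerts):
    """Return the contextualized queue an analyst would see, highest score first."""
    cases = [score(suppress_known_benign(enrich(c))) for c in correlate(alerts)]
    return sorted((c for c in cases if not c.suppressed), key=lambda c: c.score, reverse=True)


def sample_alerts():
    """Constructed raw alert stream: 21 alerts, most of them nurse login noise."""
    t0 = datetime(2026, 6, 16, 8, 0)
    alerts = [Alert(t0 + timedelta(minutes=4 * i), "rapid_login_logout", "ws-nurse-3w", "rn_smith")
              for i in range(15)]
    alerts += [Alert(t0 + timedelta(minutes=5 * i), "outbound_c2_beacon", "pump-icu-07") for i in range(3)]
    alerts.append(Alert(t0 + timedelta(hours=3), "outbound_c2_beacon", "pump-icu-07"))  # outside window
    alerts.append(Alert(t0 + timedelta(minutes=12), "firmware_modified", "cam-lobby-01"))
    alerts.append(Alert(t0 + timedelta(minutes=20), "rapid_login_logout", "ct-rad-02", "svc_rad"))
    return alerts


if __name__ == "__main__":
    raw = sample_alerts()
    queue = triage(raw)
    print(f"{len(raw)} raw alerts -> {len(queue)} cases for analysts")
    for c in queue:
        print(f"{c.score:4d}  {c.host:14s} {c.device_class:18s} {c.rule} x{c.count}")
```

The 15 nurse login alerts collapse into one case and are suppressed because the asset inventory says the host is a shared workstation; the same rule firing on the CT scanner is kept, because that context does not apply there. The same beacon rule on the infusion pump outranks the camera firmware alert only because criticality is part of the score, which is the "context in correlation" the text calls for.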

Because healthcare security decisions carry consequences for patient health, that accountability must fall to human analysts, Hughes stresses.

“AI surfaces the signal; analysts make the call,” he says.

With AI, SOC teams can put large volumes of telemetry in context faster than humans, Carter says. And with SOC teams understaffed, AI can help improve operational efficiency and reduce the repetitive manual analysis, she says.


How To Know if Your SOC Is Getting Better at Managing Exposure

Measuring progress at SOCs is more about reducing exposure over time, reducing response times and boosting the resiliency for the organization rather than the number of alerts closed or dashboards monitored, Carter says.

“In healthcare specifically, organizations must also consider operational resilience indicators such as reduced disruption to clinical workflows, improved downtime preparedness, and the ability to sustain safe operations during cyber events,” she says.

She adds that other ways to measure progress include metrics such as reduction in exploitable attack paths, improved asset visibility across the environment and better integration between security, IT and operational teams, which includes physical security.

Going forward, SOCs can measure progress in managing exposure or risk reduction by connecting data to asset inventory, vulnerability management and identity governance. That will allow SOCs to develop a clear picture of where a risk began and what the trajectory looks like, Hughes says.
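As an added example of the outcome-based measures this section describes (reduction in exploitable attack paths over time, asset visibility across the environment, and response time), rather than alerts closed, here is a small metrics calculation. It is not from the article or any of the quoted organizations; the quarterly snapshots, asset lists and incident timestamps are constructed, and the metric definitions are assumptions a SOC would adapt to its own data.

```python
"""Added example (not from the article): exposure-management progress metrics
over constructed data. Demonstrates three measures the text names instead of
alert counts: exploitable-path trend, asset-visibility gaps, and
detect-to-contain time."""
from datetime import datetime
from statistics import mean

# Constructed: open exploitable attack paths per quarterly assessment.
EXPLOITABLE_PATHS = {"2026Q1": 40, "2026Q2": 31, "2026Q3": 22}

# Constructed: what the asset inventory says exists vs. what telemetry actually reports.
ASSET_INVENTORY = {"pump-icu-07", "ct-rad-02", "ws-nurse-3w", "cam-lobby-01", "ehr-app-01"}
SEEN_IN_TELEMETRY = {"pump-icu-07", "ct-rad-02", "ws-nurse-3w", "ehr-app-01", "unknown-dhcp-119"}

# Constructed incident records: (detected_at, contained_at).
INCIDENTS = [
    (datetime(2026, 4, 2, 9, 0), datetime(2026, 4, 2, 11, 0)),
    (datetime(2026, 5, 14, 22, 0), datetime(2026, 5, 15, 4, 0)),
    (datetime(2026, 6, 1, 13, 30), datetime(2026, 6, 1, 17, 30)),
]


def exposure_reduction_pct(paths):
    """Percent reduction in exploitable paths from the first to the latest snapshot."""
    ordered = [paths[q] for q in sorted(paths)]
    first, last = ordered[0], ordered[-1]
    return round(100.0 * (first - last) / first, 1)


def visibility_gap(inventory, seen):
    """Two gaps: hosts talking on the network that nobody inventoried (unknown
    devices), and inventoried hosts that send no telemetry (silent, e.g. a
    camera owned by facilities rather than the SOC)."""
    unknown = seen - inventory
    silent = inventory - seen
    return unknown, silent


def mttr_hours(incidents):
    """Mean time from detection to containment, in hours."""
    return round(mean((c - d).total_seconds() / 3600 for d, c in incidents), 1)


def progress_report():
    unknown, silent = visibility_gap(ASSET_INVENTORY, SEEN_IN_TELEMETRY)
    return {
        "exploitable_path_reduction_pct": exposure_reduction_pct(EXPLOITABLE_PATHS),
        "unknown_devices": sorted(unknown),
        "silent_assets": sorted(silent),
        "mttr_hours": mttr_hours(INCIDENTS),
    }


if __name__ == "__main__":
    for k, v in progress_report().items():
        print(f"{k}: {v}")
```

The visibility check is the piece that ties back to the camera ownership problem raised earlier: an inventoried device that never appears in telemetry is exactly the kind of asset whose compromise the SOC would learn about after the fact.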
