Process, people and technology - the key to successful Security Operations Centres in healthcare

16 May 2018


Discussions about security operations centres (SOCs) often start from a very technical perspective. But that approach to managing an organisation’s security is, in many ways, now starting to look outdated. That’s because the risks posed by cyber security are not purely technical but, importantly, operational. The approach to developing a SOC should follow the same direction.

For health organisations, a SOC represents the opportunity to address what is arguably now their biggest area of operational risk. The purpose of a SOC is not to manage security events and information per se; rather, it is to manage the cyber resilience of business operations. Of course, it’s harder to protect the business than it is to protect the server. And for healthcare, protecting the business really means ensuring that frontline clinical staff can place their trust and confidence in the data and services they use to do their jobs every day.

A SOC’s purpose is to spot risk at the right time, or just in time, and to manage that risk by reducing it or removing it altogether. So, for example, if a GP or a nurse needs to check some test results or a patient’s blood group and the record has, unbeknownst to them, been altered by a third party, the consequences could be very serious, and the underlying trust in the healthcare system is called into question. The purpose of a SOC is therefore to manage the resilience of the defences, and the integrity and confidentiality, of the services provided to frontline staff. This shift in focus from the technical to the business has come to the fore thanks to the recognition that cybercrime is a significant, serious threat to how health services operate and to the trust that is placed in them.

So, what makes a successful SOC? There are three dimensions to consider: process, people and technology.

Take process first. Analysts are, in effect, limited in their ability to ‘do the right thing’ when they are working only to meet SLAs. An effective SOC, therefore, needs processes that are focussed on outcomes. Given clear, outcome-based objectives, analysts know exactly what to do and when to do it. A SOC’s business processes need to be disciplined but not rigid: fluid when they need to be, and flexible enough to move in a new direction when the operational context changes. SOCs have failed in the past because they were too inflexible and not focussed on what was really needed.

What about the people in a SOC? We’ve traditionally seen highly technical people hired to work in these environments – and technical prowess is, of course, a key skillset. But where and how those skilled people are encouraged to operate has received less attention. SOC personnel need to be in an environment that is conducive to collaborating and working with others in the business. They need to be able to interact with the main users of the system to understand what they are doing and what they need to do their jobs better. That’s why we now tend to see the actual SOC itself as part of the wider business, stripping away the barriers that have previously separated analysts from the business around them. Rather than organising them hierarchically, having analysts work in teams emphasises collaboration and creativity. And instead of restricting analysts to focus on a limited set of tasks, rotating them to different activities helps to keep them learning and being exposed to new disciplines.

Only after we have the right processes and people do we look at the technology, thus bucking the ‘normal’ approach of putting the technology first. We think of a SOC as bringing together a variety of technologies rather than as a one-dimensional technology platform, and that difference is more than semantic. Taking a ‘platform of technologies’ approach builds in flexibility: using an open architecture allows data to be collected, transformed and organised in a way that can be accessed by a broad range of tools.
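As an added illustration (not code from the original article or from any particular SOC platform) of what an open, tool-agnostic data layer and an outcome-based rule look like in practice: two constructed log sources (an EHR audit log and a gateway syslog feed) are normalised into one common event schema, and a simple rule, phrased in terms of the outcome the article describes (clinicians can trust that records are changed only by people entitled to change them), flags a record modification made by an account outside the care team. All field names, account names, record identifiers and sample lines are assumptions for illustration.

```python
"""Added example, not from the original article: a minimal open event
pipeline. Two constructed source formats are parsed into one common schema
so that any tool can consume them, and an outcome-based integrity rule flags
modifications to patient records by accounts outside the care team.
Every field name, account, record id and log line below is an assumption."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Iterable, List, Optional


@dataclass
class Event:
    """Common schema: every collector produces this, every tool consumes it."""
    source: str               # system that emitted the event
    timestamp: str            # timestamp as received (constructed data)
    actor: str                # account that performed the action
    action: str               # normalised verb: read / modify / login
    record_id: Optional[str]  # patient record affected, if any
    raw: str                  # original line, kept for forensics


# Source 1 (constructed): EHR audit log, one JSON object per line.
EHR_AUDIT_LINES = [
    '{"ts":"2018-05-16T09:01:12Z","user":"nurse.a","op":"READ","patient":"P-1001"}',
    '{"ts":"2018-05-16T09:03:40Z","user":"svc.backup","op":"UPDATE","patient":"P-1001"}',
]

# Source 2 (constructed): syslog-style lines from an access gateway.
SYSLOG_LINES = [
    "May 16 09:00:58 gw01 auth: user=nurse.a result=success",
    "May 16 09:03:35 gw01 auth: user=svc.backup result=success",
]

_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ auth: "
    r"user=(?P<user>\S+) result=(?P<res>\S+)$"
)


def parse_ehr_audit(lines: Iterable[str]) -> List[Event]:
    """Collector for the (assumed) EHR audit format."""
    out = []
    for line in lines:
        rec = json.loads(line)
        verb = {"READ": "read", "UPDATE": "modify"}.get(rec["op"], rec["op"].lower())
        out.append(Event("ehr", rec["ts"], rec["user"], verb, rec["patient"], line))
    return out


def parse_syslog(lines: Iterable[str]) -> List[Event]:
    """Collector for the (assumed) gateway syslog format."""
    out = []
    for line in lines:
        m = _SYSLOG_RE.match(line)
        if not m:
            continue  # tolerate lines this collector does not understand
        out.append(Event("gateway", m["ts"], m["user"], "login", None, line))
    return out


# Who may change each record: an assumed lookup, in practice fed from the
# clinical system's own access model.
CARE_TEAM = {"P-1001": {"nurse.a", "gp.b"}}


def flag_untrusted_modifications(events: List[Event]) -> List[Event]:
    """Outcome-based rule: any record change by a non-care-team account."""
    return [
        ev for ev in events
        if ev.action == "modify"
        and ev.record_id is not None
        and ev.actor not in CARE_TEAM.get(ev.record_id, set())
    ]


def run_pipeline() -> List[dict]:
    """Collect from both sources, normalise, apply the rule, emit plain dicts."""
    events = parse_ehr_audit(EHR_AUDIT_LINES) + parse_syslog(SYSLOG_LINES)
    return [asdict(e) for e in flag_untrusted_modifications(events)]


if __name__ == "__main__":
    for hit in run_pipeline():
        print(json.dumps(hit))
```

Because the collectors emit the same `Event` shape, the rule (or a dashboard, a ticketing integration, or a different vendor's analytics) never needs to know which source a line came from; adding a third source means adding a collector, not rewriting every tool. The rule itself is deliberately stated as an outcome rather than a signature, which is the point the article makes about processes.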

Using a microservices architecture means developers can create the right tool at the right time for the right job. Health is unique in its needs and so requires a considered and relevant approach; off-the-shelf systems are unlikely to offer full protection against the range of threats that the NHS faces.

With the right processes, people and technology in place, a SOC will be integral to the overall success of the organisation and will keep innovating to achieve continuous improvement in the services it provides. And in the frenetic and fast-changing cyber risk and security landscape for health, that is not only desirable, it is an imperative.