Health systems use security information and event management systems to manage threats. They ingest hundreds of sources, and each one generates alerts, Hughes says, adding that most of these alerts are noise.
Sorting through alerts also requires context: nurses logging in and out 15 times per hour, for example, are not a threat, Hughes says.
Alert fatigue can also lead to disengagement, stress and turnover for SOC analysts, Carter notes, and replacing fatigued analysts is expensive and disrupts operations.
With all of the endpoints and medical devices as well as vendor connections, healthcare SOCs also have one of the broadest attack surfaces of any industry, according to Carter. This only adds to analysts’ fatigue.
How Continuous Threat Exposure Management Changes the SOC Equation
A continuous threat exposure management framework allows health systems to take an iterative approach to fighting cyberthreats. It enables SOCs to continuously understand and prioritize threats and act on organizational exposure rather than just detecting activity, says Carter.
“Traditional SOC models often focus heavily on reactive alert handling,” she says. “CTEM introduces a more strategic, iterative approach by helping organizations continuously scope, discover, prioritize and validate exposures, then mobilize remediation based on real-world risk and attack likelihood.”
CTEM allows SOCs to connect to a “broader remediation workflow,” says Hughes. That includes vulnerability management, IT operations and vendors. It also creates a feedback loop consisting of “scope, discover, remediate and measure,” he says.
“Without that loop, alerts pile up, and the same vulnerabilities appear on assessment reports year after year,” he adds.
AI-Assisted Triage: Supporting Human Analysts, Not Replacing Them
A key challenge when sorting through alerts is deciding whether they stem from the same security event or from separate ones, Taule says. AI agents help SOCs “ingest, correlate and dedupe” these alerts, Taule adds.
In addition, SOCs can apply machine-learning triage to alert streams before humans become involved. The SOCs can “cluster related events, match patterns against known attack behaviors, enrich alerts with asset and threat intelligence context and score likely severity,” Hughes says. He adds that with AI, security analysts in a SOC receive a contextualized queue rather than overwhelming raw data.
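The triage stages Hughes lists (dedupe, cluster, match known behaviors, enrich with asset context, score severity) can be sketched end to end in a few dozen lines. The following is an added illustration, not code from the article or from any vendor product: the alert stream, asset inventory, rule weights and behavior patterns are all constructed for the example, and the baseline that tolerates frequent nurse logons on shared workstations is a hypothetical threshold chosen to reflect the earlier point about nurses logging in and out many times an hour.

```python
"""Minimal AI-assisted triage stage for a SOC alert stream (added example).

Constructed sample alerts and a hypothetical asset inventory; not code from the
article or any vendor product. Walks the steps named in the text: dedupe,
cluster related events, match known attack behaviors, enrich with asset context,
score severity, and hand analysts a contextualized queue instead of raw alerts.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str


# Hypothetical asset inventory used for enrichment (constructed).
ASSETS = {
    "ws-nurse-07": {"role": "nurse workstation", "criticality": 2, "shared": True},
    "infusion-pump-12": {"role": "medical device", "criticality": 5, "shared": False},
    "vendor-vpn-gw": {"role": "vendor remote access", "criticality": 4, "shared": False},
}
UNKNOWN_ASSET = {"role": "unknown", "criticality": 3, "shared": False}
# Base score per detection rule and known attack behaviors (constructed weights/patterns).
RULE_SCORE = {"logon": 1, "logon_failure": 2, "new_local_admin": 6, "outbound_unusual_port": 5}
BEHAVIORS = {  # a cluster matches when it contains every rule in the set
    "credential abuse then privilege escalation": {"logon_failure", "logon", "new_local_admin"},
    "device beaconing": {"outbound_unusual_port"},
}
# Baseline: logon churn on shared clinical workstations is normal up to this hourly rate (assumed).
EXPECTED_LOGONS_PER_HOUR_SHARED = 20
BEHAVIOR_BONUS = 5


def dedupe(alerts, window=timedelta(seconds=60)):
    """Collapse repeats of the same (host, user, rule) within `window` into one entry with a count."""
    entries, last = [], {}  # last: key -> index of the most recent kept entry for that key
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.host, a.user, a.rule)
        if key in last and a.ts - entries[last[key]]["alert"].ts <= window:
            entries[last[key]]["count"] += 1
        else:
            entries.append({"alert": a, "count": 1})
            last[key] = len(entries) - 1
    return entries


def cluster(entries, window=timedelta(hours=1)):
    """Group deduped entries by (host, user); open a new cluster when an entry falls outside `window`."""
    clusters, open_by_key = [], {}
    for e in entries:  # already time-ordered by dedupe()
        a = e["alert"]
        idx = open_by_key.get((a.host, a.user))
        if idx is None or a.ts - clusters[idx]["start"] > window:
            clusters.append({"host": a.host, "user": a.user, "start": a.ts, "entries": []})
            idx = open_by_key[(a.host, a.user)] = len(clusters) - 1
        clusters[idx]["entries"].append(e)
    return clusters


def score(c):
    """Enrich one cluster with asset context, match behaviors and score it; returns a triage record."""
    asset = ASSETS.get(c["host"], UNKNOWN_ASSET)
    rules = {e["alert"].rule for e in c["entries"]}
    counts = defaultdict(int)
    for e in c["entries"]:
        counts[e["alert"].rule] += e["count"]
    behaviors = [name for name, pattern in BEHAVIORS.items() if pattern <= rules]
    notes = []
    if asset["shared"] and rules == {"logon"} and counts["logon"] <= EXPECTED_LOGONS_PER_HOUR_SHARED:
        notes.append("suppressed: logon churn within baseline for shared clinical workstation")
        total = 0
    else:
        base = sum(RULE_SCORE.get(r, 3) for r in rules)
        total = (base + BEHAVIOR_BONUS * len(behaviors)) * asset["criticality"]
    return {"host": c["host"], "user": c["user"], "asset_role": asset["role"], "rules": sorted(rules),
            "raw_alerts": sum(counts.values()), "behaviors": behaviors, "score": total, "notes": notes}


def triage(alerts):
    """Full pipeline: dedupe -> cluster -> enrich/score -> queue ordered by severity."""
    return sorted((score(c) for c in cluster(dedupe(alerts))), key=lambda r: r["score"], reverse=True)


def sample_alerts():
    """Constructed stream: routine nurse logons, a chatty device, and a vendor account going bad."""
    t0, t1 = datetime(2024, 1, 15, 10, 0, 0), datetime(2024, 1, 15, 11, 0, 0)
    alerts = [Alert(t0 + timedelta(minutes=4 * i), "ws-nurse-07", "rn.jones", "logon") for i in range(15)]
    alerts += [Alert(t0 + timedelta(minutes=5, seconds=10 * i), "infusion-pump-12", "-", "outbound_unusual_port")
               for i in range(3)]
    alerts += [Alert(t1 + timedelta(seconds=20 * i), "vendor-vpn-gw", "svc.vendor", "logon_failure") for i in range(4)]
    alerts += [Alert(t1 + timedelta(minutes=2), "vendor-vpn-gw", "svc.vendor", "logon"),
               Alert(t1 + timedelta(minutes=10), "vendor-vpn-gw", "svc.vendor", "new_local_admin")]
    return alerts


if __name__ == "__main__":
    for rec in triage(sample_alerts()):
        print(rec["score"], rec["host"], rec["asset_role"], rec["behaviors"], rec["notes"])
```

Run as a script, the 24 raw alerts collapse to three queue entries: the vendor account (failed logons, then a success, then a new local admin) scores highest because it matches a known behavior on a high-criticality asset; the infusion pump's repeated alerts dedupe to one entry that still ranks high because of the device's criticality; and the 15 nurse logons are kept for audit but scored zero because they sit inside the shared-workstation baseline. Analysts still see every cluster and every note, which is the "AI surfaces the signal; analysts make the call" division of labor the article describes.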
Because healthcare security decisions carry consequences for patient health, that accountability must fall to human analysts, Hughes stresses.
“AI surfaces the signal; analysts make the call,” he says.
With AI, SOC teams can put large volumes of telemetry in context faster than humans can on their own, Carter says. And with SOC teams understaffed, AI can help improve operational efficiency and reduce repetitive manual analysis, she says.