Security Information and Event Management (SIEM) in Healthcare

Healthcare is transforming, with new complexity and trends that have changed the UK healthcare market significantly, in line with the NHS Long Term Plan.

Advances in diagnosing, treating and managing patients’ health, together with closer alignment with supporting services from local councils, social care and third-party providers, all support patient wellness and health in a home setting, with an element of self-provisioned care.

This digitisation of healthcare brings with it an inevitable increase in cyber attacks on the NHS, and with them risks to patient confidentiality and safety. While there are regulatory controls around data privacy and personal health information (PHI/e-PHI), data breaches are becoming all too common.

There has been an exponential increase in dependence on interconnected devices, in the digitisation of information for shared care provision and in the prevalence of cyber security threats. This means that the NHS is now under increased pressure to fend off these threats, automate compliance and improve patient care – all while controlling costs.

The recent agreement between NHS Digital and Microsoft will lead to improved productivity, enhanced collaboration and, importantly, strengthened cyber security across healthcare services.

As part of the agreement, M365 will be deployed to as many as 1.2 million staff across NHS organisations including Trusts, CCGs and Health Informatics Services, creating a truly joined-up NHS. Staff will be able to communicate more effectively and will have access to the information, applications and services they need, reducing the administrative burden on staff and improving patient safety.


What is Security Information and Event Management (SIEM)?

Gartner defines SIEM as “a technology that supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources”.

Early detection, rapid response and collaboration to mitigate advanced threats place further significant demands on your Security and IT Teams. Reporting on and monitoring your log information is no longer enough: given the digitisation of our networks, you need to capture broader insights, generated at scale, across your whole Trust.

Data aggregation is only one part of an effective SIEM – it also needs to look for unusual behaviours, system anomalies and other indicators of a security incident.

COVID-19 has seen escalating numbers of sophisticated cyber security attacks, compounded by an increase of remote working practices.

What are the SIEM essentials?

  1. Real-Time Monitoring – the ability to monitor, correlate and act in real time.
  2. Incident Response – alongside your Cyber Security Incident Plans, you need an organised way to address and manage any potential breach, as well as post-incident handling in line with robust Business Continuity and Disaster Recovery Plans.
  3. User Monitoring – using controls such as privileged user monitoring to seek out any misuse against aligned frameworks.
  4. Threat Intelligence – which recognises abnormal activity, assesses the risk to the Trust and supports prioritising the response.
  5. Advanced Threat Detection – tools available to your security professionals in order to monitor, analyse and detect threats across the kill chain.
  6. Advanced Analytics – use of machine learning to automate analysis of trends and patterns and to uncover hidden threats.
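To make "correlate and act in real time" and "privileged user monitoring" concrete, here is an added example that is not from the original article, nor from Microsoft or Phoenix. It is written in Python rather than Sentinel's own query language so that it runs offline: two small correlation rules are applied to a constructed, normalised sign-in feed (made-up users, IPs and times; the field names `ts`, `user`, `ip`, `result` and `privileged`, the failure threshold of 5 in 10 minutes and the 07:00–19:00 working window are all assumptions for illustration). The first rule links a burst of failed sign-ins to a subsequent success from the same source, the second flags privileged sign-ins outside working hours; together they show why aggregation alone is not detection.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: a normalised sign-in feed such as a SIEM holds
# after aggregating several sources. Users, IPs and timestamps are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "j.smith@trust.example", "ip": "203.0.113.5", "result": "failure", "privileged": False},
    {"ts": "2024-03-01T08:00:20", "user": "j.smith@trust.example", "ip": "203.0.113.5", "result": "failure", "privileged": False},
    {"ts": "2024-03-01T08:00:40", "user": "j.smith@trust.example", "ip": "203.0.113.5", "result": "failure", "privileged": False},
    {"ts": "2024-03-01T08:01:00", "user": "j.smith@trust.example", "ip": "203.0.113.5", "result": "failure", "privileged": False},
    {"ts": "2024-03-01T08:01:20", "user": "j.smith@trust.example", "ip": "203.0.113.5", "result": "failure", "privileged": False},
    {"ts": "2024-03-01T08:02:00", "user": "j.smith@trust.example", "ip": "203.0.113.5", "result": "success", "privileged": False},
    {"ts": "2024-03-01T09:00:00", "user": "a.jones@trust.example", "ip": "198.51.100.7", "result": "failure", "privileged": False},
    {"ts": "2024-03-01T09:00:30", "user": "a.jones@trust.example", "ip": "198.51.100.7", "result": "success", "privileged": False},
    {"ts": "2024-03-01T02:15:00", "user": "admin.db@trust.example", "ip": "192.0.2.9", "result": "success", "privileged": True},
    {"ts": "2024-03-01T10:30:00", "user": "admin.db@trust.example", "ip": "192.0.2.9", "result": "success", "privileged": True},
]


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def parse_events(events):
    """Parse timestamps and sort chronologically; SIEM ingestion order is not guaranteed."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def rule_failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Correlation rule: at least `threshold` failed sign-ins for a (user, ip) pair
    inside `window`, followed by a success from the same pair, is worth an alert.
    Threshold and window are illustrative assumptions, not vendor defaults."""
    failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for e in events:
        recent = failures[(e["user"], e["ip"])]
        # Drop failures that have fallen out of the correlation window.
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if e["result"] == "failure":
            recent.append(e["ts"])
        elif e["result"] == "success" and len(recent) >= threshold:
            alerts.append(Alert("failures_then_success", e["user"],
                                f"{len(recent)} failures from {e['ip']} before success at {e['ts'].isoformat()}"))
            recent.clear()
    return alerts


def rule_privileged_out_of_hours(events, start_hour=7, end_hour=19):
    """Privileged-user monitoring: a successful privileged sign-in outside the agreed
    working window (assumed 07:00-19:00 here) is surfaced for review."""
    alerts = []
    for e in events:
        if e["privileged"] and e["result"] == "success" and not (start_hour <= e["ts"].hour < end_hour):
            alerts.append(Alert("privileged_out_of_hours", e["user"],
                                f"privileged sign-in from {e['ip']} at {e['ts'].isoformat()}"))
    return alerts


def run_rules(raw_events):
    """Run every rule over the aggregated feed and return all alerts for triage."""
    events = parse_events(raw_events)
    return rule_failures_then_success(events) + rule_privileged_out_of_hours(events)


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

On the sample feed this raises two alerts: the j.smith success after five failures, and the 02:15 privileged sign-in; a.jones's single failure and the 10:30 privileged sign-in are left alone. In a real SIEM these rules would be expressed as scheduled analytics queries and the alerts routed into the incident-response process the second essential describes.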

Why Azure Sentinel?

Azure Sentinel is Microsoft’s cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution all in one!

It brings together the latest in security innovation and advanced AI to provide near real-time intelligent security analytics for a bird’s-eye view over your entire enterprise’s IT estate.

With Azure Sentinel you can consume security related data from almost any source – not just sources inside your Microsoft tenant. This removes the need to manage multiple pieces of complex and costly infrastructure components – whilst providing a cloud platform solution that can easily scale to your needs.

Sentinel uses machine learning and AI models to surface important insights based on data consumed through a wide catalogue of data connectors. This includes native connections to all key Microsoft sources, together with a range of native third-party connectors which includes technologies from AWS, Symantec, Barracuda, Cisco and many others.

The solution analyses in excess of 6.5 trillion signals daily to provide unparalleled threat intelligence. This coupled with the ability to filter millions of signals into meaningful dashboard alerts provides comprehensive hunting and investigative capabilities – enabling you to expedite your response to potential attacks.

Sentinel also integrates with a wide range of systems – providing the option to automate your incident response activities, thereby allowing you to orchestrate your activities in an efficient and effective manner.

Four Key Security Pillars

Put simply, Azure Sentinel enables you to:

  • Easily gather data at cloud scale across users, devices, applications and infrastructure, both on-premises and across multiple clouds.
  • Recognise previously discovered threats and minimise false positives by using analytics and threat intelligence drawn directly from Microsoft.
  • Identify threats and hunt suspicious activities at scale with artificial intelligence.
  • React calmly and quickly to incidents with built-in automation processes and responses.

As most enterprises consume more and more cloud services, there is a strong requirement for a cloud-native SIEM. This is where Azure Sentinel comes into play, with the following advantages:

  • Easy collection from cloud sources
  • Effortless infinite scale
  • Integrated automation capabilities
  • Continually maintained cloud and on-premises use cases enhanced with Microsoft TI and ML
  • GitHub community
  • Microsoft research and ML capabilities
  • Avoid sending cloud telemetry downstream

Protecting Healthcare

Azure Sentinel is a powerful SIEM fit for the modern technological landscape. It provides a bird’s-eye view of your entire IT estate along with smart analytics supported by advanced artificial intelligence to help detect and respond to threats in near real-time.

Azure Sentinel can integrate seamlessly with your pre-existing Microsoft and non-Microsoft infrastructure, while still providing you the control to customise Sentinel to match your security requirements.

This all contributes toward defending your organisation against the ever-growing cyber security threats of this modern world. Azure Sentinel’s use of automated playbooks can also increase the productivity of IT and support personnel by reducing the amount of trivial and time-consuming remediation tasks required, all while reducing response times to incidents.

Ready to learn more?

To discuss Azure Sentinel and more, contact the Security, Risk and Compliance Team at Phoenix. Just fill in the form to the right, or alternatively you can email us at [email protected] or call us on 01904 562200.