March 15, 2023

Steward Health Care protects patient data in an evolving cyber pandemic through Microsoft Security solutions

Steward Health Care approaches the challenges of protecting its dispersed IT landscape with the same dedication that its clinicians apply to patient well-being. Noting the evolving threat landscape, the company evaluated security solution providers and cybersecurity partners. It allied with BlueVoyant and chose a comprehensive Microsoft security environment to cover its full range of security needs. The “better together” ecosystem of BlueVoyant and Microsoft enhanced its ability to adapt to the cyber pandemic—the surge in malicious attacks during the COVID-19 pandemic. The partnership succeeded, elevating security and bringing peace of mind to its security teams.


“Malicious actors have shown that they too can use machine learning and the most modern cloud technologies. Phishing and ransomware increased by about 600 percent … And if COVID-19 taught us anything, it’s that strategic outsourcing and optimizing vendor relationships is vital.”

Esmond Kane, Chief Information Security Officer, Steward Health Care

Building resistance to a growing threat landscape

Healthcare delivery company Steward Health Care looks after millions of patients every year. The company’s size alone would challenge any IT team—multiple hospitals in nine US states and more than 43,000 staff. But as healthcare workers fought to save lives in an overburdened system during the COVID-19 pandemic and IT staff scrambled to support them, malicious actors intensified their attacks in what is now being called the cyber pandemic. Steward Health decided not to go it alone. It engaged an elite cybersecurity partner, BlueVoyant, and deployed Microsoft Security solutions for a coordinated approach to the many issues that complicate protecting a vast IT landscape.

Rallying against a cyber pandemic

When Steward Health Care Chief Information Security Officer Esmond Kane looks back on the period that unfolded with the 2020 New Year, what he remembers most is how many diverse threats all came together at once to cause widespread turmoil. The COVID-19 pandemic and resulting supply chain issues shook the foundations of the healthcare system. The accompanying increase in cyberattacks wasn’t reported in mainstream news, but it threatened to overwhelm security teams. The number of attacks swelled case logs of security teams everywhere, causing alert fatigue that complicated threat hunting. “Malicious actors have shown that they too can use machine learning and the most modern cloud technologies,” explains Kane. “In 2020, our industry was horrified by the rate of cybercrime industrialization. Phishing and ransomware increased by about 600 percent.” Like the healthcare workers who worked so hard, IT teams struggled but kept systems intact. “We weathered a cyber pandemic,” he continues. “Never had so many needed the healthcare system so desperately, and that added to the perfect storm of malicious actors seeking to take advantage of the healthcare system.”

That experience shaped Kane’s cyber defense approach. Now on the other side of the crisis, he draws parallels between the progress the medical profession made against COVID-19 and the steps to heightened cybersecurity. “Just like individuals need to get vaccinated against diseases, security practitioners need to find solution providers that improve the quality of their defenses through constant innovation.”

Despite having an IT team of hundreds, including excellent security operations center (SOC) professionals, Steward Health sought outside help. “I don’t know many organizations that believe they have sufficient IT security staff,” says Kane. “And if COVID-19 taught us anything, it’s that strategic outsourcing and optimizing vendor relationships is vital.” For Steward Health, that combination was to be managed detection and response (MDR) provider BlueVoyant and Microsoft.

Adopting a “Swiss Army Knife” connected security tool set

“If you had told me four years ago that I would have so intensely invested in the Microsoft ecosystem and aligned so closely with a Microsoft partner, I probably would not have believed it,” says Kane. “But in early 2020, I decided to double down on Microsoft. Its commitment to its strategic security portfolio is impressive.” Steward Health had already deployed Microsoft 365 and Microsoft Defender for Office 365. It was using Azure Active Directory for identity authentication. The company had previously turned to companies like Symantec for security and compliance, Proofpoint for email security, CrowdStrike for endpoint detection and response, and Trend Micro for network security, but it was concerned about their long-term viability. “Microsoft offers the consistency, innovation, and stability I needed in a security solution vendor,” says Kane.

He turned to BlueVoyant to help deploy Microsoft Defender for Endpoint so that his team could identify endpoint data signals and unify the logs ingested by Microsoft Sentinel for optimal threat hunting. “I wanted a Swiss Army Knife solution that could expand into endpoint configuration, firewall management, and data loss prevention,” says Kane. “We’ve fulfilled that hope by adopting Defender for Endpoint.” BlueVoyant set up automated remediations in Defender for Endpoint that it can use to isolate, quarantine, and remediate a device, proactively halting threats. “Healthcare providers are increasingly targeted with sophisticated cyberattacks,” says Milan Patel, Global Head of Managed Security Services at BlueVoyant. “An attack on a healthcare system can have real-world impact on patient care. BlueVoyant’s service is not just monitoring for security alerts; rather, we provide end-to-end support from the early stages of malicious activity through threat eradication.”

That point resonates with Kane, who says that system vulnerabilities are no longer the most-used point of access for malicious actors. “Modern attacks take advantage of the human operating system,” he explains. “Azure Active Directory conditional access and multifactor authentication capabilities are invaluable. In tandem with employee testing and Microsoft training in Attack simulation, they’re a force multiplier to help us ensure that a user is who they say they are.” Attackers work on human empathy, moving in on rights and privileges afforded to administrators or employees. “One of the greatest benefits I’ve seen from working with both Microsoft and BlueVoyant is the level of behavioral analytics and telemetry, which helps us distinguish signals from noise,” Kane adds. “Looking for a needle in a haystack in a whole field of haystacks is an impossible mission. I need high-caliber teams, including our SOC analysts and BlueVoyant, working together.”

The company used BlueVoyant deployment services to adopt Microsoft Defender for Cloud, providing visibility and telemetry into its attack surface from both a threat and a compliance perspective, creating additional layers of security. In a complex regulatory environment, compliance is key to Steward Health’s security. It uses Microsoft Purview Information Protection to protect data across its full spectrum of collaboration tools, like SharePoint sites and Microsoft Teams.

Partnering with a proven security expert

Forming a strategic partnership with BlueVoyant filled an important need for Steward Health. “There’s a lot of value in choosing a strategic partner that can help you optimize your Microsoft investment and tune your security tools to get the most benefits from them,” says Kane. “BlueVoyant stood out in a small pool of vendors as a strategic partner that would solve our current problems and help us reap the benefits of our technology investments.”

BlueVoyant understood Steward Health’s need to closely manage its data. The BlueVoyant team takes a co-management approach, using Azure Lighthouse to deliver SOC services while security data remains within Steward Health’s Microsoft Sentinel instance. “Microsoft Sentinel is our log aggregation platform of choice,” says Kane. This management approach keeps the maximum amount of data in Steward Health’s domain while making security logs available to BlueVoyant so that it can run threat analytics. “BlueVoyant brings its intelligence and expertise, which we complement with our SOC. That gives us much-needed, round-the-clock support.”

Transforming the systems that support healthcare

Cloud transformation has come slowly to the healthcare industry, but the enormous difficulties of dealing with COVID-19 and the need to physically isolate had one positive side effect. Overnight, telemedicine and virtual conferencing brought new convenience and safety to patient encounters and physician consultations. “We need to transform our organizations to meet new healthcare demands,” says Kane. “And our relationships with Microsoft and BlueVoyant have been a great help in our journey to security in the cloud and on-premises.”

For BlueVoyant, a tool set that evolves with the threat landscape is a must. “Our service proactively ensures that the right signals are ingested into Microsoft Sentinel, continually developing real-world threat detection rules and automations to quickly sift through tens of thousands of alerts per year,” says Patel. “This enables both BlueVoyant and Steward to focus on events that require immediate attention.” Kane appreciates that preemptive approach. “Malicious actors aren’t going to submit a change ticket or ask your permission. So, you need to patch medical devices, pay attention to supply chain attacks, and understand the potential for an adversary to use your trusted circle against you.

“Knowing you have a problem is fine,” concludes Kane. “But knowing that you have a trusted partner to take action is peace of mind.”

Find out more about Steward Health on Twitter, Facebook, and LinkedIn.
