March 2, 2021
5 minutes

Why Security Operation Centers (SOCs) Weren’t Meeting the Needs in Healthcare

Cyber criminals are getting more savvy at finding new ways to target healthcare. Healthcare needs to respond and innovate to get ahead of the cyber criminals. One way is to level up your typical Security Operations Center.

Security Operations Centers (SOCs) have been around for along time, and they serve a purpose, especially in some industries outside of healthcare. We heard over and over from our healthcare clients that SOCs just weren’t meeting their needs. Read on for the story of the evolution of a CTOC – Cybersecurity Tactical Operations Center – and what makes it different from a SOC.

Back in 2015, we were approached by some of our customers to add a Security Operations Center ("SOC") to our offerings. It was actually perplexing to us that we were being asked to create a SOC. Our view was that SOCs were a dime a dozen and we couldn't understand why yet another SOC was needed.

As appreciative as we were for our client’s guidance, we didn't jump at the opportunity. In fact, we spent about a year trying to better understand why anyone would want yet another SOC offering in the market, especially the healthcare market. What was even more curious, was that some of these clients already had either established their own SOC or were contracting with big-name SOC vendors.

Continuing to research and speak with our clients, little by little we started to better understand the frustration associated with the entire SOC model. It wasn't that there was a shortage of SOCs in the market, but rather there was a complete deficit of value from any SOC offering.

We often heard the following from our clients about their current SOCs:

- "It's just a glorified help-desk!"

- "Every little thing is yet another statement of work!"

- "Managed detection and response looks great on their PowerPoints but it isn't reality!"

- "This is just not what we envisioned or even wanted!"

Despite the obvious frustrations of our clients, and industry research validating the lack of value organizations realize in using a SOC, we decided not to build a SOC. To be honest, we firmly believe the entire concept of a SOC is so 2010, and really does not do much to improve the security of an organization against the current and evolving threat landscape.

What we decided was to throw out the entire concept of a SOC and start from scratch. Our research led to the development of the very first CybersecurityTactical Operations Center or CTOC. Now you might think that we just added lipstick on a pig, but that would be a huge misnomer.

The Sensato CTOC is actually patterned after the military's concept of a Tactical Operations Center or TOC. It is a purpose-built entity that is designed to support the cybersecurity operations of critical infrastructure, specifically healthcare providers.

The people behind the CTOC have healthcare experience - they know the difference between TCP, UDP, HL7 and DICOM. They understand that they are not just defending servers and switches, but systems that ultimately impact human life.

The CTOC is designed to go well-beyond incident response, with something we call "IR beyond IT" and even more important, is that the CTOC is the only organization of its kind that has specific rapid response protocols for attacks against medical devices.


To that end, we established a memorandum of understanding ("MOU") with the FDA to address medical device cybersecurity and threat intelligence. The CTOC is also an ISAO (Information Sharing & Analysis Organization), which provides us with access to additional threat information from DHS/CISA. If you are a member of the CTOC, it may provide you with lower insurance premiums.

One of the unique approaches of the CTOC is that it takes its role as a support and over-watch group extremely seriously. This means that is can help coordinate not only incident response, but also support logistical and recovery operations.


One example of this is a situation that occurred at the start of COVID-19 in the Spring of 2020. Here’s what happened:

One of the CTOC members, a hospital in North Jersey, was in dire need of PPE. Regardless of their best efforts, they couldn't obtain PPE from any of their sources. This CTOC member reached out to the CTOC. This might sound strange,that a hospital CIO would call upon a cybersecurity partner for help with PPE, but they did, because the CTOCs first objective is to be mission focused and that mission is to support our members.

The CTOC put out a call for PPE across all of its resources,and within hours was answered by the CEO of a hospital in southern California. The CTOC helped to then coordinate the logistics of getting the PPE from California to NJ. This is a mission we are very proud of and it’s just one example of what makes the CTOC not just a SOC.

There are many more features of the CTOC that make it an extremely different and modern approach to cybersecurity operations. You can learn more about the CTOC here, and I would be very grateful to have the chance to walk you through what makes the CTOC special and to hear about your specific needs, no matter how challenging or unique.


Cybersecurity Awareness Month Recap - Resources and Tips
October was National Cybersecurity Awareness Month which is meant to put a spotlight and focus on cybersecurity education and taking action to protect yourself and your organization from a cyberattack. Here’s a roundup of some of the top things we shared in October.
Four New Phishing Tactics to Watch Out For
By now most healthcare organizations perform cybersecurity awareness training and their staff are on the lookout for phishing emails. Cyber attackers are getting more savvy, however and are coming up with new phishing techniques that are harder to spot. Below are some examples of these new tactics and how to spot them.
Real-time Review of Oklahoma State University Cybersecurity Breach
Healthcare organizations that are victims of a cyberattack are reported daily. Reviewing OCR findings to identify actions you can take to protect your organization from similar attacks is a good best practice. Here is a review of the OSU breach to use as an example.
No items found.