Hard2bit

24/7 managed SOC at a private healthcare group

A Spanish healthcare group with seven clinics found an intrusion attempt on a Monday morning — by accident, while checking logs for something else. Nobody was watching at night or over the weekend, and NIS2 designated the organisation an essential entity. A year after deploying our managed SOC, three real incidents were contained in the small hours without a single patient noticing.

Sector: Private healthcare · 7 clinics
Size: ~900 employees
Service: 24/7 managed SOC (MDR)
Scope: ~1,100 endpoints · HIS · medical legacy
Framework: NIS2 · essential entity · GDPR
Outcome: 3 incidents contained · 0 clinical impact

The starting point

The IT team was six people covering seven clinics: systems, networks, support for the HIS — the hospital information system every clinical activity depends on — and not a single person dedicated to security. Protection amounted to a traditional antivirus, and visibility ended when the working day did: from eight in the evening and all weekend, nobody was looking at anything. The wake-up call came on a Monday, when a technician stumbled on traces of an intrusion attempt that had been running since Friday night. Nothing happened that time. It was luck, and everyone knew it.

Two sector-specific complications sat on top of that. First, a large share of the estate was diagnostic equipment running old versions of Windows the manufacturer forbids patching or touching. Second, the data at stake was clinical records — special-category data under the GDPR — and NIS2 classed the group as an essential entity in the health sector, obliged to demonstrate detection and response capability, not merely to claim it.

How we approached it

  1. EDR rollout and a real inventory — agents deployed across ~1,100 endpoints and servers in all seven clinics, in waves so as not to interfere with clinical activity. The inventory delivered the first surprise: 14% of connected assets IT had never catalogued, from consulting-room machines to a forgotten test server with access to the HIS.
  2. Medical legacy is not touched: it is isolated and watched — no agents were installed on the unpatchable diagnostic equipment. Instead, network microsegmentation so those devices talk only to what they strictly need, plus reinforced traffic monitoring from the outside. Any anomalous connection from a CT scanner or an ultrasound machine raises a priority alert.
  3. Use cases prioritised with the business, not from a catalogue — playbooks built around the three scenarios that would hurt most: ransomware, anomalous access to clinical records, and data exfiltration. Each with predefined containment actions and thresholds agreed with management.
  4. Escalation defined with IT and the on-call medical directorate — who decides to isolate an HIS server at three in the morning cannot be improvised. We defined an escalation chain with IT on-call rotas and a reachable medical directorate contact, with clear criteria for when the SOC acts alone and when it wakes somebody up.
  5. 24/7 operation and continuous improvement — round-the-clock monitoring from our SOC, with a monthly review of metrics (detections, false positives, response times) and ongoing tuning of rules and playbooks. The service in month twelve bears little resemblance to month one: it detects more and interrupts less.
  6. Monthly exposed-credential monitoring and threat intelligence — every month we sweep open sources, criminal marketplaces, leak channels and third-party breach dumps for corporate credentials belonging to the group. In the first year alone, 47 exposed credentials surfaced in third-party service breaches — every one was rotated before anyone could use it, and three belonged to accounts with HIS access. Each finding feeds a monthly intelligence report for management: new exposures, active campaigns against the healthcare sector, techniques observed in the group's own incidents, and prioritised recommendations. Management stopped learning about threats from the press: they see them coming in their own report.
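Step 2 in working form, as an added example that is not the page's or Hard2bit's code: an allowlist check over flow records exported by the switches and firewalls around the isolated equipment, so nothing runs on the devices themselves. Device names, hostnames, ports and the flow lines are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist: each isolated legacy device may talk only to what it
# strictly needs (hostnames and ports are assumptions for the example).
ALLOWLIST: Dict[str, Set[Tuple[str, int]]] = {
    "ct-scanner-01": {("pacs.clinic.local", 104), ("his.clinic.local", 2575)},
    "ultrasound-03": {("pacs.clinic.local", 104)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'src,dst,dport' record from the network export."""
    src, dst, dport = (f.strip() for f in line.split(","))
    return Flow(src, dst, int(dport))


def check_flow(flow: Flow) -> Optional[dict]:
    """Return a priority alert if a monitored device connects outside its
    allowlist; None for permitted flows and for hosts that are not legacy
    devices (those are covered by the EDR, not by this check)."""
    allowed = ALLOWLIST.get(flow.src)
    if allowed is None or (flow.dst, flow.dport) in allowed:
        return None
    return {
        "severity": "priority",
        "device": flow.src,
        "dst": flow.dst,
        "dport": flow.dport,
        "reason": "connection outside microsegmentation allowlist",
    }


def scan_export(lines: List[str]) -> List[dict]:
    """Run the allowlist check over every record in a flow export."""
    alerts = (check_flow(parse_flow_line(l)) for l in lines if l.strip())
    return [a for a in alerts if a is not None]


# Constructed sample export: two permitted flows, two anomalous ones, and one
# ordinary workstation that the check deliberately leaves to the EDR.
SAMPLE_EXPORT = [
    "ct-scanner-01, pacs.clinic.local, 104",
    "ct-scanner-01, fileshare.clinic.local, 445",
    "ultrasound-03, pacs.clinic.local, 104",
    "ultrasound-03, 203.0.113.9, 443",
    "workstation-22, his.clinic.local, 443",
]
```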

Results

11 min · median MTTD: detection went from days to minutes
3 · real incidents contained outside working hours in the first year
100% · visibility of catalogued endpoints, up from ~86% at the start

The first year's three incidents — two ransomware attempts caught at an early stage and a compromised account being used in the small hours — were contained with no impact on clinical activity: not one clinic lost a single hour of operation. And when NIS2 became applicable, the group did not have to improvise a story: it had metrics, playbooks and handled incidents with which to demonstrate genuine detection and response capability.

The monthly exposed-credential monitoring added a layer the EDR cannot see: the 47 credentials rotated in time were bought-and-paid-for entry points that never got to open a door. And the monthly intelligence report turned security into a board-level conversation built on the group's own data and its sector's threat picture — not a technical annex nobody read.

What made it work

  • In healthcare, availability is not merely operational — it is clinical. A downed HIS server is not a ticket; it is a surgery that cannot see patients.
  • Medical legacy is never patched — it is isolated and watched. Trying to install agents on a CT scanner is the fast route to voiding the warranty and the manufacturer's goodwill.
  • Without 24/7 operation, the year's three incidents would have been three Monday-morning disasters. Attackers work precisely when IT does not.

Frequently asked questions

What does a managed SOC (MDR) actually include?

24/7 detection and response with real analysts: EDR deployed across endpoints and servers, containment playbooks built around the scenarios that would hurt the business most, an escalation chain agreed with IT and management, and continuous tuning with a monthly metrics review. Our service also includes monthly monitoring for corporate credentials exposed in third-party breaches, plus a monthly intelligence report for management covering new exposures, active campaigns against the sector and prioritised recommendations.

We run legacy systems that cannot take an agent — is it still viable?

Yes. Equipment the manufacturer forbids patching or touching — common with medical or industrial kit — is not left outside the service: it is isolated through network microsegmentation so it talks only to what it strictly needs, and its traffic is monitored from the outside. Any anomalous connection from one of those devices raises a priority alert, with nothing installed on them and no warranty put at risk.

How long does it take to deploy a managed SOC?

The initial rollout — EDR agents, asset inventory and the first use cases — is done in waves over a few weeks, without disrupting operations. Round-the-clock monitoring starts as soon as telemetry is flowing, but the service matures with use: the first months go into tuning rules and playbooks against real data, and the service in month twelve detects more and interrupts less than in month one.

Does a managed SOC replace our internal IT team?

No — it complements it. IT keeps systems administration and its knowledge of the business; the SOC brings the continuous monitoring, the analytical capability and the out-of-hours response a small internal team cannot cover. The escalation chain is defined together: it is agreed in advance when the SOC contains on its own and when it wakes someone in IT or management.

Who is watching your network tonight?

If the answer is "nobody", attackers already know. Our managed SOC delivers 24/7 detection and response with real analysts, tailored playbooks and metrics you can show an auditor.