Cyberattackers are stealthy and patient, often operating unnoticed in a network for months on end. A long dwell time — the time from when cyberattackers enter an environment until they are removed — gives these bad actors more opportunity to access sensitive electronic protected health information (ePHI), infiltrate financial accounts, and introduce malicious malware. The longer the dwell time, the greater the potential impact.

In 2021, Newman Regional Health experienced first-hand the stealth and patience of a lurking cyberattacker. The critical access hospital in Emporia, Kansas, experienced a cyber breach where a cyberattacker gained access to the organization’s email accounts, which contained names, medical record numbers, treatment information, birthdates, email addresses, contact information, and some financial data and Social Security numbers. The breach lasted from Jan. 26 to Nov. 23, 2021, exposing the ePHI of more than 52,000 individuals, and was finally concluded on March 14, 2022. That’s more than enough time to cause substantial harm within a network.

The average time to identify and contain a data breach is 287 days, according to the IBM Security Cost of a Data Breach Report 2021. The report shows that breaches taking more than 200 days to identify and contain cost an average of $4.87 million, whereas breaches taking fewer than 200 days cost an average of $3.61 million. The longer dwell time comes at a high cost of $1.26 million.

But there are steps healthcare organizations can take to detect and prevent dwell time in their networks including threat hunting and integrated incident response.


Every healthcare organization needs a continuous, multi-prong approach to safeguard its cyber environment from attack and ePHI from exposure. The cybersecurity team must implement controls, configure security devices, use safeguards such as firewalls and multifactor authentication, conduct testing and vulnerability scanning, and equip and monitor every endpoint, among other things. These action items demand ongoing management to keep cyberattackers from penetrating vulnerable entry points in the network. More and more, healthcare organizations are working with managed detection and response (MDR) providers to assure that these critical actions receive the time and attention required to prevent cyberattacks.

Detection and threat hunting

A cybersecurity team shouldn’t simply wait to respond to a cyber threat. The team should be proactively hunting for threats to monitor and detect malicious activity on the network, endpoints, logs, and clouds. Experienced humans are key to proactive threat hunting. Analysts and security experts need to perform 24/7 monitoring of the system to hunt down would-be intruders to your network.

“Sophisticated attackers take drastic steps to gain and maintain access to networks, and these methods can often bypass established prevention and detection methods,” said Lyndon Brown, Chief Strategy Officer at Pondurance. “Threat hunting is about going beyond alerts to look for hidden threats that may have already gained access. It is far better to detect a threat in hours or days versus months and years. Expert-driven threat hunting helps uncover these threats before damage and loss can occur.”

Integrated incident response

The onset of a cyberattack is not the time for making strategic decisions about how to respond. Before a breach is detected, your team should have an incident response plan in place to identify, contain, respond to, eradicate, and recover from the cyber event. The incident response plan assures that you know where your data lives, recognize your vulnerabilities, and can respond to a threat as quickly and objectively as possible. Integrated incident response can allow your organization to halt a threat before your system can be severely impacted. 

“The time between detecting and responding to a threat makes the difference between a catastrophic event and a minor nuisance,” said Lyndon. “Unfortunately, most organizations don’t have an incident response program that is integrated with their detection and response capabilities. When something is detected, these organizations struggle to take the necessary steps and align appropriate resources to address the issue. This gives attackers more time to embed their tools, steal data, and move laterally in victim networks. Integrated incident response capabilities help close the gap between detection and resolution.”


A long dwell time provides cyberattackers greater opportunity to cause harm to your network and compromise your ePHI. But there are steps your healthcare organization can take to reduce dwell time and hopefully minimize any impact to your network. Learn more about how MDR services can provide the prevention, detection and threat hunting, and integrated incident response your healthcare organization needs to protect against cyber threats. 

For more information and to keep up with the latest, check out our healthcare resources.