The #1 most important piece of a data loss prevention method? An intrusion detection system.
It can be a struggle to protect patient data in today’s healthcare environment. Not only does the Internet of Things (IoT) connect virtually all healthcare systems, networks, workforce members, and equipment, but technologies are evolving quickly and hospital IT staff must keep up. On top of all that, hacker techniques evolve even faster than technology manufacturers.
One of the reasons healthcare data breaches are so prevalent is the lack of proactive, comprehensive security systems dedicated to monitoring system irregularities, such as intrusion detection systems (IDS). A key piece of any security strategy, an IDS should be implemented in every single hospital, doctor’s office, clearinghouse, or any other location where sensitive data is received, transmitted, or stored.
Electronically stored patient data lives on networked systems. This means the actions surrounding that sensitive data can be recorded if you have the right system (enter: IDS).
An IDS can log and alert you when suspicious actions (like the 3:00 a.m. login) occur in your system. Then, it’s up to you to investigate. Why was someone with administrative credentials logging into our EHR system at 3 in the morning? Was a doctor up late working? Or was it a hacker trying to get into the system when no one would notice?
The actions surrounding your sensitive Electronic Protected Health Information (PHI) can act as clues to what’s happening inside your network, and whether it’s normal, suspicious, or downright unacceptable.
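The kind of rule behind the 3:00 a.m. alert described above can be sketched as follows. This is an added example, not code from the original article or from any IDS product; the key=value log layout, the field names, and the 07:00 to 19:00 weekday window are assumptions, and the log lines are constructed.

```python
from datetime import datetime

# Constructed sample log lines; the key=value layout is an assumption, not a real EHR format.
SAMPLE_LOG = """\
2024-03-12T09:14:52 host=ehr01 user=dpatel role=clinician result=success src=10.0.4.21
2024-03-12T14:30:05 host=ehr01 user=admin_jlee role=admin result=success src=10.0.4.17
2024-03-13T03:00:41 host=ehr01 user=admin_jlee role=admin result=success src=203.0.113.50
2024-03-13T03:07:19 host=ehr01 user=nkim role=clinician result=success src=10.0.4.33
2024-03-16T11:20:00 host=ehr01 user=admin_mross role=admin result=failure src=10.0.4.18
this line is truncated garbage
"""

def parse_line(line):
    """Return a dict of fields plus a parsed timestamp, or None if malformed."""
    ts_str, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.fromisoformat(ts_str)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    if not {"user", "role", "result"} <= fields.keys():
        return None
    fields["ts"] = ts
    return fields

def off_hours_admin_logins(log_text, start_hour=7, end_hour=19):
    """Flag admin logins (success or failure) outside weekday business hours."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1          # unparsable lines are counted, not silently dropped
            continue
        if ev["role"] != "admin":
            continue
        weekend = ev["ts"].weekday() >= 5
        off_hours = not (start_hour <= ev["ts"].hour < end_hour)
        if weekend or off_hours:
            reason = "weekend" if weekend else "off-hours"
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["result"], reason))
    return alerts, skipped

if __name__ == "__main__":
    for alert in off_hours_admin_logins(SAMPLE_LOG)[0]:
        print("ALERT", *alert)
```

The rule only surfaces the event; deciding whether it was a doctor working late or an intruder is still the investigator's job, and the skipped-line count is worth watching because gaps in parsing are gaps in visibility.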
I know what you’re thinking: how is an IDS different from my anti-virus or firewall tools? Attackers and their malware evolve quickly, and it’s difficult for anti-virus software to keep up with them. And there are many ways to bypass firewalls. Intrusion detection is another layer in security alerting that many entities need and miss out on until it’s too late.
Keep in mind that an IDS isn’t preventive. Similar to a private investigator, an IDS doesn’t interfere with what it sees. It simply follows the action, takes pictures, records conversations, and alerts the client. For more preventive measures you might consider an Intrusion Prevention System (IPS), which is an extension of IDS. The two systems are frequently paired together. However, unlike an IDS, an IPS will prevent and block many of the intrusions it detects.
Using IDS can help identify a suspected attack and help you locate security holes in your network that gave the bad guys access in the first place. Without the knowledge derived from IDS logs, it can be very difficult to find system vulnerabilities, or determine if patient health data was accessed/stolen.
Not only can an IDS help you see the weak points in your environment, it can help your brand after a hacker gets in.
By setting up alerts on an IDS, you can be notified as soon as suspicious activity occurs, which means you can get your task force together to stop it ASAP.
From a legal standpoint, a healthcare organization could also use the information stored by its IDS in a court case following a breach to show it did as much as possible to contain the breach.
Additionally, SecurityMetrics forensic investigators use information gleaned from client IDS tools to investigate breaches, such as how the hacker got in, how long they remained in the system, and when they exported data. This helps determine exactly how much patient data was exported, and what the organization must do to secure system vulnerabilities.
Just because you have an intrusion detection system doesn’t mean your network is impenetrable. Security should encompass a multi-layered strategy within your sensitive environment. An IDS is just one of the many pieces of that data loss prevention and security strategy.
No one tool, process, or technology is comprehensive enough to protect an organization from attack. Security must be layered to achieve the maximum benefit to your organization.
If you correctly use an IDS, you will be able to significantly mitigate compromise risk within your organization, and you may even stop a breach in its tracks.