The #1 most important piece of a data loss prevention method? An intrusion detection system.

By: Brand Barney
Let’s face it. It’s an absolute struggle to protect patient data in today’s healthcare environment. Not only does the Internet of Things virtually connect all healthcare systems, networks, workforce members, and equipment, but technologies are evolving far too fast for hospital IT security staff to keep up. On top of all of that, hacker techniques evolve even faster than technology manufacturers can respond.

Should we abandon all hope? Absolutely not!

One of the reasons healthcare data breaches are so prevalent is a lack of proactive, comprehensive security systems dedicated to monitoring system irregularities. I’m talking about intrusion detection systems, or IDS. A key piece of any security strategy, this tool/software should be implemented in every single hospital, doctor’s office, clearinghouse, or any other location where sensitive data is received, transmitted, or even stored.

Why does healthcare need intrusion detection systems?

Electronic storage of patient data is maintained on a network basis. This means the actions surrounding that sensitive data can be recorded . . . if you have the right system (enter: IDS).

Why would you want to track the actions surrounding your patient data? I don’t know about you, but I would definitely want to know if my system logged suspicious administrative login activity at 3:00 a.m. this morning.

An IDS can log and alert you when suspicious actions (like the 3:00 a.m. login) occur in your system. Then, it’s up to you to investigate. Why was someone with administrative credentials logging into our EHR system at 3 in the morning? Was a doctor up late working? Or was it a hacker trying to get into the system when no one would notice?
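As an added illustration (not code from the original post or from SecurityMetrics), here is a minimal detection rule in Python that flags the kind of 3:00 a.m. administrative login described above. The log format, hosts, user names, addresses and the 07:00–19:00 business-hours window are all constructed assumptions for the example.

```python
import re
from datetime import datetime, time

# Constructed sample authentication log lines from a hypothetical EHR
# environment; hosts, users and addresses are invented for this example.
SAMPLE_LOG = """\
2024-03-11 08:55:12 host=ehr-app01 user=dr.jones role=clinician event=login result=success src=10.20.1.44
2024-03-11 14:02:37 host=ehr-db01 user=svc_backup role=admin event=login result=success src=10.20.0.9
2024-03-12 03:07:51 host=ehr-db01 user=admin role=admin event=login result=success src=10.20.5.17
2024-03-12 03:08:02 host=ehr-db01 user=admin role=admin event=logout result=success src=10.20.5.17
2024-03-16 10:30:00 host=ehr-app01 user=admin role=admin event=login result=failure src=10.20.5.17
this line is not in the expected format and is skipped
"""

# Assumed key=value line layout; a real IDS would use its own parsers.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def is_off_hours(ts, start=time(7, 0), end=time(19, 0)):
    """Weekends, or any weekday time outside [start, end), count as off-hours."""
    if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return True
    return not (start <= ts.time() < end)

def off_hours_admin_logins(log_text):
    """Alert on every admin login attempt (success or failure) outside business hours."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "login" or rec["role"] != "admin":
            continue  # skip unparseable lines, non-login events and non-admin roles
        if is_off_hours(rec["ts"]):
            alerts.append({
                "ts": rec["ts"], "user": rec["user"], "host": rec["host"],
                "src": rec["src"], "result": rec["result"],
                "reason": "administrative login outside business hours",
            })
    return alerts

if __name__ == "__main__":
    for a in off_hours_admin_logins(SAMPLE_LOG):
        print(f"ALERT {a['ts']:%Y-%m-%d %H:%M} {a['user']}@{a['host']} from {a['src']} ({a['result']}): {a['reason']}")
```

On the sample above the rule raises two alerts (the Tuesday 03:07 successful login and the Saturday failed attempt) and stays quiet on the in-hours service-account login, which is exactly the kind of output that still needs a human to investigate.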

The actions surrounding your sensitive Electronic Protected Health Information (PHI) can act as clues to what’s happening inside your network, and if it’s normal, suspicious, or downright unacceptable.

Not just another piece of security technology

I know what you’re thinking . . . how is an IDS different from my already implemented anti-virus or firewall tools? As I mentioned before, attackers and their malware evolve much too quickly for anti-virus to keep up. And there are many ways to bypass firewalls. Intrusion detection is another layer of security alerting that many entities need and miss out on until it’s too late.


Keep in mind that an IDS isn’t preventive. Similar to a private investigator, an IDS doesn’t interfere with what it sees. It simply follows the action, takes pictures, records conversations, and alerts its client. For more preventative measures you might consider an Intrusion Prevention System (IPS), which is an extension of IDS and is usually paired with it. However, unlike an IDS, an IPS will prevent and block many of the intrusions that are detected.

Using IDS can help identify a suspected attack and help you locate security holes in your network that gave the bad guys access in the first place. Without the knowledge derived from IDS logs, it can be very difficult to find system vulnerabilities, or determine if patient health data was accessed/stolen.

Stop breaches before they become catastrophic

Not only can an IDS help you see the weak points in your environment, it can help your brand after a hacker gets in. An IDS could help you detect a security breach as it’s happening in real time. By setting up alerts on an IDS, you can be alerted as quickly as suspicious activity occurs, which means you can get your task force together to stop it ASAP.

From a legal standpoint, a healthcare organization could also use the information stored by their IDS in a breach court case to show they did as much as possible to contain the breach.

Additionally, SecurityMetrics forensic investigators use information gleaned from client IDS tools to investigate breaches, such as how the hacker got in, how long they remained in the system, and when they exported data. This helps determine exactly how much patient data was exported, and what the organization must do to secure system vulnerabilities.

How to correctly use an IDS

  • First, purchase an IDS. There are a variety of different tools on the market and each tool will need to be carefully reviewed before a decision is made. I often ask my clients whether they want a NIDS or a HIDS (network-based or host-based). I advise that a combination of both should be used by any organization looking to take its security seriously. When choosing your IDS/IPS it’s best to get help from a security consultant and make sure that your security team is always involved.
  • Install it on the outside of your network to detect external attacks. Don’t just integrate your IDS to secure your EHR. Using pivot attacks, hackers can hack into unrelated or unprotected areas of your network and easily hop onto more secured areas of your network (like your EHR) from there.
  • Don’t forget about internal attacks. Whether the threat is a fired workforce member who wants to get back at the organization, or an attacker who plugs a malware-filled USB into an exam room computer after nonchalantly walking in the office, an internal IDS should be configured to detect internal activities to prevent an attack from the inside.
  • Configure alerts. Configure the intrusion detection system to alert you as soon as suspicious activity occurs. Discuss what alerts should be configured with your security advisor, internal team, and vendor.
  • Form a task force. You need a team to manage this important part of your security strategy. Whether it’s the responsibility of your data loss prevention team, IT team, or a mash up of security-related department heads, a group must be formed to take charge. Their activities could include identification of suspicious activity alerts, ensuring regular scheduled IDS updates, incident response planning, and/or alert monitoring.
  • Constant alert monitoring. Many hospital IT departments may already have a network intrusion detection system in place, but aren’t regularly checking it. This is mistake #1, and can cost you a swift breach recovery. If you don’t check your IDS, or alerts aren’t being sent to you, you might as well not have it.
  • Have an action plan. What happens when your IDS actually identifies an attack? You may also have an intrusion prevention system in place that may or may not be active and preventing illicit traffic. If not, your task force must form an action plan, and follow your tested and approved incident response plan (e.g., how to identify the threat, which appropriate persons to notify, how to contain the threat, etc.).

Your data loss prevention strategy needs an IDS…now

Just because you have an intrusion detection system doesn’t mean your security is A-OK. Security should encompass a multi-layered strategy within your sensitive environment. An IDS is just one of the many pieces of that data loss prevention and security strategy.

Does an IDS make your network impenetrable? No. In fact, hackers recently and very successfully attacked a government network without alerting the IDS at all. But that’s nothing new to the security world. Many different security tools are necessary to secure an environment, because no one tool, process, or technology is good enough to protect an organization from attack. As I said before, security must be layered to achieve the maximum benefit to your organization.

If you correctly use an IDS, you will be able to significantly mitigate compromise risk within your organization, and you may even stop a breach in its tracks.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
