An intrusion detection and prevention system (IDPS) works in two stages. First, an IDPS monitors and scans for possible threats; then, it acts to stop the threats. Such systems prevent potential cyberattacks against organizations, like those in the healthcare industry, that must safeguard sensitive information.
Cybercriminals target patients' protected health information (PHI), making healthcare organizations prone to malicious cyberattacks. Defensive systems like an IDPS help organizations build resilient perimeters that protect both the organization and the sensitive data it holds.
An IDPS provides a necessary security checkpoint for unknown actors trying to view and/or access a system. It acts as a locked boundary that blocks malicious traffic from entering somewhere it doesn't belong. It can scan processes, compare system files against a known-good baseline, and watch user behavior. Moreover, an IDPS can review policies, gather information about networks, and help organizations meet compliance regulations, such as HIPAA.
An IDPS begins by screening for malicious traffic, using three broad detection methods (or a combination of them) to identify threats:
If a malicious act or actor is detected, the IDPS takes a specific course of action depending on how it was configured. An IDPS could alert administrators, block traffic or flag users, change the security setup or database, or modify the attack content (e.g., remove a malicious attachment). By doing this, an IDPS can guard the infrastructure surrounding sensitive electronic data, like PHI.
There are numerous varieties of IDPS technologies, generally grouped into four basic types according to the activity that needs to be observed and how the protections are deployed. Which kind is appropriate depends on what an organization is looking for, its current systems, and the result it wants.
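The two-stage loop described above (detect, then respond according to configured policy) is easier to see in code. The following is an added example, not code from the original article or from any IDPS product: it runs two detection checks over a constructed sample of web-server access log lines, a signature check that matches request paths against a small list of known-attack patterns and an anomaly check that flags any source exceeding a request threshold, and then applies a response policy that maps each detection kind to an action (block or alert). The log format, the signature list, the threshold and the policy table are all assumptions made for this example.

```python
"""
Minimal IDPS detect-then-respond loop. Added example; log format, signatures,
threshold and response policy are constructed for illustration only.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access log: "<source-ip> <method> <path> <status>".
SAMPLE_LOG = """\
10.0.0.5 GET /patients/123 200
10.0.0.5 GET /patients/124 200
198.51.100.7 GET /login?user=admin'%20OR%201=1-- 200
203.0.113.9 GET /records 200
203.0.113.9 GET /records 200
203.0.113.9 GET /records 200
203.0.113.9 GET /records 200
203.0.113.9 GET /records 200
203.0.113.9 GET /records 200
10.0.0.8 GET /search?q=<script>alert(1)</script> 200
""".splitlines()

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$")

# Stage 1a: "database of known attacks", reduced to two textbook patterns.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*or\s+\d+=\d+", re.IGNORECASE),
    "cross-site-scripting": re.compile(r"<script", re.IGNORECASE),
}

# Stage 1b: unusual traffic pattern = more requests than this from one source
# within the sample window (assumed value).
RATE_THRESHOLD = 5


@dataclass
class Event:
    src: str
    kind: str    # "signature" or "anomaly"
    detail: str


def detect(lines):
    """Return detection events from the log lines (signature first, then rate)."""
    events = []
    per_src = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that do not parse
        src = m["src"]
        path = unquote(m["path"])          # decode %xx before matching
        per_src[src] += 1
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                events.append(Event(src, "signature", name))
    for src, count in per_src.items():
        if count > RATE_THRESHOLD:
            events.append(Event(src, "anomaly",
                                f"{count} requests exceeds threshold {RATE_THRESHOLD}"))
    return events


# Stage 2: configured response per detection kind (assumed policy).
RESPONSE_POLICY = {"signature": "block", "anomaly": "alert"}


def respond(events, policy=RESPONSE_POLICY):
    """Apply the policy: return the set of blocked sources and alert lines."""
    blocked, alerts = set(), []
    for ev in events:
        action = policy.get(ev.kind, "alert")   # unknown kinds only alert
        if action == "block":
            blocked.add(ev.src)
        alerts.append(f"[{action.upper()}] {ev.src}: {ev.kind} ({ev.detail})")
    return blocked, alerts


def run(lines):
    return respond(detect(lines))


if __name__ == "__main__":
    blocked, alerts = run(SAMPLE_LOG)
    print("blocked:", sorted(blocked))
    print("\n".join(alerts))
```

On the sample, the two signature hits are blocked and the high-rate source only raises an alert; a real deployment would tune the threshold per segment and keep the "block" action for detections with a low false-positive rate, since an IDPS that blocks on a noisy anomaly rule can take legitimate clinical traffic offline.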
A network-based IDPS (NIDPS) watches a network or network segments for malicious traffic. This system is usually deployed at specific points or boundaries, such as in routers or modems. Typically, a NIDPS works behind a firewall. It analyzes activity and compares the actions to databases of known attacks. If the activity matches a known attack, it's blocked.
A wireless IDPS monitors wireless networks by analyzing wireless-specific protocols. It is often deployed in areas susceptible to unauthorized wireless networking. This system does not analyze higher network protocols such as transmission control protocol (TCP).
A network behavior analysis (NBA) system identifies threats by checking for unusual traffic patterns. It is deployed in an internal network, typically at points where traffic flows from within a company to external networks. Such unusual patterns are generally the result of policy violations, malware-generated attacks, or distributed denial of service (DDoS) attacks.
A host-based IDPS (HIDPS) differs from the three above in that it is deployed on a single host. These hosts are typically critical servers with important data or publicly accessible servers that can be gateways to internal systems. An HIDPS monitors traffic flowing in and out of a host by observing running processes, network activity, system logs, application activity, and/or configuration changes.
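One of the host-based checks mentioned above, watching for configuration changes, is typically done by recording a baseline digest of each watched file and comparing the current state against it later. The block below is an added example, not code from the article or from any HIDPS product: it snapshots every file under a watched directory, then reports which files were modified, removed or added. The directory, file names and contents are constructed in a temporary directory so the example runs offline; the `demo` function stands in for the "later comparison" step that a real agent would run on a schedule.

```python
"""
Host-based configuration-change detection via file-integrity baselines.
Added example; the watched files and their contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    return {
        str(p.relative_to(root)): digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a recorded baseline and the current snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Build a constructed watched directory, baseline it, change it, and compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed "configuration files" on the monitored host.
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        baseline = snapshot(root)

        # Simulated changes after the baseline was taken: one edit, one
        # deletion, one unexpected new file.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "hosts.allow").unlink()
        (root / "extra.conf").write_text("# unexpected file\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline must be stored somewhere the monitored host cannot rewrite (a central management server or a signed file), otherwise an intruder who can edit the configuration can also edit the baseline and the check reports nothing.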
Security breaches can be problematic in healthcare given the increasing amount of sensitive data such organizations store and share electronically. Change Healthcare in Tennessee is an example of the difficulties a healthcare organization faces. The healthcare company fell victim to a ransomware attack earlier this year.
The attack against Change Healthcare resulted in 6 TB of data being stolen and disrupted the company's operations. Furthermore, a recent announcement noted that the ransomware group that claimed responsibility, RansomHub, began selling the stolen records. Reports add that Change Healthcare paid a $22 million ransom to stop the sale.
The company still faces growing financial losses and has recently been hit with a multi-class action lawsuit. Increasing breaches such as Change Healthcare's ransomware attack have made stronger, layered cybersecurity systems a necessity. Including an IDPS keeps an organization's defenses secure, allowing it to keep breaches from causing irreparable damage.
An IDPS allows an organization to watch traffic flow, log and alert on suspicious actions, and eventually prevent and block malicious intrusions. Given that an IDPS is automated to work in the background, healthcare organizations can remain protected while focusing on proper patient care.
Ultimately, an automated IDPS running in the background does not offer enough protection on its own. Healthcare organizations must understand how to properly use it to safeguard PHI. Here are some tips for appropriately incorporating an IDPS into a cybersecurity routine.
Using an IDPS correctly is about balancing what outcome is desired, what information needs to be protected, and what an organization can suitably use.