IDS and IPS Buyers Guide: How do you know if your intrusion detection and prevention solution meets HIPAA compliance rules?
Despite the dizzying array of solutions out there, HIPAA does not specify what technology is required to be in compliance. Looking at these security vendors, one can see that the compliance demands now being made on healthcare institutions are forcing every security vendor to devise its own way of satisfying the latest government regulations.
HIPAA, together with the Federal Information Security Modernization Act for federal agencies, is the driving force behind the new security strategies coming from the traditional security vendors.
Aviva Halpert, the former Chief HIPAA Officer at Mt. Sinai Medical Center in New York, is now president of ADViZE, a HIPAA consultancy that helps IT companies navigate the complexities of both HIPAA and HITECH compliance. According to Halpert, one of the challenges for companies is that every vendor will say its product is HIPAA compliant, yet a system isn't truly HIPAA compliant until it is in place.
“You can enable compliance, the product itself is not compliant,” says Halpert. “It’s the implementation.”
Halpert says a federally driven certification program for electronic medical records is "on the horizon."
The question remains: how does the CIO know whether the security supplier enables compliance? If a product cannot itself be compliant, and is only compliant in its implementation, what does the CIO have to do?
CIOs have to match the security regulations against the policies and procedures that comply with those regulations, and they have to conduct a risk assessment as needed, but at a minimum annually.
However, each one of those requirements is huge, says Halpert. “You might have 30 to 60 policies to demonstrate compliance with the regulations. You also need to conduct a risk assessment to demonstrate whether or not you meet the tens of standards included in the Security Rule,” says Halpert.
And for each standard that is not met, the healthcare organization must identify any threats that may exploit system vulnerabilities. A vulnerability might be that email is not encrypted in transmission. The threat would be that somebody can break into the environment and intercept email. But if the organization doesn't permit transmission of protected health information via email, it has neutralized the threat and virtually eliminated the risk.
"You have to do that for every item in the security rule," says Halpert. The Security Rule has three types of requirements: administrative, technical and physical, all of which address the need to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI). The Privacy Rule addresses what needs to be kept confidential, and the Security Rule addresses how to accomplish that. Typically this is done with access controls, media controls, data integrity, availability and confidentiality.
The Office for Civil Rights will conduct just 200 audits this year: 150 desk audits (paper submissions) and 50 onsite audits. The audits will target both covered entities (mostly providers, insurance companies and healthcare clearing houses) and their business associates, many of whom are IT companies.
If you thought stopping the bad guys was complex and HIPAA compliance a challenge, IDS and IPS pricing is no less so.
“Some believe you can buy a device (IDS and IPS), not hire staff and not worry about it. That’s not the case,” says Devin Paden, a former network security consultant and currently a Networking and Cybersecurity assistant professor at Champlain College in Burlington, Vermont.
A prerequisite to deploying an IDS and IPS solution is a knowledgeable staff that knows the network, knows what systems run on it and knows what normal network traffic looks like. Only then should you bring in devices or software that passively monitor traffic on the network or sit inline between the network and the user.
Otherwise, Paden says, it's like buying a loud, obnoxious dog that barks at everything without knowing what is important.
In addition, once these devices are in place, whether bought outright, leased from a service provider or part of a subscription-based service, they can become a single point of failure. You need to ensure that you are getting what you are paying for: devices with a bypass mechanism, so that if the system goes down, network traffic can still pass through. Of course, depending on your use case, you might instead have to shut the network down.
Here comes the bottom line. These systems are complex and require a seasoned staff. A mid-sized healthcare entity might need three to four full-time employees in addition to licensing and annual maintenance fees.
The organization will also need a logging system that marries up all the various services and devices into one console and correlates events across these multiple detection systems; such systems are priced by volume of logs. The dollars can mount up quickly if you don't plan well.
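To make the console-and-correlation idea concrete, here is an added example (not code from the article or from any vendor product) that normalizes alerts from two constructed log formats, an IDS sensor line and a firewall line, into one event shape, groups events from the same source within a time window so that activity seen by several devices rises to the top, and counts events per day, which is the figure a volume-priced logging platform bills on. The sensor names, log formats and sample lines are all constructed for this example.

```python
"""Consolidate alerts from several detection devices into one console view.

Added example, not from the article or any vendor product. Both log formats
below are constructed for the example:
  sensor alert : "<ISO timestamp> <sensor-name> <src_ip> -> <dst_ip> <signature text>"
  firewall log : "<ISO timestamp> FW <ACTION> <src_ip> <dst_ip> <dst_port>"
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; addresses come from documentation ranges, not real hosts.
SENSOR_LINES = [
    "2024-03-01T10:00:01 ids-edge 203.0.113.7 -> 10.1.2.9 SCAN port sweep",
    "2024-03-01T10:00:03 ids-dmz 203.0.113.7 -> 10.1.2.9 WEB SQL injection attempt",
    "2024-03-01T10:45:00 ids-edge 198.51.100.4 -> 10.1.2.20 ICMP sweep",
]
FIREWALL_LINES = [
    "2024-03-01T10:00:02 FW DENY 203.0.113.7 10.1.2.9 3306",
    "2024-03-01T11:30:00 FW ALLOW 192.0.2.55 10.1.2.9 443",
]


def parse_sensor(line):
    """Parse one constructed sensor alert line into a normalized event dict."""
    ts, device, src, _arrow, dst, *sig = line.split()
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "src": src, "dst": dst, "detail": " ".join(sig)}


def parse_firewall(line):
    """Parse one constructed firewall line into the same normalized shape."""
    ts, device, action, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "src": src, "dst": dst, "detail": f"{action} tcp/{port}"}


def load_events(sensor_lines=SENSOR_LINES, firewall_lines=FIREWALL_LINES):
    """Normalize every device's logs into one event list, oldest first."""
    events = [parse_sensor(line) for line in sensor_lines]
    events += [parse_firewall(line) for line in firewall_lines]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5)):
    """Group events per source IP. A new incident starts when the gap since the
    previous event from that source exceeds the window. Incidents seen by more
    devices (then with more events) sort first, which is what an analyst wants
    at the top of a single console."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        current = None
        for ev in evs:
            if current is None or ev["ts"] - current["end"] > window:
                current = {"src": src, "start": ev["ts"], "end": ev["ts"],
                           "devices": set(), "events": 0, "details": []}
                incidents.append(current)
            current["end"] = ev["ts"]
            current["devices"].add(ev["device"])
            current["events"] += 1
            current["details"].append(ev["detail"])
    incidents.sort(key=lambda i: (len(i["devices"]), i["events"]), reverse=True)
    return incidents


def daily_volume(events):
    """Events per calendar day: the number a volume-priced logging platform bills on."""
    return dict(Counter(e["ts"].date().isoformat() for e in events))


if __name__ == "__main__":
    evs = load_events()
    for inc in correlate(evs):
        print(f"{inc['src']:15} devices={sorted(inc['devices'])} events={inc['events']}"
              f" {inc['start'].time()}-{inc['end'].time()} {inc['details']}")
    print("events per day:", daily_volume(evs))
```

On the sample data the source 203.0.113.7 is seen by both IDS sensors and the firewall within two seconds and lands at the top of the list, while the two single-device events sort below it. The per-day count is the figure to multiply by real sensor density when estimating what a volume-priced log platform will cost.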
Gartner’s Young points out the bigger the pipe, the higher the price. When adding protection to a firewall, it is typically an additional 20 percent of the list price of the firewall.
It’s important to estimate scalability and its costs. A performance engineer should measure current and estimate future network throughput prior to any purchase.
Again it comes down to staff and what they know about traffic flows: how fast traffic is moving across the network and whether a device can keep up with it. Otherwise the device starts dropping packets on the floor. Vendor claims about throughput capabilities are often exaggerated, and they need to be verified through independent functional and performance testing.
Beyond the firewall and the intrusion devices, sensors are also needed. Wherever there is a router, for example, an intrusion detection system needs to be there to monitor the network traffic.
While hiring experienced engineers with that level of expertise might start at 75K, a contractor will typically charge at least double. The costs don't stop there. Where do you store all of those logs so you can do forensics when a breach occurs? A large storage system will be required. Remember, many organizations are exploited well before discovery, as was the case with the Sony breach, and having those logs accessible can make the difference in a breach investigation.
The reality is medical institutions have a high profile. Not only do they have a big brother in Washington monitoring how well privacy is maintained, but the media is also paying attention. If something goes wrong, thanks to social media, the world will know it almost as soon as the CIO.
CIOs, CISOs and all of IT have a daily challenge and they need to meet it head-on with the best staff and the latest tools.
Read our reviews of leading security specialists' latest tools:
- Cisco offers integration to prevent intrusion attacks from reaching medical devices, old and new
Helpful advice on planning your purchase of IDS and IPS tools:
- 3 key factors to plan your budget for an intrusion protection system
- What to watch: IDS and IPS features to consider when comparing different vendors' products