What is an intrusion detection and prevention system (IDPS)?

An intrusion detection and prevention system (IDPS) works in two stages. First, an IDPS monitors and scans for possible threats; then, it acts to stop the threats. Such systems prevent potential cyberattacks against organizations, like those in the healthcare industry, that must safeguard sensitive information.

Cybercriminals target patients' protected health information (PHI), making healthcare organizations prone to malicious cyberattacks. Defensive systems like IDPS help organizations build resilient perimeters that protect their organizations and the sensitive data that they hold.

Learn more: HIPAA Compliant Email: The Definitive Guide

How an IDPS works

An IDPS provides a necessary security checkpoint for unknown actors trying to view and/or access a system. It acts as a locked boundary that blocks malicious vulnerabilities from entering somewhere they don't belong. It can scan processes, compare system files, and watch user behavior. Moreover, an IDPS can review policies, gather information about networks, and help organizations meet compliance regulations, such as HIPAA.

An IDPS begins by screening for bad cyber traffic, using three broad methods (or a combination) to identify threats:

• Signature-based: matches monitored activity to a database filled with unique patterns or identifiers of previous threats
• Anomaly-based: matches a random selection of network activity against a baseline standard
• Protocol-based: matches monitored activity to a database of specific protocols defined by an organization

If a malicious act or actor is detected, the IDPS takes a specific course of action depending on how it was set up. An IDPS could alert administrators, block traffic or flag users, change the security setup or database, or modify the attack content (e.g., remove a malicious attachment). By doing this, an IDPS can guard the infrastructure surrounding sensitive electronic data, like PHI.

Extra read: Who needs to be HIPAA compliant?

Types of IDPS

There are numerous varieties of IDPS technologies, generally grouped into four basic types organized by the activity that needs to be observed and how the protections are deployed. What kind depends on what an organization is looking for, its current system, and what result is wanted.

NIDPS: Network-based intrusion detection and prevention system

A network-based IDPS watches a network or network segments for malicious traffic. This system is usually deployed at specific points or boundaries, such as in routers or modems. Typically, a NIDPS works behind a firewall. It analyzes activity and compares the actions to databases of known attacks. If the activity matches a known attack, it's blocked.

WIDPS: wireless intrusion detection and prevention system

A wireless IDPS monitors wireless networks by analyzing wireless-specific protocols. It is often deployed in areas susceptible to unauthorized wireless networking. This system does not analyze higher network protocols such as transmission control protocol (TCP).

NBA: network behavior analysis system

An NBA system identifies threats by checking for unusual traffic patterns. It is deployed in an internal network, typically at points where traffic flows from within a company to external networks. Such unusual patterns are generally the result of policy violations, malware-generated attacks, or distributed denial of service (DDoS) attacks.

HIDPS: host-based intrusion detection and prevention system

A host-based IDPS differs from the three above in that it is deployed in a single host. These hosts are typically critical servers with important data or publicly accessible servers that can be gateways to internal systems. An HIDPS monitors traffic flowing in and out of a host by observing running processes, network activity, system logs, application activity, and/or configuration changes.

The need for IDPS in healthcare

Security breaches can be problematic in healthcare given the increasing amount of sensitive data such organizations store and share electronically. Change Healthcare in Tennessee is an example of the difficulties a healthcare organization faces. The healthcare company fell victim to a ransomware attack earlier this year.

The attack against Change Healthcare resulted in 6 TB of data being stolen and disrupted the company's operations. Furthermore, a recent announcement noted that the ransomware group that claimed responsibility, RansomHub, began selling the stolen records. Reports add that Change Healthcare paid a $22 million ransom to stop the sale.

The company still faces growing financial losses and has recently been hit with a multi-class action lawsuit. Increasing breaches such as Change Healthcare's ransomware attack have made stronger layered cybersecurity systems a necessity. Including an IDPS system keeps an organization's defenses secure, allowing it to keep breaches from causing irreparable damage.

An IDPS allows an organization to watch traffic flow, log and alert suspicious actions, and eventually prevent and block malicious intrusions. Given that an IDPS is automated to work in the background, healthcare organizations can remain protected while focusing on proper patient care.

Tips for proper use of an IDPS

Ultimately, an automated IDPS enabled in the background does not offer enough protection. Healthcare organizations must understand how to properly use it to safeguard PHI. Here are some tips for appropriately incorporating an IDPS into a cybersecurity routine.

1. Choose an IDPS that meets your needs, abilities, and issues.
2. Properly define the scope of and objectives for having an IDPS.
3. Update and customize the chosen IDPS regularly.
4. Integrate and correlate the IDPS with other cybersecurity features to ensure a layered approach to cyber protection. Other security measures include access controls, data encryption, and malware detectors.
5. Supervise and review the enabled IDPS; keep it up to date with the latest security patches and databases.
6. Look over all logs and ensure that the IDPS is monitoring what it needs to observe and block.
7. Train and educate staff about using an IDPS and all enabled cybersecurity features.

Using an IDPS correctly is about balancing what outcome is desired, what information needs to be protected, and what an organization can suitably use.