
Auditor Tips: Set Up Your Intrusion Detection/Prevention System

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide. 


Here are the steps you should follow to correctly use an IDS/IPS:


Form a task force. You need a team to choose and manage an IDS/IPS. Whether responsibility sits with your IT Security Team, your Data Loss Prevention Team, a managed service provider, or a designated co-managed team of security-related department heads, this group must be formed to take charge, make decisions, and lead.

Its activities could include vendor selection, policy development, installation and setup, tuning alerts, identification of suspicious activity, playbook writing, ensuring regularly scheduled IDS/IPS updates, incident response planning, ongoing alert monitoring, and facilitating tabletop training exercises.

First, pick an IDS/IPS. There are a variety of tools on the market, from managed service providers to several open source solutions.

The task force should always make decisions based on what is best for the business. Any IDS/IPS option will need to be carefully reviewed for both its benefits and drawbacks before a decision is made.

It is best to start with a checklist of the specific deliverables or goals your business wants to accomplish. Perhaps the business would benefit from a host-based intrusion detection system (HIDS), or from a network-based intrusion detection system (NIDS) combined with HIDS.

When choosing your IDS/IPS, you have many decision points and none should be taken lightly or ignored. Partnering with a consultant can ensure the right questions get asked before anything new is added to your environment.

Decide where to install your IDS/IPS. Where is the best place to install it? Depending on your use case and the problems you are solving, it is often best to install it at the outer edge of your network so you can detect external attacks.

Never deploy your IDS only to protect your EHR/EMR system. Cybercriminals love to pivot their attacks by breaking into unrelated and unprotected areas of your network. The reality is cybercriminals can and often will hop from one area of your network into another until they reach their goal and target.

Perimeter monitoring can alert you to an attack earlier and keep you one step ahead of the threat actors.

Tune your IDS/IPS. Initially, you will find a large number of alerts out of the box, potentially numbering in the thousands. Tuning your IDS/IPS can be quite challenging depending on your network and the size of your business footprint.

Someone on your task force will need to fine-tune the IDS/IPS by adding new rules, removing outdated or deprecated rules, and minimizing the impact of false positives.

For example, you may find replication mechanisms in your environment that are not attacks by threat actors but routine, non-malicious processes that run day to day.

Several vendors offer subscriptions to rule sets that can speed up your tuning efforts.

Don’t forget about internal attacks. Tuning should also include a focus on examining internal traffic.

Whether the threat is a fired workforce member who wants to get back at the organization or an employee who non-maliciously left a firewall open, this internal tuning must be part of your activities. Internal tuning of your IDS/IPS requires a significant investment of time and labor to ensure false positives are marked correctly.

Configure alerts. Members of your task force will need to correctly configure your IDS to alert you as soon as suspicious activity occurs.

For example, you’ll need to define what types of alerts will be classified as malicious versus non-malicious and whether or not there are other categories of alerts you want to include.

One of the best ways to capture this information is with detailed playbooks that describe the alerts and corresponding responses. Any decisions made regarding alert responses should be made by the task force.

Alert configuration goes hand-in-hand with the tuning mentioned previously. Getting the right amount of alerts is vital. If you have too many false positives, then your system becomes “the boy who cried wolf.”

If you have too few alerts, then you may miss indicators of compromise (IOCs). This part of the process will be an ongoing activity as your environment changes to meet business needs. Getting your IDS/IPS to a point where you know what maturity looks like is critical.
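The tuning and alert-configuration steps above (suppressing known replication traffic, retiring deprecated rules, and mapping what remains to playbook responses) can be expressed as a small triage pass over IDS output. The following is an added example, not code from the article or any vendor; it assumes a simplified Suricata-style JSON alert shape and constructed sample alerts, host addresses, rule IDs, and playbook names.

```python
import json
from typing import Dict, List

# Constructed sample alert lines in a simplified EVE-style JSON shape
# (assumption for this example; not output from any real system).
SAMPLE_ALERTS = [
    '{"src_ip":"10.20.0.5","dest_ip":"10.20.0.6","alert":{"signature_id":9000001,"signature":"Bulk DB transfer","severity":3}}',
    '{"src_ip":"203.0.113.44","dest_ip":"10.20.0.6","alert":{"signature_id":9000001,"signature":"Bulk DB transfer","severity":3}}',
    '{"src_ip":"198.51.100.9","dest_ip":"10.20.0.10","alert":{"signature_id":9000002,"signature":"SMB exploit attempt","severity":1}}',
    '{"src_ip":"10.20.0.7","dest_ip":"10.20.0.10","alert":{"signature_id":9000003,"signature":"Deprecated legacy check","severity":2}}',
]

# Tuning decisions the task force records (hypothetical values):
# (rule ID, source host) pairs that are known nightly replication jobs,
# and rule IDs retired from the rule set.
SUPPRESS = {(9000001, "10.20.0.5")}
DISABLED_SIGS = {9000003}

# Alert classification agreed in the playbooks: severity -> (class, response).
PLAYBOOKS = {
    1: ("malicious", "PB-01 isolate host, notify security lead"),
    2: ("suspicious", "PB-02 analyst review within 4 hours"),
    3: ("informational", "PB-03 weekly review"),
}


def triage(lines: List[str]) -> Dict[str, List[dict]]:
    """Apply tuning first, then route every surviving alert to a playbook."""
    buckets: Dict[str, List[dict]] = {k: [] for k in
                                      ("suppressed", "disabled", "malicious",
                                       "suspicious", "informational")}
    benign_sigs = {sid for sid, _ in SUPPRESS}
    for line in lines:
        ev = json.loads(line)
        sid = ev["alert"]["signature_id"]
        if sid in DISABLED_SIGS:            # rule retired: drop entirely
            buckets["disabled"].append(ev)
            continue
        if (sid, ev["src_ip"]) in SUPPRESS:  # known replication host: suppress
            buckets["suppressed"].append(ev)
            continue
        # Design choice (assumption): a "benign" signature from a host that is
        # not on the replication list is worth a look, so it is escalated.
        sev = 2 if sid in benign_sigs else ev["alert"]["severity"]
        klass, response = PLAYBOOKS.get(sev, PLAYBOOKS[2])
        ev["playbook"] = response
        buckets[klass].append(ev)
    return buckets
```

Suppression is keyed on the rule and the expected source, so the same replication signature from an unexpected address still reaches an analyst instead of being tuned out.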

Constant alert monitoring. For many in the healthcare sector, having a network IDS/IPS in place is old news, but the reality is that regular tune-ups and cyber hygiene check-ups are not prioritized. If you don't regularly check your IDS/IPS alerting, tune out false positives, and mature the alerts, then you may find this hampers your ability to recover from a data breach.

Create IDS/IPS playbooks. What happens when your IDS actually identifies an attack? What are the processes and procedures for handling it? Ensure your task force has repeatable processes and playbooks in place so that, as people transition into and out of operations, no knowledge, skills, or abilities are lost.

It is critical that the task force maintains playbooks and incident response plans and facilitates regular tabletop exercises, so that everyone is on the same page, prepared, and knows how to identify the threat, which appropriate persons to notify, how to contain the threat, and how to conduct an after-action review.

Director of SIEM Operations
