Not to sound too sales-y here, but managed IDS is the business my company is in, and our hospital clients do NOT pay anywhere near the price mentioned in this thread, and they are extremely happy.
The trick with IDS is that it isn't a full-time job, but if you do it in-house you need a full-time expert in it. Whatever you do, don't let the hardware vendors tell you that if you buy their product, you're covered - IDS is a process, not a product, and the real cost is in the labor and expertise involved. It also won't prevent a security breach, but it will give you visibility on your network about policy violations and breaches after the fact so the problem can be remedied intelligently.

All you need to put together a robust IDS infrastructure is a few late-model PCs, possibly a server for the central console, so don't get scared by the capital investment.

And Snort is more than a fantastic little program! We feel that it's the best IDS option around.

Glenn Dekhayser
Vice President, Technology
Voyant Strategies, Inc.
732-335-1500 x514
Fax: 732-810-0378

ContentCatcher(tm) - The only way your business can manage Spam
------------------------
Voyant Infrastructure Consulting - Find out how we have helped dozens of companies deal with their storage and DR issues using products from Network Appliance, Commvault, and Quantum
------------------------
Voyant Managed Security Services - Network Security for the rest of us

-----Original Message-----
From: Andrew McLetchie [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 10:28 AM
To: WEDI SNIP Security Workgroup List
Subject: RE: IDS (Intrusion Detection Systems)

Mike,

I'm a bit confused (which is not unusual :-) by your reply. Are you saying to utilize an internet connection only to the extent of establishing VPN connections to facilitate basic services, but to disable internet BROWSING?? Or, are you saying not to connect to the internet at all (which is absolutely infeasible at my organization, and likely many others, especially larger hospitals)? In which case, how are you going to establish any VPN connections?

andrew

>>> "Michael Thoni" <[EMAIL PROTECTED]> 9/15/2003 4:43:39 PM >>>
Donna,

The easy answer....
Provide VPN connection for your intranet to enable work processes... (email, HIS etc.) and SHUT THE INTERNET OFF. I have worked with several nursing homes that find this solves many more problems than what they set out to fix.

Mike

-----Original Message-----
From: Andrew McLetchie [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 6:15 PM
To: WEDI SNIP Security Workgroup List
Subject: Re: IDS (Intrusion Detection Systems)

It almost sounds like Donna was speaking of outsourced IDS services (managed IDS), and there probably are about 6 players in that space right now (please correct me if I am wrong, Donna!!). Managed IDS services are great for organizations that have neither the expertise/experience nor the human resources to implement and manage an enterprise IDS capability - however, they are expensive. I did some research in this area a little over a year ago. Fees varied a bit, but (remember, this was 12+ months ago, so significant changes either way could have taken place) I was looking at something like $5000-$10000/month. It's a lot of money, but compared to the cost to staff up, train staff, purchase, implement, and monitor IDS(s) ongoing, it's not even close.

The realm of "shrinkwrapped" IDS (i.e., non-managed service - you install and monitor the system) is split into two categories: host-based IDS and network-based. Host-based IDS actively monitors a single host (or, in some cases, a group of hosts) for intrusion. Network-based systems monitor various parts of your network for intrusion (depending on where you place them - you might have one on your internet gateway(s) to monitor perimeter intrusion, or on different segments of your network to monitor for intrusion on a particular subnet).

IDS is just one of many security measures (like a firewall, anti-virus systems, access control systems, etc.) that you may or may not choose to apply based on your assessment of organizational risk.
So, no, HIPAA doesn't require IDS per se - but neither does it require a whole bunch of stuff, per se, that most organizations likely will implement. It requires that we assess the risk associated with housing, processing, and transmitting PHI and apply controls commensurate with that risk. I expect that many healthcare organizations will, indeed, deploy intrusion detection systems of some kind, but there will be vast numbers that do not.

The one thing I can say very confidently about pretty much ALL IDS products (even snort, which is a fantastic little program, as Keith mentioned) is that they are absolutely useless without very skilled technical staff to implement the system, and review and interpret the logs and alerts coming from the system (emphasizing Keith's point). These are not easy systems to deploy or manage effectively. If you determined that some level of IDS is required at your organization based on assessed risk, then looking at a managed IDS solution would be a good option in the absence of in-house technical talent.

For more information on IDS and how they are being used in various industries, do a search on 'IDS' at whatis.com (a great sort of tech encyclopedia).

Andrew S. McLetchie, CISSP
Information Security Analyst
Sparrow Health System
Lansing, MI

>>> "Keith W. McCammon" <[EMAIL PROTECTED]> 9/9/2003 4:37:45 PM >>>
Just about any security-conscious organization should already have one in place, to some degree. However, "intrusion detection" is a loose term, and a very wide variety of products and services meet that description in one way or another.

If you're considering a network-based IDS, I'd recommend Snort. It's free, updated often, and *very* widely used. So your obvious cost is only hardware. However, in addition to the cost of the hardware to run the software, you also need to take into account whether you can afford someone who can actually make sense of and respond to the data.
An IDS is no good placed in the hands of an admin who is only interested in keeping things going. And a security analyst can be expensive.

Bottom line: If you have some bright folks on staff, let them get going with something like Snort, and 1) your organization is going the extra mile, which will help with HIPAA, if nothing else (HIPAA doesn't care about IDS by definition), 2) your network and staff are improving daily.

But that's just my point of view!

Cheers

Keith

----- Original Message -----
From: "Baldassinlight, Donna" <[EMAIL PROTECTED]>
To: "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, September 09, 2003 3:31 PM
Subject: IDS (Intrusion Detection Systems)

> Does anyone know whether health care providers are using or considering the
> use of IDS (Intrusion Detection Systems) to comply with the security
> regulations under HIPAA. We understand that there are about six firms that
> provide this type of service. Does anyone know of any healthcare
> organizations that have purchased or are considering this? Is it cost
> effective considering the level of risk for a 700 bed hospital or a 300 bed
> nursing home?
> Thanks,
> Donna
>
>
> ---
> The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
>
> You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
> To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
> If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org