New software crystallizes network security big picture

August 1, 2005

Security event monitors, an emerging technology in security software, can help protect radiology departments from the increasing onslaught of network attacks, according to researchers at the University of Pittsburgh Medical Center.

The monitors correlate data from various network system defenses and provide users with one unified source of security information, said Dr. Barton F. Branstetter IV, associate director of radiology informatics at Pittsburgh. Branstetter spoke at a SCAR University session on security.

The Health Insurance Portability and Accountability Act has made security one of the hottest topics in healthcare.

"It's one thing to lose a paper chart, but it's another to expose your medical records to the outside world," Dr. Paul Chang, director of radiology informatics at Pittsburgh, said during the session.

An emerging problem in network security is the growing frequency and complexity of attacks, according to Branstetter. New event monitoring tools can help hospitals gain a better understanding of the various ways their networks may be infiltrated.

Branstetter used a pyramid analogy to describe a hospital's network security. At the base of the pyramid are static defenses such as firewalls. These are essentially "dumb" defenses that do not analyze attack types or even recognize that they have been breached. They simply block certain transactions and log those results.

The second line of defense relies on analytical software tools, including intrusion detection systems that "sniff" traffic and look for suspicious conversations such as broadcast messages and unusual surges in traffic. Other tools at this level of the pyramid are probes that mimic attackers and alert administrators to weak points in the system, system integrity verifiers that identify changes in system files, and log file monitors that detect patterns of rejected events, such as repeated failed logins or denied connections.

But even these more intelligent tools can't cope with the resulting flood of security data, he said. A large organization can generate up to 10 MB of security event data per minute. With so many alerts, often originating from many different sources, managing the incoming data by hand can be nearly impossible.

This is where security event monitors, which sit at the top of the security pyramid, come in. They gather data from all the systems below them and correlate the information by time and type of event.

These tools essentially provide a meta-analysis of all collected security data, helping administrators to determine the timing and sources of attacks. Thus armed, they can prepare for impending attacks, find system loopholes, and develop containment strategies, Branstetter said.

The technology is still maturing, and only a few products are on the market. The University of Pittsburgh uses many elements from the middle tier of the security pyramid but is waiting for security event monitoring technology to fully mature.

"In medicine, we tend to be way behind the curve in adoption of this sort of technology, compared with business and others in academia. It is important that we keep abreast of such developments," he said.