Like a security guard, firewalls control what goes in, and what comes out.

By: Tod Ferran, CISSP, QSA
Many smaller healthcare entities and business associates struggle to understand how HIPAA requirements translate into specifics for their environment. Take HIPAA requirement §164.312(c)(1), for example.

It’s true this HIPAA regulation never mentions the word ‘firewall.’ But anywhere your entity has a connection to the Internet, meeting the requirement in practice means a dedicated firewall device at the network edge, in addition to any software firewalls enabled on the individual systems behind it.

The most common concern I find with small covered entities and business associates is that they don’t know anything about firewalls. Worse, they think the little box their ISP (Internet Service Provider) gave them to connect to the Internet is a firewall, so they feel a false sense of security. An ISP gateway typically performs network address translation and little else: it rarely lets you write outbound rules, keeps almost no useful logs, and does not terminate VPNs.


Firewalls 101

More than just a powerful business tool, the Internet is a scary place riddled with viruses and malicious software actively attempting to gain access to computer systems and data.

No matter how boring or unimportant you may think patient data is, there are bad guys out there who want it and have figured out ways to make money once they get it.

Firewalls provide a first line of defense. A firewall acts much like a solid brick wall around a building, complete with a gate and security guard. The security guard only allows the things we have told him to allow through.

As such, we install a firewall between our computer systems and the Internet. This is often called a ‘perimeter firewall’ because it protects all our systems like a perimeter wall around a building. We give our firewall a list of instructions, also known as Access Control Lists (ACLs), so that it knows what to allow in and out.


Outbound firewall rules

It may be tempting to allow everything out of our systems. But allowing our computers to go anywhere greatly increases the chances of malicious software infection, and if a computer is infected anyway, unrestricted outbound access is exactly what the malware needs to contact its operators and send patient data out.

If you haven’t already, now is a good time to think about the different roles or job functions that computers are used for. For instance, receptionists may need to access company email and health insurance websites. They probably don’t need Facebook, Twitter, Gmail, or anything else. We can whitelist these computers so that they can only go to the websites we want them to go to.

On the other hand, physician and nurse computers may need the Internet for research purposes, so they need more open access. Though, they probably still don’t need Facebook. We can blacklist these computers so that they can go anywhere except to certain websites we don’t want them to visit. One caveat: a plain firewall ACL matches addresses and ports, not website names, so filtering by site is done with the firewall’s web or DNS filtering feature (most business-class firewalls have one), while the ACL enforces which ports and address ranges each group may reach at all.

We may also have some computers, such as an EMR/EHR server, which never need Internet access. These computers we can block from having any access to the Internet. If such a server needs software updates, allow only the specific update source rather than opening it up to everything.


Inbound firewall rules

Now let’s talk about what outsiders we want our security guard to let in through the gate. This is where I often see the most problems. Usually there are no rules, so everything is allowed in.

Even when filtering is enabled, big holes are often left open so physicians or office managers can connect from home to the EMR or other systems. When someone outside our brick wall needs to come in past the security guard, that is remote access: the computer used on the outside is the remote computer, and allowing that computer to connect to office systems is remote access.


If there is strong business justification for allowing connections from outside, let’s configure it properly. If not, the most secure option is turning off all remote access.

If you are allowing remote access, tell the security guard which people are allowed through and only let them in if they have the secret password. This can be done on our firewall using ACLs and VPNs.

A VPN is a virtual private network. It’s a protected, encrypted tunnel between our office computer systems and another computer connecting in through the Internet. To get through it you need a username and password plus a second credential (such as a client certificate or key) that is installed on the remote computer and is unique to that computer, so a stolen password alone is not enough to get in.

To relate these concepts back to our brick wall, gate, and security guard, we give our security guard (firewall) the following instructions:
  • Whitelist – Only allow Fred and Wilma (the receptionist computers) to go to the grocer and the dry cleaners
  • Blacklist – Allow Barney and Betty (the physician computers) to go anywhere except to the saloon
  • Block – Don’t allow Albert (the EMR server) to leave the premises
  • VPN – Only allow Gandhi (the physician at home) to come inside if he shows up from the underground tunnel #12 and has the secret password assigned only to him
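The four instructions above, turned into a first-match ruleset. This is an added example, not code from the original post: it models how a perimeter firewall walks its ACL top to bottom, stops at the first matching rule, and drops whatever nothing allowed. All hostnames, addresses and the VPN port are invented for illustration (the address ranges are the RFC 5737 documentation blocks). It also shows the mistake of putting a blacklist rule after a broad allow, which silently re-opens the blocked site.

```python
"""First-match firewall policy evaluator (added example, not from the original
post). Models the article's 'security guard' instructions: whitelist the
receptionist computers, blacklist one site for the physicians, block the EMR
server from leaving at all, and accept inbound traffic only for the VPN.
Everything else falls through to a deny, which is how a real perimeter ACL
should end. Names, addresses and ports are invented for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str            # "out" = office -> Internet, "in" = Internet -> office
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]      # None matches any destination port
    action: str               # "allow" or "deny"

    def matches(self, direction: str, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (self.direction == direction and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], direction: str, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Walk the ACL top to bottom; return (action, rule name) for the first match.
    No match at all means deny: a firewall without that is the 'everything
    allowed in' situation the article warns about."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(direction, s, d, dport):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


ANY = ip_network("0.0.0.0/0")
RECEPTIONISTS = ip_network("10.0.0.10/31")   # Fred (.10) and Wilma (.11)
PHYSICIANS = ip_network("10.0.0.20/31")      # Barney (.20) and Betty (.21)
ALBERT = ip_network("10.0.0.50/32")          # the EMR server
MAIL_SERVER = ip_network("203.0.113.10/32")  # "the grocer": hosted company e-mail
INSURER = ip_network("203.0.113.20/32")      # "the dry cleaners": insurance portal
SALOON = ip_network("198.51.100.0/24")       # the site physicians must not visit
GANDHI_HOME = ip_network("192.0.2.7/32")     # the physician's home connection
FIREWALL_WAN = ip_network("203.0.113.1/32")  # our firewall's public address
VPN_PORT = 1194                              # assumed port of the firewall's VPN service

POLICY = [
    # Block: Albert never leaves. Listed first so no later allow can cover him.
    Rule("block-emr", "out", ALBERT, ANY, None, "deny"),
    # Whitelist: receptionists get exactly two destinations, HTTPS only.
    Rule("recep-mail", "out", RECEPTIONISTS, MAIL_SERVER, 443, "allow"),
    Rule("recep-insurer", "out", RECEPTIONISTS, INSURER, 443, "allow"),
    # Blacklist: the deny must sit above the broad allow or it never fires.
    Rule("phys-no-saloon", "out", PHYSICIANS, SALOON, None, "deny"),
    Rule("phys-web", "out", PHYSICIANS, ANY, 443, "allow"),
    Rule("phys-web-plain", "out", PHYSICIANS, ANY, 80, "allow"),
    # VPN: the only inbound hole, and only from Gandhi's address to the VPN port.
    # The password and per-device credential are checked by the VPN service
    # itself once the packet is let through; the ACL only limits who reaches it.
    Rule("vpn-gandhi", "in", GANDHI_HOME, FIREWALL_WAN, VPN_PORT, "allow"),
    # Explicit final denies, so the intent is visible when someone reads the list.
    Rule("deny-all", "out", ANY, ANY, None, "deny"),
    Rule("deny-all", "in", ANY, ANY, None, "deny"),
]


def misordered_policy() -> List[Rule]:
    """The same rules with the physician blacklist moved below the broad allow:
    a common mistake that re-opens the 'saloon' without any error message."""
    rules = [r for r in POLICY if r.name != "phys-no-saloon"]
    idx = [r.name for r in rules].index("phys-web-plain") + 1
    rules.insert(idx, Rule("phys-no-saloon", "out", PHYSICIANS, SALOON, None, "deny"))
    return rules


if __name__ == "__main__":
    checks = [
        ("out", "10.0.0.10", "203.0.113.10", 443),   # Fred -> mail server
        ("out", "10.0.0.10", "198.51.100.5", 443),   # Fred -> saloon (not whitelisted)
        ("out", "10.0.0.20", "198.51.100.5", 443),   # Barney -> saloon (blacklisted)
        ("out", "10.0.0.21", "203.0.113.77", 443),   # Betty -> some research site
        ("out", "10.0.0.50", "203.0.113.10", 443),   # Albert -> anything
        ("in", "192.0.2.7", "203.0.113.1", 1194),    # Gandhi -> VPN port
        ("in", "192.0.2.99", "203.0.113.1", 3389),   # stranger -> RDP
    ]
    for c in checks:
        print(c, "->", evaluate(POLICY, *c))
    print("misordered:", evaluate(misordered_policy(), "out", "10.0.0.20", "198.51.100.5", 443))
```

In real deployments the remote physician's home address changes, so the inbound VPN rule is usually "anyone to the VPN port" and the VPN service's own authentication (password plus the device credential) does the gatekeeping; the point of the source restriction here is to show that the ACL can narrow the hole further whenever the remote address is fixed.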

Don’t forget firewall logging

Logging plays a vital role in real-time alerts and backtracking to discover what occurred during a problem. Unfortunately, it’s often overlooked and misunderstood.

Per HIPAA requirements, we need to configure logging and monitoring properly. Think of logging as a security guard writing down the names of those trying to pass through the gate, both those permitted and those that aren’t.

Just like a good security guard will report if the same person keeps trying to get in, our firewall logs can help us determine if bad guys are launching a full-scale attack.

Nearly all firewalls have very limited logging space. It’s important to set up a logging server somewhere in the office and configure the firewall to send its logs to that server (usually over syslog). Software on the logging server can monitor logs from the firewall, as well as from all other systems, and send an email or text alert if it detects we are under attack.
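What the software on that logging server actually does with the guard’s notebook, as an added example that is not part of the original post. It parses firewall verdict lines in the style a Linux netfilter LOG rule produces, keeps both the allowed and the denied entries, and flags the “same person keeps trying the gate” pattern: many denied connections from one source in a short window, and one source knocking on many different ports. The log lines, the FW-ALLOW/FW-DENY prefixes, the year and the thresholds are all constructed for this example.

```python
"""Firewall log review (added example, not from the original post). Parses
netfilter-style verdict lines as a syslog collector would receive them and
flags sources that keep getting denied. Log lines, prefixes and thresholds
below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# One netfilter LOG line: "<syslog ts> <host> kernel: <prefix> IN=... SRC=... DST=... PROTO=... [DPT=...]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<verdict>FW-(?:DENY|ALLOW)) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?"
)


class Event(NamedTuple):
    ts: datetime
    verdict: str
    src: str
    dst: str
    proto: str
    dpt: int          # 0 when the protocol has no port (ICMP)


def parse(lines: List[str], year: int = 2024) -> List[Event]:
    """Turn raw syslog lines into events; non-firewall lines are skipped.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["verdict"], m["src"], m["dst"], m["proto"], int(m["dpt"] or 0)))
    return events


def find_attackers(events: List[Event], window_s: int = 60,
                   deny_threshold: int = 5, port_threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return ("burst", src, n) when a source collects n >= deny_threshold denies
    inside any window_s span, and ("scan", src, n) when it was denied on n >=
    port_threshold distinct destination ports. Allowed traffic never alerts but
    stays in the events so an investigator can see who did get in."""
    denies: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.verdict == "FW-DENY":
            denies[e.src].append(e)
    alerts = []
    for src, evs in denies.items():
        evs.sort(key=lambda e: e.ts)
        best, j = 0, 0                       # sliding window over sorted timestamps
        for i in range(len(evs)):
            while (evs[i].ts - evs[j].ts).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        ports = {e.dpt for e in evs}
        if best >= deny_threshold:
            alerts.append(("burst", src, best))
        if len(ports) >= port_threshold:
            alerts.append(("scan", src, len(ports)))
    return alerts


# Constructed sample: one allowed VPN session, a scanner probing six ports in
# 13 seconds, an unrelated sshd line, two slow RDP knocks, and one ping.
LOG_LINES = [
    "Mar 14 02:11:05 fw kernel: FW-ALLOW IN=eth0 OUT= SRC=192.0.2.7 DST=203.0.113.1 LEN=60 PROTO=UDP SPT=51000 DPT=1194",
    "Mar 14 02:11:07 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024",
    "Mar 14 02:11:09 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024",
    "Mar 14 02:11:11 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=40003 DPT=3389 WINDOW=1024",
    "Mar 14 02:11:13 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=40004 DPT=445 WINDOW=1024",
    "Mar 14 02:11:16 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=40005 DPT=1433 WINDOW=1024",
    "Mar 14 02:11:20 fw kernel: FW-DENY IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=40006 DPT=3306 WINDOW=1024",
    "Mar 14 02:12:00 fw sshd[4242]: Accepted publickey for admin from 10.0.0.5 port 50123 ssh2",
    "Mar 14 02:30:00 fw kernel: FW-DENY IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=41000 DPT=3389 WINDOW=1024",
    "Mar 14 02:40:00 fw kernel: FW-DENY IN=eth0 OUT= SRC=192.0.2.200 DST=203.0.113.1 LEN=60 PROTO=TCP SPT=41001 DPT=3389 WINDOW=1024",
    "Mar 14 02:41:00 fw kernel: FW-DENY IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for kind, src, n in find_attackers(parse(LOG_LINES)):
        print(f"ALERT {kind}: {src} ({n})")
```

The two slow RDP attempts from 192.0.2.200 stay below both thresholds, which is deliberate: a single retry is normal, and the thresholds are the knob you tune once you have seen a week of your own firewall’s logs. Whatever values you pick, the alert should go to someone who will read it.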

Hopefully now you have a better understanding of firewalls, and how important they are to keeping system and patient data secure.


Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.

1 comment:

  1. Regarding firewall logs, how far back must the firewall logs go to be compliant with HIPAA?
