HIPAA compliant firewalls in 60 seconds.

Tod Ferran, CISSP, QSA
By: Tod Ferran
How do you block access to your systems (and sensitive data) from hackers in the outside world? The easiest way is through a firewall. Firewalls block bad guys from intruding into your private systems, while still allowing you to access the Internet and communicate with the outside world.

Learn more about firewall basics here: How Does a Firewall Protect a Business?

So how does this apply to healthcare? Every organization that deals with sensitive information (such as credit cards, patient health data, or government records) should have both a hardware and software firewall to protect them from attackers.

Watch the video below to learn best practices for healthcare firewall security in just 60 seconds.

So how exactly does a firewall help me?

A software firewall regulates data traffic through two things: port numbers, and applications. Depending on your firewall settings, your firewall could stop programs from accessing the Internet, and/or block incoming or outgoing access via ports.

SEE ALSO: Understanding the HIPAA Application of Firewalls

For example, Port 80 is your Internet connection. Leaving outgoing Port 80 open is ok, because that is what allows you to browse the Internet. Leaving incoming Port 80 open is a different story. If it’s left open, anybody could access your network through Port 80.

One downside to a software-only firewall is that you have to train and maintain the software to recognize threats. As you add or update programs, your firewall will block them, until you tell it not to. Additionally it only protects the device it is installed on. That’s what it does by design.

For a firewall to be effective, you must have enough knowledge to know which programs and applications to allow, and which ones not to allow.

SEE ALSO: How to Configure a Firewall in 5 Steps

But, software firewalls are only half your defense. All networks (whether small or large) need a physical hardware firewall.

A physical hardware firewall is placed between your office network and the Internet and guest wireless (if you have one). We often call this a ‘perimeter firewall’ because it is protecting our network and systems at the perimeter of the outside world. It not only adds a layer of protection to our workstations, it also protects network devices such as printers, medical equipment, and telephone systems which often don’t have a software firewall available on them.

Why both a hardware and software firewall?

The difference between hardware and software firewall is this: A hardware firewall protects you from the outside world, and a software firewall protects a specific device from other internal systems.
Basically, the software firewall helps protect you from yourself.
For example, if someone tries to access your systems from the outside, your physical firewall will block them. But if you accidentally click on a virus-laden email that’s already managed to get into your system, your software firewall on the other computers in your office network may stop it from infecting them.

SEE ALSO: PCI Compliant Firewalls: 5 Things You’re Doing Wrong

Don’t be a hero

Even if you have both a hardware and software firewall, they may be useless unless you have the right people monitoring and managing them.

We’ve all heard about the Target breach of over 40 million credit cards. Did you know Target IT staff received firewall alerts 5 days and then again 3 days BEFORE any data was stolen? These alerts were ignored, which allowed the bad guys to continue the attack.

It does no good if you don’t have the technical expertise to work with firewall rules, understand them, and react to the alerts generated. Contract with an IT professional to help you set up and maintain this crucial portion of your healthcare security.

Have a HIPAA security question? Leave a comment and you may see your question answered on the next HIPAA Snippets video.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.