A Snapshot of Firewalls, HIPAA, and Healthcare Security
See how healthcare organizations are managing their firewalls.

Do you know if your firewalls are HIPAA compliant? How is your organization doing with logging? Do you use a managed firewall service? If you don’t know the answers to these questions, you’re not alone.
Many organizations don’t know much about their firewalls, besides the fact that they have them.
We surveyed 52 healthcare professionals responsible for HIPAA compliance to see how they’re doing with firewalls. Here’s what we found:
What types of firewalls does your organization use?

What’s concerning about this question is that 27% of those surveyed didn’t know which firewalls they use, and only 18% use both hardware and software firewalls.
Every network needs both: a network (hardware) firewall at the perimeter, and host-based (software) firewalls on the servers and workstations behind it, so that a device that is compromised, moved to another network segment, or carried off-site is still protected. That only 18% in this survey report doing both suggests many networks aren’t being protected adequately.
SEE ALSO: Firewalls 101: 5 Things You Should Know
Are your network firewalls managed by a security professional or third party?

In this survey, 75% use a firewall that’s managed by a third party. While this isn’t required by HIPAA, a managed firewall service can help with complex firewall rules and day-to-day management. Instead of dealing with the rules yourself, have someone with the technical experience take care of them. It helps ensure your firewall is actually doing what you think it is.
Looking for a managed firewall service? Come talk to us!
How often are firewall rules reviewed?

41% of those surveyed don’t know how often their firewall rules are reviewed, 13% say they’re reviewed yearly, and 17% say they’re reviewed quarterly. This is a little scary. If you’re not reviewing your firewall rules regularly, there’s no guarantee your firewall is still configured to protect your networks: rules accumulate, “temporary” exceptions become permanent, and after a while nobody can say exactly what traffic is allowed through.
You should have a security professional review your firewall rules at least quarterly, and more often if your networks change frequently.
Do you store firewall logs?

37% of those surveyed don’t know whether their organization stores firewall logs, and 15% say they don’t. This is a problem because retained logs are the record of what connected to what on your network; without them you can neither reconstruct an incident nor show that one didn’t happen.
HIPAA’s Security Rule also requires audit controls (45 CFR 164.312(b)) and regular review of information system activity such as audit logs (45 CFR 164.308(a)(1)(ii)(D)). Logging on critical systems, with alerting on the events that matter, means an unauthorized connection attempt gets noticed rather than buried.
Is someone assigned to review logs daily?

In this survey, 44% do have someone assigned to review their firewall logs, but 32% don’t know. Firewall logs that nobody reads won’t catch anything; someone needs to review them daily. That way, if something suspicious does show up (e.g. someone tried to log into the network 900 times around 3 a.m.), a person notices it the same day rather than months later.
You should have a security professional or third party review your firewall logs daily.
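The 3 a.m. burst of login attempts mentioned above is exactly the kind of thing a daily log review should surface, and it is easy to automate the first pass. The script below is an added example written for this article, not code from the survey or from any firewall vendor: it parses a constructed, generic syslog-style deny log (the line format, hostnames and addresses are all assumed for illustration) and flags any source address that racks up more than a threshold of denied connections inside a sliding time window, noting whether the burst happened outside business hours.

```python
"""Added example: flag sources with bursts of denied connections in a firewall log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any vendor's real format):
#   <ISO timestamp> <hostname> <ALLOW|DENY> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def build_sample_log():
    """Constructed sample: 120 denied SSH attempts from one address between 03:00 and 03:02,
    plus a few unrelated daytime denies and one allowed internal connection."""
    lines = []
    t0 = datetime(2024, 3, 2, 3, 0, 0)
    for i in range(120):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} fw01 DENY TCP 203.0.113.7:{50000 + i} -> 10.20.0.5:22")
    t1 = datetime(2024, 3, 2, 14, 15, 0)
    for i, src in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        ts = (t1 + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} fw01 DENY TCP {src}:40000 -> 10.20.0.5:443")
    lines.append("2024-03-02T14:30:00 fw01 ALLOW TCP 10.20.0.9:51000 -> 10.20.0.5:443")
    return lines


def find_burst_sources(lines, window=timedelta(minutes=10), threshold=50, off_hours=(0, 6)):
    """Return one alert per source IP whose denied attempts reach `threshold`
    within any span of length `window`. Uses a sliding window over the
    time-sorted denies for each source, so a slow trickle over a whole day
    is not mistaken for a burst."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        best = (0, None, None)  # (count, first_ts, last_ts) of the densest window seen
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, recs[start]["ts"], recs[end]["ts"])
        count, first, last = best
        if count >= threshold:
            alerts.append({
                "src": src,
                "attempts": count,
                "first": first,
                "last": last,
                "targets": sorted({f'{r["dst"]}:{r["dport"]}' for r in recs}),
                # off_hours is a half-open local-hour range, e.g. (0, 6) for midnight to 06:00
                "off_hours": off_hours[0] <= first.hour < off_hours[1],
            })
    return alerts


def main():
    for a in find_burst_sources(build_sample_log()):
        flag = "OFF-HOURS " if a["off_hours"] else ""
        print(f'{flag}{a["src"]}: {a["attempts"]} denies {a["first"]} .. {a["last"]} -> {a["targets"]}')


if __name__ == "__main__":
    main()
```

In practice you would feed this your retained firewall logs instead of the constructed sample, tune the window and threshold to your traffic, and route anything it returns to the person who owns the daily review; the point is that the human reads a short list of anomalies rather than the raw log.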
SEE ALSO: The Importance of Log Management
Do you have limited access between the Internet and patient data storage systems?

This is one that organizations seem to be doing fairly well on: 67% say they do limit access, while 28% say they don’t know. Computers and other devices that store or access PHI should be restricted to only the Internet destinations they actually need, in both directions. This helps prevent PHI from leaking to less secure sites and unprotected networks, and gives an attacker who lands on one of those systems fewer paths out.
Get your firewalls HIPAA compliant!

Overall, the organizations we surveyed are doing well at having managed firewalls and limiting access, but they need to improve on retaining and reviewing firewall logs and on reviewing their firewall rules.
Remember, firewalls aren’t a plug-and-play technology. You have to review the rules regularly to make sure they’re still configured properly, and you need to store and review the logs so you can catch a breach in progress.
Need help getting HIPAA compliant? Let’s see what you need to do!
Learn more about this survey through our data visualization: How is Healthcare Doing with Firewalls?