Like a security guard, a firewall controls what goes in and what comes out.
Many smaller healthcare entities and business associates struggle to understand how HIPAA requirements translate into specific security controls for their environment. Let's take HIPAA requirement §164.312(c)(1):
§164.312(c)(1): Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
It’s true this HIPAA regulation never mentions the word "firewall," which many organizations try to use as a way out of implementing one. However, it’s important to understand that regulations are not standards: they tell us what to do without the details of how to do it.
Security standards such as NIST SP 800-53 fill in the details of what security controls need to be in place to protect electronic information from improper alteration and destruction. These standards assert that boundary protection is essential to guard sensitive information from public access. The common term for this boundary protection is “firewall.”
It is common for small covered entities and business associates not to know anything about firewalls. Worse, they might think the little box their ISP (Internet Service Provider) gave them to connect to the Internet is a firewall, offering a false sense of security.
The purpose of this article is to help small organizations understand how firewalls support their efforts to protect patient information.
HIPAA Firewalls 101
While the Internet is a powerful business tool, it can also be a scary place riddled with viruses and malicious software actively attempting to gain access to computer systems and data. Patient data is valuable, and there are bad guys out there who want it and have figured out ways to make money once they get it.
Firewalls can provide a first line of defense. A firewall acts much like a solid brick wall around a building, complete with a gate and a security guard. The security guard lets through only the specific things you have told him to allow.
When we install a firewall between our computer systems and the Internet, it's often called a "perimeter firewall" because it protects all of our systems, like a perimeter wall around a building. We give the firewall a list of instructions, known as Access Control Lists (ACLs), so that it knows what to allow in and out.
Outbound firewall rules
It is tempting to allow people in our organizations to access anything on the Internet. We might justify it by saying it helps them do their jobs unhindered or makes them happier when they can get to Facebook, Twitter, and personal email during working hours. Unfortunately, allowing computers to connect anywhere greatly increases the chances of malicious software infection.
To create meaningful firewall rules, start by identifying who uses a specific computer and what their roles are. For instance, receptionists may need to access company email and health insurance websites. They probably don’t need Facebook or Twitter. Because the websites a receptionist needs to access can be clearly defined, we can whitelist these computers so that they can only go to the websites related to their job function, blocking access to all other websites.
On the other hand, physician and nurse computers may need the Internet for research purposes, and the places they might need to seek out information could be unknown to them prior to the search, so they need more open access. However, they probably still don’t need Facebook. We can blacklist these computers so that they can go anywhere except to certain websites we don’t want them to visit. Blacklisting might keep users away from areas of the Internet known to harbor malicious software, but it is not as effective as whitelisting, because new malicious websites appear constantly and a blacklist only covers the ones already known.
We may also have some computers, such as an EMR/EHR server, which never need Internet access. These computers we can block from having any access to the Internet, while still connecting them to the computers of employees that need to interact with them from inside the organization’s network.
Inbound firewall rules
Now let’s talk about which outsiders we want our security guard to let in through the gate. This is where we often see problems. Usually there are no rules, so everything is allowed in.
Even when rules are in place, big holes are often left open to allow physicians or office managers to connect from home to the EMR or other systems. When someone outside our brick wall needs to come in past the security guard, this is called remote access. The computer used on the outside is the remote computer, because it is outside the perimeter firewall that protects your organization, and allowing that computer to connect to office systems is remote access.
The most secure option is turning off all remote access. If there is strong business justification for allowing connections from outside, it’s possible to secure that connection, but the firewall must be configured properly.
If you allow remote access, tell the security guard which people are allowed through and to let them in only if they have the secret password. This can be done on the firewall using access control lists (ACLs) and virtual private networks (VPNs).
A VPN is like a protected tunnel or pipe between your office computer systems and a remote computer connecting in through the Internet. For a VPN to work, you need to have a username and password along with a secret code that is stored on the remote computer and is unique to that remote computer.
To relate these concepts back to our brick wall, gate, and security guard, we might give our security guard (firewall) the following instructions:
- Whitelist – Only allow Fred and Wilma (the receptionist computers) to go to the grocer and the dry cleaners
- Blacklist – Allow Barney and Betty (the physician computers) to go anywhere except to the saloon
- Block – Don’t allow Albert (the EMR server) to leave the premises
- VPN – Only allow Gandhi (the physician at home) to come inside if he shows up from the underground tunnel #12 and has the secret password assigned only to him
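The four "security guard" instructions above, together with the outbound and inbound rules described earlier, expressed as a small first-match ACL evaluator. This is an added example, not code from the article or from SecurityMetrics; the host addresses, site names, tunnel number and the per-device VPN key are constructed placeholders.

```python
import hmac

# Constructed inventory: which internal address plays which role in the story.
RECEPTIONISTS = {"10.0.1.10", "10.0.1.11"}      # Fred and Wilma: whitelist only
PHYSICIANS = {"10.0.2.10", "10.0.2.11"}         # Barney and Betty: blacklist
EMR_SERVER = "10.0.3.5"                         # Albert: never leaves the premises
WHITELIST = {"mail.example-practice.test", "insurer.example.test"}  # the grocer, the dry cleaners
BLACKLIST = {"facebook.com", "twitter.com"}                           # the saloon
# Gandhi may come in only through tunnel 12 with credentials plus a key unique to his device.
VPN_USERS = {"gandhi": {"tunnel": 12, "password": "pw-placeholder", "device_key": "device-key-placeholder"}}

LOG = []  # the guard writes down every attempt, permitted or not


def _log(verdict, direction, src, dst, reason):
    LOG.append(f"{verdict} {direction} {src} -> {dst} ({reason})")
    return verdict


def outbound(src_ip, site):
    """Outbound ACL: first matching rule wins; anything unmatched is denied."""
    if src_ip == EMR_SERVER:
        return _log("DENY", "out", src_ip, site, "EMR server has no Internet access")
    if src_ip in RECEPTIONISTS:
        ok = site in WHITELIST
        return _log("ALLOW" if ok else "DENY", "out", src_ip, site, "receptionist whitelist")
    if src_ip in PHYSICIANS:
        ok = site not in BLACKLIST
        return _log("ALLOW" if ok else "DENY", "out", src_ip, site, "physician blacklist")
    return _log("DENY", "out", src_ip, site, "no rule matched: default deny")


def inbound(src_ip, dst_ip, user=None, tunnel=None, password=None, device_key=None):
    """Inbound ACL: outsiders get in only via VPN, on the right tunnel, with their own secrets."""
    entry = VPN_USERS.get(user)
    if entry is not None and entry["tunnel"] == tunnel:
        # Constant-time comparison so the check itself does not leak the secrets.
        pw_ok = hmac.compare_digest(entry["password"], password or "")
        key_ok = hmac.compare_digest(entry["device_key"], device_key or "")
        if pw_ok and key_ok:
            return _log("ALLOW", "in", src_ip, dst_ip, f"VPN user {user} on tunnel {tunnel}")
    return _log("DENY", "in", src_ip, dst_ip, "no VPN match: default deny")
```

Note that a computer with no rule of its own (the last line of `outbound`) is denied rather than allowed; that default-deny posture is the difference between a firewall with rules and the "everything is allowed in" situation described under inbound rules.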
Remember firewall logging
Logging plays a vital role in real-time alerts and forensics to discover what occurred during a problem. Unfortunately, logging is often overlooked and misunderstood.
Per HIPAA requirements, we need to configure logging and monitoring properly. Think of logging as a security guard writing down the names of those trying to pass through the gate, both those who are permitted and those who are not.
Nearly all firewalls have very limited logging space, which means they won’t be able to save logs for many days before they are overwritten by new logs. Because HIPAA requires you to keep certain logs for six years, it’s important to set up a separate logging server and configure your firewall logs to go to that server. Software on the logging server can monitor logs from the firewall, as well as from all other systems, and send an email or text alert if it detects you are under attack.
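The monitoring side of the paragraph above, as an added example (not code from the article or from any firewall vendor): a logging server parses firewall log lines and flags a source that has been denied many times in a short window, which is the "you are under attack" signal that would trigger an email or text alert. The log format and every address in the sample are constructed for illustration; shipping the logs off the firewall in the first place is done in the firewall's own syslog configuration, not here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple syslog-like shape (not any vendor's real format).
SAMPLE_LOG = """\
2024-03-01T09:00:01 fw DENY in 198.51.100.7 -> 10.0.3.5:3389
2024-03-01T09:00:02 fw DENY in 198.51.100.7 -> 10.0.3.5:22
2024-03-01T09:00:03 fw DENY in 198.51.100.7 -> 10.0.3.5:443
2024-03-01T09:00:04 fw DENY in 198.51.100.7 -> 10.0.3.5:445
2024-03-01T09:00:05 fw DENY in 198.51.100.7 -> 10.0.3.5:8080
2024-03-01T09:00:06 fw ALLOW in 203.0.113.12 -> 10.0.3.5:443 vpn=gandhi
2024-03-01T09:05:00 fw DENY in 192.0.2.44 -> 10.0.3.5:22
2024-03-01T09:30:00 fw DENY in 198.51.100.7 -> 10.0.3.5:21
this line is garbage and must not crash the monitor
"""

LINE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) (in|out) (\S+) -> (\S+)")


def parse(text):
    """Turn raw log text into events; malformed lines are counted but skipped."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            bad += 1
            continue
        ts, verdict, direction, src, dst = m.groups()
        host, _, port = dst.rpartition(":")
        events.append({"ts": datetime.fromisoformat(ts), "verdict": verdict,
                       "dir": direction, "src": src, "dst": host or dst,
                       "port": int(port) if port else None})
    return events, bad


def find_attackers(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` denied inbound attempts inside any sliding window."""
    denied = defaultdict(list)
    for e in events:
        if e["verdict"] == "DENY" and e["dir"] == "in":
            denied[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in denied.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = end - start + 1
                break
    return alerts
```

Whatever sends the actual alert (email, SMS, a ticket) would consume the dictionary `find_attackers` returns; the threshold and window are tuning knobs, and a single denied probe from a new address is normal Internet background noise rather than an incident.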
Hopefully now you have a better understanding of firewalls, and how important they are to keeping system and patient data secure.
Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.