FIREWALL CONFIGURATION BEST PRACTICES
This post contains the text from the White Paper: How to Implement and Maintain HIPAA Compliant Firewalls.
Network firewalls are vital for you to become Health Insurance Portability and Accountability Act (HIPAA) compliant. A firewall’s goal is to filter potentially harmful Internet traffic from the Internet to protect valuable protected health information (PHI).
Simply installing a firewall on your organization’s network perimeter doesn’t make you HIPAA compliant.
Firewalls are often riddled with configuration flaws and aren’t accurately protecting systems that touch patient data. According to recent breaches analyzed by SecurityMetrics’ team of forensic investigators, 76% of investigated organizations had incorrectly configured firewalls.
In this white paper, you will learn essential HIPAA firewall requirements and best practices for firewall implementation and maintenance.
Network firewalls can be software or hardware technologies that provide a first line of defense to a network. Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by the organization. Secure networks rely on hardware, software, and web application firewalls.
Graphs throughout this white paper are an analysis of responses collected from 91 individuals who are responsible for HIPAA compliance (40 professionals in 2018 and 51 in 2017) about their firewall policies and procedures.
HARDWARE FIREWALLS
A hardware firewall (or perimeter firewall) is typically installed at the perimeter of an organization’s network to protect internal systems from the Internet. Hardware firewalls are also used inside the environment to create isolated network segments, separating the networks that have access to PHI from those that don’t.
In summary, a hardware firewall protects environments from the outside world. For example, if an attacker tries to access your network from the outside, your hardware firewall should block them.
Pros:
- Most robust security option
- Protects an entire network
- Can segment internal parts of a network
Cons:
- Generally more expensive
- Difficult to configure properly
- Needs to be maintained and reviewed regularly
SOFTWARE FIREWALLS
You also need a firewall between systems that store PHI and all other systems, even internal ones. Software firewalls are used to protect a single host from internal threats, particularly mobile devices that can move “outside” of the secure corporate environment.
Many devices come preinstalled with software firewalls, but for devices connecting to PHI remotely, make sure they have a software firewall installed. For example, if a receptionist accidentally clicks on a phishing email scam, their device’s software firewall should stop the malware from infecting it.
Pros:
- Protects mobile workers when outside the corporate network
- Easier to maintain and control
Cons:
- Should not replace hardware firewalls for network segmentation
- Doesn’t protect an entire network
- Fewer security options
WEB APPLICATION FIREWALLS
Web application firewalls (WAFs) should be implemented in front of public-facing web applications to monitor, detect, and prevent web-based attacks. They can also be used to perform application security assessments. Even though these solutions can’t perform the many functions of an all-purpose network firewall (e.g., network segmentation), they specialize in one specific area: monitoring and blocking web-based traffic.
A WAF can protect web applications visible or accessible from the Internet. Your WAF must be up-to-date, generate audit logs, and either block cyber attacks or generate a cyber security alert if an imminent attack is suspected.
Pros:
- Immediate response to web application security flaws
- Protection for third party modules used in web applications
- Deployed as reverse proxies
Cons:
- Requires more effort to set up
- Possibly breaks critical business functions (if not careful)
- May require some network re-configurations
A common firewall mistake is assuming that firewalls are a ‘plug and play’ technology. Organizations often don’t realize it’s necessary to configure the firewall to fit their unique environment.
After installation, you likely need to spend some time setting up your firewall so it restricts network traffic to only those authorized to access it (e.g., ports/services necessary for business).
However, configuring firewalls can be difficult because there are many firewall rules to write, configure, and maintain, and even small mistakes can completely negate your firewall’s effectiveness and open you up to a data breach.
In a recent data breach investigation conducted by SecurityMetrics’ Forensic Investigators, an organization had a fairly sophisticated security and IT system. However, two incorrectly written firewall rules (amongst 300 pages of firewall rules, with about 100 rules on every page) essentially negated the whole firewall, leaving the entire network exposed. It was through this vulnerability that the attacker accessed their network and stole sensitive data.
To properly configure a firewall you need to restrict and control the flow of traffic as much as possible, specifically around networks with PHI access.
Depending on how complex your environment is, you might require many firewalls to ensure all systems are separated correctly. The more controls you have, the less chance an attacker has of getting through an unprotected Internet connection.
Access Control Lists (ACLs) help the firewall decide what it permits and denies into and out of your network. Firewall rules typically allow you to whitelist, blacklist, or block certain websites or IP addresses.
When no ACLs have been configured, everything is allowed into or out of the network. Rules are what give firewalls their security power, which is why they must be constantly maintained and updated to remain effective.
Remember, your firewall is your first line of defense, so you should dedicate time to make sure it’s set up correctly and functioning properly.
FIVE BASIC FIREWALL CONFIGURATION BEST PRACTICES
- SET SECURITY: Set security settings for each switch port, particularly if using segmentation
- ESTABLISH RULES: Update firewall rules if your applications and/or systems don’t have proper security hardening in place (e.g., out-of-date software, default accounts and passwords)
- USE VPNS: If using remote access, set up virtual private networks (VPNs)
- INBOUND/OUTBOUND RULES: Decide what traffic comes in and out of your network
- ADD/CLOSE SWITCH PORTS: Segment different networks with switch ports (e.g., Internet, office, EMR)
INBOUND FIREWALL RULES
If there’s strong business justification for allowing connections from outside, configure these connections properly. If not, the most secure option is turning off all remote access.
If you need to use remote access, you’ll need to set up a VPN. A VPN is a protected tunnel or pipe between an office computer and another computer connecting in through the Internet and should require a username, password and secret code (e.g., multi-factor authentication) unique to the remote computer.
OUTBOUND FIREWALL RULES
It may be tempting to allow everything out of your systems. But, allowing your computers to go anywhere will greatly increase the chances of malicious software infection.
If you haven’t already, now is a good time to think about the different roles or job functions that computers are used for. For instance, receptionists may need to access company email and websites. They probably don’t need Facebook, Twitter, Gmail, or anything else. You can whitelist these computers so that employees can only go to the websites you want them to go to.
On the other hand, physicians may need the Internet for research purposes, so they need more open access. You can blacklist these computers so that employees can go anywhere except to certain websites you don’t want them to visit. For example, they probably don’t need to use Facebook or YouTube.
You may also have some computers, such as ones connecting to an electronic medical record (EMR) system, which never need Internet access. Block these computers from having any access to the Internet.
Healthcare organizations often set up large flat networks, where everything inside the network can connect to everything else. They may have one firewall at the edge of their network, but that’s it.
Generally, the more places that have access to patient information, the higher the chances for a HIPAA violation or data breach.
Firewalls can be used to implement segmentation within an organization’s network. When you create networks with PHI access (e.g., EMR systems) firewalled off from the rest of the day-to-day business traffic, you can better ensure patient data is only sent to known and trusted sources.
For example, you install and configure a multi-interface firewall at the edge of your network. From there, you create one interface on the firewall dedicated just to the systems that store/process/transmit PHI data. If that interface doesn’t allow any other traffic into or out of any other zones, this is proper network segmentation.
Segmentation can be extremely tricky, especially for those without a technical security background. Consider having a security professional double check all your segmentation work.
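The role-based outbound rules (receptionist whitelist, physician blacklist, EMR systems with no Internet) and the dedicated PHI interface described above, as an added example that is not code from the white paper or from SecurityMetrics: a first-match rule model with a default deny, a constructed zone policy, and an audit that catches the kind of overly permissive rule that negated the firewall in the breach described earlier. Zone names, addresses and rules are assumptions.

```python
"""Zone-based firewall policy model: first-match rules with a default deny,
plus an audit for rules that silently open the whole network.
Added example for this page, not SecurityMetrics code; every zone name,
address and rule below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src_zone: str                # "any" matches every zone
    dst_zone: str
    dst_net: str = "0.0.0.0/0"   # destination network; default is everything
    dport: Optional[int] = None  # None matches every destination port
    note: str = ""               # documented business justification

    def matches(self, src_zone, dst_zone, dst_ip, dport):
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == dport))


def decide(rules, src_zone, dst_zone, dst_ip, dport):
    """First matching rule wins; with no match at all the answer is deny."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, dst_ip, dport):
            return rule.action
    return "deny"


def audit(rules):
    """Flag an allow-any-to-any rule and allow rules without a justification."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if (rule.src_zone == "any" and rule.dst_zone == "any"
                and rule.dst_net == "0.0.0.0/0" and rule.dport is None):
            findings.append(f"rule {i}: allow any->any negates every later rule")
        if not rule.note:
            findings.append(f"rule {i}: allow rule lacks a business justification")
    return findings


# Constructed policy. Addresses use documentation ranges (RFC 5737):
# 203.0.113.0/24 = company mail, 192.0.2.0/24 = company web, 198.51.100.0/24 = blocked sites.
POLICY = [
    Rule("deny", "phi", "internet", note="EMR systems never need Internet access"),
    Rule("allow", "reception", "internet", "203.0.113.0/24", 443, "company webmail"),
    Rule("allow", "reception", "internet", "192.0.2.0/24", 443, "company web site"),
    Rule("deny", "physician", "internet", "198.51.100.0/24", note="blocked social media"),
    Rule("allow", "physician", "internet", dport=443, note="research web access"),
    Rule("deny", "any", "any", note="explicit deny-all catch-all"),
]

# One "temporary" rule placed at the top: every packet matches it first.
BAD_POLICY = [Rule("allow", "any", "any", note="temporary vendor access")] + POLICY
```

Running `audit(BAD_POLICY)` reports the any-to-any rule, and `decide(BAD_POLICY, "phi", "internet", "192.0.2.5", 443)` returns "allow" even though the PHI deny rule is still present further down.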
TEST AND MONITOR CONFIGURATION
As stated earlier, network firewalls aren’t a plug-and-forget technology. No matter the size of your environment, things change over time. Firewall rules will need to be revised over the course of a few months and at least every six months. Besides forcing you to confirm there are no security weaknesses, this review also gives you the chance to update your firewall strategy.
TESTING YOUR NETWORK
You need to test the effectiveness of your firewall rules. For example, you need to scan for rogue wireless access points, particularly if they are attached to your non-guest network. Rogue wireless access points can allow attackers unauthorized access to secure networks, letting them attack your network remotely. Scanning for rogue wireless access points helps you identify which access points need to be changed.
Use vulnerability scans and penetration tests to find weaknesses in your network. Vulnerability scans provide useful weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough way to deeply examine network security.
Although HIPAA does not specifically state the necessity of vulnerability scans (e.g., internal and external vulnerability scans), almost every security expert considers them one of the best ways to find potential vulnerabilities. A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. All external IPs and domains with PHI access should be scanned at least quarterly.
Typically, internal and external vulnerability scans generate an extensive list/report of vulnerabilities found and references for further research on the vulnerability. Some even offer directions on how to fix the problem.
Despite what many businesses believe, scanning is not enough. You can’t just scan and sit on the report. Act quickly on any vulnerabilities discovered to ensure security holes are patched and then re-scan to validate that the vulnerabilities have been successfully addressed.
Although not required for all organizations, many find it helpful to request a penetration test to measure their organization’s security. To help you find security weaknesses, penetration testers analyze network environments, identify potential vulnerabilities, and attempt to exploit those vulnerabilities (or coding errors) just like a hacker would.
The time it takes to conduct a penetration test varies based on network size, network complexity, and the individual penetration test staff members assigned. A small environment can be completed in a few days, but a large environment can take several weeks. Typically, penetration test reports contain a detailed description of attacks used, testing methodologies, and suggestions for remediation.
FIREWALL LOG MANAGEMENT
Log management also plays a vital role in monitoring firewalls. Set up logging so you have real-time alerts and backtracking to discover what occurred during a problem. Logs keep track of both normal and potentially damaging user actions happening against a firewall and help prevent, detect, and minimize the impact of a data breach. If event log software is configured correctly, administrators can be alerted if firewall logs indicate an attack.
To take advantage of log management, look at your security strategy and make sure these steps are taken care of:
- Decide how and when to generate logs.
- Secure your stored logs so they aren’t maliciously altered by cybercriminals or accidentally altered by well-intentioned employees.
- Assign an employee to review logs daily.
- Set up a team to review suspicious alerts.
- Spend time to create rules for alert generation (don’t just rely on a template).
- Store logs for at least six years.
- Frequently check log collection to identify necessary adjustments.
ORGANIZATIONS SHOULD REVIEW THEIR LOGS DAILY TO SEARCH FOR ERRORS, ANOMALIES, OR SUSPICIOUS ACTIVITY THAT DEVIATE FROM WHAT’S NORMAL.
Nearly all firewalls have very limited logging space. It’s important to set up a logging server somewhere in the office and configure the firewall logs to go to that server. Software on the logging server can monitor logs from the firewall, as well as from all other systems, and send an email or text alert if it detects you’re under attack.
LOG MANAGEMENT TOOLS
Given the large amount of log data generated by systems, it’s virtually impossible to manually analyze logs beyond one or two systems, especially reviewing logs all day. Log monitoring software takes care of that task by using rules to automate log review and only alert on events that might reveal problems.
You likely need Security Information and Event Management (SIEM) tools to sift through logs and drill down into problems. In the past, SIEM systems were only utilized in enterprise organizations, but now, smaller organizations are beginning to realize system monitoring can help identify attacks.
Organizations often struggle with good log review processes. Using SIEM tools can enable you to have real-time alerting to help you recognize current attacks. If you really do have a problem, you can initiate your incident response plan (IRP).
Also, remember that in order to correlate events over multiple systems you must synchronize system times. All systems should get their system time from one or two internal timeservers, which in turn receive time from a trusted external source.
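To show what rule-based log review (rather than a template) looks like in practice, here is an added example that is not code from the white paper or from SecurityMetrics: it parses constructed firewall records as collected on a central logging server and alerts on two patterns, a single external source denied on many ports within a minute, and any allowed flow out of the PHI zone to the Internet. The log format, host names and addresses are assumptions.

```python
"""Rule-based review of firewall logs: parse key=value records, then alert on
(1) one external source denied on many distinct ports within a short window and
(2) any allowed flow from the PHI zone to the Internet, which segmentation
should make impossible. Added example, not SecurityMetrics code; the log
format, hosts and addresses are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export from a central logging server. Timestamps are UTC from
# time-synchronized firewalls, so events from fw1 and fw2 can be correlated.
SAMPLE_LOG = """\
2024-03-01T09:15:02Z fw1 action=deny src=203.0.113.9 dst=192.0.2.20 dport=21 zin=internet zout=dmz
2024-03-01T09:15:03Z fw1 action=deny src=203.0.113.9 dst=192.0.2.20 dport=22 zin=internet zout=dmz
2024-03-01T09:15:03Z fw1 action=deny src=203.0.113.9 dst=192.0.2.20 dport=23 zin=internet zout=dmz
2024-03-01T09:15:04Z fw1 action=deny src=203.0.113.9 dst=192.0.2.20 dport=445 zin=internet zout=dmz
2024-03-01T09:15:05Z fw1 action=deny src=203.0.113.9 dst=192.0.2.20 dport=3389 zin=internet zout=dmz
2024-03-01T09:20:11Z fw1 action=allow src=10.10.5.4 dst=203.0.113.40 dport=443 zin=reception zout=internet
2024-03-01T09:31:40Z fw2 action=allow src=10.20.1.7 dst=198.51.100.23 dport=443 zin=phi zout=internet
2024-03-01T10:02:00Z fw1 action=deny src=10.10.5.4 dst=198.51.100.5 dport=443 zin=reception zout=internet
"""


def parse(text):
    """Turn each 'timestamp host key=value ...' line into a dict."""
    events = []
    for line in text.splitlines():
        ts, host, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        event["host"] = host
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def probe_alerts(events, window=timedelta(seconds=60), min_ports=5):
    """One external source denied on >= min_ports distinct ports inside window."""
    by_src = defaultdict(list)
    for event in events:
        if event["action"] == "deny" and event["zin"] == "internet":
            by_src[event["src"]].append(event)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window over each start point
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                alerts.append(f"{first['ts']:%H:%M:%S} {src} denied on {len(ports)} "
                              f"distinct ports within {int(window.total_seconds())}s")
                break
    return alerts


def phi_egress_alerts(events):
    """Any allowed PHI-zone-to-Internet flow contradicts the segmentation policy."""
    return [f"{e['ts']:%H:%M:%S} {e['host']} allowed {e['src']} phi->internet dport={e['dport']}"
            for e in events
            if e["action"] == "allow" and e["zin"] == "phi" and e["zout"] == "internet"]


def review(text):
    """Daily review entry point: all alerts for one log export."""
    events = parse(text)
    return probe_alerts(events) + phi_egress_alerts(events)
```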
Firewall documentation helps your team comprehend what has been done, what still needs to be done, and where the problems are in your environment. Ultimately, it keeps your security efforts organized and makes next year’s job easier. After all, updating already existing documentation is much easier than starting from scratch.
You’ll likely spend some time documenting your HIPAA firewall compliance process and what you’ve completed.
Make sure documentation is regularly updated, especially if processes and/or rules change.
Here are some of the most important documentation pieces to consider:
- Description of groups, roles, and responsibilities: By documenting who is involved in the firewall process, you ensure those assigned are aware of their responsibilities.
- Organizational justification for allowed services, protocols, and ports: Compromise often occurs in areas that are unused, unpatched, and unmonitored. Ensure your firewall only allows the minimum number of connections required for your business to operate. If you need any ports or services open for your organization to function, the US Department of Health and Human Services (HHS) wants to know why and how you’re going to protect those open areas (particularly if they’re insecure services or protocols).
- Network and PHI flow diagrams: Without an accurate view into how your network is set up, you could overlook devices that need to be part of your firewall rule set. Network and PHI flow diagrams help identify the location of all network devices and how PHI flows through each piece of the network. While analyzing these diagrams, you should be able to study exactly what areas must be protected, and the unnecessary services, protocols, and ports to disable.
NETWORK AND PHI FLOW DIAGRAMS
Accurate PHI flow diagrams are vital for firewall documentation because they show how your systems are interacting with patient data. Systems in your network that store, process, or transmit PHI data need to be properly secured and separated from other systems on your network.
Create a diagram that shows how PHI enters your network, the systems it touches as it flows through your network, and any point it may leave your network. For example, patients fill out forms at hospitals, which pass patient records to doctors’ offices, which then transfer medical records to pharmacies. Patients add sensitive information to third party patient portals online, which then email a dentist receptionist, who then prints and stores it in a giant file cabinet.
Then you can overlay the PHI flows onto the systems in the network environment, and diagram and understand which systems store, process, or transmit PHI data. You can examine your actual network and decide how it fits into your PHI flow diagram by asking yourself:
- How is my network constructed?
- Is there one firewall at the edge of networks with PHI access?
- Is my network segmented internally?
- Does my environment have a multi-interface firewall?
- Do I have multiple firewalls?
Make necessary adjustments to your firewall rules so that your organization’s firewall(s) are properly set up.
PHI FLOW CHARTS ARE OFTEN MASSIVE. HEALTHCARE IS PROBABLY THE MOST INTERCONNECTED INDUSTRY IN THE WORLD.
FIREWALL BEST PRACTICES
Large healthcare organizations typically have firewalls in place, at least at the perimeter of their network (i.e., hardware firewalls). But be careful when selecting firewalls; make sure they support the necessary configuration options to protect critical systems and provide segmentation between the networks that do and do not have PHI access.
Smaller organizations sometimes struggle to understand firewall basics, and they often don’t have the necessary in-house expertise to configure and manage them correctly and securely. If this is the case, a third-party service provider should be contracted to provide assistance (e.g., a managed firewall solution), rather than simply deploying a default configuration and hoping for the best.
It may seem obvious, but leave as few holes as possible in your firewall. Rules should be as specific as possible for your networks; don’t just allow access to all Internet connections. For example, if you have third parties that remotely support your networks, limit their inbound access and the time-frames within which they can access your network. Then spend time reviewing your firewall rules and configuration.
Firewalls are the first (and often the only) line of defense; strict attention needs to be given to the logs and alerts that firewalls generate. Often, the volume of log data can be overwhelming, so organizations don’t look through them. But it’s important (and required) to review firewall logs in order to identify patterns and activity that indicate attempts to breach security. There are many good software packages available to help organizations deal with the volume of firewall log data and to more easily pick out the important data that requires you to take action.
For firewall implementation and maintenance, remember to follow these three practices:
- Write strict firewall rules.
- Pay attention to what logs tell you.
- Review firewall configurations frequently, adjust as necessary, and document everything.
THINGS YOU WILL NEED TO HAVE:
- Limited traffic into networks with PHI
- “Deny All” rule for all other inbound and outbound traffic
- Stateful Inspection/Dynamic Packet Filtering
- Documented business justification for each port or protocol allowed through the firewall
- An automated audit log tracking all security related events for all system components
- An inventory of authorized wireless access points with listed business justifications
THINGS YOU WILL NEED TO DO:
- Position firewall to prohibit direct inbound and outbound traffic from networks with PHI traffic
- Create a secure zone for any networks with PHI access; it must be separate from the DMZ (demilitarized zone)
- Outbound connections from networks with PHI access must be explicitly authorized
- Document all firewall policies and procedures
- Have a process in place to review the logs and security events at least daily, in addition to any reviews of system components as defined by the business for risk management strategy or other policies
- Have a process in place to respond to anomalies or exceptions
- Keep all audit log records for at least one year and keep the last three months’ logs readily available for analysis
- Run internal vulnerability scans on a quarterly basis using a qualified internal resource or qualified external third party (organizational independence must exist) and re-scan until all “high-risk” vulnerabilities are resolved
- Run quarterly external vulnerability scans and re-scan until all scans obtain a passing status (no vulnerability scores over 4.0)
- If wireless scanning is used to identify wireless access points, the scan must be run at least quarterly
THINGS YOU MAY NEED TO DO:
- Install a firewall between wireless networks and networks with PHI access (wireless only)
- Install a web application firewall on public-facing applications
To ensure your firewall does what it’s supposed to, consult with a HIPAA security professional. You’ll want to discuss what firewall types you need to use and which firewalls to purchase. This will prevent common mistakes and ensure everything is set up correctly. Make sure to take time to properly configure and periodically review your firewall rules/configuration.
Installing, updating, and maintaining your firewall can be difficult. Some organizations use a managed firewall(s) to help them with complex firewall rules and firewall management.