Like a security guard, a firewall controls what goes in and what comes out.
Many smaller healthcare practices struggle to understand how HIPAA requirements translate into specifics for their computer and network environment, HIPAA requirement §164.312(c)(1), for example. This guide will help!
It’s true this HIPAA regulation never mentions the word ‘firewall.’ But to be truly HIPAA compliant, any time your practice has a connection to the Internet you must have a physical firewall device, in addition to any software firewalls enabled on your systems, to protect yourself.
The most common concern I find with small covered entities is that they don’t know anything about firewalls. Worse, they think the little box their ISP (Internet Service Provider) gave them to connect to the Internet is a firewall, so they feel a false sense of security.
Firewalls & Security 101
More than just a powerful business tool, the Internet is a scary place riddled with viruses and malicious software actively attempting to gain access to computer systems and data.
No matter how boring or unimportant you may think patient data is, there are bad guys out there who want it and have figured out ways to make money once they get it.
Firewalls provide a first line of defense for your practice. A firewall acts much like a solid brick wall around a building, complete with a gate and security guard. The security guard only allows the things we have told him to allow through.
As such, we install a firewall between our computer systems and the Internet. This is often called a ‘perimeter firewall’ because it protects all our systems like a perimeter wall around a building. We give our firewall a list of detailed instructions, also known as Access Control Lists (ACLs), so that it knows what to allow in and out of the network.
Outbound firewall rules
It may be tempting to allow everything out of our systems. But allowing our computers to go anywhere greatly increases the chances of a malicious software infection.
If you haven’t already, now is a good time to think about the different roles or job functions that computers are used for. For instance, receptionists may need to access company email and health insurance websites. They probably don’t need Facebook, Twitter, Gmail, or even the job sites. We can set up a group for these computers and block those types of sites.
On the other hand, physician and nurse computers may need the Internet for research purposes, so they need more open access. They probably still don’t need Facebook, though. We can set up separate access lists for the sites and categories they can access.
Inbound firewall rules
Now let’s talk about what outsiders we want our security guard to let in through the gate. This is where I often see the most problems. Usually there are no rules, so everything is allowed in.
Big holes are left open at many practices so physicians or office managers can connect from home to the EMR or other systems. When someone outside our brick wall needs to come in past the security guard, this is called remote access. The computer used on the outside is the remote computer, and allowing that computer to connect to office systems is remote access.
If there is strong business justification for allowing connections from outside, let’s configure it properly. If not, the most secure option is turning off all remote access.
If you are allowing remote access, tell the security guard which people are allowed through and only let them in if they have the secret password. This can be done on our firewall using ACLs and VPNs.
A VPN is a virtual private network. It’s a protected tunnel or pipe between our office computer systems and another computer connecting in through the Internet. You need to have a username and password along with a secret code that is stored on the remote computer and is unique to that remote computer.
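To make the outbound and inbound rules above concrete, here is an added example (not Medicus code and not from the original article) of how a perimeter firewall evaluates its access control list: rules are checked in order, the first match decides, and anything that matches no rule is denied. The subnets, hostnames, role groups and site categories are constructed for illustration; a real firewall device would use its own rule syntax and a vendor category feed. The second, permit-everything policy models what an unconfigured ISP box effectively does.

```python
"""First-match ACL evaluator with an implicit deny (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed host groups: which office subnets play which role.
GROUPS = {
    "reception": [ip_network("10.0.10.0/24")],
    "clinical":  [ip_network("10.0.20.0/24")],
    "any":       [ip_network("0.0.0.0/0")],
}

# Constructed destination categories. A real firewall would use a vendor
# URL/category feed; here a category is simply a set of hostnames.
CATEGORIES = {
    "email":     {"mail.example-practice.test"},
    "insurance": {"portal.example-insurer.test"},
    "social":    {"facebook.com", "twitter.com"},
    "webmail":   {"gmail.com"},
    "jobs":      {"jobs.example.test"},
    "vpn":       {"vpn-gateway"},   # the office VPN listener (hypothetical name)
}


@dataclass(frozen=True)
class Rule:
    direction: str        # "out" (office -> Internet) or "in" (Internet -> office)
    src: str              # source group name
    dst: str              # destination category name, or "any"
    port: Optional[int]   # destination port, None = any port
    action: str           # "allow" or "deny"


# Perimeter policy: reception only gets what the job needs; clinical gets
# general web access, but social media is denied BEFORE the broad allow;
# inbound, only the VPN listener is reachable. Anything unmatched is denied.
PERIMETER_POLICY: List[Rule] = [
    Rule("out", "reception", "email",     443,  "allow"),
    Rule("out", "reception", "insurance", 443,  "allow"),
    Rule("out", "clinical",  "social",    None, "deny"),
    Rule("out", "clinical",  "any",       443,  "allow"),
    Rule("out", "clinical",  "any",       80,   "allow"),
    Rule("in",  "any",       "vpn",       1194, "allow"),
]

# What an unconfigured ISP box effectively does: let everything through.
ISP_BOX_POLICY: List[Rule] = [
    Rule("out", "any", "any", None, "allow"),
    Rule("in",  "any", "any", None, "allow"),
]


def in_group(addr: str, group: str) -> bool:
    """True if the IP address falls inside any subnet of the named group."""
    return any(ip_address(addr) in net for net in GROUPS[group])


def in_category(host: str, category: str) -> bool:
    """True if the destination host belongs to the category ('any' matches all)."""
    return category == "any" or host in CATEGORIES.get(category, set())


def evaluate(rules: List[Rule], direction: str, src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for one connection.

    The first matching rule wins; a connection that matches no rule at all
    is denied (the implicit deny at the end of every well-built ACL).
    """
    for rule in rules:
        if (rule.direction == direction
                and in_group(src, rule.src)
                and in_category(dst, rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"


if __name__ == "__main__":
    checks = [
        ("out", "10.0.10.5", "portal.example-insurer.test", 443),  # reception, insurer
        ("out", "10.0.10.5", "facebook.com", 443),                 # reception, social
        ("out", "10.0.20.7", "facebook.com", 443),                 # clinical, social
        ("out", "10.0.20.7", "pubmed.example.test", 443),          # clinical, research
        ("in",  "203.0.113.9", "vpn-gateway", 1194),               # outsider -> VPN
        ("in",  "203.0.113.9", "emr-server", 3389),                # outsider -> EMR
    ]
    for c in checks:
        print(c, "perimeter:", evaluate(PERIMETER_POLICY, *c),
              "| isp box:", evaluate(ISP_BOX_POLICY, *c))
```

Note that the clinical "deny social" rule sits above the broad "allow any on 443" rule; swap those two and the evaluator allows facebook.com, which is the usual way a first-match ACL ends up with a hole nobody intended.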
Now let’s not forget firewall logging
Logging plays a vital role in real-time alerts and backtracking to discover what occurred during a problem. Unfortunately, it’s often overlooked and misunderstood.
Per HIPAA requirements, we need to configure logging and monitoring properly. Think of logging as a security guard writing down the names of everyone trying to pass through the gate, both those who are permitted and those who aren’t.
Just like a good security guard will report if the same person keeps trying to get in, our firewall logs can help us determine if bad guys are launching a full-scale attack.
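Here is an added example (not part of the original article and not Medicus code) of the "same person keeps trying to get in" check: it parses firewall log lines, keeps only the denied inbound connections, and flags any source address that racks up a burst of denials inside a short window. The log format, the firewall name fw01 and the addresses are all constructed for this example; real firewalls each have their own log format, so the regular expression would need adjusting.

```python
"""Flag repeat offenders in firewall deny logs (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log in an invented key=value format. The source
# 198.51.100.23 is probing several services in quick succession; 192.0.2.77
# is denied twice, half an hour apart.
SAMPLE_LOG = """\
2024-03-04T09:15:01Z fw01 DENY in src=198.51.100.23 dst=10.0.0.5 proto=tcp dport=3389
2024-03-04T09:15:03Z fw01 ALLOW in src=203.0.113.9 dst=10.0.0.1 proto=udp dport=1194
2024-03-04T09:15:04Z fw01 DENY in src=198.51.100.23 dst=10.0.0.5 proto=tcp dport=22
2024-03-04T09:15:09Z fw01 DENY in src=198.51.100.23 dst=10.0.0.5 proto=tcp dport=445
2024-03-04T09:15:12Z fw01 DENY in src=192.0.2.77 dst=10.0.0.5 proto=tcp dport=23
2024-03-04T09:15:15Z fw01 DENY in src=198.51.100.23 dst=10.0.0.5 proto=tcp dport=1433
2024-03-04T09:15:20Z fw01 DENY in src=198.51.100.23 dst=10.0.0.5 proto=tcp dport=3306
2024-03-04T09:15:31Z fw01 ALLOW out src=10.0.10.5 dst=192.0.2.200 proto=tcp dport=443
2024-03-04T09:15:40Z fw01 DENY in src=198.51.100.23 dst=10.0.0.5 proto=tcp dport=5900
2024-03-04T09:45:00Z fw01 DENY in src=192.0.2.77 dst=10.0.0.5 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<dir>in|out) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def find_repeat_offenders(log_text: str, threshold: int = 5,
                          window_seconds: int = 60) -> Dict[str, dict]:
    """Return sources with at least `threshold` inbound denials inside any
    `window_seconds` span, with a summary of what they were refused."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only inbound denials count; allowed traffic and outbound noise are ignored.
        if ev is None or ev["action"] != "DENY" or ev["dir"] != "in":
            continue
        by_src[ev["src"]].append(ev)

    offenders: Dict[str, dict] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window of `threshold` consecutive denials; if any such run
        # fits inside window_seconds, the source is a repeat offender.
        for i in range(len(events) - threshold + 1):
            span = (events[i + threshold - 1]["ts"] - events[i]["ts"]).total_seconds()
            if span <= window_seconds:
                offenders[src] = {
                    "denies": len(events),
                    "ports": sorted({e["dport"] for e in events}),
                    "first": events[0]["ts"].isoformat(),
                    "last": events[-1]["ts"].isoformat(),
                }
                break
    return offenders


if __name__ == "__main__":
    for src, info in find_repeat_offenders(SAMPLE_LOG).items():
        print(f"{src}: {info['denies']} inbound denials, ports {info['ports']}, "
              f"{info['first']} .. {info['last']}")
```

The threshold and window are the knobs to tune: a single denial is just Internet background noise, while a handful against different services within a minute is the pattern worth an alert. Because the check needs the log lines to still exist, it also shows why a firewall's small on-box log buffer is not enough on its own.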
Nearly all firewalls have very limited logging space. This is where Medicus’ Security Package (SIEM/SOC) comes into play.
We log all these events on a local device, which then pushes them securely up to our Security Operations Center, where they are logged, audited, and turned into actionable alerts that need to be addressed. All of this happens before a breach does.
What do HIPAA regulations say about system logging?
Event, audit, and access logging is a requirement for HIPAA compliance. HIPAA requires you to keep logs on each of your key systems. These three HIPAA requirements apply to logging and log monitoring:
- Section 164.308(a)(5)(ii)(C): Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
- Section 164.312(b): Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- Section 164.308(a)(1)(ii)(D): Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Hopefully now you have a better understanding of firewalls, and how important they are to keeping system and patient data secure.
For more information regarding firewall protection and cyber security you can download our Security FAQ Sheet below!