Ask the Expert

Firewall requirements for mental health organization using DSL

I am trying to figure out the requirements for a firewall for my company. I am part of a mental health organization. We currently have a DSL line coming into our main office with a LinkSys DSL router. My understanding is that the router provides a NAT firewall. Is that sufficient? Also, we have a modem that accesses some of our database from remote locations. How do we secure (or can we) the modem access?


NAT is a good start for "firewalling" your Internet connection. NAT can help conceal your internal network configuration and help restrict incoming and outgoing traffic, but it's certainly not a complete solution. NAT has some drawbacks, such as not being able to log all connections effectively (since they are being translated) and interfering with VPN connections (although this is fixed with the NAT Traversal standard). In addition, NAT firewalls typically do not inspect the data in the packets passing through them, potentially allowing malicious attacks to occur over your open ports without your knowledge.

The best bang for your HIPAA compliance buck may be to install host-based firewall/intrusion-prevention software like BlackICE or similar on your Windows-based servers (at a minimum) and optimally on your Windows-based workstations as well -- that is, if you use Windows. There are other options for other platforms. This software will not only act as a firewall, but it will also cut off in real time any malicious attacks or intrusions that make it through the firewall/NAT combination. In a small office setting, with logging turned on, this can help fulfill several of the Security Rule requirements.

Also, keep in mind that just because you have a firewall or host-based intrusion-prevention software, the modem on your network could still be a huge vulnerability. A couple of quick tips would be to make it policy that the claims/modem software is not loaded except when you need to send a claim, and that the modem cannot accept incoming calls by any means. This needs to be tested from the outside to verify that this is the case. In addition, call-back verification, strong passwords and encryption (if available) are other best practices for dialup connections. You might consider encouraging your vendor to eventually eliminate the modem/dialup requirement and instead communicate via an encrypted SSL link over the Internet. An improperly configured modem and its associated application(s) can completely negate any other technologies, policies and procedures that you've implemented to protect patient privacy and keep PHI confidential.
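The answer above recommends host-based firewall software with logging turned on, because the resulting audit trail is part of what satisfies the Security Rule. The following is an added example, not part of the original answer and not BlackICE or TechTarget code: a small Python script that reads a host-based firewall log, counts blocked inbound connection attempts per source address, and flags sources that probe several ports on the same host. It assumes the Windows Firewall text log format (W3C extended, space-separated fields declared by a `#Fields:` header); the log lines are constructed for illustration, and the function names and the three-port sweep threshold are my own choices.

```python
"""Summarize blocked inbound connections from a host-based firewall log.

Added example, not from the original SearchSecurity answer. Assumes the
Windows Firewall text log format (W3C extended, space-separated, '#' headers);
BlackICE and other products use their own formats, so adjust parse_log() for
those. The log lines below are constructed for illustration (RFC 5737 ranges
for the outside addresses).
"""
from collections import defaultdict

# Constructed sample log: one outside host sweeping SMB, NetBIOS, SQL and RDP
# ports, one SNMP probe, plus two outbound events that are not of interest.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2003-04-10 09:15:21 DROP TCP 203.0.113.45 192.168.1.10 51234 445 48 S 123456 0 65535 - - - RECEIVE
2003-04-10 09:15:22 DROP TCP 203.0.113.45 192.168.1.10 51235 139 48 S 123457 0 65535 - - - RECEIVE
2003-04-10 09:15:23 DROP TCP 203.0.113.45 192.168.1.10 51236 1433 48 S 123458 0 65535 - - - RECEIVE
2003-04-10 09:15:24 DROP TCP 203.0.113.45 192.168.1.10 51237 3389 48 S 123459 0 65535 - - - RECEIVE
2003-04-10 09:16:02 DROP UDP 198.51.100.7 192.168.1.10 40000 161 78 - - - - - - - RECEIVE
2003-04-10 09:17:45 OPEN TCP 192.168.1.10 192.168.1.20 49152 443 0 - - - - - - - SEND
2003-04-10 09:18:10 DROP TCP 192.168.1.10 192.168.1.20 49153 135 48 S 5 0 65535 - - - SEND
"""


def parse_log(text):
    """Parse W3C-style firewall log text into a list of dicts keyed by field name.

    Field names come from the '#Fields:' header, so the parser does not hard-code
    column positions. Lines whose column count does not match the header are
    skipped rather than raising, so one corrupt line cannot stop the review.
    """
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header before the first event")
        parts = line.split()
        if len(parts) != len(fields):
            continue
        events.append(dict(zip(fields, parts)))
    return events


def summarize_blocked(events, min_ports=3):
    """Count blocked inbound (DROP + RECEIVE) attempts per source address.

    Returns {src_ip: {"count": n, "ports": [(proto, port), ...], "sweep": bool}}.
    A source that hits at least `min_ports` distinct destination ports is
    flagged as a port sweep; outbound DROPs and allowed (OPEN) connections
    are ignored here because the question concerns inbound exposure.
    """
    by_src = defaultdict(lambda: {"count": 0, "ports": set()})
    for ev in events:
        if ev["action"] != "DROP" or ev["path"] != "RECEIVE":
            continue
        entry = by_src[ev["src-ip"]]
        entry["count"] += 1
        entry["ports"].add((ev["protocol"], ev["dst-port"]))
    return {
        src: {
            "count": e["count"],
            "ports": sorted(e["ports"]),
            "sweep": len(e["ports"]) >= min_ports,
        }
        for src, e in by_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize_blocked(parse_log(SAMPLE_LOG)).items():
        flag = "  <-- port sweep" if info["sweep"] else ""
        print(f"{src}: {info['count']} blocked inbound, ports {info['ports']}{flag}")
```

Run against a real log file by replacing `SAMPLE_LOG` with the file's contents; the summary is the kind of periodic review record a small office can keep to show that firewall logs are actually being looked at, not just collected.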


For more information on this topic, visit these other SearchSecurity.com resources:
  • Ask the Expert: Necessity of a firewall for office using modem to send electronic claims
  • News & Analysis: Firewall best practices
  • Tech Tip: Performing firewall maintenance


    This was first published in April 2003
