Firewall requirements for mental health organization using DSL

Firewall requirements for mental health organization using DSL

I am trying to figure out the requirements for a firewall for my company. I am part of a mental health organization. We currently have a DSL line coming into our main office with a LinkSys DSL router. My understanding is that the router provides a NAT firewall. Is that sufficient? Also, we have a modem that accesses some of our database from remote locations. How do we secure (or can we) the modem access?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

NAT is a good start for "firewalling" your Internet connection. NAT can help conceal your internal network configuration and help restrict incoming and outgoing traffic, but it's certainly not a complete solution. NAT has some drawbacks, such as not being able to log all connections effectively (since they are being translated) and interfering with VPN connections (although this is fixed with the NAT Traversal standard). In addition, NAT firewalls typically do not inspect the data in the packets passing thru it, potentially allowing malicious attacks to occur over your open ports without your knowledge.

The best bang for your HIPAA compliance buck may be to install host-based firewall/intrustion-prevention software like BlackICE or similar on your Windows-based servers (at a minimum) and optimally on your Windows-based workstations as well -- that is if you use Windows. There are other options for other platforms. This software will not only act as a firewall, but it will cut off any malicious attacks or intrusions that make it through the firewall/NAT combination in real-time. In a small office setting, with logging turned on, this can help fulfill several of the Security Rule requirements.

Also, keep in mind that just because you have a firewall or host-based intrusion detection system, the modem on your network could still be a huge vulnerability. A couple of quick tips would be to make it policy that the claims/modem software is not loaded except for when you need to send a claim and that the modem cannot receive incoming calls by any other means. This needs to be tested from the outside to verify this is the case. In addition, call-back verification, strong passwords and encryption (if available) are other best practices for dialup connections. You might consider encouraging your vendor to eventually eliminate the modem/dialup requirement and instead communicate via an encrypted SSL link over the Internet. An improperly configured modem and its associated application(s) can completely negate any other technologies, policies and procedures that you've implemented to protect patient privacy and keep PHI confidential.

For more information on this topic, visit these other SearchSecurity.com resources:
  • Ask the Expert: Necessity of a firewall for office using modem to send electronic claims
  • News & Analysis: Firewall best practices
  • Tech Tip: Performing firewall maintenance


    This was first published in April 2003