I have been hearing so much lately about security, specifically about firewalls. I'm in a small office with four workstations, one server, no e-mail, an ISDN Internet connection and a modem on the server. Do I need a firewall? I haven't allowed incoming VPN connections, and the modem is only used for sending electronic claims. I just want to make sure I'm doing exactly what I need to do!
You're ISDN connection might have "firewall" technologies built into it. Check your manual or contact your ISP to see if it is performing packet filtering and/or network address translation. These two are a good start. If it doesn't support at least one of these, the best practice for this situation would be to install a low cost firewall. You can get a hardware solution from SonicWall, Netscreen, etc. The best bang for your buck may very be to install host-based firewall/intrustion-prevention software like BlackICE on your server (at a minimum) and optimally on your workstations as well. This software will not only act as a firewall, but it will cut off any malicious attacks or intrusions in real-time.
Remember, HIPAA is not about technology, and information security is not just about firewalls. General best practices (and HIPAA requirements) are to implement the proper technologies, policies and procedures that make up an overall secure infrastructure. This includes the proper system access controls and authentication, as well as policies and procedures outlining the who, what, when, where, why and how you're protecting protected health information (PHI).
Also, keep in mind that just because you have a firewall (hardware like SonicWall, Netscreen, etc., or software like BlackICE), the modem on your server could still be a huge vulnerability. A couple of quick tips would be to make sure the claims/modem software is not loaded except for when you need to send a claim and that the modem cannot receive incoming calls by any other means -- this needs to be tested from the outside to verify this is the case. An improperly configured modem and its associated application(s) can completely negate any other technologies, policies and procedures that you've implemented to protect patient privacy and keep PHI confidential.
For more information on this topic, visit these other SearchSecurity.com resources:
Dig Deeper on Network Device Management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.