Ask the Expert

Necessity of a firewall for office using modem to send electronic claims

I have been hearing so much lately about security, specifically about firewalls. I'm in a small office with four workstations, one server, no e-mail, an ISDN Internet connection and a modem on the server. Do I need a firewall? I haven't allowed incoming VPN connections, and the modem is only used for sending electronic claims. I just want to make sure I'm doing exactly what I need to do!



Your ISDN connection might have "firewall" technologies built into it. Check your manual or contact your ISP to see if it is performing packet filtering and/or network address translation. These two are a good start. If it doesn't support at least one of these, the best practice for this situation would be to install a low-cost firewall. You can get a hardware solution from SonicWall, Netscreen, etc. The best bang for your buck may very well be to install host-based firewall/intrusion-prevention software like BlackICE on your server (at a minimum) and optimally on your workstations as well. This software will not only act as a firewall, but it will cut off any malicious attacks or intrusions in real-time.

Remember, HIPAA is not about technology, and information security is not just about firewalls. General best practices (and HIPAA requirements) are to implement the proper technologies, policies and procedures that make up an overall secure infrastructure. This includes the proper system access controls and authentication, as well as policies and procedures outlining the who, what, when, where, why and how you're protecting protected health information (PHI).

Also, keep in mind that just because you have a firewall (hardware like SonicWall, Netscreen, etc., or software like BlackICE), the modem on your server could still be a huge vulnerability. A couple of quick tips would be to make sure the claims/modem software is not loaded except for when you need to send a claim and that the modem cannot receive incoming calls by any other means -- this needs to be tested from the outside to verify this is the case. An improperly configured modem and its associated application(s) can completely negate any other technologies, policies and procedures that you've implemented to protect patient privacy and keep PHI confidential.


For more information on this topic, visit these other SearchSecurity.com resources:
  • Strom's Security Tool Shed: SonicWall: Solid as a rock
  • Scheier's Security Product Roundup: HIPAA compliance: Tools alone aren't enough
  • News & Analysis: HIPAA compliance doesn't come in a box


    This was first published in February 2003
