|
NAT is a good start for "firewalling" your Internet connection. NAT can
help conceal your internal network configuration and help restrict
incoming and outgoing traffic, but it's certainly not a complete
solution. NAT has some drawbacks, such as not being able to log all
connections effectively (since they are being translated) and
interfering with VPN connections (although this is fixed with the NAT
Traversal standard). In addition, NAT firewalls typically do not inspect
the data in the packets passing thru it, potentially allowing malicious
attacks to occur over your open ports without your knowledge.
The best bang for your HIPAA compliance buck may be to install
host-based firewall/intrustion-prevention software like BlackICE or
similar on your Windows-based servers (at a minimum) and optimally on
your Windows-based workstations as well -- that is if you use Windows.
There are other options for other platforms. This software will not only
act as a firewall, but it will cut off any malicious attacks or
intrusions that make it through the firewall/NAT combination in
real-time. In a small office setting, with logging turned on, this can
help fulfill several of the Security Rule requirements.
Also, keep in mind that just because you have a firewall or host-based
intrusion detection system, the modem on your network could still be a huge
vulnerability. A couple of quick tips would be to make it policy that
the claims/modem software is not loaded except for when you need to send
a claim and that the modem cannot receive incoming calls by any other
means. This needs to be tested from the outside to verify this is the
case. In addition, call-back verification, strong passwords and
encryption (if available) are other best practices for dialup
connections. You might consider encouraging your vendor to eventually
eliminate the modem/dialup requirement and instead communicate via an
encrypted SSL link over the Internet. An improperly configured modem and
its associated application(s) can completely negate any other
technologies, policies and procedures that you've implemented to
protect patient privacy and keep PHI confidential.
For more information on this topic, visit these other SearchSecurity.com resources:
Ask the Expert: Necessity of a firewall for office using modem to send electronic claims
News & Analysis: Firewall best practices
Tech Tip: Performing firewall maintenance
|
