Firewall requirements for mental health organization using DSL

I am trying to figure out the requirements for a firewall for my company. I am part of a mental health organization. We currently have a DSL line coming into our main office with a LinkSys DSL router. My understanding is that the router provides a NAT firewall. Is that sufficient? Also, we have a modem that accesses some of our database from remote locations. How do we secure (or can we) the modem access?

NAT is a good start for "firewalling" your Internet connection. NAT can help conceal your internal network configuration and help restrict incoming and outgoing traffic, but it's certainly not a complete solution. NAT has some drawbacks, such as not being able to log all connections effectively (since they are being translated) and interfering with VPN connections (although this is fixed with the NAT Traversal standard). In addition, NAT firewalls typically do not inspect the data in the packets passing thru it, potentially allowing malicious attacks to occur over your open ports without your knowledge.

The best bang for your HIPAA compliance buck may be to install host-based firewall/intrustion-prevention software like BlackICE or similar on your Windows-based servers (at a minimum) and optimally on your Windows-based workstations as well -- that is if you use Windows. There are other options for other platforms. This software will not only act as a firewall, but it will cut off any malicious attacks or intrusions that make it through the firewall/NAT combination in real-time. In a small office setting, with logging turned on, this can help fulfill several of the Security Rule requirements.

Also, keep in mind that just because you have a firewall or host-based intrusion detection system, the modem on your network could still be a huge vulnerability. A couple of quick tips would be to make it policy that the claims/modem software is not loaded except for when you need to send a claim and that the modem cannot receive incoming calls by any other means. This needs to be tested from the outside to verify this is the case. In addition, call-back verification, strong passwords and encryption (if available) are other best practices for dialup connections. You might consider encouraging your vendor to eventually eliminate the modem/dialup requirement and instead communicate via an encrypted SSL link over the Internet. An improperly configured modem and its associated application(s) can completely negate any other technologies, policies and procedures that you've implemented to protect patient privacy and keep PHI confidential.