
Firewall requirements for mental health organization using DSL

I am trying to figure out the requirements for a firewall for my company. I am part of a mental health organization. We currently have a DSL line coming into our main office with a LinkSys DSL router. My understanding is that the router provides a NAT firewall. Is that sufficient? Also, we have a modem that accesses some of our database from remote locations. How do we secure (or can we) the modem access?

NAT is a good start for "firewalling" your Internet connection. NAT can help conceal your internal network configuration and help restrict incoming and outgoing traffic, but it's certainly not a complete solution. NAT has some drawbacks, such as not being able to log all connections effectively (since they are being translated) and interfering with VPN connections (although this is fixed with the NAT Traversal standard). In addition, NAT firewalls typically do not inspect the data in the packets passing through them, potentially allowing malicious attacks to occur over your open ports without your knowledge.

The best bang for your HIPAA compliance buck may be to install host-based firewall/intrusion-prevention software like BlackICE or similar on your Windows-based servers (at a minimum) and optimally on your Windows-based workstations as well -- that is, if you use Windows. There are other options for other platforms. This software will not only act as a firewall, but it will cut off in real time any malicious attacks or intrusions that make it through the firewall/NAT combination. In a small office setting, with logging turned on, this can help fulfill several of the Security Rule requirements.

Also, keep in mind that just because you have a firewall or host-based intrusion detection system, the modem on your network could still be a huge vulnerability. A couple of quick tips would be to make it policy that the claims/modem software is not loaded except for when you need to send a claim and that the modem cannot receive incoming calls by any other means. This needs to be tested from the outside to verify this is the case. In addition, call-back verification, strong passwords and encryption (if available) are other best practices for dialup connections. You might consider encouraging your vendor to eventually eliminate the modem/dialup requirement and instead communicate via an encrypted SSL link over the Internet. An improperly configured modem and its associated application(s) can completely negate any other technologies, policies and procedures that you've implemented to protect patient privacy and keep PHI confidential.
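The NAT behaviour the answer describes (outbound flows rewritten to the router's public address, unsolicited inbound packets dropped, and the loss of attribution when connections are logged only after translation) is modelled below as an added example; it is not code from the original Q&A, from LinkSys or from any router firmware. It assumes a single public address with a sequential port pool, and every address, port and log line in it is constructed from the RFC 5737 documentation ranges.

```python
"""Model of a NAT gateway: outbound flows are rewritten to the public address,
unsolicited inbound packets are dropped, and an external-side log entry can be
tied back to the internal host only if the router kept a translation log.

Added example for this page; not code from the original Q&A or any router
vendor. All addresses, ports and log lines are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges.
PUBLIC_IP = "203.0.113.10"          # the DSL router's public address
INTERNAL_HOSTS = ["192.168.1.20", "192.168.1.21"]

Flow = Tuple[str, int, str, int]     # (internal_ip, internal_port, remote_ip, remote_port)


@dataclass
class NatGateway:
    public_ip: str
    next_port: int = 40000                                    # first port in the translation pool
    table: Dict[int, Flow] = field(default_factory=dict)       # public_port -> flow
    translation_log: List[str] = field(default_factory=list)  # what the router must log to keep attribution

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Rewrite an outbound flow to the public address and record the mapping."""
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        self.translation_log.append(
            f"NAT {src_ip}:{src_port} -> {self.public_ip}:{pub_port} to {dst_ip}:{dst_port}")
        return self.public_ip, pub_port

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Tuple[str, int]]:
        """Forward an inbound packet only if it matches the remote side of an existing
        mapping. Anything else (an unsolicited packet to the public address) is dropped."""
        flow = self.table.get(dst_port)
        if flow is None or (flow[2], flow[3]) != (src_ip, src_port):
            return None
        return flow[0], flow[1]


# An external-side log (e.g. a remote server's access log) only ever sees the public address.
EXTERNAL_LOG_RE = re.compile(r"accepted from (?P<ip>[\d.]+):(?P<port>\d+)")
TRANSLATION_RE = re.compile(r"NAT (?P<int>[\d.]+:\d+) -> (?P<pub>[\d.]+:\d+) to")


def attribute(external_line: str, translation_log: List[str]) -> Optional[str]:
    """Map an external-side log line back to 'internal_ip:port' via the translation log.
    Returns None when the router kept no record of the mapping, which is the logging
    drawback of NAT described in the answer."""
    m = EXTERNAL_LOG_RE.search(external_line)
    if not m:
        return None
    public_endpoint = f"{m['ip']}:{m['port']}"
    for line in translation_log:
        t = TRANSLATION_RE.match(line)
        if t and t["pub"] == public_endpoint:
            return t["int"]
    return None


def demo() -> dict:
    """Run two internal hosts through the gateway; show return traffic, a dropped
    unsolicited packet, and attribution with and without the translation log."""
    gw = NatGateway(PUBLIC_IP)
    pub_a = gw.outbound(INTERNAL_HOSTS[0], 51000, "198.51.100.7", 443)
    pub_b = gw.outbound(INTERNAL_HOSTS[1], 51001, "198.51.100.7", 443)

    # Constructed lines as the remote server at 198.51.100.7 would log them.
    server_log = [
        f"198.51.100.7:443 accepted from {pub_a[0]}:{pub_a[1]}",
        f"198.51.100.7:443 accepted from {pub_b[0]}:{pub_b[1]}",
    ]
    return {
        "public_endpoints": [pub_a, pub_b],
        # return traffic for the first flow is forwarded to the host that opened it
        "reply_delivered_to": gw.inbound("198.51.100.7", 443, pub_a[1]),
        # an unsolicited packet to the same public port from another source is dropped
        "probe_delivered_to": gw.inbound("198.51.100.9", 12345, pub_a[1]),
        "with_translation_log": [attribute(line, gw.translation_log) for line in server_log],
        "without_translation_log": [attribute(line, []) for line in server_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `without_translation_log` result is the practical point: a remote server's log, or an upstream provider's, shows only the router's public address, so unless the router itself records each mapping (and that record is retained), no connection can be traced to a specific workstation. Host-based firewall logging, as the answer recommends, restores that attribution on the host itself.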

For more information on this topic, visit these other SearchSecurity.com resources:
  • Ask the Expert: Necessity of a firewall for office using modem to send electronic claims
  • News & Analysis: Firewall best practices
  • Tech Tip: Performing firewall maintenance

This was last published in April 2003
