
Necessity of a firewall for office using modem to send electronic claims

I have been hearing so much lately about security, specifically about firewalls. I'm in a small office with four workstations, one server, no e-mail, an ISDN Internet connection and a modem on the server. Do I need a firewall? I haven't allowed incoming VPN connections, and the modem is only used for sending electronic claims. I just want to make sure I'm doing exactly what I need to do!

Your ISDN connection might have "firewall" technologies built into it. Check your manual or contact your ISP to see if it is performing packet filtering and/or network address translation. These two are a good start. If it doesn't support at least one of these, the best practice for this situation would be to install a low-cost firewall. You can get a hardware solution from SonicWall, Netscreen, etc. The best bang for your buck may very well be to install host-based firewall/intrusion-prevention software like BlackICE on your server (at a minimum) and optimally on your workstations as well. This software will not only act as a firewall, but it will cut off any malicious attacks or intrusions in real-time.

Remember, HIPAA is not about technology, and information security is not just about firewalls. General best practices (and HIPAA requirements) are to implement the proper technologies, policies and procedures that make up an overall secure infrastructure. This includes the proper system access controls and authentication, as well as policies and procedures outlining the who, what, when, where, why and how you're protecting protected health information (PHI).

Also, keep in mind that just because you have a firewall (hardware like SonicWall, Netscreen, etc., or software like BlackICE), the modem on your server could still be a huge vulnerability. A couple of quick tips would be to make sure the claims/modem software is not loaded except for when you need to send a claim and that the modem cannot receive incoming calls by any other means -- this needs to be tested from the outside to verify this is the case. An improperly configured modem and its associated application(s) can completely negate any other technologies, policies and procedures that you've implemented to protect patient privacy and keep PHI confidential.
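A configuration-side complement to the outside test described above, as an added example that is not part of the original answer: it parses a Hayes-style profile dump (the kind many modems print for `AT&V`) and reports any profile whose S0 auto-answer register is non-zero, including a stored profile the modem can reload after a reset. The dump layout and the sample text are assumptions constructed for illustration, and software that answers calls itself is outside what this checks.

```python
import re

# Hayes-style S-register tokens as printed in a profile dump, e.g. "S00:000" or "S0=1".
# The lookbehind keeps command settings such as "&S0" from being read as a register.
_SREG = re.compile(r"(?<![&\w])S(\d{1,3})\s*[:=]\s*(\d{1,3})")
_SECTION = re.compile(r"^\s*((?:ACTIVE|STORED) PROFILE(?:\s*\d+)?)\s*:?\s*$", re.I)


def s0_by_profile(dump):
    """Return {profile name: S0 value, or None if S0 is not listed} per profile."""
    profiles = {}
    current = None
    for line in dump.splitlines():
        header = _SECTION.match(line)
        if header:
            current = " ".join(header.group(1).upper().split())
            profiles[current] = None
            continue
        if current is None:
            continue
        for reg, value in _SREG.findall(line):
            if int(reg) == 0:
                profiles[current] = int(value)
    return profiles


def audit_auto_answer(dump):
    """List findings; an empty list means every profile has auto-answer off."""
    profiles = s0_by_profile(dump)
    if not profiles:
        return ["no profile found in dump: cannot confirm auto-answer is off"]
    findings = []
    for name, s0 in profiles.items():
        if s0 is None:
            findings.append(f"{name}: S0 not reported, verify manually")
        elif s0 != 0:
            findings.append(f"{name}: S0={s0}, modem answers after {s0} ring(s)")
    return findings


# Constructed sample dump (assumed layout, not captured from a real device).
SAMPLE = """\
ACTIVE PROFILE:
E1 L1 M1 Q0 V1 X4 &C1 &D2 &S0
S00:000 S01:000 S02:043 S07:050
STORED PROFILE 0:
E1 L1 M1 Q0 V1 X4 &C1 &D2 &S0
S00:001 S01:000 S02:043 S07:050
"""

if __name__ == "__main__":
    for finding in audit_auto_answer(SAMPLE) or ["auto-answer off in all profiles"]:
        print(finding)
```

A clean result here covers only the modem's own setting; the dial-in test from an outside line is still what confirms that nothing answers.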


  • This was last published in February 2003
