Medical offices need to have a firewall or UTM appliance in working order to pass a HIPAA audit. Inspectors from Health and Human Services (HHS) Office of Civil Rights (OCR) check that patient health information (PHI) is secure in its storage, transference, and disposal. A firewall allows or denies access to anywhere PHI is kept.
When is a UTM not HIPAA compliant?
Funny story. In 2013, HHS docked a medical center at Idaho State University $400K when staffers disconnected firewalls from the network and left servers with PHI data exposed for nearly a calendar year. The hospital kept UTMs in the server closet with the cables disconnected; auditors noticed and hit them with a fine.
If I had to guess, admins disconnected firewall because it slowed the network, or interfered with application performance.
Firewalls need to have application-level inspection
To protect PHI data, a UTM needs to authenticate access within applications healthcare uses to provide care. In networking terms, layer 7 of the OSI is the application layer. A firewall or UTM must be smart enough protect PHI data within applications that medical professionals use.
Firewalls use identity-based authentication to grant appropriate permissions for working with patient data. Authentication is tied to a password or PIN used logon to systems and applications that work with PHI data. If the network is accessed with a mobile devices, a common practice already, a MDM tool monitors suspicious activity and pushes timely AV and OS to mobile devices. Learn more on how MDM works alongside other security infrastructure.
A UTM should be configured to block file transfers and peer-to-peer exchanges outside of the designated applications and storage media. Staff might try to extract PHI data from one application to another storage medium—a UTM will block that.
Popular UTMs used in healthcare
Create Separate HIPAA and non-HIPAA VLANs
Not every endpoint communication needs deep packet inspection. That slows the network. Use VLANs to separate users and endpoints that access medical systems with PHI data. The firewall routes traffic between VLANs.
Security checklist for VLAN communications
Not a comprehensive list, but common procedures for security include:
- Block ICMP ping requests
- Disable remote upgrade features
- Enable IP address filtering
- Enable MAC address filtering
- Shut down any open ports
- Block connections to the LAN from the Internet
HIPAA mandates archiving firewall logs
HIPAA rules require logging, auditing, and monitoring access to PHI data. Since UTM storage space is limited you will need an onsite storage server or subscribe to a cloud service specializing in medical data log archival.