Patrick Domingues

Do you know what firewalls to use to be HIPAA compliant? Is your Network Secure? How is your organization doing with logging? If you don’t know the answer to these questions, you’re not alone.

I am going to bluntly state that medical offices need to have a UTM Firewall  (Unified Threat Manager Firewall) appliance. These types of Firewalls will make it more simpler for you to pass a HIPAA audit. Inspectors from Health and Human Services (HHS) Office of Civil Rights (OCR) check that patient health information (PHI) is secure in its storage, transference, and disposal. A firewall allows or denies access to anywhere PHI is kept.

Your Firewalls should have application-level inspection

To protect PHI data the UTM Firewall can authenticate access within applications that healthcare uses to provide care. In networking terms, layer 7 of the OSI is the application layer. The UTM firewall is smart enough to protect PHI data within applications that medical professionals use.

The UTM Firewall should be configured to block file transfers and peer-to-peer exchanges outside of the designated applications and storage media. Staff might try to extract PHI data from one application and add it to another storage space and the UTM Firewall will block that.

Some of the best UTM Firewalls used in healthcare

• SonicWall TZ
• Untangle
• Sophos XG
• Fortinet FortiGate
• Cisco ASA

Best Practice, Separate HIPAA and non-HIPAA into VLANs

UTM Firewalls have the power to use VLANs to separate users and endpoints that access medical systems with PHI data. The firewall routes traffic between VLANs. Below I have an example of how VLANS can isolate access to other networks or resources. 

Security checklist for communications

Not a comprehensive list, but common procedures for security include:

• Block ICMP ping requests
• Disable remote upgrade features
• Enable IP address filtering
• Enable MAC address filtering
• Shut down any open ports
• Block connections to the LAN from the Internet
• Enabling Malware and Spyware Packet Inspection
• Enabling Content Filtering
• Enabling Intrusion Prevention System

HIPAA dictates that you must have firewall logs

The HIPAA dictates that you must have logging, auditing, and monitoring access to PHI data. UTM Firewalls have an extensive ability to log and capture all traffic on the network however since UTM Firewall storage space can be limited you will need an onsite storage server or use a cloud solution.

UTM Firewall Conclusion 

UTM Firewalls simply make your life easier for your Practice and IT Staff to manage and to quickly move towards achieving HIPAA Compliance.

• Tackling Shadow IT: The Unseen Network Security Risk
• How to Spot and Report Cybercrime Effectively
• IT Management Strategies For Startups
• 3 Common Mistakes in IT Operations You Can’t Afford to Make
• How Generative AI Impacts Email Security