[MOOT] True firewall needed for HIPAA compliance?

Jonnie Cache

Occasional Visitor
I’m an attorney and we have an IT company we work with for my law firm. They are trying to tell us that with HIPAA, because we often deal with medical records, we have to have a very expensive firewall instead of just a router. Does anyone know if this is true? I know nothing about HIPAA as that’s not the kind of law I practice. But, I feel like our IT company is trying to get us to spend money that we don’t need to spend.

Is it really a requirement or merely a “best practice”?
 
The firewall itself is usually just one part of being HIPAA compliant. You don't "require" a big fancy firewall for HIPAA compliance. You should just require a properly managed firewall, but more importantly, you need properly defined processes and procedures on how you handle that data when storing, transmitting, and processing it. This includes encryption, proper access controls, and many other items.

If you are using a consumer grade "router" with no outbound firewall controls in place, then yes, you should find a better solution. However, keep in mind this is usually where you bring in outside experts to review your entire environment if HIPAA compliance is a concern.
 
Thanks for the information. I guess I'm not sure if we are even a covered entity under HIPAA. From what I can tell, we are not because we don't regularly deal with medical records. I'll have to do some more research on that issue.

In terms of the "router", I was considering an Ubiquiti Unifi Router Pro as opposed to a multi-thousand dollar firewall appliance.
 
I would review the HIPAA statutes, and determine if you're a covered entity - if so, then it is a review of lifecycle of the documents and workflows that touch those documents.

HIPAA is more than just the "firewall" but all the other protections that need to be put in place to ensure HIPAA conformance...

Privilege follows the document, not the intent, so if working with medical records...
 
Thanks, we are not a covered entity.

Fair enough - look at HIPAA as a policy framework - probably best practice for other activities, much of it is common sense stuff. Much like Payment Cards, legal, etc...

Since your IT provider/consultant brought it up - invite them in, asking for specific recommendations

Sounds like they might be on the sharper end - sound them out and make decisions from there.
 
And if they are pushing a fancy firewall, ask for more details of why they feel that is required. Some of the newer fancy firewalls really are darn fancy. Web URL filtering, IPS, and other goodies. However, it all depends on what your budget is and if you have the skill sets in-house or contracted out to manage them. But if it is just for the ability to control network flows in and out...the Ubiquiti will be just fine.
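To make concrete what "outbound firewall controls" and "controlling network flows in and out" mean in the two replies above, here is an added example ruleset that is not from the thread or from any vendor. It assumes a Linux gateway running nftables (a Ubiquiti unit expresses the same policy through its own UI), with eth0 as the WAN side and eth1 as the office LAN; the resolver addresses are hypothetical placeholders. The point is the shape of the policy: a consumer router only denies unsolicited inbound traffic, while this one also denies outbound traffic by default and allows only what the office actually needs, logging everything else for the IT provider to review.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original thread): default-deny egress for a small office gateway.
# Assumed interfaces (hypothetical): eth0 = WAN/upstream, eth1 = office LAN.
flush ruleset

define WAN = eth0
define LAN = eth1
# Assumed: resolvers the firm chooses to trust (hypothetical addresses).
define RESOLVERS = { 9.9.9.9, 149.112.112.112 }

table inet office {
    chain input {
        # Traffic addressed to the gateway itself: nothing unsolicited from the WAN.
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Management (SSH/HTTPS), DNS and DHCP only from the LAN side.
        iifname $LAN tcp dport { 22, 443 } accept
        iifname $LAN udp dport { 53, 67 } accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain forward {
        # Default-deny in BOTH directions; a consumer router only denies inbound.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only LAN -> WAN is considered at all, and only via the allow-list below.
        iifname $LAN oifname $WAN jump egress
    }

    chain egress {
        # DNS only to the chosen resolvers; stops clients (or malware) talking to arbitrary DNS servers.
        ip daddr $RESOLVERS udp dport 53 accept
        ip daddr $RESOLVERS tcp dport 53 accept
        # Web, hosted mail (submission/IMAPS) and NTP.
        tcp dport { 80, 443, 587, 993 } accept
        udp dport 123 accept
        # Windows file sharing / RPC must never leave the office network; log attempts.
        tcp dport { 135, 137, 138, 139, 445 } log prefix "egress-smb-blocked " drop
        udp dport { 137, 138 } log prefix "egress-smb-blocked " drop
        # Everything else: rate-limited log for review, then drop.
        limit rate 10/minute log prefix "egress-denied "
        drop
    }

    chain postrouting {
        # Source NAT so the LAN can reach the Internet at all.
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` (or `nft -c -f <file>` first to syntax-check without applying). The allow-list is deliberately short; anything a new SaaS tool needs gets added to the `egress` chain explicitly rather than by opening the default, and the "egress-denied" log lines are the first thing to read when something in the office stops working.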
 
Really, it is about security more than anything else. We need to keep our client data secure, of course. That means preventing hackers from accessing our network. I guess that means IPS. Second most important is preventing problems such as viruses, malware, etc., which cost us downtime and money to fix them.
 
Most of what you just listed is more about client controls than network controls. All controls are important since they provide multiple layers of security. Although many businesses are using more and more SaaS/IaaS offerings like AWS, Google, or o365, so user education on how to protect their credentials and data becomes even more critical since all of that is now outside your firewall boundaries.

 
Yeah, we use Office365 for Exchange hosting, and Clio (SaaS) for our practice management. But, we haven’t really found a good cloud solution for our file storage. Pros and cons of accessibility, security groups, sharing files, etc. For now, we will keep storing our files locally with cloud backup.
 
Not sure if the OneDrive offering has changed much, but with you already having some o365 services, it may be worth looking at. The company I work for has moved to the GSuite and we use GDrive for the majority of our data. It has a steep learning curve to re-work various workflows/processes and such, but very easy to use and generally affordable.
 
As an attorney, you know that all these 'compliance' frameworks are just to keep everyone on the good side of the legal fence in case things go wrong (kind of like insurance).

If you feel you're being pushed by your IT company because they see you as a 'cash cow', get a second opinion. You wouldn't have surgery without a second opinion, and any significant change in IT should be treated the same.

PCI compliance, HIPAA, etc., all have public documents for their frameworks that you can download and read for yourself. A lot of times you already have the compliance via office policies or can easily comply by changing small things in office workflow/procedures. As sfx2000 mentioned above, HIPAA, like other compliance frameworks, isn't just one piece of equipment. And even with the right equipment, just changing one little thing can put you out of compliance.

If it makes you feel any better, I've seen that most doctor's offices don't even follow their own HIPAA guidelines that they require you to sign. And they don't seem to be getting into hot water, so I think your firm will be fine even without HIPAA compliance. :cool:
 
Most firms likely have stricter guidelines for document handling in any event, so it's generally a document review for HIPAA just in case...

Box does offer tailored solutions for HIPAA, Legal, and other applications...
 