Breaches can result in hefty costs. Penalties can range from $100 to $50,000 per violation or record, meaning even a small practice of 300 patients could pay out a minimum of $30,000 in fines.
Avoiding a data breach begins with a hardware firewall, say information technology experts. Not to be confused with firewall software loaded onto individual workstations, “a hardware firewall is your own private security firm that protects all your internet traffic entrance and exit doors,” says Curtis Woods with Integrated Solutions in Birmingham.
The hardware device sits between a practice’s internal server and its internet connection, serving as a gatekeeper. “It monitors traffic going in and out to make sure it’s not compromised,” says Aaron Woods, also with Integrated Solutions. “It inspects every piece of traffic to make sure it’s allowed through.”
Too many healthcare practices, however, never use the full protective abilities of their firewall. “Everybody understands you need some sort of protection from the internet. And that’s a firewall,” says Russ Dorsey with Kassouf & Co. “But what it should really do is help you control what your users are able to do.”
Recent publicized security breaches, from Target to the federal government, were not firewall penetrations. “They were people getting malware on their computers by going to websites they were not supposed to go to or opening emails they were not supposed to open,” Dorsey says.
Malware - most of which derives from the Eastern Bloc and Africa - becomes active by downloading needed programming from its home website. “The firewall stops that process by blocking its access to websites outside the U.S.,” Dorsey says. “So bad email can still come through, but if your firewall is set up as a malware filter, it can prevent bad email from turning into a disaster.”
Firewalls can also block employees from accessing sites that may be prone to malware or are simply time-wasters, such as Facebook and eBay. “That can increase productivity,” Dorsey says. “The office then builds a culture where the internet is not a playground anymore.”
Not all firewalls come with a content filtering capability. However, a separate piece can be purchased to enhance existing devices.
Healthcare organizations can also use firewalls to establish secure connections with third-party vendors. These virtual private networks (VPNs) allow for HIPAA-compliant transmission of protected health information (PHI), such as x-rays and lab results. “It’s like talking through the internet over a secure tunnel,” Aaron Woods says. Setting up a VPN on a firewall will require configuration by an IT provider.
IT professionals can also configure firewalls for a practice’s intranet servers to block external access. “Internet traffic is routed through ports. Web traffic goes through port 80,” says Alan Callahan with Dataperk. “If you didn’t have a firewall, someone could access your server from the outside going through port 80. But if you’re blocking that port, they cannot gain access.”
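The two policies described above, the outbound block on destinations outside the U.S. and the inbound block on port 80 to the intranet server, can be modeled as a first-match rule check. This is an added example, not code from the article or from any firewall vendor; the addresses, the country table and the function names are constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")            # hypothetical practice network
GEO = {                                    # constructed stand-in for a GeoIP feed
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "ZZ",    # placeholder non-US country code
}
ALLOWED_COUNTRIES = {"US"}
INBOUND_ALLOW = set()                      # (dst_ip, port) pairs opened on purpose; none here


def country_of(addr):
    """Return the country code for addr, or None when the feed has no entry."""
    for net, code in GEO.items():
        if addr in net:
            return code
    return None


def decide(src, dst, dport):
    """Return (action, reason) for one connection attempt; the first matching rule wins."""
    src, dst = ip_address(src), ip_address(dst)
    if src in LAN and dst in LAN:
        return "allow", "internal"         # never crosses the perimeter
    if dst in LAN:                         # inbound from the internet
        if (str(dst), dport) in INBOUND_ALLOW:
            return "allow", "inbound-exception"
        return "deny", "inbound-default-deny"
    if src in LAN:                         # outbound from a workstation
        code = country_of(dst)
        if code in ALLOWED_COUNTRIES:
            return "allow", "outbound-" + code
        # Unknown locations fail closed, same as known foreign ones.
        return "deny", "outbound-geo-block"
    return "deny", "not-our-traffic"


def summarize(conns):
    """Count decisions per reason, e.g. as input for a daily alert email."""
    return Counter(decide(*c)[1] for c in conns)


# Constructed sample traffic: (source, destination, destination port)
SAMPLE = [
    ("192.0.2.44", "10.0.0.10", 80),      # outsider reaching for the intranet web server
    ("10.0.0.23", "198.51.100.7", 443),   # workstation to a US site
    ("10.0.0.23", "203.0.113.9", 80),     # download attempt from a non-US host
    ("10.0.0.23", "192.0.2.200", 443),    # destination missing from the GeoIP feed
    ("10.0.0.23", "10.0.0.10", 80),       # staff using the intranet server
]
```

The destination missing from the country table is denied as well: a location filter that lets unknown addresses through blocks far less than its rule list suggests.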
Firewalls cost anywhere from $750 to $25,000 for massive office environments with many needs. For a typical clinic of two to five physicians and 30 staff, the cost runs about $1,500.
Along with the purchase price, the devices require an annual subscription fee paid to the manufacturer for service and software upgrades. “That annual fee generally runs about 20 percent of the purchase price,” Curtis Woods says.
When choosing a new firewall, practices should ensure it can handle the amount of data being transferred to avoid slowing their internet traffic. “Especially in these days of high-speed internet connections,” says Jason Williams with VentureNet. “A lot of firewalls can’t handle the data speed.” The average healthcare practice likely runs at least 10,000 to 20,000 connections.
Generally after about five years, manufacturers stop supporting a model or releasing firmware updates for it. “It can also tell you when it’s failing,” Williams says. “Set the log to send an email if it detects issues. If you get errors, forward them to your IT person and let them look at it.”
Firewalls are only the first line of defense, warn IT experts. “You can’t lock a firewall down too tight or good stuff won’t come through and the user will never see it,” Curtis Woods says. “You still need good anti-virus software at your servers and desktops.”
Dorsey says devices and software take your security only so far. Regularly training employees in security protocols should be required. “The best firewall cannot protect you against bad practices by users.”