Auditor Tips: Firewall Best Practices

Healthcare organizations of all sizes use firewalls to protect the perimeter of their sensitive networks. Here are some firewall best practices to get you started.

Christopher Skarda

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.

“Review firewall rules and configuration regularly and remove rules that are no longer needed.”

Healthcare organizations of all sizes use firewalls to protect the perimeter of their sensitive networks. Smaller organizations often don’t have in-house personnel familiar with proper firewall configuration. If that is the case, engage a third-party provider for assistance rather than simply deploying a firewall with a minimal or default configuration; a firewall left at its defaults gives an organization far less protection than it assumes it has.

It may seem obvious, but your firewall should permit only the traffic that is necessary and deny everything else by default. Rules should be as specific as possible for your network(s): no unnecessary source IP addresses, destination IP addresses, or ports/services should be allowed into or out of your sensitive networks. Outbound rules matter as much as inbound ones, since an “allow anything outbound” rule lets a compromised internal host reach the internet unhindered. For example, if third parties remotely support your network(s), restrict the rule to the specific IP addresses they connect from and to the specific hosts and ports they need, rather than exposing the service to the whole internet. Review your firewall rules and configuration regularly, and be diligent about removing rules that are no longer needed; where your firewall keeps per-rule hit counters or last-match timestamps, use them to spot rules that nothing has used in months.
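The review described above can be partly automated. The following is an added example, not code from the original article or the vendor: it audits a constructed, vendor-neutral rule list for the problems the paragraph names (any-source or any-port allows, overly wide address ranges, rules nothing has matched in 90 days, and a missing final deny-all). The rule format, rule names, addresses and dates are all constructed for illustration; a real firewall exports rules in its own syntax (`iptables-save`, `nft list ruleset`, a vendor CLI or XML dump), so a small importer would sit in front of this check. It goes slightly beyond the text by also flagging ranges wider than a /24, which an auditor would normally ask about.

```python
"""Audit a firewall rule set against the 'only necessary traffic' principle.

Added example, not part of the original article. The Rule format below is
constructed and vendor-neutral; real rule exports need an importer first.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    ports: str                # "22", "443", "3389", or "any"
    last_hit: Optional[date]  # last time the rule matched traffic; None = never


def is_any(net: str) -> bool:
    """True for 'any' or a /0 network, i.e. no restriction at all."""
    if net.lower() == "any":
        return True
    return ipaddress.ip_network(net, strict=False).prefixlen == 0


def is_broad(net: str, max_hosts: int = 256) -> bool:
    """True when a network covers more than max_hosts addresses (wider than a /24)."""
    return is_any(net) or ipaddress.ip_network(net, strict=False).num_addresses > max_hosts


def audit(rules: List[Rule], today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for rules an auditor would question."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.action != "allow":
            continue  # only allow rules widen exposure; deny rules are reviewed separately
        for label, net in (("source", r.src), ("destination", r.dst)):
            if is_any(net):
                findings.append((r.name, f"allows any {label} address"))
            elif is_broad(net):
                findings.append((r.name, f"{label} range is wider than a /24"))
        if r.ports.lower() == "any":
            findings.append((r.name, "allows any port/service"))
        if r.last_hit is None or (today - r.last_hit).days > stale_days:
            findings.append((r.name, f"no traffic matched in {stale_days} days; candidate for removal"))
    # A strict policy ends with an explicit deny-all so unlisted traffic is blocked.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or not (is_any(last.src) and is_any(last.dst)):
        findings.append(("(policy)", "no final deny-all rule; traffic not explicitly allowed may get through"))
    return findings


TODAY = date(2024, 6, 1)  # constructed reference date for the stale-rule check

# Constructed sample. "vendor-rdp-old" is the shape a hastily added remote-support
# rule often takes; "vendor-rdp" is the tightened form the article recommends.
SAMPLE_RULES = [
    Rule("vendor-rdp-old", "allow", "any", "10.10.0.0/16", "any", date(2024, 5, 30)),
    Rule("vendor-rdp", "allow", "203.0.113.10/32", "10.10.1.5/32", "3389", date(2024, 5, 30)),
    Rule("old-ftp", "allow", "198.51.100.0/24", "10.10.2.30/32", "21", date(2023, 11, 1)),
    Rule("legacy-telnet", "allow", "10.10.5.0/24", "10.10.1.9/32", "23", None),
    Rule("default-deny", "deny", "any", "any", "any", date(2024, 5, 31)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, TODAY):
        print(f"{name:16} {finding}")
```

Run it against the sample and the output lists the three problems with the old vendor rule, the two unused rules, and nothing for the tightened vendor rule or the deny-all; drop the final deny rule from the list and the policy-level finding appears.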

Pay strict attention to the logs and alerts your firewall generates. The volume of log data can be overwhelming, but reviewing firewall logs is important (and required under the HIPAA Security Rule’s information system activity review standard) in order to identify patterns and activity that indicate attempts to breach security: a single source probing many ports, repeated denied connections to a sensitive service such as RDP, or accepted connections from addresses that should never have been allowed through. There are many good log monitoring and SIEM solutions available to help organizations handle large volumes of log data and flag events that may require action; take the time to evaluate options and find one that works for you. Whatever you choose, keep the firewall’s clock synchronized with NTP and ship logs off the device itself, so that an attacker who compromises the firewall cannot erase the evidence.
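To make the three patterns above concrete, here is an added example (not code from the original article or any product it mentions) that runs simple detection logic over constructed firewall log lines. The lines imitate the netfilter/iptables `LOG` target as it appears in syslog; the hostnames, addresses, timestamps and the approved vendor address `203.0.113.10` are all made up for the sample, and other firewalls log in their own format, so the regular expression is the part you would adapt.

```python
"""Pattern detection over firewall deny/accept logs.

Added example, not part of the original article. Log lines are constructed
in the netfilter/iptables LOG-target syslog style.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>ACCEPT|DROP|REJECT) "
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: a port sweep, three RDP denies from one host, a legitimate
# vendor RDP session, an RDP session from the host that was just denied, an
# ICMP drop with no ports, and one line that is not a firewall event at all.
SAMPLE_LOG = """\
Jun  1 03:14:07 fw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=51234 DPT=21
Jun  1 03:14:07 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=51235 DPT=22
Jun  1 03:14:08 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=51236 DPT=23
Jun  1 03:14:08 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=51237 DPT=80
Jun  1 03:14:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=51238 DPT=443
Jun  1 03:14:09 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=51239 DPT=3389
Jun  1 03:20:01 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=40001 DPT=3389
Jun  1 03:20:31 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=40002 DPT=3389
Jun  1 03:21:02 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=40003 DPT=3389
Jun  1 04:02:15 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=55000 DPT=3389
Jun  1 04:10:44 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=10.10.1.5 LEN=60 PROTO=TCP SPT=40004 DPT=3389
Jun  1 04:11:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.1.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
this line is not a firewall event
"""

# Constructed: the only address the remote-support vendor is allowed to use.
APPROVED_RDP_SOURCES = {"203.0.113.10"}


def parse(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Parse log lines into event dicts; return unparseable lines too, never drop them silently."""
    events, skipped = [], []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            skipped.append(line)
            continue
        ev = m.groupdict()
        ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None  # ICMP etc. carry no ports
        events.append(ev)
    return events, skipped


def port_scans(events: List[dict], min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources whose denied packets touched at least min_ports distinct destination ports."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for ev in events:
        if ev["action"] in ("DROP", "REJECT") and ev["dpt"] is not None:
            ports[ev["src"]].add(ev["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def repeated_denies(events: List[dict], port: int, threshold: int = 3) -> Dict[str, int]:
    """Sources denied `threshold` or more times on one sensitive port (e.g. 3389 or 22)."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev["action"] in ("DROP", "REJECT") and ev["dpt"] == port:
            counts[ev["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def unexpected_accepts(events: List[dict], port: int, allowed_sources: Set[str]) -> List[str]:
    """Sources that were allowed through to `port` but are not on the approved list."""
    return sorted({ev["src"] for ev in events
                   if ev["action"] == "ACCEPT" and ev["dpt"] == port
                   and ev["src"] not in allowed_sources})


if __name__ == "__main__":
    events, skipped = parse(SAMPLE_LOG.splitlines())
    print("port scans:", port_scans(events))
    print("repeated RDP denies:", repeated_denies(events, 3389))
    print("RDP accepted from unapproved sources:", unexpected_accepts(events, 3389, APPROVED_RDP_SOURCES))
    print("unparsed lines:", len(skipped))
```

On the sample, the sweep from `198.51.100.23` and the three RDP denies from `192.0.2.77` show up as expected; the more interesting finding is the last one, where `192.0.2.77` is later accepted on 3389 even though it is not the approved vendor address, which is exactly the kind of rule gap a log review should catch. In production the counts would be computed over a sliding time window rather than the whole file, and the unparsed-line count should be alerted on, since a format change that breaks parsing otherwise looks like a quiet night.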

For firewall implementation and maintenance, remember to follow these important practices:

  • Assign someone to be responsible for maintaining and updating a securely configured firewall.
  • Always change the default usernames and passwords before putting a firewall into production. Use only passwords that are long, complex, and unique, and enable multi-factor authentication for administrative access where the firewall supports it.
  • Keep your firewall firmware/software updated and apply vendor security patches promptly. Replace your firewall before the vendor ends support for it.
  • Write strict firewall rules. Be very specific about which traffic should be allowed, and deny all other traffic.
  • Monitor and respond to logs in a timely manner.
  • Review firewall configurations frequently and adjust as necessary.

Maintain a detailed firewall configuration standard and follow it, including the business justification for every allowed rule so that a reviewer can tell which rules are still needed. When firewall responsibility assignments change or a new firewall needs to be configured quickly, documentation can be the difference between success and failure.
