HIPAA Compliant Firewall Router Suggestions


Computer Chip
09-29-2009, 10:25 PM
I am helping a chiropractor friend to set up a small office LAN. Right now she is still using dialup for internet access (imagine that).

I need suggestions on hardware (router, firewall, wireless AP) that is HIPAA compliant.

Thanks

angry_geek
09-29-2009, 10:39 PM
The actual wording in the HIPAA guidelines involving electronic security is somewhat lacking. I do a lot of doctor's offices, and I have a general method for most of them. As far as the router/firewall, I typically use a sonicwall or watchguard unit. If they can't afford this, go with a WRT54GL unit and run dd-wrt or tomato. I like to keep the wireless AP separate from the router, so, if I'm using a WRT54GL, I turn off the wifi. For medical offices, I like to use an A-based wireless network with WPA2. You can use G, but you'll have better range with A. Plus, most people don't have A adapters in their computers.

basic
09-29-2009, 11:14 PM
Another vote for using SonicWall.

Computer Chip
09-29-2009, 11:28 PM
Ok, it sounds like SonicWall is the way to go. This is a simple peer-to-peer network. No VPN is needed. Any suggestions on the actual model? Do these include a router/DHCP server, or does the router need to be installed downstream of the firewall?

rtrice81
09-30-2009, 03:00 AM
A SonicWall is a great box; it does many things at a minimum. It does router, firewall and DHCP.

It will also run IDS, spam filter and CFS.

Cue
09-30-2009, 10:39 AM
The actual wording in the HIPAA guidelines involving electronic security is somewhat lacking. I do a lot of doctor's offices, and I have a general method for most of them. As far as the router/firewall, I typically use a sonicwall or watchguard unit. If they can't afford this, go with a WRT54GL unit and run dd-wrt or tomato. I like to keep the wireless AP separate from the router, so, if I'm using a WRT54GL, I turn off the wifi.

I vote for DD-WRT, it has excellent features and there is an excellent community of help.
Note, I don't know anything about "HIPAA", but I can guess your feature needs.
For medical offices, I like to use an A-based wireless network with WPA2. You can use G, but you'll have better range with A. Plus, most people don't have A adapters in their computers.
I don't agree with this; A is 5GHz and has much lower penetration than 2.4GHz and shorter range.
I don't like WPA2; I have had some computers' wireless that have problems with it, they sometimes seem to lose their connection.

Blues
09-30-2009, 01:31 PM
I vote for DD-WRT, it has excellent features and there is an excellent community of help.
Note, I don't know anything about "HIPAA", but I can guess your feature needs.

I don't agree with this; A is 5GHz and has much lower penetration than 2.4GHz and shorter range.
I don't like WPA2; I have had some computers' wireless that have problems with it, they sometimes seem to lose their connection.

DD-WRT, I think, is a valid option if they are not willing to put in the money, but you could just as easily find and configure a Linux OS on a box with dual NICs to make a nice firewall.

When you say A has lower penetration, are you talking signal strength or market saturation? I think the uncommon nature of it is a plus to a business concerned with security; it keeps people off who generally shouldn't be on.

Cue
09-30-2009, 02:14 PM
DD-WRT, I think, is a valid option if they are not willing to put in the money, but you could just as easily find and configure a Linux OS on a box with dual NICs to make a nice firewall.

When you say A has lower penetration, are you talking signal strength or market saturation? I think the uncommon nature of it is a plus to a business concerned with security; it keeps people off who generally shouldn't be on.

Well, maybe not as easily. Linux is a bitch to handle compared to a nice GUI :)

I meant signal strength.
But using WPA encryption is security enough in my opinion. Relying on 5GHz as a security measure is not so secure.
Anyone that can crack WPA can easily do it on 5GHz as well.

Blues
09-30-2009, 02:25 PM
Linux can have a nice GUI; Linux is just the underlying structure, not the interface. I certainly did not mean to imply using unencrypted, unsecured A wireless. I simply mean that its uncommon nature is something of an extra level of security.

Computer Chip
09-30-2009, 04:20 PM
Thanks everyone, We have decided to go with the sonicwall. I care because my SS# is in her patient database too. LOL

angry_geek
09-30-2009, 05:53 PM
Well, maybe not as easily. Linux is a bitch to handle compared to a nice GUI :)

I meant signal strength.
But using WPA encryption is security enough in my opinion. Relying on 5GHz as a security measure is not so secure.
Anyone that can crack WPA can easily do it on 5GHz as well.

HIPAA is a thorn in the side for every medical office in the US. It's better to have a little more than a little less security. A is far less common than G, and most people don't have adapters in their machines. Therefore, most people will never know the network is there. You do usually get better range from A access points as there is less interference from other devices and it uses more power. WPA is not nearly as easy to crack as WEP. WPA2 just puts that little bit more out there for security. Yes, sometimes WPA2 has issues with certain adapters, but not most A adapters. Remember, he's not setting up a coffee shop; it's a medical office with a lot of important data floating around.

Cue
09-30-2009, 07:02 PM
Linux can have a nice GUI; Linux is just the underlying structure, not the interface. I certainly did not mean to imply using unencrypted, unsecured A wireless. I simply mean that its uncommon nature is something of an extra level of security.

Linux CAN have that, but.
Is there any free Linux PC-based router/firewall out there, with a GUI?

I know you did not mean that. I meant that someone that can hack WPA2 would have 5GHz, and a nice limo to sit in while he cracked WPA2 :)

Some idiot that simply sees some 5GHz network there and tries to access it could not, never.

Cue
09-30-2009, 07:04 PM
Thanks everyone, We have decided to go with the sonicwall. I care because my SS# is in her patient database too. LOL

Nice :D

Good choice.
Too bad that I have to deal with the cheapest companies here in Iceland. So I can never have anything that lovely.

Cue
09-30-2009, 07:05 PM
HIPAA is a thorn in the side for every medical office in the US. It's better to have a little more than a little less security. A is far less common than G, and most people don't have adapters in their machines. Therefore, most people will never know the network is there. You do usually get better range from A access points as there is less interference from other devices and it uses more power. WPA is not nearly as easy to crack as WEP. WPA2 just puts that little bit more out there for security. Yes, sometimes WPA2 has issues with certain adapters, but not most A adapters. Remember, he's not setting up a coffee shop; it's a medical office with a lot of important data floating around.

Yeah, I guess it's true.
Even microwaves use the 2.4GHz spectrum.

Computer Chip
09-30-2009, 08:26 PM
Does anyone know what the yearly subscription price is for the AV, AS and intrusion service? I can't find the price anywhere.

Blues
09-30-2009, 08:27 PM
Linux CAN have that, but.
Is there any free Linux PC-based router/firewall out there, with a GUI?

I couldn't answer that, as I don't set up free firewalls. I haven't even ever found a need to bother with DD-WRT; I would at home, but being cheap and not wanting to risk bricking my router, I haven't yet.

e2346437
10-01-2009, 02:24 AM
Wow, wireless in a medical office? Really? The local HIPAA expert here in my town told me years ago that any wireless AP in a medical office will result in an automatic failure of any HIPAA evaluation. As there isn't a single type of wireless encryption that hasn't been cracked, I can see why.

angry_geek
10-01-2009, 03:34 AM
Wow, wireless in a medical office? Really? The local HIPAA expert here in my town told me years ago that any wireless AP in a medical office will result in an automatic failure of any HIPAA evaluation. As there isn't a single type of wireless encryption that hasn't been cracked, I can see why.

The HIPAA expert in your town is a moron if he truly spouts that nonsense. Nearly every medical office, clinic, and hospital in the US, if not the world, relies heavily on wireless networking. Doctors and nurses have laptops and tablets, drug dispensing units in some hospitals talk to the databases wirelessly, PDAs, etc. The actual HIPAA phrasing is something along the lines of you need to make a reasonable attempt at data security. If someone wants to hack a network badly enough, and has the skills, they will get into the network.

basic
10-02-2009, 12:08 AM
The HIPAA expert in your town is a moron if he truly spouts that nonsense. Nearly every medical office, clinic, and hospital in the US, if not the world, relies heavily on wireless networking. Doctors and nurses have laptops and tablets, drug dispensing units in some hospitals talk to the databases wirelessly, PDAs, etc. The actual HIPAA phrasing is something along the lines of you need to make a reasonable attempt at data security. If someone wants to hack a network badly enough, and has the skills, they will get into the network.

I second the moron notion. The expert is probably a victim of his/her own ignorance. Unless a wired network is completely disconnected from the internet, it is just as susceptible to being compromised by a user who doesn't know how to properly secure their network.

e2346437
10-07-2009, 01:52 PM
Come on folks, "moron" is a pretty harsh word. "Misinformed" would be much nicer really, if your position is to disagree. The person I'm referring to is an MD, and the local hospital that he works in is part of a larger chain. Their system-wide policy is zero-wireless networking, although they do have a 900mhz telemetry network.

My own position is that I will never recommend a wireless AP in a medical setting.

rusty.nells
10-07-2009, 02:34 PM
My own position is that I will never recommend a wireless AP in a medical setting.

With all of the tablets/devices in use, that may be impractical for some organizations.