The HIPAA Security Rule and HIPAA Firewall Controls
Under the technical safeguard requirements of the HIPAA Security Rule, covered entities must implement policies and procedures to protect electronic protected health information (ePHI) from improper alteration or destruction. HIPAA firewall controls are used to provide such protection. Proper firewall use can help to ensure that a covered entity’s network does not fall victim to unauthorized access that might compromise the confidentiality, integrity, or availability of ePHI.
What are HIPAA Firewall Controls?
Firewall controls are network security systems that monitor and control incoming and outgoing network traffic. Network traffic is data that moves across a network at a given point of time.
Outbound firewall controls ensure that healthcare organization employee computers can only access those websites necessary for employees for their job functions.
For example, if an employee is a receptionist, and that person’s role requires access to company email, the firewall controls for his or her computer can be configured to allow access to company email servers, but to block access to sites to which the employee’s job role does not require – such as, for example, Facebook or Twitter. Limiting access to only those websites and functions necessary for the employee to perform his or her job role limits the ability of the employee to access websites that may expose the computer to malicious software.
Under the HIPAA Security Rule, rules can be created for HIPAA firewall controls, such that each employee’s computer will be configured with the appropriate amount of network access. For example, in contrast to the limited Internet access a receptionist might need, a healthcare provider (i.e., a physician or a nurse) might require extended Internet access – to conduct research, for example. Firewall rules can be created that allow the healthcare provider to have more robust access, and the receptionist to have less robust access; indeed, firewall control roles can be created for every job title, to ensure each employee is given appropriate access based on his or her role.
Using HIPAA firewall controls ensures that only those individuals who are authorized to access ePHI, and who have a need for such access, are able to obtain such access. Firewalls use a type of authentication known as identity-based authentication to ensure only those employees authorized to access ePHI may do so. Identity-based authentication is a mechanism that verifies an individual’s identity. Authentication requires the individual to provide information that is known only to the user (such as a PIN #, code, or token).
HIPAA firewall controls are a necessary component to maintaining HIPAA compliance and securing your organization. Failure to implement HIPAA firewall controls can put your organization at risk for costly healthcare breaches and HIPAA fines.