HIPAA and firewalls

Archived from groups: comp.security.firewalls,ba.internet,sci.med.transcription,microsoft.public.biztalk.accelerator.hipaa

Hello all. I was trying to connect a few radiology offices in a HIPAA
compliant manner using VPN. We were considering hardware firewalls
from Watchguard, Netgear, SonicWall, just read something about
NetScreen, don't know anything yet about HP. The offices are connected
using 768k upload DSL, which I presume is the bottleneck. I have read
previous posts on older equipment, but haven't seen anything
discussing 2004 equipment. I wondered what you all thought out there?

1. Which products would be the most cost-effective, given all the
different plans and service and upgrade stuff?

2. Why do the little boxes cost so darn much? They cost way more than
the computers you are trying to protect. I guess the data is
invaluable, but still...

3. What do you experts think about those arrangements where you buy
hours of telephone tech support to walk you through an install
yourself? Much cheaper than an on-site install. Is the end result as
reasonable? Or at least satisfactory?

4. There are all of these different kinds of authentication - user,
login, certificate. What do I really need? Different vendors all give
you different information.

Thanks,
Irwin
  1.

    On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:

    >Hello all. I was trying to connect a few radiology offices in a HIPAA
    >compliant manner using VPN. We were considering hardware firewalls
    >from Watchguard, Netgear, SonicWall, just read something about
    >NetScreen, don't know anything yet about HP.

    I'll assume that you want to terminate the VPN with a VPN router and
    not a server. It would be nice to know the number of machines at each
    end of the VPN, as many vendors license their routers based upon the
    number of "users".

    >The offices are connected
    >using 768k upload DSL, which I presume is the bottleneck.

    Yep. The slowest speed at BOTH ends of the link is the limiting
    factor. For a while, the local DSL was 1500/128 kbits/sec. Two of
    these DSL lines resulted in performance identical to 128/128 ISDN
    lines. Recently, this has been increased to 1500/256 kbits/sec.
    Where did you find an xxxx/768 kbits/sec line? ADSL or SDSL?

    > I have read
    >previous posts on older equipment, but haven't seen anything
    >discussing 2004 equipment. I wondered what you all thought out there?

    Buying the latest greatest often enlists you in the vendor's beta test
    and debugging program. Are you sure you want the latest greatest?

    >1. Which products would be the most cost-effective, given all the
    >different plans and service and upgrade stuff?

    Service plans and upgrades imply that you're buying into some kind of
    service contract. This is the way Watchguard and Sonicwall operate.
    They license by the number of users, which can be increased from the
    base 10 user system to whatever your budget can afford. You need to
    purchase an annual contract to obtain updates and support. While this
    may have been a proper way to fund development in the past, methinks
    this is a bad and expensive method of purchasing a router. You need
    an "appliance", not a relationship.

    >2. Why do the little boxes cost so darn much? They cost way more than
    >the computers you are trying to protect. I guess the data is
    >invaluable, but still...

    Trivia: If you find the data sheet online, and it takes more than a
    dozen clicks to find the price, they're not interested in selling you
    a product. They're selling a relationship or re-selling the
    relationship through an authorized dealer.

    There's no reason for such VPN routers to be expensive. The need to
    fund development and for the vendor to pay license fees to technology
    owners was the prime culprit in the past. There's nothing magic
    about IPsec VPNs that justifies the current level of pricing, other than
    that users continue to pay high prices for user-count-based licenses.

    There are several VPN routers that do not count users and are quite
    economical. Details to follow.

    >3. What do you experts think about those arrangements where you buy
    >hours of telephone tech support to walk you through an install
    >yourself? Much cheaper than an on-site install. Is the end result as
    >reasonable? Or at least satisfactory?

    If the router requires a tech support walk through on installation,
    then the manual is badly written (Sonicwall), the web based
    configuration is overly obfuscated (Watchguard), or the router is
    infested with features of dubious value (Cisco). I've purchased
    support services from Sonicwall, Watchguard, and a Cisco reseller in
    the past. Only the Cisco reseller was worth the expense.

    What I do is set up all the routers in my palatial office on a
    dedicated LAN. I temporarily assign fixed IP addresses to the WAN
    side of each router so they can communicate without the internet being
    involved. I connect various laptops, junk PCs, and IP-configurable
    junk lying around the office for testing on each router. I do the
    configuration, and test the hell out of it. It's important to be sure
    that various Windoze services (master browser) function. When happy,
    I ship the routers pre-configured to the remote offices for
    installation.

    I will confess that I did read the manual, an unnatural act that I
    only perform under duress and only after first blundering through the
    VPN configuration exercise through Learn By Destroying(tm). It's
    somewhat complicated, but once the buzzwords and technology are
    understood, it's fairly simple.

    Here's a sample configuration for a Dlink DI-804HV VPN router:
    http://support.dlink.com/faq/view.asp?prod_id=1295
    http://support.dlink.com/faq/view.asp?prod_id=1383
    Think you can handle that yourself?

    Basically, the VPN is set up in 5 steps.
    1. Set up the WAN side for whatever DSL connection you're using.
    2. Set up the LAN side for local connectivity. Test for internet
    access. This is the same as any non-VPN router.
    3. Set up the method of key exchange (IKE). I prefer pre-shared keys
    because of the simplicity. Each tunnel should have a different
    pre-shared key to avoid confusion.
    4. Set up the method of encryption. DES and Triple DES are the usual
    choices.
    5. Set up the method of authentication. MD5 and SHA are the common
    choices.
    6. Set up the miscellaneous options such as passing NETBIOS
    broadcasts.
    7. Test by pinging the opposite private LAN. Test for windoze
    (NETBIOS) connectivity with:
    net view
    \\server_name
    Network neighborhood

    If you approach the setup from the top down, in the above order, life
    will be easier.

    Incidentally, one potential screwup is to assign the same Class C
    network IP block to both sides of the VPN tunnel. Don't do that. Use
    different blocks such as:
    192.168.1.xxx one end of tunnel
    192.168.2.xxx other end of tunnel
    This way, it's obvious where a machine is located and also avoids
    duplicate IP address headaches. That means do NOT use the default IP
    address for the LAN side of the router as supplied by the
    manufacturer.

    >4. There are all of these different kinds of authentication - user,
    >login, certificate. What do I really need? Different vendors all give
    >you different information.

    Sigh. Keep it simple. You don't need certificates unless you're into
    the ultimate in security. Pre-shared keys are good enough. I do use
    certificates for mobile and hostile sites (don't ask), where hacking
    is a potential problem. However, I've had more security issues with
    copies of the certificates being "borrowed" than with pre-shared keys
    that cannot be extracted from the router configuration.

    For encryption, I'm partial to DES instead of 3DES because it's
    generally less overhead. If you ping a workstation through the tunnel
    and compare performance between DES and 3DES, there's usually a few
    milliseconds difference. If you're worried about someone sniffing
    your traffic, and decrypting it, go for 3DES. If your router supports
    AES, that's even better (and slower).

    Authentication method is just a hash code. I use MD5 because everyone
    supports it. Same with mobile IPSec clients. SHA-1 is probably more
    secure.

    Routers that do NOT have a user license limit are my preference. That
    means:
    Linksys
    http://www.linksys.com/products/group.asp?grid=34&scid=29
    Dlink
    http://www.dlink.com/products/category.asp?cid=9
    Netgear
    http://www.netgear.com/products/routers/firewallvpn.php

    None of the above (to the best of my knowledge) have user license
    counts and additional user count charges. However, they do have
    limited number of tunnels and users. Generally, 253 users and 8-32
    tunnels are common. Make sure you obtain these limits from the vendor
    before buying. You'll need at least 1 tunnel between each office and
    one additional tunnel for mobile (remote admin or home) users.

    I've used Linksys BEFVP41 ($90), DLink DI-804HV ($50), Netgear
    FVS318 ($140) and some others. I do NOT consider these to be
    expensive. When I had a performance problem with BEFVP41 routers and
    determined it to be a firmware issue, I simply purchased a different
    pair of routers until Linksys could fix things (which they did after
    about 3 months).

    Compare those prices with the Sonicwall TELE3, which costs $500 for 10
    users to start, costs approx $50/user to upgrade (ouch), but does have
    some nifty features (V.90 modem fallback). However, to keep the user
    count low, you need to subnet your LANs, keeping the print servers
    outside the router's LAN netmask or they will be counted as a user.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D 831-336-2558
    Santa Cruz CA 95060 AE6KS
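As an added planning check (my own code, not anything from the thread or from a router vendor), here is a small Python script that applies the rules Jeff lays out above to a site plan before any router is touched: distinct private blocks on every end of a tunnel, a different pre-shared key per tunnel, a flag on the weaker DES/MD5 choices, the tunnel budget per router (one per office plus one for mobile users), and the "slowest speed at both ends" bandwidth bound. Office names, address blocks, DSL rates and keys are constructed sample values.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Office:
    name: str
    lan: str        # private block behind the VPN router, e.g. "192.168.1.0/24"
    down_kbps: int  # DSL downstream rate
    up_kbps: int    # DSL upstream rate


@dataclass(frozen=True)
class Tunnel:
    a: str          # office at one end
    b: str          # office at the other end
    psk: str        # IKE pre-shared key for this tunnel
    cipher: str     # ESP encryption: "DES", "3DES" or "AES"
    auth: str       # integrity hash: "MD5" or "SHA1"


# Ranking used only to flag the weaker choices the thread mentions.
CIPHER_RANK = {"DES": 0, "3DES": 1, "AES": 2}
AUTH_RANK = {"MD5": 0, "SHA1": 1}


def tunnel_rate_kbps(offices, t):
    """Upper bound for one tunnel: each direction is capped by the sender's
    upstream and the receiver's downstream, so the slowest of the four wins."""
    oa, ob = offices[t.a], offices[t.b]
    return min(oa.up_kbps, ob.down_kbps, ob.up_kbps, oa.down_kbps)


def check_plan(offices, tunnels, max_tunnels, mobile_tunnels=1):
    """Return 'ERROR: ...' / 'WARN: ...' strings; an empty list means the plan passes."""
    findings = []
    nets = {name: ipaddress.ip_network(o.lan, strict=True) for name, o in offices.items()}
    names = sorted(nets)
    # 1. Every office needs its own block, or routing across the tunnel is ambiguous.
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if nets[x].overlaps(nets[y]):
                findings.append(f"ERROR: LAN blocks overlap: {x} {nets[x]} vs {y} {nets[y]}")
    # 2. One pre-shared key per tunnel, so a leaked key exposes only one link.
    first_use = {}
    for t in tunnels:
        label = f"{t.a}-{t.b}"
        if t.psk in first_use:
            findings.append(f"WARN: tunnel {label} reuses the pre-shared key of {first_use[t.psk]}")
        else:
            first_use[t.psk] = label
        # 3. Flag the weaker algorithm choices for traffic carrying medical records.
        if CIPHER_RANK[t.cipher] < CIPHER_RANK["3DES"]:
            findings.append(f"WARN: tunnel {label} uses {t.cipher}; prefer 3DES or AES")
        if AUTH_RANK[t.auth] < AUTH_RANK["SHA1"]:
            findings.append(f"WARN: tunnel {label} uses {t.auth}; prefer SHA1")
    # 4. Tunnel budget per router: site tunnels ending there plus the mobile tunnel(s).
    per_router = Counter()
    for t in tunnels:
        per_router[t.a] += 1
        per_router[t.b] += 1
    for name in names:
        needed = per_router[name] + mobile_tunnels
        if per_router[name] == 0:
            findings.append(f"ERROR: {name} has no tunnel to any other office")
        elif needed > max_tunnels:
            findings.append(f"ERROR: {name} needs {needed} tunnels but the router supports {max_tunnels}")
    return findings


# Constructed sample plan: "south" was left on the factory default block and
# its tunnel reuses north's key with the weaker algorithms, so the check flags both.
OFFICES = {o.name: o for o in [
    Office("main", "192.168.1.0/24", 1500, 768),
    Office("north", "192.168.2.0/24", 1500, 768),
    Office("south", "192.168.1.0/24", 1500, 256),
]}
TUNNELS = [
    Tunnel("main", "north", "psk-north-sample", "3DES", "SHA1"),
    Tunnel("main", "south", "psk-north-sample", "DES", "MD5"),
]

if __name__ == "__main__":
    for line in check_plan(OFFICES, TUNNELS, max_tunnels=8):
        print(line)
    for t in TUNNELS:
        print(f"{t.a}-{t.b}: at most {tunnel_rate_kbps(OFFICES, t)} kbit/s")
```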
  2.

    On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:

    >...What do you experts think about ...

    I think you need to hire an experienced network consultant who does this
    sort of thing.
  3.

    >
    > 2. Why do the little boxes cost so darn much? They cost way more than
    > the computers you are trying to protect. I guess the data is
    > invaluable, but still...


    How expensive??? 400 bucks gets you a PIX 501, which is fine for a 768K
    circuit and can handle about 3 Mbit of encrypted traffic.


    > 3. What do you experts think about those arrangements where you buy
    > hours of telephone tech support to walk you through an install
    > yourself? Much cheaper than an on-site install. Is the end result as
    > reasonable? Or at least satisfactory?
    >

    Are they actually paying you as an IT consultant???
  4.

    On Mon, 10 May 2004 00:14:51 -0400, "Mike Harrison" <mharrison@aol.com>
    wrote:

    >
    >>
    >> 2. Why do the little boxes cost so darn much? They cost way more than
    >> the computers you are trying to protect. I guess the data is
    >> invaluable, but still...
    >
    >
    >How expensive??? 400 bucks gets you a pix 501 which is fine for a 768K
    >circuit and can handle about 3mbit of encrypted traffic

    or $500 for a Netscreen 5GT at the main office, which handles upwards of
    20Mbit/sec of 3DES VPN, and 10 simultaneous VPN connections, then $400 or
    so each for NetScreen "Hardware Security Clients" at each branch office.
    Properly configured by someone who knows what they are doing, this would
    make the LANs at each location fully connected into a wide area network
    (WAN). If you have more than 10 branch offices, you need the next model
    up for the central office.

    You don't need to mess with all that external authentication server stuff.
    If you only have a few offices, a few NetScreens and no more than maybe
    100 remote users who use software VPN occasionally, the 5GTs can manage
    themselves via a web-based admin interface. Naturally, you can make this
    as fancy and complicated as you want.
  5.

    "Mike Harrison" <mharrison@aol.com> writes:

    > >
    > > 2. Why do the little boxes cost so darn much? They cost way more than
    > > the computers you are trying to protect. I guess the data is
    > > invaluable, but still...
    >
    >
    > How expensive??? 400 bucks gets you a pix 501 which is fine for a 768K
    > circuit and can handle about 3mbit of encrypted traffic

    Find a few used CryptoCluster 500s on eBay for a lot less than that
    for the lot, and get a very resilient solution with failover and load
    balancing that works.

    -jav
  6.

    Irwin <ebct@yahoo.com> writes:

    > 2. Why do the little boxes cost so darn much? They cost way more than
    > the computers you are trying to protect.

    Take a look at Snap Gear -

    http://www.cyberguard.com/snapgear/

    Among other things they have a firewall on an ethernet card
    that may be useful to you.

    Some of your other questions would be best pursued in comp.dcom.vpn.

    Billy Y..
  7.

    In ba.internet John R Pierce <spam@is.invalid> wrote:
    : On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:

    :>...What do you experts think about ...

    : I think you need to hire a experienced network consultant who does this
    : sort of thing.

    I'd second that, particularly if you've got some potential liability when it
    comes to medical records and privacy law.

    --
    Dane Jasper Sonic.net, Inc.
    (707)522-1000
    mailto:dane@sonic.net http://www.sonic.net/

    Key fingerprint = A5 D6 6E 16 D8 81 BA E9 CB BD A9 77 B3 AF 45 53
  8.

    Actually, I started by trying to hire one. I have interviewed and
    gotten bids from several, and they are all over the map. High price,
    low price, max security, others who say you can do well with less.
    Can't get a consistent answer or trend from anyone. Not that I really
    expect to get a consistent answer from my post either, but it is not
    as simple as pick a consultant. You basically have to know something
    to decide which consultant to use. So, what is your opinion?

    IMF


    John R Pierce <spam@is.invalid> wrote in message news:<vlst90l8vt4ipoqmfb5losmqldpirq8rt9@news.lmi.net>...
    > On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:
    >
    > >...What do you experts think about ...
    >
    > I think you need to hire a experienced network consultant who does this
    > sort of thing.
  9.

    In article <a02856e1.0405091647.70658c8c@posting.google.com>,
    ebct@yahoo.com says...
    > Hello all. I was trying to connect a few radiology offices in a HIPAA
    > compliant manner using VPN. We were considering hardware firewalls
    > from Watchguard, Netgear, SonicWall, just read something about
    > NetScreen, don't know anything yet about HP. The offices are connected
    > using 768k upload DSL, which I presume is the bottleneck. I have read
    > previous posts on older equipment, but haven't seen anything
    > discussing 2004 equipment. I wondered what you all thought out there?

    We do this exact type of work all over the US; this is a very common
    practice in medical and all other types of business.

    > 1. Which products would be the most cost-effective, given all the
    > different plans and service and upgrade stuff?

    Cost-effective has many paths; I look at cost-effective as being
    something I can install and forget for months on end. I install
    WatchGuard units everywhere.

    A typical solution would include a Firebox 1000 or a Firebox 2500 at the
    main office and then SOHO6tc or 700 units at the other locations -
    depends on the number of users (the SOHO units have a per-connection
    cost, the 700,1000,2500 don't have a limitation on user counts).

    You can set up a Branch Office VPN tunnel in about 10 minutes if you have
    some experience; creating the rules to limit access by user/system can
    take longer.

    > 2. Why do the little boxes cost so darn much? They cost way more than
    > the computers you are trying to protect. I guess the data is
    > invaluable, but still...

    I consider the level of protection to be about right for the cost. There
    are sub-$1000 units out there, but when you start looking at the company
    backing them, the included features, how much for support and upgrades,
    availability of third-party support, ease of use, etc... I install the
    WG units unless a client requests something else.

    > 3. What do you experts think about those arrangements where you buy
    > hours of telephone tech support to walk you through an install
    > yourself? Much cheaper than an on-site install. Is the end result as
    > reasonable? Or at least satisfactory?

    I think that it's a mistake to not get a professional firewall person in
    to do the install. Doing a generic install can leave you with many
    issues that you may not see for months and then it's too late.

    > 4. There are all of these different kinds of authentication - user,
    > login, certificate. What do I really need? Different vendors all give
    > you different information.

    If you are doing a main office to branch office setup then all you need is
    the firewall-to-firewall VPN tunnels set up, and treat the entire thing as
    one big LAN.

    If you can't get fixed IP addresses for each location you're going to
    have problems with tunnels, get a fixed IP at every location. One other
    thing, DSL is problematic, we've never had a DSL install where the
    tunnel stayed up longer than 1 week without having to auto-reconnect.
    Our Road Runner Business class connections go many months before any
    auto-reconnect (if at all), and a T1 or fractional T1 is almost always
    perfect.

    Setting up the VPN tunnels between offices is the proper way to do it
    regardless of what type of business you have. It protects the users and
    data. If your remote office VPN can force all outbound traffic through
    the tunnel to the home office you can get an added benefit of being able
    to centrally filter and monitor all traffic, but it will mean that you
    need a faster connection between the offices in order to not slow down
    the remote users.

    One thing I like about the WG firewall units (the 700 and above) is that
    they have both Web and SMTP filters that, when properly configured,
    eliminate most of the problems with bad web sites (block lists and
    removal of ActiveX, scripting) and virus-infected attachments (by
    extension). In the last year, with one large client, not one virus-
    infected email made it past the firewall for the AV software to have to
    deal with.

    Get a firewall professional to install your firewalls, you won't be
    sorry.

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  10.

    On or about 05/10/2004 04:52 AM PDT, Irwin wrote:
    > John R Pierce <spam@is.invalid> wrote in message news:<vlst90l8vt4ipoqmfb5losmqldpirq8rt9@news.lmi.net>...
    >
    >>On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:
    >>
    >>
    >>>...What do you experts think about ...
    >>
    >>I think you need to hire a experienced network consultant who does this
    >>sort of thing.
    >
    > Actually, I started by trying to hire one. I have interviewed and
    > gotten bids from several, and they are all over the map. High price,
    > low price, max security, others who say you can do well with less.
    > Can't get a consistent answer or trend from anyone. Not that I really
    > expect to get a consistent answer from my post either, but it is not
    > as simple as pick a consultant. You basically have to know something
    > to decide which consultant to use. So, what is your opinion?
    >
    > IMF
    >
    >

    If I may,

    I think you should look for someone whose integrity and competence you
    can personally verify, if not the consultant himself, then someone who
    can advise you in selecting a consultant from experience, or knows
    someone who can, and so on.

    In other words, you probably "know someone who knows someone" who is
    a satisfied customer, at least.

    You can simulate the same process on the Internet by googling for the
    history of statements made by and about people who advise you here, but
    the results probably won't be as reliable.

    --
    Phil Nelson
  11.

    "Irwin" <ebct@yahoo.com> wrote in message
    news:a02856e1.0405091647.70658c8c@posting.google.com...

    > 4. There are all of these different kinds of authentication - user,
    > login, certificate. What do I really need? Different vendors all give
    > you different information.

    In our setup we use RSA Smart Tokens with rolling hashed passwords and pins,
    a Cisco VPN client with 168-bit encryption and SPI turned on by default, and
    Cisco VPN servers. This is probably overkill but it appears to be secure.
  12.

    Your radiology lab should be associated with one or more hospitals. I
    suggest contacting the IT Departments of those hospitals for referrals
    to external consultants.

    Irwin wrote:
    > Actually, I started by trying to hire one. I have interviewed and
    > gotten bids from several, and they are all over the map. High price,
    > low price, max security, others who say you can do well with less.
    > Can't get a consistent answer or trend from anyone. Not that I really
    > expect to get a consistent answer from my post either, but it is not
    > as simple as pick a consultant. You basically have to know something
    > to decide which consultant to use. So, what is your opinion?
    >
    > IMF
    >
    >
    > John R Pierce <spam@is.invalid> wrote in message news:<vlst90l8vt4ipoqmfb5losmqldpirq8rt9@news.lmi.net>...
    >
    >>On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:
    >>
    >>
    >>>...What do you experts think about ...
    >>
    >>I think you need to hire a experienced network consultant who does this
    >>sort of thing.
    >
  13.

    Leythos wrote:
    > One thing I like about the WG firewall units (the 700 and above) is that
    > they have both Web and SMTP filters that when properly configured
    > eliminate most of the problems with bad web sites (block lists and
    > removal of active-x, scripting) and virus infected attachments (by
    > extension). In the last year, with one large client, not one virus
    > infected email made it past the firewall for the AV software to have to
    > deal with.

    I prefer componentization. Separating the content inspection system from
    the VPN server insulates the VPN server from potential bugs (hence
    potential vulnerabilities to compromise) in the SMTP and HTTP
    inspection/extraction code. I recognize, Leythos, you are sensitive to
    Irwin's recurring mention of price, but considering HIPAA, I thought it
    prudent to mention.
  14.

    In article <40ABC827.2070009@SpamAvoidance.net>,
    SpamAvoidance@SpamAvoidance.net says...
    > Leythos wrote:
    > > One thing I like about the WG firewall units (the 700 and above) is that
    > > they have both Web and SMTP filters that when properly configured
    > > eliminate most of the problems with bad web sites (block lists and
    > > removal of active-x, scripting) and virus infected attachments (by
    > > extension). In the last year, with one large client, not one virus
    > > infected email made it past the firewall for the AV software to have to
    > > deal with.
    >
    > I prefer componentization. Separating the content inspection system from
    > the VPN server insulates the VPN server from potential bugs (hence
    > potential vulnerabilities to compromise) in the SMTP and HTTP
    > inspection/extraction code. I recognize, Leythos, you are sensitive to
    > Irwin's recurring mention of price, but considering HIPAA, I thought it
    > prudent to mention.

    Good thoughts. I use a mail server in my DMZ running AV/Exchange
    filtering for RBL, Attachments, etc....

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  15. HIPAA (Health Information Portability and Accountability Act) is a federal law that protects health information. Federal standards are now in place that ensure patients have access to their own medical records while adding new responsibilities to those charged with protecting this information.

    For those in the business of providing access to information, these regulations are the proverbial double-edged sword. If patients now have expanded access to their own medical data, the quickest, cheapest and most convenient manner to provide this information is electronically through the internet. So those involved in designing web applications and hosting web sites can expect to see new HIPAA related opportunities. However, with these new opportunities come new responsibilities. The security provisions detailed in HIPAA are exacting. Working within the scope of HIPAA places an onus on web designers to ensure that potentially sensitive medical information is kept private.
    --
    thomas
  16. The above statement is seen to be contradictory. The situation is very critical and needs an experienced complainer to resolve it.
    Barbara Brown
    hippa