HIPAA and firewalls

Guest
Archived from groups: comp.security.firewalls,ba.internet,sci.med.transcription,microsoft.public.biztalk.accelerator.hipaa

Hello all. I was trying to connect a few radiology offices in a HIPAA
compliant manner using VPN. We were considering hardware firewalls
from Watchguard, Netgear, SonicWall, just read something about
NetScreen, don't know anything yet about HP. The offices are connected
using 768k upload DSL, which I presume is the bottleneck. I have read
previous posts on older equipment, but haven't seen anything
discussing 2004 equipment. I wondered what you all thought out there?

1. Which products would be the most cost-effective, given all the
different plans and service and upgrade stuff?

2. Why do the little boxes cost so darn much? They cost way more than
the computers you are trying to protect. I guess the data is
invaluable, but still...

3. What do you experts think about those arrangements where you buy
hours of telephone tech support to walk you through an install
yourself? Much cheaper than an on-site install. Is the end result as
reasonable? Or at least satisfactory?

4. There are all of these different kinds of authentication - user,
login, certificate. What do I really need? Different vendors all give
you different information.

Thanks,
Irwin
 
Guest

On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:

>Hello all. I was trying to connect a few radiology offices in a HIPAA
>compliant manner using VPN. We were considering hardware firewalls
>from Watchguard, Netgear, SonicWall, just read something about
>NetScreen, don't know anything yet about HP.

I'll assume that you want to terminate the VPN with a VPN router and
not a server. It would be nice to know the number of machines at each
end of the VPN as many vendors license their routers based upon the
number of "users".

>The offices are connected
>using 768k upload DSL, which I presume is the bottleneck.

Yep. The slowest speed at BOTH ends of the link is the limiting
factor. For a while, the local DSL was 1500/128 kbits/sec. Two of
these DSL lines resulted in performance identical to 128/128 ISDN
lines. Recently, this has been increased to 1500/256 kbits/sec.
Where did you find an xxxx/768 kbits/sec line? ADSL or SDSL?

> I have read
>previous posts on older equipment, but haven't seen anything
>discussing 2004 equipment. I wondered what you all thought out there?

Buying the latest greatest often enlists you in the vendors beta test
and debugging program. Are you sure you want the latest greatest?

>1. Which products would be the most cost-effective, given all the
>different plans and service and upgrade stuff?

Service plans and upgrades imply that you're buying into some kind of
service contract. This is the way Watchguard and Sonicwall operate.
They license by the number of users, which can be increased from the
base 10 user system to whatever your budget can afford. You need to
purchase an annual contract to obtain updates and support. While this
may have been a proper way to fund development in the past, methinks
this is a bad and expensive method of purchasing a router. You need
an "appliance", not a relationship.

>2. Why do the little boxes cost so darn much? They cost way more than
>the computers you are trying to protect. I guess the data is
>invaluable, but still...

Trivia: If you find the data sheet online, and it takes more than a
dozen clicks to find the price, they're not interested in selling you
a product. They're selling a relationship or re-selling the
relationship through an authorized dealer.

There's no reason for such VPN routers to be expensive. The need to
fund development and for the vendor to pay license fees to technology
owners, was the prime culprit in the past. There's nothing magic
about IPSec VPN's that justify the current level of pricing other than
users continue to pay high prices for user count based licenses.

There are several VPN routers that do not count users and are quite
economical. Details to follow.

>3. What do you experts think about those arrangements where you buy
>hours of telephone tech support to walk you through an install
>yourself? Much cheaper than an on-site install. Is the end result as
>reasonable? Or at least satisfactory?

If the router requires a tech support walk through on installation,
then the manual is badly written (Sonicwall), the web based
configuration is overly obfuscated (Watchguard), or the router is
infested with features of dubious value (Cisco). I've purchased
support services from Sonicwall, Watchguard, and a Cisco reseller in
the past. Only the Cisco reseller was worth the expense.

What I do is setup all the routers in my palatial office on a
dedicated LAN. I temporarily assign fixed IP addresses to the WAN
side of each router so they can communicate without the internet being
involved. I connect various laptops, junk PC's, and IP configurable
junk laying around the office for testing on each router. I do the
configuration, and test the hell out of it. It's important to be sure
that various Windoze services (master browser) function. When happy,
I ship the routers pre-configured to the remote offices for
installation.

I will confess that I did read the manual, an unnatural act that I
only perform under duress and only after first blundering through the
VPN configuration exercise through Learn By Destroying(tm). It's
somewhat complicated, but once the buzzwords and technology are
understood, it's fairly simple.

Here's a sample configuration for a Dlink DI-804HV VPN router:
http://support.dlink.com/faq/view.asp?prod_id=1295
http://support.dlink.com/faq/view.asp?prod_id=1383
Think you can handle that yourself?

Basically, the VPN is setup in 5 steps.
1. Setup the WAN side for whatever DSL connection you're using.
2. Setup the LAN side for local connectivity. Test for internet
access. This is the same as any non-VPN router.
3. Setup the method of key exchange (IKE). I prefer pre-shared keys
because of the simplicity. Each tunnel should have a different
pre-shared key to avoid confusion.
4. Setup the method of encryption. DES and Triple DES are the usual
choices.
5. Setup the method of authentication. MD5 and SHA are the common
choices.
6. Setup the miscellaneous options such as passing NETBIOS
broadcasts.
7. Test by pinging the opposite private LAN. Test for windoze
(NETBIOS) connectivity with:
net view
\\server_name
Network neighborhood

If you approach the setup from the top down, in the above order, life
will be easier.

Incidentally, one potential screwup is to assign the same Class C
network IP block to both sides of the VPN tunnel. Don't do that. Use
different blocks such as:
192.168.1.xxx one end of tunnel
192.168.2.xxx other end of tunnel
This way, it's obvious where a machine is located and also avoids
duplicate IP address headaches. That means do NOT use the default IP
address for the LAN side of the router as supplied by the
manufacturer.

>4. There are all of these different kinds of authentication - user,
>login, certificate. What do I really need? Different vendors all give
>you different information.

Sigh. Keep it simple. You don't need certificates unless you're into
the ultimate in security. Pre-shared keys are good enough. I do use
certificates for mobile and hostile sites (don't ask), where hacking
is a potential problem. However, I've had more security issues with
copies of the certificates being "borrowed" than with pre-shared keys
that cannot be extracted from the router configuration.

For encryption, I'm partial to DES instead of 3DES because it's
generally less overhead. If you ping a workstation through the tunnel
and compare performance between DES and 3DES, there's usually a few
milliseconds difference. If you're worried about someone sniffing
your traffic, and decrypting it, go for 3DES. If your router supports
AES, that's even better (and slower).

Authentication method is just a hash code. I use MD5 because everyone
supports it. Same with mobile IPSec clients. SHA-1 is probably more
secure.

Routers that do NOT have a user license limit are my preference. That
means:
Linksys
http://www.linksys.com/products/group.asp?grid=34&scid=29
Dlink
http://www.dlink.com/products/category.asp?cid=9
Netgear
http://www.netgear.com/products/routers/firewallvpn.php

None of the above (to the best of my knowledge) have user license
counts and additional user count charges. However, they do have
limited number of tunnels and users. Generally, 253 users and 8-32
tunnels are common. Make sure you obtain these limits from the vendor
before buying. You'll need at least 1 tunnel between each office and
one additional tunnel for mobile (remote admin or home) users.

I've used Linksys BEFVP41 ($90) , DLink DI-804HV ($50), Netgear
FVS318 ($140) and some others. I do NOT consider these to be
expensive. When I had a performance problem with BEFVP41 routers and
determined it to be a firmware issue, I simply purchased a different
pair of routers until Linksys could fix things (which they did after
about 3 months).

Compare those prices with the Sonicwall TELE3, which costs $500 for 10
users to start, costs approx $50/user to upgrade (ouch), but does have
some nifty features (V.90 modem fallback). However, to keep the user
count low, you need to subnet your LAN's, keeping the print servers
outside the routers LAN netmask or they will be counted as a user.




--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D 831-336-2558
Santa Cruz CA 95060 AE6KS
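The setup order and the pitfalls Jeff lists above (the same LAN block on both ends of a tunnel, one pre-shared key copied between tunnels, running out of tunnels on a box with a fixed tunnel limit) can all be checked before the pre-configured routers are shipped. What follows is an added example written for this page, not code from the thread or from any router vendor: a small Python plan checker. The site names, subnets, keys and tunnel limits are constructed for illustration. The weak-algorithm flag reflects a fact the post predates: single DES and MD5, still common choices in 2004, are no longer acceptable for protecting health data, and any current router offers AES and SHA-2.

```python
"""Sanity-check a small site-to-site IPsec plan before the routers ship.

Added example, not code from the thread or any router vendor.  Sites, subnets,
keys and tunnel limits below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    lan: str                   # LAN block behind this router, e.g. "192.168.2.0/24"
    tunnel_limit: int = 8      # vendor's maximum number of concurrent tunnels


@dataclass
class Tunnel:
    a: str                     # site name at one end
    b: str                     # site name at the other end
    psk: str                   # IKE pre-shared key for this tunnel only
    encryption: str = "aes"    # des | 3des | aes
    integrity: str = "sha256"  # md5 | sha1 | sha256


WEAK_ENCRYPTION = {"des"}      # single DES: 56-bit key, brute-forceable since the 1990s
WEAK_INTEGRITY = {"md5"}       # HMAC-MD5 still interoperates, but MD5 is deprecated
MIN_PSK_LEN = 20               # a short PSK is the weak point of IKE with pre-shared keys


def check_plan(sites, tunnels, mobile_tunnels_per_site=1):
    """Return a list of findings (strings); an empty list means the plan is clean."""
    findings = []
    names = {s.name for s in sites}

    # Step 2 pitfall: LAN blocks at the two ends must not overlap, otherwise the
    # router cannot tell which side of the tunnel a destination address is on.
    nets = [(s.name, ipaddress.ip_network(s.lan, strict=False)) for s in sites]
    for i, (n1, net1) in enumerate(nets):
        for n2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"LAN overlap: {n1} {net1} and {n2} {net2}")

    # Steps 3-5: one PSK per tunnel, long enough, and no weak algorithms.
    psk_owner = {}
    for t in tunnels:
        label = f"tunnel {t.a}<->{t.b}"
        if t.a not in names or t.b not in names:
            findings.append(f"{label} references an unknown site")
            continue
        if t.a == t.b:
            findings.append(f"{label} has the same site at both ends")
        if len(t.psk) < MIN_PSK_LEN:
            findings.append(f"{label}: PSK shorter than {MIN_PSK_LEN} characters")
        if t.psk in psk_owner:
            findings.append(f"{label} reuses the PSK of {psk_owner[t.psk]}")
        else:
            psk_owner[t.psk] = label
        if t.encryption.lower() in WEAK_ENCRYPTION:
            findings.append(f"{label}: {t.encryption} encryption is too weak, use aes")
        if t.integrity.lower() in WEAK_INTEGRITY:
            findings.append(f"{label}: {t.integrity} integrity is too weak, use sha256")

    # Tunnel budget: one tunnel per peer office plus the spare(s) for mobile and
    # remote-admin users, compared with what the box allows.
    for s in sites:
        used = sum(1 for t in tunnels if s.name in (t.a, t.b)) + mobile_tunnels_per_site
        if used > s.tunnel_limit:
            findings.append(f"{s.name}: needs {used} tunnels, router allows {s.tunnel_limit}")
    return findings


# Constructed sample: three offices, one of them left on the router's default
# 192.168.1.0/24, a PSK copied between two tunnels, and small branch routers.
SAMPLE_SITES = [
    Site("main", "192.168.1.0/24", tunnel_limit=8),
    Site("east", "192.168.2.0/24", tunnel_limit=2),
    Site("west", "192.168.1.0/24", tunnel_limit=2),
]
SAMPLE_TUNNELS = [
    Tunnel("main", "east", "Xq7!vLm2#pR9&dT4wZ8@kB"),
    Tunnel("main", "west", "Xq7!vLm2#pR9&dT4wZ8@kB", encryption="des", integrity="md5"),
    Tunnel("east", "west", "short", encryption="3des", integrity="sha1"),
]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_SITES, SAMPLE_TUNNELS):
        print("FINDING:", finding)
```

Run it as a script to print the findings for the constructed sample (seven of them); an empty list from check_plan() means the plan is clean. Because the subnet test uses ipaddress.overlaps(), it also catches the quieter case of one office on 192.168.0.0/16 and another on 192.168.1.0/24, not only two identical blocks.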
 
Guest

On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:

>...What do you experts think about ...

I think you need to hire an experienced network consultant who does this
sort of thing.
 
Guest

>
> 2. Why do the little boxes cost so darn much? They cost way more than
> the computers you are trying to protect. I guess the data is
> invaluable, but still...


How expensive??? 400 bucks gets you a PIX 501, which is fine for a 768K
circuit and can handle about 3 Mbit of encrypted traffic.


> 3. What do you experts think about those arrangements where you buy
> hours of telephone tech support to walk you through an install
> yourself? Much cheaper than an on-site install. Is the end result as
> reasonable? Or at least satisfactory?
>

Are they actually paying you as an IT consultant???
 
Guest

On Mon, 10 May 2004 00:14:51 -0400, "Mike Harrison" <mharrison@aol.com>
wrote:

>
>>
>> 2. Why do the little boxes cost so darn much? They cost way more than
>> the computers you are trying to protect. I guess the data is
>> invaluable, but still...
>
>
>How expensive??? 400 bucks gets you a pix 501 which is fine for a 768K
>circuit and can handle about 3mbit of encrypted traffic

or $500 for a Netscreen 5GT at the main office, which handles upwards of
20Mbit/sec of 3DES VPN, and 10 simultaneous VPN connections, then $400 or
so each for NetScreen "Hardware Security Clients" at each branch office.
Properly configured by someone who knows what they are doing, this would
make the LANs at each location fully connected into a wide area network
(WAN). If you have more than 10 branch offices, you need the next model
up for the central office.

You don't need to mess with all that external authentication server stuff
if you only have a few offices, a few NetScreens and no more than maybe
100 remote users who use software VPN occasionally; the 5GTs can manage
themselves via a web-based admin interface. Naturally, you can make this
as fancy and complicated as you want.
 
Guest

"Mike Harrison" <mharrison@aol.com> writes:

> >
> > 2. Why do the little boxes cost so darn much? They cost way more than
> > the computers you are trying to protect. I guess the data is
> > invaluable, but still...
>
>
> How expensive??? 400 bucks gets you a pix 501 which is fine for a 768K
> circuit and can handle about 3mbit of encrypted traffic

Find a few used CryptoCluster 500's on eBay for a lot less than that
for the lot, get a very resilient solution with failover and load
balancing that works.

-jav
 
Guest

Irwin <ebct@yahoo.com> writes:

> 2. Why do the little boxes cost so darn much? They cost way more than
> the computers you are trying to protect.

Take a look at Snap Gear -

http://www.cyberguard.com/snapgear/

Among other things they have a firewall on an ethernet card
that may be useful to you.

Some of your other questions would be best pursued in comp.dcom.vpn.

Billy Y..
 
Guest

In ba.internet John R Pierce <spam@is.invalid> wrote:
: On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:

:>...What do you experts think about ...

: I think you need to hire a experienced network consultant who does this
: sort of thing.

I'd second that, particularly if you've got some potential liability when it
comes to medical records and privacy law.

--
Dane Jasper Sonic.net, Inc.
(707)522-1000
mailto:dane@sonic.net http://www.sonic.net/

Key fingerprint = A5 D6 6E 16 D8 81 BA E9 CB BD A9 77 B3 AF 45 53
 
Guest

Actually, I started by trying to hire one. I have interviewed and
gotten bids from several, and they are all over the map. High price,
low price, max security, others who say you can do well with less.
Can't get a consistent answer or trend from anyone. Not that I really
expect to get a consistent answer from my post either, but it is not
as simple as pick a consultant. You basically have to know something
to decide which consultant to use. So, what is your opinion?

IMF


John R Pierce <spam@is.invalid> wrote in message news:<vlst90l8vt4ipoqmfb5losmqldpirq8rt9@news.lmi.net>...
> On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:
>
> >...What do you experts think about ...
>
> I think you need to hire a experienced network consultant who does this
> sort of thing.
 
Guest

In article <a02856e1.0405091647.70658c8c@posting.google.com>,
ebct@yahoo.com says...
> Hello all. I was trying to connect a few radiology offices in a HIPAA
> compliant manner using VPN. We were considering hardware firewalls
> from Watchguard, Netgear, SonicWall, just read something about
> NetScreen, don't know anything yet about HP. The offices are connected
> using 768k upload DSL, which I presume is the bottleneck. I have read
> previous posts on older equipment, but haven't seen anything
> discussing 2004 equipment. I wondered what you all thought out there?

We do this exact type of work all over the US; this is a very common
practice in the medical field and in all other types of business.

> 1. Which products would be the most cost-effective, given all the
> different plans and service and upgrade stuff?

Cost effective has many paths - I look at cost effective as being
something I can install and forget for months on end. I install
WatchGuard units everywhere.

A typical solution would include a Firebox 1000 or a Firebox 2500 at the
main office and then SOHO6tc or 700 units at the other locations -
depends on the number of users (the SOHO units have a per-connection
cost, the 700,1000,2500 don't have a limitation on user counts).

You can setup a Branch Office VPN tunnel in about 10 minutes if you have
some experience, creating the rules to limit access by user/system can
take longer.

> 2. Why do the little boxes cost so darn much? They cost way more than
> the computers you are trying to protect. I guess the data is
> invaluable, but still...

I consider the level of protection to be about right for the cost. There
are sub $1000 units out there, but when you start looking at the company
backing them, the included features, how much for support and upgrades,
availability of third-party support, ease of use, etc... I install the
WG units unless a clients requests something else.

> 3. What do you experts think about those arrangements where you buy
> hours of telephone tech support to walk you through an install
> yourself? Much cheaper than an on-site install. Is the end result as
> reasonable? Or at least satisfactory?

I think that it's a mistake to not get a professional firewall person in
to do the install. Doing a generic install can leave you with many
issues that you may not see for months and then it's too late.

> 4. There are all of these different kinds of authentication - user,
> login, certificate. What do I really need? Different vendors all give
> you different information.

If you are doing a main office to branch office setup then all you need is
the firewall to firewall VPN tunnels setup and treat the entire thing as
one big LAN.

If you can't get fixed IP addresses for each location you're going to
have problems with tunnels, get a fixed IP at every location. One other
thing, DSL is problematic, we've never had a DSL install where the
tunnel stayed up longer than 1 week without having to auto-reconnect.
Our Road Runner Business class connections go many months before any
auto-reconnect (if at all), and a T1 or fractional T1 is almost always
perfect.

Setting up the VPN tunnels between offices is the proper way to do it
regardless of what type of business you have. It protects the users and
data. If your remote office VPN can force all outbound traffic through
the tunnel to the home office you can get an added benefit of being able
to centrally filter and monitor all traffic, but it will mean that you
need a faster connection between the offices in order to not slow down
the remote users.

One thing I like about the WG firewall units (the 700 and above) is that
they have both Web and SMTP filters that when properly configured
eliminate most of the problems with bad web sites (block lists and
removal of active-x, scripting) and virus infected attachments (by
extension). In the last year, with one large client, not one virus
infected email made it past the firewall for the AV software to have to
deal with.

Get a firewall professional to install your firewalls, you won't be
sorry.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
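Leythos's two operational points above, that a tunnel without a fixed IP at each end will give trouble and that a DSL tunnel which drops and auto-reconnects every week deserves a look, are easy to miss unless someone actually reads the firewall log. What follows is an added example written for this page, not code from the thread or from any vendor: a Python script that parses syslog-style tunnel up/down lines and flags tunnels with repeated drops inside a seven-day window or a peer address that changes between reconnects. The message format, host names and addresses are constructed for illustration, so the regular expression has to be adapted to what your own firewall writes.

```python
"""Summarise site-to-site tunnel stability from firewall syslog lines.

Added example, not code from the thread or any vendor.  The message format,
host names and addresses are constructed; adapt LINE_RE to your own logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed message shape: "<syslog ts> <host> ike: tunnel <name> up|down [peer=<ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ike: tunnel (?P<name>\S+) "
    r"(?P<event>up|down)(?: peer=(?P<peer>\S+))?"
)


def parse(lines, year):
    """Turn matching log lines into (timestamp, tunnel, event, peer) tuples sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line (sshd, dhcp, ...)
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["name"], m["event"], m["peer"]))
    events.sort(key=lambda e: e[0])
    return events


def summarise(events, window=timedelta(days=7), max_drops=1):
    """Per-tunnel drop count, peer addresses seen, longest continuous uptime and flags."""
    stats = defaultdict(lambda: {"drops": 0, "peers": set(),
                                 "longest_up": timedelta(0), "flags": []})
    up_since, drop_times = {}, defaultdict(list)
    for ts, name, event, peer in events:
        s = stats[name]
        if event == "up":
            up_since[name] = ts
            if peer:
                s["peers"].add(peer)
        else:  # down
            s["drops"] += 1
            drop_times[name].append(ts)
            if name in up_since:
                s["longest_up"] = max(s["longest_up"], ts - up_since.pop(name))
    # Tunnels still up at the end of the log: credit uptime up to the last event seen.
    if events:
        last = events[-1][0]
        for name, since in up_since.items():
            stats[name]["longest_up"] = max(stats[name]["longest_up"], last - since)
    for name, s in stats.items():
        # More than max_drops drops inside any window-sized span: unstable link.
        times = drop_times[name]
        for i, t in enumerate(times):
            in_window = sum(1 for u in times[i:] if u - t <= window)
            if in_window > max_drops:
                s["flags"].append(f"{in_window} drops within {window.days} days")
                break
        # A peer address that changes between reconnects means the far end has no
        # fixed IP, which is what breaks a tunnel defined against a static peer.
        if len(s["peers"]) > 1:
            s["flags"].append("peer address changed: " + ", ".join(sorted(s["peers"])))
    return dict(stats)


# Constructed log: "east" is a DSL branch on a dynamic address, "west" is stable.
SAMPLE_LOG = """\
May 10 00:05:12 fw-main ike: tunnel east up peer=203.0.113.20
May 10 00:05:30 fw-main ike: tunnel west up peer=198.51.100.7
May 11 14:22:09 fw-main ike: tunnel east down reason=dpd-timeout
May 11 14:22:51 fw-main ike: tunnel east up peer=203.0.113.21
May 13 03:40:00 fw-main ike: tunnel east down reason=dpd-timeout
May 13 03:41:10 fw-main ike: tunnel east up peer=203.0.113.21
May 14 11:15:45 fw-main ike: tunnel east down reason=dpd-timeout
May 14 11:16:20 fw-main ike: tunnel east up peer=203.0.113.25
May 14 12:00:00 fw-main sshd: accepted password for admin from 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    for name, s in summarise(parse(SAMPLE_LOG, 2004)).items():
        print(f"{name}: drops={s['drops']} longest_up={s['longest_up']} "
              f"flags={s['flags'] or 'none'}")
```

On the constructed sample the east tunnel is flagged twice (three drops in five days, and three different peer addresses), while west shows no drops and no flags. The window and max_drops arguments let you tune the rule to the post's "once a week" threshold or something stricter.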
 
Guest

On or about 05/10/2004 04:52 AM PDT, Irwin wrote:
> John R Pierce <spam@is.invalid> wrote in message news:<vlst90l8vt4ipoqmfb5losmqldpirq8rt9@news.lmi.net>...
>
>>On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:
>>
>>
>>>...What do you experts think about ...
>>
>>I think you need to hire a experienced network consultant who does this
>>sort of thing.
>
> Actually, I started by trying to hire one. I have interviewed and
> gotten bids from several, and they are all over the map. High price,
> low price, max security, others who say you can do well with less.
> Can't get a consistent answer or trend from anyone. Not that I really
> expect to get a consistent answer from my post either, but it is not
> as simple as pick a consultant. You basically have to know something
> to decide which consultant to use. So, what is your opinion?
>
> IMF
>
>

If I may,

I think you should look for someone whose integrity and competence you
can personally verify, if not the consultant himself, then someone who
can advise you in selecting a consultant from experience, or knows
someone who can, and so on.

In other words, you probably "know someone who knows someone" who is
a satisfied customer, at least.

You can simulate the same process on the Internet by googling for the
history of statements made by and about people who advise you here, but
the results probably won't be as reliable.

--
Phil Nelson
 

fearless

"Irwin" <ebct@yahoo.com> wrote in message
news:a02856e1.0405091647.70658c8c@posting.google.com...

> 4. There are all of these different kinds of authentication - user,
> login, certificate. What do I really need? Different vendors all give
> you different information.

In our setup we use RSA Smart Tokens with rolling hashed passwords and pins,
a Cisco VPN client with 168-bit encryption and SPI turned on by default, and
Cisco VPN servers. This is probably overkill but it appears to be secure.
 

GREGORY

Your radiology lab should be associated with one or more hospitals. I
suggest contacting the IT Departments of those hospitals for referrals
to external consultants.

Irwin wrote:
> Actually, I started by trying to hire one. I have interviewed and
> gotten bids from several, and they are all over the map. High price,
> low price, max security, others who say you can do well with less.
> Can't get a consistent answer or trend from anyone. Not that I really
> expect to get a consistent answer from my post either, but it is not
> as simple as pick a consultant. You basically have to know something
> to decide which consultant to use. So, what is your opinion?
>
> IMF
>
>
> John R Pierce <spam@is.invalid> wrote in message news:<vlst90l8vt4ipoqmfb5losmqldpirq8rt9@news.lmi.net>...
>
>>On 9 May 2004 17:47:13 -0700, ebct@yahoo.com (Irwin) wrote:
>>
>>
>>>...What do you experts think about ...
>>
>>I think you need to hire a experienced network consultant who does this
>>sort of thing.
>
 

GREGORY

Leythos wrote:
> One thing I like about the WG firewall units (the 700 and above) is that
> they have both Web and SMTP filters that when properly configured
> eliminate most of the problems with bad web sites (block lists and
> removal of active-x, scripting) and virus infected attachments (by
> extension). In the last year, with one large client, not one virus
> infected email made it past the firewall for the AV software to havet o
> deal with.

I prefer componentization. Separating the content inspection system from
the VPN server insulates the VPN server from potential bugs (hence
potential vulnerabilities to compromise) in the SMTP and HTTP
inspection/extraction code. I recognize, Leythos, you are sensitive to
Irwin's recurring mention of price, but considering HIPAA, I thought it
prudent to mention.
 
Guest

In article <40ABC827.2070009@SpamAvoidance.net>,
SpamAvoidance@SpamAvoidance.net says...
> Leythos wrote:
> > One thing I like about the WG firewall units (the 700 and above) is that
> > they have both Web and SMTP filters that when properly configured
> > eliminate most of the problems with bad web sites (block lists and
> > removal of active-x, scripting) and virus infected attachments (by
> > extension). In the last year, with one large client, not one virus
> > infected email made it past the firewall for the AV software to havet o
> > deal with.
>
> I prefer componentization. Seperating the content inspection system from
> the VPN server insulates the VPN server from potential bugs (hence
> potential vulnerabilities to compromise) in the SMTP and HTTP
> inspection/extraction code. I recognize, Leythos, you are sensitive to
> Irwin's recurring mention of price, but considering HIPAA, I thought it
> prudent to mention.

Good thoughts. I use a mail server in my DMZ running AV/Exchange
filtering for RBL, Attachments, etc....

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

as415

HIPAA (Health Information Portability and Accountability Act) is a federal law that protects health information. Federal standards are now in place that ensure patients have access to their own medical records while adding new responsibilities to those charged with protecting this information.

For those in the business of providing access to information, these regulations are the proverbial double-edged sword. If patients now have expanded access to their own medical data, the quickest, cheapest and most convenient manner to provide this information is electronically through the internet. So those involved in designing web applications and hosting web sites can expect to see new HIPAA related opportunities. However, with these new opportunities come new responsibilities. The security provisions detailed in HIPAA are exacting. Working within the scope of HIPAA places an onus on web designers to ensure that potentially sensitive medical information is kept private.