Case Study – No firewall equals expensive HIPAA violation

In this week’s case study we will be discussing firewalls and why they matter. HIPAA requires that Covered Entities and Business Associates have reasonable and appropriate safeguards in place to protect patient data. In practice, the NIST Cybersecurity Framework is commonly used as the yardstick for what a reasonably secured network looks like; it lays out what are considered best practices for network security. Having a firewall is not expressly mandated by HIPAA, but because a firewall is a central part of network protection, operating without one is treated as a failure to provide reasonable safeguards, and therefore as a HIPAA violation. Today’s Case Study illustrates how seriously the US Department of Health and Human Services (HHS) takes that.

What happened?

Idaho State University had to pay $400,000 over a series of findings, but the one that stood out the most was the missing firewall: for a period of about 10 months, they operated without a firewall protecting the systems that held patient data. Here is the interesting part. HHS OCR did not find any indication that patient data was actually compromised. That shows how seriously HHS OCR takes the absence of a firewall: they were willing to impose a penalty for it alone. Leaving patient data exposed without a firewall was treated by HHS OCR as a breach in itself and, therefore, a HIPAA violation.

The result

Idaho State University paid $400,000 and was placed on a corrective action plan to get the issues fixed.

What is a firewall?

A firewall is a hardware device (or, in some cases, a software program) that sits between a network and the Internet and decides, according to a policy, which traffic is allowed to cross in either direction. Everything that crosses it can be logged, so a firewall also gives you a record of what came in and what went out. That record is what lets you spot signs of an attack, including unusually large amounts of data leaving the network, as happens in a breach. If an attacker is pulling patient records out of the network, a firewall that someone is actually watching is where that will show up.

Modern firewalls are often sold as Unified Threat Management (UTM) devices, meaning they are more than just firewalls. They typically include an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS), and can also provide services such as spam filtering, Virtual Private Network (VPN) access, and content or traffic filtering.

Firewalls are the first step to keeping attackers out of a network.


Why is not having a firewall a HIPAA violation?

Since HIPAA requires that a Covered Entity or Business Associate take all reasonable and appropriate steps to protect Protected Health Information (PHI), sites must use firewall technology. The confusion often comes in when practices purchase consumer-grade routers that claim to have firewall technology built in. These devices offer little protection, are rarely configured or logged properly, and will not keep out a determined attacker. They certainly were not designed to protect networks that contain PHI.

In addition, the firewall must be monitored. An unmonitored firewall is like an alarm system that does not call the police when it goes off: it is virtually useless. Reviewing the log files for signs of an attack, such as one outside address probing port after port or an internal host sending an unusual volume of data out, lets you respond before the attack succeeds.
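To make the monitoring point concrete, here is an added example (not code from the original post or from any firewall vendor) of what “watching the log files” can mean in practice. It reads a constructed connection log in a made-up format, loosely modelled on connection-summary logs, and flags the two things described above: a single source probing many ports (a port scan) and an internal host pushing an unusual volume of data to outside addresses (possible exfiltration). The log lines, the addresses, the thresholds and the 10.0.0.0/8 and 192.168.0.0/16 “internal” ranges are all assumptions made for this example.

```python
"""Toy firewall-log monitor: flag port scans and bulk outbound transfers.

Added example for this page. The log format is constructed here (loosely
modelled on connection-summary logs) and is not the output of any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log, one connection summary per line:
#   timestamp  src_ip  dst_ip  proto  dst_port  bytes_out  action
SAMPLE_LOG = """\
2024-03-01T02:00:01 198.51.100.7 10.0.5.20 TCP 21 0 DROP
2024-03-01T02:00:01 198.51.100.7 10.0.5.20 TCP 22 0 DROP
2024-03-01T02:00:02 198.51.100.7 10.0.5.20 TCP 23 0 DROP
2024-03-01T02:00:02 198.51.100.7 10.0.5.20 TCP 25 0 DROP
2024-03-01T02:00:03 198.51.100.7 10.0.5.20 TCP 80 0 ACCEPT
2024-03-01T02:00:03 198.51.100.7 10.0.5.20 TCP 110 0 DROP
2024-03-01T02:00:04 198.51.100.7 10.0.5.20 TCP 135 0 DROP
2024-03-01T02:00:04 198.51.100.7 10.0.5.20 TCP 139 0 DROP
2024-03-01T02:00:05 198.51.100.7 10.0.5.20 TCP 443 0 ACCEPT
2024-03-01T02:00:05 198.51.100.7 10.0.5.20 TCP 445 0 DROP
2024-03-01T02:00:06 198.51.100.7 10.0.5.20 TCP 1433 0 DROP
2024-03-01T02:00:06 198.51.100.7 10.0.5.20 TCP 3389 0 DROP
2024-03-01T09:15:00 10.0.5.31 203.0.113.50 TCP 443 2048 ACCEPT
2024-03-01T09:20:00 10.0.5.20 10.0.9.3 TCP 445 500000000 ACCEPT
2024-03-01T23:41:10 10.0.5.20 203.0.113.9 TCP 443 60000000 ACCEPT
2024-03-01T23:52:45 10.0.5.20 203.0.113.9 TCP 443 55000000 ACCEPT
"""

# Assumed address plan for the example: these ranges are "inside" the firewall.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SCAN_PORT_THRESHOLD = 10                      # distinct ports from one source
EGRESS_BYTES_THRESHOLD = 100 * 1024 * 1024    # 100 MiB outbound from one host


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed format; skip blank, comment and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            # A real monitor should count skipped lines: a format change that
            # silently blinds the monitor is itself worth an alert.
            continue
        ts, src, dst, proto, dport, nbytes, action = fields
        events.append(Event(ts, src, dst, proto, int(dport), int(nbytes), action))
    return events


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_port_scans(events, threshold=SCAN_PORT_THRESHOLD) -> dict[str, list[int]]:
    """Sources that touched at least `threshold` distinct destination ports.

    Dropped and accepted attempts both count: the scan that finds an open
    port is exactly the one you want to see.
    """
    ports = defaultdict(set)
    for e in events:
        ports[e.src].add(e.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


def detect_bulk_egress(events, threshold=EGRESS_BYTES_THRESHOLD) -> dict[str, int]:
    """Internal hosts that sent at least `threshold` bytes to external addresses.

    Internal-to-internal traffic is not egress and is ignored, so a large
    copy to a file server inside the network does not trip the check.
    """
    totals = defaultdict(int)
    for e in events:
        if e.action == "ACCEPT" and is_internal(e.src) and not is_internal(e.dst):
            totals[e.src] += e.bytes_out
    return {src: n for src, n in totals.items() if n >= threshold}


def analyse(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {"port_scans": detect_port_scans(events),
            "bulk_egress": detect_bulk_egress(events)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        for src, detail in hits.items():
            print(f"[{kind}] {src}: {detail}")
```

On the sample log, the outside address 198.51.100.7 is reported for probing twelve ports (including two it found open), and 10.0.5.20 is reported for sending about 115 MB out to 203.0.113.9 late at night; the 500 MB copy from 10.0.5.20 to the internal host 10.0.9.3 is correctly not treated as egress. Real deployments would feed the firewall’s own log format in and tune the thresholds, but the two checks are the same ones a person reviewing the logs by hand would be doing.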

Since firewalls are an integral part of network security, you can’t achieve HIPAA compliance without one. Not having one becomes a HIPAA violation by itself.

Summary

HIPAA is about protecting patient data so that providers can offer care. As we move toward a digital future, more and more of this data is in electronic form and therefore easy for attackers to steal in bulk. To prevent this, HIPAA requires that reasonable and appropriate measures be taken to protect it. One of these is installing and monitoring a firewall. Not having a firewall in a practice is a HIPAA violation; Idaho State University found that out, and it cost them $400,000. Don’t make the same mistake. Install a firewall at your office and make sure that someone is monitoring it.