Consumer Routers Don’t Protect Your Practice’s PHI

Firewalls are something a lot of people just don’t understand. They know they need one, but don’t know exactly what they do. To make matters more confusing, the word firewall has been overused and diluted by tech companies because many consumer routers are advertised as firewalls. Medical practices need firewalls to achieve HIPAA compliance by protecting network access to PHI. However, many practices are using consumer routers in place of real firewalls. These devices offer nearly zero protection and usually accidents waiting to happen. Read on to find out how one popular brand of consumer routers leave your network wide open to attacks from cybercriminals.

Linksys routers leak like a submarine with screen doors

Security researchers recently discovered flaws in the Linksys brand of consumer routers. Linksys devices can be purchased online at Amazon or in stores such as BestBuy or Walmart. They are extremely common and widely installed. The flaw caused the routers to leak information such as every device that ever connected to them, those device’s unique names, and the operating system they used.

The researchers used a search engine called Binary Edge. This search engine searches the Internet for connected devices such as routers, baby cams, and webcams. Using Binary Edge, researchers were able to identify almost three dozen different models of Linksys routers that had a serious vulnerability. On their first scan, they located 25,617 Linksys devices with the vulnerability.

This vulnerability would allow attackers to, over time, build a list of users that access a device. Combined with other information, this would allow those users to be tracked. It also gives up valuable information to an attacker like the operating systems used which means that they can better tailor their attacks to those systems.

However, the leaked information gave away one more very useful piece of information: whether or not the default administrator password for the device had been changed. If the password hasn’t been changed, then an attacker can gain full control over the device.

Game over for network security.

Just how bad can consumer routers be?

In a recent study by The American Consumer Institute, they found that 83% of all devices had multiple vulnerabilities. In fact, they found that each router averaged 172 vulnerabilities PER DEVICE. Many of these vulnerabilities gave the attacker complete access to the device,  offering no protection.

While HIPAA regulations don’t ever mention the word firewall, HHS has fined sites for not having a firewall. This means that by default a quality firewall is required to protect patient data. This can’t be solved by using a low-cost consumer router. In fact, using one means that an entity can’t achieve HIPAA compliance.

What do small practices need to do?

A business grade firewall is required for you to achieve HIPAA compliance. These next-generation devices bundle several security devices into one and are known as Unified Threat Management (UTM) devices. UTMs will have firewall technology along with Intrusion Detection and Prevention components. These will make breaking into your network from the Internet much more difficult to an attacker.

In addition, firewalls create a lot of logs that must be monitored for signs of attacks. Having a firewall and not reviewing these log files is like having an alarm system with no monitoring service. When the alarm goes off, no one hears it making it pretty useless. Same for firewalls. You have to review the logs and make sure that everything is good.

If you are using a consumer router from a company such as Linksys, its time to replace it. Consider a device using pfSense to protect your practice. pfSense devices are inexpensive and offer an impressive amount of tools to protect your practice.