Does your office use a consumer router from one of the following vendors as its access to the Internet?
A new report form The American Consumer Institute will make you wish you weren’t using one. A sampling of 186 routers were taken from the manufacturers above and they found an astonishing 83% were vulnerable to remote attack. This means attacks from outside your network, or across the Internet. A total of 32,003 vulnerabilities were found with an average of 172 PER router.
What this means is that just about any consumer router you can buy online, at Best Buy, Walmart, or similar locations is vulnerable.
What is a vulnerable consumer router?
This means that the router has a vulnerability that allows a remote attacker to compromise the device. This would allow remote attackers to gain access to your practice’s network. These devices weren’t designed with in depth logging or ways to alert users of an attack. An attacker would be able to bypass the router and steal ePHI without a practice ever knowing.
The main reason for these issues is that consumer routers were never intended to protect a business or practice. They were originally designed to provide internet access to a home. No effort was made to add security to these devices and, over time, the threats have become more plentiful and dangerous.
These devices are not firewalls and won’t protect you from the bad things on the Internet. For that, a business level firewall is required.
Another issue is that when these routers have updates, most practices don’t install them. That means that even though a vulnerability has been patched, most offices still run on unpatched software. Its not something most people think about, keeping their routers up to date.
What is a firewall?
Firewalls are central points for the the protection of computer networks. These devices are the gatekeepers to your network, protecting it from attacks from the Internet. While not specifically required under HIPAA law, HIPAA does require that all Covered Entities and Business Associates do what is reasonable and appropriate to protect electronic protected health information (ePHI). The Department of Health and Human Services (HHS) defaults to the NIST Cybersecurity Framework for network security recommendations. The NIST framework does require network firewalls to be in place. HHS may not require them, but they have fined Covered Entities for not using them. You can’t achieve HIPAA network security without a firewall. If you can’t have a secure network, then you can’t be HIPAA compliant.
Consumer routers are completely unsafe and should not be used for small businesses or practices. Especially not in cases where ePHI is involved. These devices have been found to contain, on average, 172 vulnerabilities per device. some of these vulnerabilities would give a remote attacker complete access to your network. 83% of the consumer routers tested were found to be vulnerable. Chances are, if you are using one, yours is vulnerable as well.
Here is a list of the consumer routers that were tested for this report: