As you begin to establish your network security policy, you need to address several issues that deal primarily with internal users' ability to access Internet-based resources and services. Many users automatically assume that if they have a computer connected to a network, they must also have Internet access. Unfortunately, the insecurities and threats of cyberspace have made unrestricted access to the Internet a thing of the past in most organizations.
Before you begin planning your network policy, take a hard look at which Internet resources your company users need to do their jobs (such as access to e-mail or basic Web pages), as opposed to those resources they might like to have (such as access to streaming audio and video). Internet access is not an all-or-nothing entity; instead, it is comprised of innumerable individual information services. You are probably familiar with many of these services: Web, FTP, chat, instant messaging, newsgroups, e-mail, telnet, streaming audio, and video. Firewalls can be employed to individually grant or restrict traffic based on each of these services, and your network security policy should address usage of each service individually.
E-mail access
As e-mail becomes a more popular way to communicate to patients, pharmacists, and colleagues, you need to have appropriate policies in place to safeguard your network from threats. Although e-mail is the most widely used Internet information service, it has also become the most popular delivery mechanism for viruses, Trojan horses, and other malicious code attacks. Since the benefits of this communication vehicle can be a tremendous asset, it's important to think about how you can appropriately manage items such as encryptions, entity authentication, and message authentication, which are a requirement for HIPAA compliance.
E-mail primarily consists of three protocols: SMTP, POP3, and IMAP. SMTP (Simple Mail Transfer Protocol) is the protocol used by clients to submit outbound messages to e-mail servers, and by e-mail servers to move e-mail from server to server on its way to its destination (i.e., the recipient's e-mail inbox). E-mail clients use POP3 (Post Office Protocol version 3) and IMAP (Internet Message Access Protocol) to retrieve e-mail from an inbox on an e-mail server. POP3 is the more widely used, but IMAP natively supports encryption. You may want to write your network security policy so it requires the use of IMAP instead of POP3. You'll also need to specify that IMAP and SMTP should be allowed to pass through the firewall, although you may want to use content or source/destination filters to restrict abuses.
Another important aspect of e-mail you must consider is attachments. An attachment allows an e-mail message to deliver just about any object from the sender to the receiver. Unfortunately, an attachment can just as easily contain malicious code, such as a virus, as it can contain a harmless and useful document such as a patient inquiry. As part of your security policy, you should require, at the least, virus scanning on all IMAP and SMTP traffic. You may also need to consider whether to allow attachments at all. If your network and your data are highly sensitive and valuable, stopping attachments at the border firewall may be a worthwhile safeguard against damage, theft, and infection.
You should also consider the attachments that you allow out of your offices. For example, patient information that includes sensitive lab results may not be the best candidate for transfer via e-mail. You may want to limit the type of content that employees can send via e-mail to non-sensitive data.
Content filtering
Content filtering must be addressed in a network security policy. You must decide whether to allow all traffic through the firewall without restriction or to filter traffic based on a clearly defined set of acceptable use traffic and content rules. An acceptable use list tells users what they can and cannot do on the local network and on the Internet when using company equipment. To establish your acceptable use policy, create an exhaustive list of acceptable and unacceptable activities. Some items you might include are:
•
No patient lab results
•
No personal health information on government employees
•
No trafficking or trading in copy-protected files (such as audio and video)
•
No pornography
•
No mailing distribution lists originating from the local network
From this list, you can easily create firewall specific rules to control and manage inbound and outbound traffic. However, before you set up your content and traffic rules and configure your firewall appropriately, be sure you run the list of acceptable content by the people it will affect most—the organization's employees.
You may find that prohibiting certain kinds of content may have a negative affect on the way some employees do their jobs. This doesn't mean you have to change your security rules—you may be able to find other, more secure ways for employees to receive those files—but gathering input from employees early in the process will save you time in the end.
VPN access
As more and more health professionals become mobile and work from remote locations, Virtual Private Networks (VPNs) provide them a secure way to retrieve centrally stored information. VPNs are a means to establish a normal network connection between distant systems and allow remote users to connect to the office network without compromising network security. The remote user connects to the Internet via a local connection (modem dialup, cable, DSL, etc.), then establishes a VPN link with the network over the Internet.
If you have employees that need to work remotely—either from home or while on the road—then VPN is a necessary component of your network security system. As you begin to formulate a policy for VPN access, you'll need to define which VPN protocols are allowed and exactly who can use VPN connections.
A step in the right direction
While this list of Internet access issues are considerations to think about as you plan your security policy, it isn't exhaustive; however, it should give you a good idea of the main areas to contemplate. A thorough investigation of users' Internet access needs, balanced with your data security needs, will help your security policy begin to take shape.
To download the latest Adobe® Reader®, please go to the Adobe website at http://www.adobe.com. Adobe and Reader are trademarks of Adobe Systems Incorporated.
Printable version
