Firewalls are something a lot of people just don’t understand. They know they need one, but don’t know exactly what it does. To make matters more confusing, the word firewall has been overused and diluted by tech companies, because many consumer routers are advertised as firewalls. Consumer routers are those that you can buy from Best Buy, Amazon, etc., such as Linksys, Buffalo, TP-Link, and others. In addition, devices provided by internet service providers (ISPs) to connect to the Internet are advertised as routers and firewalls. Medical practices are required to have a firewall to achieve HIPAA compliance. A firewall is needed to satisfy part of the Security Rule. However, many practices are using consumer routers or ISP-provided modems in place of real firewalls. These devices offer nearly zero protection and are usually accidents waiting to happen. Read on to find out how one popular brand of consumer routers leaves your network wide open to attacks from cybercriminals.
Linksys routers leak like a submarine with screen doors
Security researchers recently discovered flaws in the Linksys brand of consumer routers. Because they are so easy to purchase, these routers are extremely common in homes and businesses. The flaw caused the routers to leak valuable information to an attacker. This information includes a list of every device that has ever connected to the router, each device’s unique name, and the operating system it used. This means that an attacker now knows what kinds of computers or devices you are using. That makes an attack much easier to carry out, because the attacker knows what to target.
The researchers used a search engine called BinaryEdge. This search engine searches the Internet for connected devices such as routers, baby cams, and webcams. Using BinaryEdge, researchers were able to identify almost three dozen different models of Linksys routers that had a serious vulnerability. On their first scan, they located 25,617 Linksys devices with the vulnerability.
This vulnerability would allow attackers to, over time, build a list of users that access a device. Combined with other information, this would allow those users to be tracked. It also gives up valuable information to an attacker, such as the operating systems used, which means that they can better tailor their attacks to those systems.
However, the leaked information gave away one more very useful piece of information: whether or not the default administrator password for the device had been changed. If the password hasn’t been changed, then an attacker can gain full control over the device.
Game over for network security.
How many practices change the password when they set up their router for the first time?
Just how bad can consumer routers be?
A recent study by The American Consumer Institute found that 83% of ALL devices had multiple vulnerabilities. In fact, the study found that the routers averaged 172 vulnerabilities PER DEVICE. Many of these vulnerabilities gave the attacker complete access to the device, offering no protection. Once an attacker has access to your router, he has complete control over your network.
While HIPAA regulations don’t ever mention the word firewall specifically, HHS has fined sites for not having a firewall. This means that, in practice, a quality firewall is required to protect patient data. This can’t be solved by using a low-cost consumer router. In fact, using one means that an entity can’t achieve HIPAA compliance.
What do small practices need to do?
A business-grade firewall is required for you to achieve HIPAA compliance. These next-generation devices bundle several security devices into one and are known as Unified Threat Management (UTM) devices. UTMs will have firewall technology along with Intrusion Detection and Prevention components. These will make breaking into your network from the Internet much more difficult for an attacker.
In addition, firewalls create a lot of logs that must be monitored for signs of attacks. Having a firewall and not reviewing these log files is like having an alarm system with no monitoring service. When the alarm goes off, no one hears it, making it pretty useless. The same goes for firewalls. You have to review the logs and make sure that everything is good.
If you are using a consumer router from a company such as Linksys, it’s time to replace it. Consider a device using pfSense to protect your practice. pfSense devices are inexpensive and offer an impressive number of tools to protect your practice.
In addition, firewalls need to be monitored. If no one is watching them, then it’s similar to having an alarm system that doesn’t call the police when you have a break-in. Firewalls produce logs and alerts. Whenever an attacker tries to access your network, there will be signs and clues. These clues will show up in the log file.
Firewalls can also help stop ransomware
Many common forms of ransomware run completely automated. They will scan internet IP addresses looking for networks with openings. Think of a burglar walking through a subdivision looking for houses that have open windows. He isn’t targeting any house in particular; he just wants to get into a house through an open window. Ransomware works the same way. It isn’t trying to get into your practice specifically; it just wants in so the hacker can make money. If ransomware finds an open port (like the window for a burglar), then it begins to break in. If no one sees these attempts, the attack will continue until it is successful. However, if someone is watching, then it is easy to block the attack so that the ransomware won’t gain access.
The most common way this happens is that a practice sets up remote access for users, outside billing companies or remote employees. Rather than use a VPN, they set up access to go directly to their server through their router. This means once the ransomware is in, it usually gains access to the server. From there, the ransomware goes to work. It will encrypt all of the data it can find. By the time the practice notices, it is too late.
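The log review described above can be partly automated. The following Python sketch is an added example, not part of the original article or of pfSense: it reads firewall filter log entries and reports sources that were blocked on several different ports, plus inbound connections that were passed straight to a remote-access port. It assumes pfSense's raw filterlog CSV layout for IPv4 TCP/UDP entries; the interface name igb0, the port set, the threshold and the log lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample entries (documentation/private IP ranges), not real traffic.
SAMPLE_LOG = """\
Jan 10 02:14:01 fw filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,1111,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40001,23,0,S,100,,1024,,
Jan 10 02:14:02 fw filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,1112,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40002,445,0,S,101,,1024,,
Jan 10 02:14:03 fw filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,1113,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,40003,8080,0,S,102,,1024,,
Jan 10 02:15:40 fw filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,1114,0,DF,6,tcp,60,203.0.113.99,198.51.100.10,51000,23,0,S,103,,1024,,
Jan 10 02:16:09 fw filterlog[4321]: 80,,,1770009999,igb0,match,pass,in,4,0x0,,118,2001,0,DF,6,tcp,52,203.0.113.50,192.168.1.5,49152,3389,0,S,104,,64240,,
Jan 10 02:16:30 fw filterlog[4321]: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,1115,0,DF,1,icmp,84,203.0.113.7,198.51.100.10,request,1,2
Jan 10 02:17:00 fw filterlog[4321]: 70,,,1770001234,igb1,match,pass,in,4,0x0,,64,2222,0,DF,6,tcp,60,192.168.1.20,198.51.100.200,51000,443,0,S,105,,64240,,
"""

# Assumption: ports treated as "remote access" for this example (SSH, RDP).
REMOTE_ACCESS_PORTS = {22, 3389}

def parse_filterlog(line):
    """Parse one IPv4 TCP/UDP filterlog entry; return None for anything else."""
    payload = line.split("]: ", 1)[-1].strip()   # drop the syslog prefix if present
    f = payload.split(",")
    # Assumed layout: 4=interface 6=action 7=direction 8=IP version
    # 16=protocol 18=source 19=destination 21=destination port
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp") or not f[21].isdigit():
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def review(lines, wan="igb0", scan_threshold=3):
    """Return (sources blocked on >= scan_threshold ports, passed remote-access flows)."""
    blocked = defaultdict(set)
    exposed = set()
    for line in lines:
        e = parse_filterlog(line)
        if e is None or e["iface"] != wan or e["dir"] != "in":
            continue                              # only inbound traffic on the WAN side
        if e["action"] == "block":
            blocked[e["src"]].add(e["dport"])
        elif e["action"] == "pass" and e["dport"] in REMOTE_ACCESS_PORTS:
            exposed.add((e["src"], e["dst"], e["dport"]))
    scanners = {s: sorted(p) for s, p in blocked.items() if len(p) >= scan_threshold}
    return scanners, sorted(exposed)

if __name__ == "__main__":
    scanners, exposed = review(SAMPLE_LOG.splitlines())
    print("Sources probing multiple ports:", scanners)
    print("Inbound remote access passed without a VPN:", exposed)
```

Passed connections show up only when logging is enabled on the pass rule, so a port forward that is not logged will not be reported by this check.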
Firewalls are required for your practice to protect patient data. A consumer-grade router or one provided by your ISP isn’t going to get the job done. Invest in a quality business-grade device to ensure you are doing your part. Failing to do so is playing with fire, and it is just a matter of time before your practice is attacked and breached.