Albert is correct. One class of covered entity is the Hybrid. A firewall can be used to create the barrier which supports the hybrid definition, assuming that the other barriers of servers, desktops, and physical partitioning with access control are also in place.

Tim McGuinness, Ph.D.
HIPAA Help Now Inc. (www.hipaahelpnow.com)
[EMAIL PROTECTED]

-----Original Message-----
From: Oriol, Albert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 15, 2002 12:26 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Debbie R. Linger
Subject: RE: Questions on firewalls

Adding to David's definition, just want to comment that a firewall can create a demarcation point between two subnets within a private network, where the levels of trust are not homogeneous. So basically, what I'm trying to say is that a firewall isn't just something (HW or SW) to separate an organization's network from the outside world. It can be used internally to compartmentalize portions of an internal network based on distinct sensitivity levels and risks.

a.

Albert Oriol, CHE, CISSP
The Children's Hospital, Denver
(303) 861 6094
"Knowledge is the most democratic source of power" -- Alvin Toffler

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 08, 2002 8:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Debbie R. Linger
Subject: Re: Questions on firewalls

REF: Firewall

Here is my definition:

FIREWALL: A device that creates a demarcation point between a private local area network (LAN) and a public wide area network (WAN). Firewalls can provide 1) either packet filtering capabilities to deny or permit various TCP/IP packets, or 2) can act as an application proxy that permits or denies certain application-oriented communications (such as HTTP, SMTP, FTP, etc.). The firewall's configuration can create a "demilitarized zone" (DMZ), that creates a boundary between the public WAN and private LAN.

An "appliance" firewall is a device specifically marketed to be used for the above stated purpose. The appliance firewall can be considered a stand-alone piece of hardware and software. These firewalls are self-contained devices that operate as a "black box".

However, the firewall application is a software application embedded in many routing components, that are configured with firewall capabilities turned on. Example, a Cisco router can have access control lists implemented, which is the configuration of embedded software. Here again the firewall appears as a stand-alone black box.

Thinking of a firewall as "software" is generally incorrect and can get you into trouble. True, some purists will argue that it is nothing more than software; but, not in the managerial sense. From a HIPAA compliance perspective I would suggest that it should be thought of in the "black box" context.

"Policies and procedures" cannot accomplish a firewall function. Firewalls can implement these policies; but, policies alone do nothing to filter packets or applications. Think of the firewall as the device that implements the policies.

David Sweigert, M.Sci., CCNA, CISSP
State IT Security Policy Officer
Department of Administrative Services
http://www.ohio.gov/itp

"HIPAA Office Assistant DHS" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc: "Debbie R. Linger" <[EMAIL PROTECTED]>
Subject: Questions on firewalls
08/08/2002 10:09 AM

May I please have answers to the following questions at your earliest convenience?

1.) What is the definition of a firewall? Is a firewall an actual piece of software or can it be accomplished by Policies and Procedures and limited access?

2.) Can one facility be considered as a health plan and a health provider? Is it a requirement that they are considered one or the other?

Thank you for your help,

Theresa Sack
HIPAA Office Assistant
[EMAIL PROTECTED]
(701) 328-1479

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP.
If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.

CONFIDENTIALITY NOTICE: The information contained in this message is legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Thank you.
