// My company has a VERY distributed user base with many people
// working from small satellite sites and/or from home. I would
// love suggestions for a PC level firewall that would protect

Why only a PC level firewall?

// from intrusions and also whether hardware v. software solutions
// would be best. We deal with medical records so privacy of the
// data is imperative.

Then the HIPAA regs will force you to do more than just get a PC firewall.

// The basic case scenario is a user working from home and
// connecting to the internet via cable/dsl/dial-up via an ISP to
// access mail (webaccess) and upload or download data (via SSL to
// our public web server) that may contain patient information.

While a PC firewall is a good idea, it will not satisfy HIPAA. You have a couple of options as to what you can do about this. I am very concerned about the uploading/downloading from a public web server to a home system. Very scary.

The first (and I recommend this) is a router to router VPN connection. You could also do this with a Win2K RRAS box on the server end and a router on the other end. In an emergency you could use a VPN connection from a system (say a laptop) instead of a router. I would discourage this, though. Make sure that the router can be restricted as far as who admins it. Users should not be able to change anything on the router.

The second option would be to set up a Citrix server and have only connections through the Citrix secure client. You could also move your office to thin clients, making security even tighter. The only drawback to this is that it is expensive. It is the superior solution. Tarantella might work, but I have never worked with it, so I cannot say for certain.

You also need to trash all of your insecure operating systems. Any system that does not require a login is not acceptable (a real login; Win95/98/ME are not real logins). One of the nice things about Citrix is that it does not matter what system it is on; security is handled at the server and data is handled the same way on all clients. Data can be viewed but is not saved on the local system.

I would suggest immediately moving to encrypted email for all interoffice email, and any external email that deals with patients. At the very least use a secure email setup. I would also not allow access to Exchange via Outlook Web Access. Use the VPN and have them log into the domain. I would also archive ALL email that goes through Exchange. You might consider an automatic carbon copy of all email to an Exchange mailbox that is controlled by the CEO or CIO (if you have one).

You also need to examine your procedures in the office. Who is allowed to look at files, do you have logging enabled, who now has access, who should not have it that does, etc....

Are you using Microfour's Practice Studio? If you are, then you have some gaping security holes. Microfour feels the need to share out the C: drive without any password, and no restrictions. I have battled these jokers about this on several occasions. I have had to actually go behind them and unshare the drive, only to find they dialed in, the doctor/recep/nurse/whatever gave the admin password, and they reshared it. After speaking to them about this and explaining the issues this caused, I was told: "That computer is for our use. It does not matter what you want to do. We will do with it what we want. You should not be putting anything else on this system."

PC firewall suggestions (please remember that this will only stop attacks on a system, and there should not be any information stored there anyway):

1) BlackIce - best for novices, and reliable. Can eventually be integrated into a larger system later (if you go with the RealSecure version).
2) Tiny Personal Firewall - can be very confusing and mistake prone if not managed by a knowledgeable person. Remote admin with an admin only option.
3) Sygate Personal Firewall - have not used it personally, but have heard good things.
4) Zone Alarm - alarm is right. Until Steve Gibson stops flogging this product I will never recommend it. Every person I know who has used it has had problems. I have a major problem with this product in that it appears to try to be all things to all people, which never works.
5) Norton Personal Firewall - well, it is a Symantec product. I don't like them and will not use them. I don't need software on my system to download products, especially without my permission. They think otherwise. Again, have seen many problems with this product. Support is a joke.
6) McAfee - well, they had a good line of e-ppliances, but as per SOP they ruined the business. They can never seem to get their act together. Support is worse than a joke. If you have a good idea and want it to fail, sell it to McAfee.
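The unrestricted C: share described in the post is the kind of thing an administrator wants to find before a vendor re-creates it. The following audit script is an added example, not code from the post or from any product mentioned in it. It assumes a current Windows host with the SmbShare module (Windows 8 / Server 2012 and later, which postdates the Win2K era of the thread) and an elevated PowerShell session; the list of "broad" principals is a constructed assumption and can be tightened to the site's policy.

```powershell
# Added audit script (not part of the original post): lists SMB shares on the
# local machine that grant access to Everyone / ANONYMOUS LOGON or that expose a
# drive root, the kind of unrestricted C: share described above.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later); run elevated.

# Principals whose presence on a share ACL means "no real access restriction".
# Constructed list; adjust to local policy.
$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users', 'Guests')

function Get-RiskySmbShare {
    [CmdletBinding()]
    param()

    # Skip the hidden administrative shares (C$, ADMIN$, IPC$); they are
    # restricted to administrators by design and flagged as Special.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        $findings = @()

        # Drive-root export: any rights at all on "C:\" expose the whole disk.
        if ($share.Path -match '^[A-Za-z]:\\?$') {
            $findings += "exports drive root $($share.Path)"
        }

        # Share-level ACL entries that hand access to broad, unauthenticated or
        # catch-all principals. AccountName may carry a domain prefix
        # ("NT AUTHORITY\ANONYMOUS LOGON"), so compare the trailing part.
        $acl = Get-SmbShareAccess -Name $share.Name
        foreach ($ace in $acl) {
            $principal = ($ace.AccountName -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $principal) {
                $findings += "grants $($ace.AccessRight) to $($ace.AccountName)"
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name     = $share.Name
                Path     = $share.Path
                Findings = ($findings -join '; ')
            }
        }
    }
}

# Usage: print the risky shares; prints nothing when the host is clean.
Get-RiskySmbShare | Format-Table -AutoSize
```

Run it on each workstation after a vendor visit or as a scheduled task that forwards its output to whoever owns the audit log. A share it reports can be removed with `Remove-SmbShare` or tightened with `Revoke-SmbShareAccess`, but the post's larger point still holds: the durable fix is to keep patient data off the local disk entirely, so that a re-shared drive has nothing on it worth reading.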