Atlantic.Net Blog

Why WAF Configuration Matters for the Healthcare Industry

Brandon Schroth
by Atlantic.Net (11 posts) under HIPAA Compliant Hosting

Preparedness of the healthcare industry to protect patient data

The newly connected nature of the healthcare industry means patient data can be accessed at any time and from anywhere. However, it also means that the traditional defensive measures which, until now, have kept healthcare organizations and patient data protected from hackers have weakened.

Many healthcare organizations protected their data by putting firewalls around their network and limiting the traffic from the internet allowed into that network.

This is no longer a viable option, due to the rise of electronic medical record-keeping and to healthcare regulations that require patients to have direct access through a healthcare organization’s content management system.

Simply limiting network traffic is no longer a practical, secure method of keeping intruders out. That’s where WAFs (Web Application Firewalls) come in.

Role of WAFs beyond compliance

Many companies end up adopting a WAF into their cybersecurity strategy because of compliance requirements. With stringent requirements for HIPAA compliance leading the way for healthcare data protection, healthcare organizations are no exception.

However, WAFs are often deployed with “out of the box” policies and then left alone. In other words, a hospital will sometimes install an on-premises WAF, configure it once, and then ignore it.

Because of this lack of configuration, many WAFs may not be providing the full protection that hospitals, clinics, and others expect. In their view, a WAF should not only help meet compliance requirements but also protect healthcare and patient data as well as it can.

Problems created by not configuring a WAF

A WAF operates through a set of rules often called policies. These policies dictate how the WAF detects and blocks certain attacks to protect applications; custom WAF rules are available for this reason.

While some WAFs are able to update policies automatically to address the growing complexity and ambiguity surrounding the current cybersecurity threat landscape, reviewing these policies is highly recommended for peak performance.

It’s important to note that whether healthcare organizations are working with a managed service provider to deploy a WAF or working directly with an on-premises WAF, the configuration is key. Take a look at some of the reasons why:

1. Meet compliance requirements

One of the most obvious reasons why an improperly configured WAF may concern healthcare organizations is related to compliance requirements. Fortunately, healthcare organizations can configure a WAF to meet their specific needs.

For example, current standards upheld by HIPAA include specific technical provisions for protecting healthcare data. One technical safeguard required is access control, in which an entity “must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).”

To meet this requirement, WAF administrators can define access rules by creating explicit actions for requests that meet various conditions (specific IP addresses, regions, URLs, etc.). Each rule’s action can then be set to allow, detect, or block the matching requests.

2. Block new threats

Without proper configuration, new threats can pass through the WAF, while untuned rules generate high rates of false positives that ultimately degrade overall performance. Configuration is therefore needed to optimize the WAF’s ability to block the attacks that are common against healthcare organizations.

For example, to prevent attacks like ransomware, a proper WAF configuration is necessary, more specifically a policy or rule governing file uploads. Such a policy blocks the upload of malicious files, including files that could be executed on the web server.

3. Reduce latency

Like many other businesses, healthcare organizations want to provide a seamless experience for website visitors. Any delay or latency as caused by the WAF can negatively impact the end-user experience.

Because inspecting requests and responses is inherently compute-intensive, a WAF may add latency depending on the complexity of its policies and the applications in use. An excessive number of rules can therefore itself become a source of latency.

Administrators at healthcare organizations should carefully review WAF configurations, since vendor-suggested policies do not always merge cleanly with the existing ones.

WAF configuration example

To illustrate further why WAF configuration matters to healthcare organizations, take a look at the following example: a local clinic that only works with patients within its state could configure its WAF to block traffic from the rest of the world, preventing unauthorized access from other countries. This configuration would also reduce the traffic passing through the WAF, thereby improving its performance.
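As an added illustration (this is not code from the post, nor from any WAF vendor), the following Python sketch ties together the three configuration points discussed above: ordered access rules with allow, detect, and block actions keyed on IP address, region, and URL (section 1), an upload policy that refuses executable files (section 2), and the geo-blocking clinic example. The GeoIP table, networks, paths, and file headers are constructed sample data; a real WAF would resolve countries from a GeoIP database.

```python
import ipaddress
import os
from dataclasses import dataclass

# Constructed sample data. A real WAF resolves country via a GeoIP database;
# here a small CIDR-to-country table stands in for it.
HOME_COUNTRY = "US"
GEOIP = {"198.51.100.0/24": "US", "203.0.113.0/24": "KR", "192.0.2.0/24": "CA"}
PARTNER_NET = ipaddress.ip_network("192.0.2.0/24")   # out-of-country telehealth partner
ALLOWED_UPLOAD_EXT = {".pdf", ".jpg", ".png"}
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!")              # PE, ELF and script headers

@dataclass
class Request:
    ip: str
    path: str
    upload_name: str = ""     # filename of an uploaded file, if any
    upload_head: bytes = b""  # first bytes of that file

def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"

def bad_upload(r: Request) -> bool:
    """Refuse by extension, and by magic bytes so a renamed executable still fails."""
    if not r.upload_name:
        return False
    ext = os.path.splitext(r.upload_name.lower())[1]
    return ext not in ALLOWED_UPLOAD_EXT or r.upload_head.startswith(EXEC_MAGIC)

# Ordered (name, condition, action). Specific allow exceptions come first, the
# geo-block follows, and detect rules only log while evaluation continues.
RULES = [
    ("partner-api-allow", lambda r: r.path.startswith("/api/partner/")
                                    and ipaddress.ip_address(r.ip) in PARTNER_NET, "allow"),
    ("geo-block-foreign", lambda r: country_of(r.ip) != HOME_COUNTRY, "block"),
    ("upload-executable", bad_upload, "block"),
    ("admin-path-detect", lambda r: r.path.startswith("/admin"), "detect"),
]

def evaluate(req: Request):
    """Apply RULES in order: 'allow' and 'block' are terminal, 'detect' records
    the match (log-only) and keeps going. Returns (action, matched rule names)."""
    matched = []
    for name, cond, action in RULES:
        if cond(req):
            matched.append(name)
            if action != "detect":
                return action, matched
    return "allow", matched
```

Rule order is the whole point: the partner allow exception must precede the geo-block, and a detect-only rule lets the request through while still recording the match for review.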

WAFs can be complex to deploy, given that healthcare organizations may need to establish efficient policies to effectively protect healthcare data. However, considering that the healthcare industry is a prime target for hackers, healthcare organizations should fine-tune the WAF to meet their security needs and periodically review the rules to keep performance in check as well.

Author: Karen Cruz

Karen is the Digital Marketing Manager at Cloudbric, a cloud WAF vendor based out of Seoul that brings enterprise-level security to the forefront of small to mid-sized businesses.
