Preparedness of the healthcare industry to protect patient data
The newly connected nature of the healthcare industry means patient data can be accessed at any time and from anywhere. However, it also means that the traditional defensive measures which until now kept healthcare organizations and patient data protected from hackers have weakened.
Many healthcare organizations protected their data by putting firewalls around their network and limiting the traffic from the internet allowed into that network.
This is no longer a viable option, both because of the rise of electronic medical record-keeping and because certain healthcare acts require that patients have direct access through a healthcare organization’s content management system.
Simply limiting network traffic is no longer a practical, secure method of keeping intruders out. That’s where WAFs (Web Application Firewalls) come in.
Role of WAFs beyond compliance
Many companies end up adopting a WAF into their cybersecurity strategy because of compliance requirements. With stringent requirements for HIPAA compliance leading the way for healthcare data protection, healthcare organizations are no exception.
However, WAFs are often deployed with “out of the box” policies and then left alone. In other words, a hospital will sometimes install an on-premises WAF, configure it once, and then ignore it.
Because of this lack of configuration, many WAFs may not be providing the full protection that hospitals, clinics, and others expect of them. In their minds, a WAF should not only help meet compliance requirements but also protect healthcare and patient data as well as it can.
Problems created by not configuring a WAF
A WAF operates through a set of rules often called policies. These policies dictate how the WAF detects and blocks certain attacks to protect applications; custom WAF rules are available for this reason.
While some WAFs are able to update policies automatically to address the growing complexity and ambiguity surrounding the current cybersecurity threat landscape, reviewing these policies is highly recommended for peak performance.
It’s important to note that whether healthcare organizations are working with a managed service provider to deploy a WAF or working directly with an on-premises WAF, the configuration is key. Take a look at some of the reasons why:
1. Meet compliance requirements
One of the most obvious reasons why an improperly configured WAF may concern healthcare organizations is related to compliance requirements. Fortunately, healthcare organizations can configure a WAF to meet their specific needs.
For example, current standards upheld by HIPAA include specific technical provisions for protecting healthcare data. One technical safeguard required is access control, in which an entity “must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).”
To meet this requirement, WAF administrators can define access rules by creating explicit actions for requests that meet various conditions (specific IP addresses, regions, URLs, etc.). Each rule’s action can then be set to allow, detect, or block the matching requests.
2. Block new threats
Without proper configuration, new threats can pass through the WAF, while poorly tuned rules generate high numbers of false positives that ultimately degrade overall performance. Configuration is therefore needed to optimize the WAF’s ability to block the attacks that are common against healthcare organizations.
For example, preventing attacks like ransomware requires a specific WAF configuration, namely a policy or rule governing file uploads. Such a policy prevents the upload of malicious files and blocks the upload of any file that could be executed on the web server.
3. Reduce latency
Like many other businesses, healthcare organizations want to provide a seamless experience for website visitors. Any delay or latency as caused by the WAF can negatively impact the end-user experience.
Because inspecting requests and responses is inherently compute-intensive, a WAF may introduce latency depending on policy complexity and the applications in use. An overly large or complex set of WAF rules can therefore itself be a source of latency.
Administrators at healthcare organizations should review WAF configurations carefully, since suggested WAF policies will not always merge cleanly with the rules already in place; overlapping or redundant rules add inspection work without adding protection.
WAF configuration example
To illustrate further why WAF configuration matters to healthcare organizations, consider the following example: a local clinic that only works with patients within its own state could configure its WAF to block traffic originating from anywhere else in the world, preventing unauthorized access attempts from other countries. The same configuration also reduces the amount of traffic that passes through the WAF, thereby improving its performance.
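As an added illustration of the rule model described on this page (conditions on source IP, region and URL with allow, detect or block actions; a file-upload policy that rejects files the web server could execute; and the in-state clinic’s geo-fence), the following Python is a toy policy engine written for this article. It is not Cloudbric’s code and does not follow any real WAF’s rule format. The region codes, CIDR ranges, URL paths and rule names are constructed assumptions, and the request’s region is assumed to be resolved upstream by a GeoIP lookup.

```python
"""Toy WAF policy engine (added illustration; not a real WAF's rule format)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

BLOCK, DETECT, ALLOW = "block", "detect", "allow"


@dataclass
class Request:
    src_ip: str
    region: str                      # assumed resolved upstream by a GeoIP lookup
    path: str
    upload: Optional[bytes] = None   # raw bytes of an uploaded file, if any
    upload_name: Optional[str] = None


@dataclass
class Rule:
    name: str
    action: str                      # one of BLOCK, DETECT, ALLOW
    condition: Callable[[Request], bool]


# --- condition builders (IP, region, URL), mirroring the access-rule section ---
def ip_in(cidrs: List[str]) -> Callable[[Request], bool]:
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.src_ip) in n for n in nets)


def region_not_in(allowed: List[str]) -> Callable[[Request], bool]:
    return lambda r: r.region not in allowed


def path_starts(prefix: str) -> Callable[[Request], bool]:
    return lambda r: r.path.startswith(prefix)


# --- file-upload policy: reject files the web server could execute ---
EXECUTABLE_EXT = {".exe", ".dll", ".php", ".jsp", ".aspx", ".sh", ".bat"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"<?php")


def executable_upload(r: Request) -> bool:
    """True when the upload looks executable by extension OR by leading bytes.
    Checking content as well as name catches a binary renamed to e.g. .jpg."""
    if r.upload is None or r.upload_name is None:
        return False
    name = r.upload_name.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return ext in EXECUTABLE_EXT or r.upload.startswith(EXECUTABLE_MAGIC)


def evaluate(rules: List[Rule], r: Request) -> Tuple[str, List[str]]:
    """Walk rules in order. DETECT rules only record a match and continue;
    the first matching ALLOW/BLOCK rule terminates. Default is ALLOW."""
    matched: List[str] = []
    for rule in rules:
        if not rule.condition(r):
            continue
        matched.append(rule.name)
        if rule.action != DETECT:
            return rule.action, matched
    return ALLOW, matched


# --- constructed policy for a clinic serving one state (region code "US-CA") ---
vpn = ip_in(["10.8.0.0/24"])            # assumed staff VPN range
is_admin = path_starts("/admin")

CLINIC_RULES = [
    # geo-fence first: out-of-state traffic is dropped before costlier checks
    Rule("geo-fence", BLOCK, region_not_in(["US-CA"])),
    Rule("admin-vpn-only", BLOCK, lambda r: is_admin(r) and not vpn(r)),
    Rule("block-executable-upload", BLOCK, executable_upload),
    # detect-only: log access to records for audit without blocking it
    Rule("audit-record-access", DETECT, path_starts("/patient-records")),
]


def decide(r: Request) -> Tuple[str, List[str]]:
    return evaluate(CLINIC_RULES, r)


if __name__ == "__main__":
    for req in (
        Request("203.0.113.5", "KR", "/portal"),
        Request("10.8.0.7", "US-CA", "/admin"),
        Request("198.51.100.9", "US-CA", "/portal/upload", b"MZ\x90\x00", "innocent.jpg"),
    ):
        print(req.src_ip, req.path, "->", decide(req))
```

Two design points are worth noting. Rule order matters: the geo-fence sits first so that out-of-state requests are rejected before the more expensive upload inspection runs, which is the performance benefit the clinic example describes. And the upload rule checks the file’s leading bytes as well as its name, because a policy that trusts the extension alone would accept an executable that was simply renamed; the detect-only audit rule shows how a rule can record a match for review without blocking legitimate access.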
WAFs can be complex to deploy given that healthcare organizations may need to establish efficient policies to effectively protect healthcare data. However, considering that the healthcare industry is a prime target among hackers, healthcare organizations should fine-tune the WAF to meet their security needs and periodically review the rules to keep performance in check as well.
Author: Karen Cruz
Karen is the Digital Marketing Manager at Cloudbric, a cloud WAF vendor based out of Seoul that brings enterprise-level security to the forefront of small to mid-sized businesses.