The HIPAA Of Things
There is a massive effort underway to move healthcare out of big expensive hospital settings and into outpatient clinics, doctors’ offices and even our homes. Even within hospitals, medical devices are being connected in manners never before possible in order to provide higher levels of care.
All of these efforts have serious implications in terms of protecting our information, and that falls under the HHS HIPAA regulations. In January the FDA released guidelines that essentially push HIPAA compliance out to the medical device endpoints.
We have been stating over and over that Phantom is different, that we provide complete security and not a series of one-off hacks. To drive this point home, we wanted to explore what it means to be HIPAA-compliant, show how Phantom supports this compliance and challenge you to show us anything else in the market that comes close to what we offer the IoT.
HIPAA breaks down into 4 main categories: privacy, hacking protection, controlled access and workforce compliance. We will examine each one in turn.
The first part of HIPAA states that an entity must:
1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
This part of HIPAA is probably the easiest to support, as it broadly breaks down into protecting data in transit from the point where the data is collected/stored to some other endpoint. And yet that has implications in IoT security that are mostly glossed over these days. To properly enforce HIPAA, the data must be encrypted, really, at the medical device endpoint and then securely transmitted, usually over multiple mediums, to a cloud in many cases.
Take, as one example, a simple Bluetooth-enabled diagnostic tool such as a thermometer. In order to protect that data, the information has to flow over Bluetooth to a local computer and then be transmitted, usually over a local WiFi connection, to a local server. Finally the data is transmitted from the local server, usually an EHR repository, to a cloud and that often goes over the Internet. Think about the options for protection today and it becomes clear that no single solution exists to protect data all the way through these endpoints.
Phantom, on the other hand, works over Bluetooth, WiFi and the Internet and works from the medical devices through the local laptop to the local servers and to the cloud. With Phantom, a single administrative interface can provide policy-based control that ensures full privacy of the collected data all the way through this chain.
The second part of HIPAA, hacking protection, sits on the other side of the spectrum and is probably the most difficult to maintain in the IoT, as it states that compliance equates to the ability to detect and respond to new attacks on systems conveying, storing or processing health-related data. In mainstream systems with updateable software (like your computer), this process is challenging but not impossible.
But how about medical devices? They run embedded software, many without an operating system anywhere in sight, and they are inherently static and not easy to update, if updating is at all possible. In fact, many medical devices lack the basic hardware required to support the standard encryption for Privacy and will need to be replaced if a vendor goes down that road. (For the record, Phantom can enforce privacy without requiring hardware changes in most cases.)
How can systems that are never meant to change adapt to new threats? And if you somehow can change these systems, existing security forces those changes to occur in patient-facing code and that could mean going through a compliance review (think years) just to respond to a new attack.
This is where Phantom really shines, as we provide an independent layer of protection that can be updated at any time, even on embedded systems. Since we are independent of the patient-facing software, we do not incur compliance hits. Given the fact that our entire behavioral set sits in policies, changing how Phantom functions in order to overcome a new exploit reduces to simple configuration changes.
We particularly enjoy this part of HIPAA as it completely obviates the use of any other “security” in the IoT space. The statute states that an entity must:
3. Protect against reasonably anticipated, impermissible uses or disclosures;
This part of HIPAA can be thought of as the Active Directory part of the rules. If you consider your business network, you log into your computer to prove who you are (authentication) and then you are provided with a set of rules that determine what data you are allowed to access (authorization). These are two of the Triple A’s for all modern enterprise security systems (auditing will be discussed in the next section) and they are crucial for HIPAA compliance in modern, non-IoT systems.
Now look in the IoT and try to find anything on the market that provides device-level authentication and authorization from the medical device endpoint to the cloud. Go ahead, we will wait.
It does not exist and that is because nothing on the market offers a true security solution (and, no, encryption is NOT complete protection!).
Phantom, on the other hand, does provide direct device-to-device authentication and a comprehensive authorization component that locks down communications to whatever degree is required. With Phantom, HIPAA controlled access rules can be enforced even when no humans are around and devices are running the show. By the way, almost all modern IoT hacks occur due to a lack of authentication and authorization, NOT due to poor encryption.
To this end you can think of Phantom as the Active Directory for The IoT.
The last part of the HIPAA rules state that an entity must:
4. Ensure compliance by their workforce.
In enterprise security terminology, this part of the rules is enforced through auditing, which you can think of as the process by which your phone company determines how many minutes you used last month. In non-IoT systems, auditing is supported through auditing servers that receive messages from service-providing applications stating that a given service was provided to a given user. While we have issues with Triple A services in general, and the lack of guaranteed delivery for auditing in particular, that is beyond the scope of this post.
In regards to HIPAA, auditing provides a mechanism to track the flow of patient data in a system and to ensure that the data is not shared or viewed by unauthorized people. These audit trails are essential for HIPAA compliance and yet how can an IoT system possibly support this requirement when there are no auditing servers in sight?
Phantom actually provides an intricate reporting system that sits underneath healthcare software and that can support auditing throughout a system. Since Phantom travels over any medium, there are no barriers to tracking data flow, and since Phantom is policy-based, where reporting data is stored, transmitted and aggregated can be adjusted on the fly for performance and connectivity reasons. Best of all, since Phantom sits on all endpoints, auditing can be evolved from the current “well, I sent it” IoT paradigm into a guaranteed delivery solution that can verify not only the sending of data but also the integrity and reception of that data at a given target endpoint.
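To make the difference between “I sent it” and verified reception concrete, here is an added example (not Phantom's code, and not from this post) of an audit record carrying an integrity tag, an audit server that rejects tampered records and de-duplicates retries, and a receipt the sender checks before marking the event as delivered. Keys and device/patient identifiers are constructed for the demo; it assumes shared-secret HMACs in both directions, where a real deployment would use per-device keys and signed receipts.

```python
import hashlib
import hmac
import json

# Constructed keys for the demo: a real deployment provisions a distinct key per device
# and keeps the audit server's acknowledgement key off the devices entirely.
DEVICE_KEY = b"constructed-device-key"
SERVER_KEY = b"constructed-server-ack-key"


def make_audit_record(device_id, patient_ref, action, seq, key=DEVICE_KEY):
    """Build an audit event and bind it with an HMAC so the server can detect tampering."""
    body = {"device": device_id, "patient": patient_ref, "action": action, "seq": seq}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class AuditServer:
    """Accepts records, rejects forged ones, de-duplicates retries, and issues receipts."""

    def __init__(self, device_key=DEVICE_KEY, server_key=SERVER_KEY):
        self.device_key, self.server_key = device_key, server_key
        self.log = []        # accepted audit events, in order
        self.last_seq = {}   # device_id -> highest sequence number accepted

    def receive(self, record):
        payload = record["payload"].encode()
        expected = hmac.new(self.device_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["tag"]):
            return None  # integrity failure: no receipt, so the sender cannot mark it delivered
        body = json.loads(payload)
        if body["seq"] > self.last_seq.get(body["device"], -1):
            self.log.append(body)
            self.last_seq[body["device"]] = body["seq"]
        # A retried duplicate is not logged twice but is still acknowledged.
        digest = hashlib.sha256(payload).hexdigest()
        return hmac.new(self.server_key, b"ack:" + digest.encode(), hashlib.sha256).hexdigest()


def send_with_receipt(server, record, server_key=SERVER_KEY):
    """Deliver a record; return True only when a valid receipt for this exact record came back."""
    receipt = server.receive(record)
    if receipt is None:
        return False
    digest = hashlib.sha256(record["payload"].encode()).hexdigest()
    expected = hmac.new(server_key, b"ack:" + digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt)
```

A sender that gets `False` back keeps the record queued and retries; the sequence number lets the server absorb the retry without duplicating the audit trail.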
So there is a basic overview of HIPAA and how Phantom can support those rules in the IoT. Now show us any other solution on the market that can do the same thing.