With a strategic approach, the IoT can enable you to meet regulatory demands more efficiently and more flexibly than ever before. Device Authority’s core solutions, all built within our IoT Security Automation Platform, can enable compliance and manage risk for:
We are proud to operate at the forefront of the evolving regulatory landscape, and continually update our offering in line with changing compliance frameworks.
HIPAA (the US Health Insurance Portability and Accountability Act) sets the standard for protecting sensitive patient data. Any company that handles protected health information (PHI) must ensure that the required physical, network, and process security measures are in place and followed.
Device Authority’s IoT Security Automation Platform, KeyScaler, provides end-to-end encryption of PHI, both at rest and in transit.
Built on AES-256 and other widely adopted standards, this end-to-end encryption does two things. First, PHI encrypted in line with the HHS guidance falls within the HIPAA breach-notification safe harbor: encrypted data that is lost or exposed is not treated as a reportable breach, provided the key itself has not been compromised. Second, the same key material is used to authenticate devices dynamically, which reduces the overhead and cost typically associated with managing keys and certificates.
KeyScaler establishes a trust anchor on the device using its patented dynamic key generation capability. The authentication key is derived from characteristics of the device’s own hardware, so it cannot simply be copied to another device, and no static key or credential needs to be stored where it could be extracted.
The EU’s General Data Protection Regulation (GDPR) applies from 25 May 2018. It covers not only companies operating within the EU, but also any company with EU residents among its customers or service users.
There are five key changes which have relevance to the Internet of Things, as outlined below.
Adopted in July 2016, the EU-US Privacy Shield (also known as Safe Harbor 2.0) places stronger obligations on US companies to protect Europeans’ personal data. Privacy Shield was approved by both the EU and the US governments as a valid cross-border mechanism for transferring personal data from the EEA to the US after Safe Harbor (the prior programme) was invalidated by the Court of Justice of the European Union in October 2015.
A fact sheet produced by the European Commission is broken into four parts:
For European individuals it means more transparency about data transfers to the US, and stronger data protection.
KeyScaler supports these data protection obligations through its end-to-end, policy-driven encryption.
There are specific requirements regarding the secure destruction of Protected Health Information (PHI), with additional responsibility placed on sub-contractors to satisfy their own regulatory obligations.
The relevant extract from the US Department of Health and Human Services (HHS) reads as follows:
“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies: Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”
The full guidance provided by HHS can be found here: http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
The IoT introduces a whole range of additional challenges in this context. Companies that contract with HIPAA-covered entities, and the companies that are downstream contractors for those companies, all face HIPAA compliance obligations and potential enforcement. Consider for a moment the complexity of compliance across the supply chain of a connected healthcare device such as a portable oxygen concentrator or a mobile insulin pump: healthcare professionals downloading patient data, maintenance and service staff accessing connected devices for hardware diagnostics, devices moving from one patient to another over their lifecycle, and all of that before we even start to think about the storage of historical PHI in the cloud.
Customers using Device Authority’s security platform not only benefit from transport-independent end-to-end security for their data and the strongest possible authentication of devices and services, but also have access to our Digital Data Shredding (DDS) functionality. DDS delivers permanent erasure of all encrypted data associated with an individual device, regardless of where that data resides, at the push of a single button.
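The HHS extract above makes two points that are easy to state but easy to get wrong in practice: the key must be kept separate from the data it protects, and once the key is gone the data is no longer PHI in the regulatory sense. The following is an added example, written for this page and not Device Authority’s or KeyScaler’s code, showing the general crypto-shredding pattern that makes “erasure regardless of where the data resides” possible: each device gets its own AES-256-GCM key held in a key store that is logically separate from the data stores, and destroying that one key renders every copy of the ciphertext unrecoverable. The page does not describe how DDS is implemented internally, so the device identifier, the PHI record and the in-memory stores here are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a device's key has been destroyed (or never existed).
var ErrKeyShredded = errors.New("no key for device: shredded or never enrolled")

// KeyStore holds one AES-256 key per device. In a real deployment this would live
// on the device or in an HSM/KMS, physically separate from any PHI data store.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Enroll generates a fresh random 256-bit key for deviceID.
func (ks *KeyStore) Enroll(deviceID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[deviceID] = k
	return nil
}

// Shred zeroises and deletes the device key. Every ciphertext produced under it,
// in every store that holds a copy, becomes unrecoverable from this point on.
func (ks *KeyStore) Shred(deviceID string) {
	if k, ok := ks.keys[deviceID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, deviceID)
	}
}

func (ks *KeyStore) aead(deviceID string) (cipher.AEAD, error) {
	k, ok := ks.keys[deviceID]
	if !ok {
		return nil, ErrKeyShredded
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a PHI record with AES-256-GCM. The device ID is bound as
// associated data so a record cannot be opened under another device's key.
// The returned record is nonce || ciphertext+tag.
func (ks *KeyStore) Seal(deviceID string, plaintext []byte) ([]byte, error) {
	g, err := ks.aead(deviceID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(deviceID)), nil
}

// Open decrypts a record produced by Seal. It fails if the key has been shredded,
// the record was tampered with, or it was sealed for a different device.
func (ks *KeyStore) Open(deviceID string, record []byte) ([]byte, error) {
	g, err := ks.aead(deviceID)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(record) < ns {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, record[:ns], record[ns:], []byte(deviceID))
}

// ShredDemo walks the lifecycle: enrol a device, store the same ciphertext in two
// places, shred the key, then check whether either copy can still be opened.
// It returns the plaintext recovered before shredding and whether any copy is
// still recoverable afterwards.
func ShredDemo() (string, bool, error) {
	ks := NewKeyStore()
	const dev = "insulin-pump-0001" // constructed device identifier
	if err := ks.Enroll(dev); err != nil {
		return "", false, err
	}
	phi := []byte("patient=12345;glucose=6.2mmol/L") // constructed PHI sample
	ct, err := ks.Seal(dev, phi)
	if err != nil {
		return "", false, err
	}
	// Two independent data stores holding the same ciphertext (e.g. cloud and backup).
	cloud := map[string][]byte{dev: ct}
	backup := map[string][]byte{dev: append([]byte(nil), ct...)}
	before, err := ks.Open(dev, cloud[dev])
	if err != nil {
		return "", false, err
	}
	ks.Shred(dev)
	_, errCloud := ks.Open(dev, cloud[dev])
	_, errBackup := ks.Open(dev, backup[dev])
	return string(before), errCloud == nil || errBackup == nil, nil
}

func main() {
	before, recoverable, err := ShredDemo()
	fmt.Printf("before shred: %q; recoverable after shred: %v; err: %v\n", before, recoverable, err)
}
```

The separation the HHS text asks for is the `KeyStore` versus the `cloud` and `backup` maps: an attacker who obtains the data stores alone holds only AES-GCM ciphertext, and after `Shred` not even the operator can read it. The same property is what lets a single action erase data “regardless of where it resides”: no store needs to be located or overwritten, because the only thing that made the bytes meaningful no longer exists.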