
Responding to changing compliance frameworks 

Regulatory compliance both powers and restricts how organisations can best harness the Internet of Things 

With a strategic approach, the IoT can enable you to meet regulatory demands more efficiently and more flexibly than ever before. Device Authority’s core solutions, all built within our IoT Security Automation Platform, can enable compliance and manage risk for:

  • HIPAA: Health Insurance Portability and Accountability Act
  • GDPR: General Data Protection Regulation
  • Privacy Shield
  • Digital Data Shredding

We are proud to operate at the forefront of the evolving regulatory landscape, and continually update our offering in line with changing compliance frameworks.

HIPAA, Health Insurance Portability & Accountability Act

KeyScaler provides end-to-end encryption for protected health information (PHI)

HIPAA sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that the required physical, network, and process security measures are in place and followed.

Device Authority’s IoT Security Automation Platform, KeyScaler, provides end-to-end encryption for PHI, both at rest and in transit.

Leveraging AES-256 and other widely adopted standards, Device Authority’s end-to-end encryption places encrypted PHI within the HHS breach-notification safe harbor for secured PHI (provided the keys themselves are not compromised), and also provides a way to dynamically authenticate devices, which helps eliminate the overhead and costs typically associated with managing keys and certificates.

KeyScaler provides a trust anchor on the device using its unique patented dynamic key generation capability. This binds the authentication key to the DNA of the hardware of the device so it cannot be spoofed and eliminates the vulnerabilities associated with stored static keys and credentials. 



General Data Protection Regulation (GDPR)

KeyScaler helps with GDPR compliance

The EU’s General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. It applies not only to any company operating within the EU, but also to any company outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU.

There are five key changes which have relevance to the Internet of Things, as outlined below.

  1. Security Breaches: A major privacy concern for IoT devices is hackers and security breaches. The GDPR introduces mandatory notification: a personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, where feasible, and affected individuals must be informed when the breach is likely to result in a high risk to them.
  2. Consent: There is doubt whether IoT devices obtain quality consent from users in relation to the processing of data. The GDPR requires data controllers to show consent has been given by way of a clear positive act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data.
  3. Privacy by design and privacy by default: The GDPR will put these two concepts on firm legislative footing. Organisations must adopt significant technical and organisational measures to demonstrate compliance with the GDPR, and conduct data protection impact assessments.
  4. Enhanced data subject rights: An express right to be forgotten, data portability rights, and the right to object to automated decision making are all included. This is important for the design of IoT devices as the necessary capabilities must be built from the start.
  5. Processing personal data relating to children: Where online services are offered directly to a child, the GDPR only treats the child's own consent as valid from age 16 (Member States may lower this threshold, but not below 13); below that age, consent must be given or authorised by the holder of parental responsibility.

EU-US Privacy Shield

KeyScaler enables end-to-end data protection

Adopted in July 2016, the EU-US Privacy Shield (aka Safe Harbor 2.0) imposes stronger obligations on US companies to protect Europeans' personal data. Privacy Shield was approved by both the EU and the US governments to serve as a valid cross-border mechanism for transferring personal data from the EEA to the US after Safe Harbor (the prior programme) was invalidated by the Court of Justice of the European Union in October 2015.

A fact sheet produced by the European Commission is broken into four parts:

  • Commercial Sector
  • US Government
  • Redress
  • Monitoring

Essentially, American companies need to self-certify, display a privacy policy on their website, respond quickly to complaints and comply with European Data Protection Authorities.

For European individuals it means more transparency about data transfers to the US, and stronger data protection.

KeyScaler enables data protection through its end-to-end and policy-driven encryption.


Digital Data Shredding

Device Authority customers have access to our Digital Data Shredding functionality

There are specific requirements regarding the secure destruction of Protected Health Information (PHI), with additional responsibility placed on sub-contractors to satisfy their regulatory obligations.

The relevant extract from the US Department of Health and Human Services (HHS) reads as follows:

“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies: Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”

The full guidance provided by HHS can be found here: http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

The IoT introduces a whole range of additional challenges within this context. Companies that contract with HIPAA-covered entities, and the companies that are downstream contractors for them, all face HIPAA compliance obligations and potential enforcement. Consider the complexity of compliance within the supply chain of a connected healthcare device such as a portable oxygen concentrator or a mobile insulin pump: healthcare professionals downloading patient data, maintenance and service operations accessing patient-connected devices for hardware diagnostics, device lifecycles as units move from one patient to another, and that is before we even start to think about the storage of historical PHI in the cloud.

Customers utilising Device Authority’s security platform not only enjoy the benefits of transport-independent end-to-end security for their data and strong authentication of devices and services, but also have access to our Digital Data Shredding (DDS) functionality. DDS delivers permanent erasure of all encrypted data associated with an individual device, regardless of where the data resides, triggered by a single action.
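The HHS extract above, together with the requirement that erasure hold regardless of where the data resides, describes the pattern known as crypto-shredding: PHI is kept encrypted under a per-device key that is stored separately from the ciphertext, and erasure is achieved by destroying that key, so every replica of the ciphertext (on the device, in the cloud, in backups) becomes unrecoverable at once. The Go program below is an added illustration of that mechanism; it is not Device Authority's code, and the page does not describe how DDS is implemented internally. The in-memory key store, the device identifier and the sample PHI record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded is returned once a device's key has been destroyed: the
// ciphertext may still exist anywhere, but nothing can decrypt it.
var ErrShredded = errors.New("device key has been shredded; data is unrecoverable")

// Record is one encrypted PHI item as it would sit at rest, wherever it is stored.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore is a constructed stand-in for a key store held apart from the data
// (the "device or location separate from the data" in the HHS guidance).
type KeyStore struct {
	keys map[string][]byte // deviceID -> 32-byte AES-256 key
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Provision generates a fresh AES-256 data-encryption key for one device.
func (ks *KeyStore) Provision(deviceID string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[deviceID] = k
	return nil
}

// Shred is the erasure step: overwrite the key material and forget the key.
// Zeroing is best-effort in a garbage-collected runtime; the security of the
// shred rests on no other copy of the key (backup, escrow, replica) surviving.
func (ks *KeyStore) Shred(deviceID string) {
	if k, ok := ks.keys[deviceID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, deviceID)
	}
}

func (ks *KeyStore) aead(deviceID string) (cipher.AEAD, error) {
	k, ok := ks.keys[deviceID]
	if !ok {
		return nil, ErrShredded
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a PHI record with AES-256-GCM under the device's key. The
// device ID is bound as associated data so a record cannot be replayed or
// re-attributed under another device's key.
func (ks *KeyStore) Seal(deviceID string, plaintext []byte) (Record, error) {
	g, err := ks.aead(deviceID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, []byte(deviceID))}, nil
}

// Open decrypts and authenticates a record; it fails if the key is gone or
// the record was sealed for a different device.
func (ks *KeyStore) Open(deviceID string, r Record) ([]byte, error) {
	g, err := ks.aead(deviceID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, []byte(deviceID))
}

// ShredDemo walks one device's lifecycle: provision, encrypt a record, keep a
// copy "on device" and another "in the cloud", shred, then show that neither
// copy can be opened. It returns the plaintext recovered before the shred and
// the error returned afterwards.
func ShredDemo() (recovered string, afterShred error, err error) {
	ks := NewKeyStore()
	const dev = "insulin-pump-0042"                     // constructed device identifier
	phi := []byte("patient 7731: basal rate 0.8 U/h")   // constructed sample PHI
	if err = ks.Provision(dev); err != nil {
		return "", nil, err
	}
	onDevice, err := ks.Seal(dev, phi)
	if err != nil {
		return "", nil, err
	}
	cloudCopy := onDevice // the same ciphertext replicated elsewhere
	pt, err := ks.Open(dev, cloudCopy)
	if err != nil {
		return "", nil, err
	}
	recovered = string(pt)
	ks.Shred(dev)                      // single action erases every copy
	_, afterShred = ks.Open(dev, onDevice)
	return recovered, afterShred, nil
}

func main() {
	rec, after, err := ShredDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("before shred:", rec)
	fmt.Println("after shred: ", after)
}
```

Two points to carry over from the HHS text: the safe harbor, and therefore the shred, only holds while the key "has not been breached", so a key-shredding design must also account for key backups, escrow and HSM replicas; and binding the device ID as associated data means a record copied from one patient's device cannot be decrypted under another device's key even if both keys are still live.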

Recommended Reading

What’s in a Name? Privacy Shield Replaces Safe Harbor

Challenges for an increasingly-connected world--the Internet of Things

Data Privacy Q&A: EU-US Privacy Shield