Device Authority recognizes that regulatory compliance is a big driving factor behind the adoption of the Internet of Things. Our core solutions built within our IoT Security Automation Platform can enable compliance and manage risk for:
HIPAA - Health Insurance Portability and Accountability Act
GDPR - General Data Protection Regulation
Digital Data Shredding
Evolving Regulatory Landscape
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
Leveraging AES-256 and other widely adopted standards, Device Authority's end-to-end encryption not only supports the HIPAA breach-notification safe harbor for encrypted PHI (which holds only while the keys themselves are not breached) but also provides a way to dynamically authenticate devices, which helps eliminate the overhead and costs typically associated with managing keys and certificates.
Device Authority’s IoT Security Automation Platform provides a trust anchor on the device using its unique patented dynamic key generation capability. This binds the authentication key to the DNA of the hardware of the device so it cannot be spoofed and eliminates the vulnerabilities associated with stored static keys and credentials.
Companies that work in, or are planning entry into, the Internet of Things (IoT) should be conscious of the forthcoming change to the EU data protection regime, the General Data Protection Regulation (GDPR), which applies from 25 May 2018 and may have a substantial impact on their business model and on the design of their products, processes and devices.
Device Authority's IoT Security Automation Platform helps with compliance with the changes introduced by GDPR.
There are five key changes which have relevance to the Internet of Things, as outlined below.
- Security breaches
  - A major privacy concern for IoT devices is hackers and security breaches
  - GDPR introduces mandatory notification: personal data breaches must be reported to the supervisory authority within 72 hours of the controller becoming aware of them
- Consent
  - There is doubt whether IoT devices obtain quality consent from users in relation to the processing of data
  - GDPR will require data controllers to show that consent has been given by way of a clear positive act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data
- Privacy by design and privacy by default
  - GDPR will put these two concepts on a firm legislative footing
  - Controllers must adopt appropriate technical and organisational measures and be able to demonstrate compliance with GDPR
  - Conduct data protection impact assessments where processing is likely to result in a high risk to individuals
- Enhanced data subject rights
  - An express right to be forgotten (erasure)
  - Data portability rights
  - The right to object to automated decision making
  - These are important for the design of IoT devices: the necessary capabilities have to be built in
- Processing personal data relating to children
  - GDPR requires parental consent for online services offered to children under 16 (member states may lower this threshold, but not below 13), so children aged 12 and under can never consent on their own behalf
Established in July 2016, the EU-US Privacy Shield (aka Safe Harbor 2.0) imposes stronger obligations on US companies to protect Europeans' personal data.
Privacy Shield was approved by both the EU and the US governments to serve as a valid cross-border mechanism for transferring personal data from the EEA to the US after Safe Harbor (the prior program) was invalidated by the Court of Justice of the European Union in October 2015.
A quick fact sheet produced by the European Commission can bring you up to speed on what it all means.
It is broken into four parts:
- Commercial Sector
- US Government
For European individuals it means more transparency about data transfers to the US, and stronger data protection.
DIGITAL DATA SHREDDING
Customers operating within the confines of regulatory frameworks such as those established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the more recent Health Information Technology for Economic and Clinical Health (HITECH) Act will be all too aware of the requirements governing the security of patient data. Perhaps less well known are the requirements surrounding the secure destruction of Protected Health Information (PHI) and the responsibility placed on sub-contractors to satisfy their regulatory obligations.
The relevant extract from the US Department of Health and Human Services (HHS) reads as follows:
“Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies: Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”
The full guidance provided by HHS can be found here: http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
The IoT introduces a whole range of additional challenges within the context of the above. Companies that contract with HIPAA-covered entities, and the companies that are downstream contractors for those companies, all face HIPAA compliance obligations and potential enforcement. Imagine for one moment the complexity of compliance within the supply chain of a connected healthcare device such as a portable oxygen concentrator or a mobile insulin pump: healthcare professionals downloading patient data, maintenance and service operations accessing patient-connected devices for hardware diagnostics, device lifecycles as devices move from one patient to another, and that is before we even start to think about the storage of historical PHI in the cloud.
Customers utilising Device Authority's security platform not only enjoy transport-independent end-to-end security for their data and strong authentication of devices and services, but also have access to our Digital Data Shredding (DDS) functionality. DDS delivers permanent erasure of all encrypted data associated with an individual device, regardless of where the data resides, at the push of a single button.
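The HHS guidance quoted above rests on two properties: the PHI is encrypted with a strong algorithm, and the key is held somewhere other than the data. The same two properties are what make erasure of data "regardless of where it resides" achievable in practice: if every copy is ciphertext under a per-device key, destroying that key renders all copies unreadable at once (often called cryptographic erasure or crypto-shredding). The Go program below is an added illustration of that pattern written for this page; it is not Device Authority's code and makes no claim about how DDS is implemented internally. The KeyVault, Record, Seal and Open names, the device identifier and the sample reading are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVault holds one AES-256 key per device. It is deliberately a separate
// object from the records below: the HHS guidance only treats encrypted PHI
// as unreadable while the key is kept apart from the data it protects.
type KeyVault struct {
	keys map[string][]byte
}

func NewKeyVault() *KeyVault { return &KeyVault{keys: make(map[string][]byte)} }

// Provision generates a fresh random 256-bit key for a device.
func (v *KeyVault) Provision(deviceID string) error {
	if _, exists := v.keys[deviceID]; exists {
		return errors.New("device already provisioned")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	v.keys[deviceID] = key
	return nil
}

// Shred destroys a device's key: overwrite the bytes, then drop the reference.
// Every ciphertext ever produced under that key becomes unrecoverable,
// wherever a copy of it is stored.
func (v *KeyVault) Shred(deviceID string) {
	if key, ok := v.keys[deviceID]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.keys, deviceID)
	}
}

// aead builds an AES-256-GCM instance for the device, or fails if no key exists.
func (v *KeyVault) aead(deviceID string) (cipher.AEAD, error) {
	key, ok := v.keys[deviceID]
	if !ok {
		return nil, errors.New("no key for device (shredded or never provisioned)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Record is what a data store keeps: the device tag, the nonce and the
// AES-GCM ciphertext. It contains nothing that lets a holder decrypt it.
type Record struct {
	DeviceID string
	Nonce    []byte
	Data     []byte
}

// Seal encrypts PHI under the device key. DeviceID is bound as associated
// data, so a record cannot be quietly re-labelled as belonging to another device.
func Seal(v *KeyVault, deviceID string, phi []byte) (Record, error) {
	aead, err := v.aead(deviceID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{DeviceID: deviceID, Nonce: nonce, Data: aead.Seal(nil, nonce, phi, []byte(deviceID))}, nil
}

// Open decrypts a record; it fails if the key is gone or the record was altered.
func Open(v *KeyVault, r Record) ([]byte, error) {
	aead, err := v.aead(r.DeviceID)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Data, []byte(r.DeviceID))
}

func main() {
	vault := NewKeyVault()
	_ = vault.Provision("pump-0001")
	// Constructed sample reading; a real record would carry device telemetry.
	rec, _ := Seal(vault, "pump-0001", []byte("patient=1234 glucose=112"))
	// The same ciphertext may sit in a cloud archive and on a clinician's laptop.
	cloudCopy, laptopCopy := rec, rec
	p, _ := Open(vault, cloudCopy)
	fmt.Printf("before shred: %s\n", p)
	vault.Shred("pump-0001")
	_, err := Open(vault, laptopCopy)
	fmt.Println("after shred:", err)
}
```

Two caveats follow directly from the model. Destroying the key only erases data that was never decrypted and re-stored in the clear somewhere else, so every export path (clinician downloads, service diagnostics) has to keep the data encrypted or be covered by a separate destruction process. And the key store itself must be protected and replicated with the same care as the data, because an accidentally lost key is an unrecoverable outage, not a controlled erasure.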
EVOLVING REGULATORY LANDSCAPE
Regulatory compliance is a huge driving factor behind IoT adoption. We have already seen how the Energy Independence and Security Act of 2007 in the U.S. accelerated efforts to monitor energy consumption. Nearly a decade later, the installed base of remote-capable meters with smart grid application support is expected to reach 450+ million in 2016 and to more than double by 2020, making it a leading IoT device category.
Consider the Drug Supply Chain Security Act (DSCSA). This legislation gives drug manufacturers until late 2017 to electronically transfer and store transaction histories for their prescription drugs, including shipment information across their distribution supply chain. The law is designed to thwart counterfeit drugs, which could cost the industry $75 billion+ annually.