Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Why SMS is not HIPAA compliant


Published on

Is SMS HIPAA compliant?

Published in: Health & Medicine
  • Be the first to comment

Why SMS is not HIPAA compliant

  1. 1. WHY SMS IS NOT HIPAA COMPLIANT * *or, more accurately, “Why SMS does not support HIPAA compliance This diagram has been simplified to illustrate the movement of text message data through a typical GSM (Global System TYPICAL DATA FLOW OF A TEXT MESSAGE OVER A GSM NETWORK for Mobile Communications) network. In particular, the message acknowledgement process as well as routing requests through the Home Location Register (HLR) and the Visitor Location Register (VLR) have been omitted.1 Sender submits text message, which contains the short message (SM) text, destination address, and address of the SMS Center (SMSC); handset sends the message over the air (OTA). 4 The SMSC stores a copy of the message where it is retained for a period of time known as the “validity period” The SMSC simultane- . ously attempts to deliver a copy of the message to the recipient. In order to locate the recipient, the SMSC sends a routing request to the 6 Home Location Register (HLR). The HLR locates the recipient and sends The MSC routes the message correct routing information back to the SMSC. 2 to the correct base station. Signal received by tower and processed by the base station and then sent to the 5 Mobile Switching Center (MSC). The SMSC then forwards the message to 7 the recipient’s servicing MSC. The MSC will The message is processed by the 3 MSC routes the message to the SMSC identified in the message. request the recipient’s current location from the Visitor Location Register. base station and transmitted to the recipient’s handset. SMS CENTER MOBILE MOBILE BASE SWITCHING SWITCHING BASE STATION STATION CENTER CENTER SECURITY VULNERABILITIESA PHYSICAL SECURITY C INTERCEPTION The physical security of the phone or other mobile device itself represents the greatest As the SMS message is sent from the base station to the MSC and then on to the SMSC, it passesG vulnerability for information being inappropriately accessed. In a default configuration, devices E over the carrier’s network unencrypted, making it susceptible to interception. do not require a user to authenticate with security credentials to access device applications and data. Additionally, information is stored in clear text, or unencrypted, in the native messaging application where it can be readily accessed, manipulated and/or removed. Finally, if a device is D STORE & FORWARD lost or stolen, there is no way to remotely lock or wipe data to prevent unauthorized access. When the SMS message arrives at the SMSC, a copy is stored in clear text on the carrier’s server where it is held for the “validity period”, pending successful delivery of the message. While the GSM implementation of SMS allows the sender’s SMSC to deliver the message directly to the EAVESDROPPING recipient’s MSC, CDMA (which includes both Sprint and Verizon networks in the US) requires a copyB of the message to be sent to the recipient’s SMSC where a copy of the message is also stored and During OTA transmission, the signal - including voice and text data - is optionally encrypted (meaning it is up to the specific carrier) using a weak and broken stream cipher (A5/1 or A5/2). forwarded. This means that for messages sent within CDMA or across networks (GSM <-> CDMA) atF Both A5/1 and the encryption algorithm used to secure GPRS (General Packet Radio Service) least two copies of the message are retained in clear text, accessible by carrier personnel with have been broken within the last couple of years, demonstrating the susceptibility of these SMSC access. Finally, even more copies of the message may be stored if one or more SMS gateways transmissions to eavesdropping. are used to facilitate message delivery across carriers using incompatible technologies. © 2012 qliqSoft, Inc. All rights reserved.
  2. 2. WHY SMS IS NOT HIPAA COMPLIANT * *or, more accurately, “Why SMS does not support HIPAA compliance HIPAA CONSIDERATIONSAccording to the HIPAA Security Rule, Covered Entities and Business Associates acting on PHYSICAL SAFEGUARD CHALLENGEStheir behalf are required to implement a number of technical and non-technical safeguardsif they transmit or otherwise maintain electronic protected health information (ePHI). As a controls without defeating the core purpose of consumer wireless communicationsresult, if a member of a Covered Entity or one of its Business Associates uses SMS-based textmessaging to transmit PHI, then the Covered Entity or Business Associate is required tocomply with the safeguards outlined in the Security Rule. compliance, however infrastructure beyond the domain of the core facility, third-party providers and non-regulated facilities in foreign countries cannot be reliably managed.Based on the security vulnerabilities described above, Covered Entities and BusinessAssociates confront the following compliance challenges when sending PHI via SMS: TECHNICAL SAFEGUARD CHALLENGESADMINISTRATIVE SAFEGUARD CHALLENGES not be implemented across heterogeneous networks and a disparate subscriber base. applied across all of the organizations involved in the transmission and delivery of SMS messages. ePHI with regard to access and audit controls, or personnel management. In SMS systems, there is no reliable means of identification of ePHI, and therefore no reliable means of segregation of the data for the purpose of focusing security controls. This condition also makes fulfillment of the required terms for Business Associate Agreements not feasible. © 2012 qliqSoft, Inc. All rights reserved.