Why SMS is not HIPAA compliant


Upload: qliqsoft

Post on 16-Jul-2015


TRANSCRIPT

Page 1: Why SMS is not HIPAA compliant

SECURITY VULNERABILITIES

PHYSICAL SECURITY The physical security of the phone or other mobile device itself represents the greatest vulnerability for information being inappropriately accessed. In a default configuration, devices do not require a user to authenticate with security credentials to access device applications and data. Additionally, information is stored in clear text, or unencrypted, in the native messaging application where it can be readily accessed, manipulated and/or removed. Finally, if a device is lost or stolen, there is no way to remotely lock or wipe data to prevent unauthorized access.

EAVESDROPPING During OTA transmission, the signal - including voice and text data - is optionally encrypted (meaning it is up to the specific carrier) using a weak and broken stream cipher (A5/1 or A5/2). Both A5/1 and the encryption algorithm used to secure GPRS (General Packet Radio Service) have been broken within the last couple of years, demonstrating the susceptibility of these transmissions to eavesdropping.

INTERCEPTION As the SMS message is sent from the base station to the MSC and then on to the SMSC, it passes over the carrier’s network unencrypted, making it susceptible to interception.

STORE & FORWARD When the SMS message arrives at the SMSC, a copy is stored in clear text on the carrier’s server where it is held for the “validity period”, pending successful delivery of the message. While the GSM implementation of SMS allows the sender’s SMSC to deliver the message directly to the recipient’s MSC, CDMA (which includes both Sprint and Verizon networks in the US) requires a copy of the message to be sent to the recipient’s SMSC where a copy of the message is also stored and forwarded. This means that for messages sent within CDMA or across networks (GSM <-> CDMA) at least two copies of the message are retained in clear text, accessible by carrier personnel with SMSC access. Finally, even more copies of the message may be stored if one or more SMS gateways are used to facilitate message delivery across carriers using incompatible technologies.

WHY SMS IS NOT HIPAA COMPLIANT*

*or, more accurately, “Why SMS does not support HIPAA compliance”

TYPICAL DATA FLOW OF A TEXT MESSAGE OVER A GSM NETWORK

1. Sender submits text message, which contains the short message (SM) text, destination address, and address of the SMS Center (SMSC); handset sends the message over the air (OTA).

2. Signal received by tower and processed by the base station and then sent to the Mobile Switching Center (MSC).

3. MSC routes the message to the SMSC identified in the message.

4. The SMSC stores a copy of the message where it is retained for a period of time known as the “validity period”. The SMSC simultaneously attempts to deliver a copy of the message to the recipient. In order to locate the recipient, the SMSC sends a routing request to the Home Location Register (HLR). The HLR locates the recipient and sends correct routing information back to the SMSC.

5. The SMSC then forwards the message to the recipient’s servicing MSC. The MSC will request the recipient’s current location from the Visitor Location Register.

6. The MSC routes the message to the correct base station.

7. The message is processed by the base station and transmitted to the recipient’s handset.

This diagram has been simplified to illustrate the movement of text message data through a typical GSM (Global System for Mobile Communications) network. In particular, the message acknowledgement process as well as routing requests through the Home Location Register (HLR) and the Visitor Location Register (VLR) have been omitted.
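
The flow above says the submitted message contains the short message text, the destination address and the SMSC address, and that the SMSC holds its copy for the validity period. As an added example (not part of the original infographic), this Python decoder for an SMS-SUBMIT PDU in the 3GPP TS 23.040 layout shows that every one of those fields is readable by any network element that handles or stores the PDU; the sample PDU and its 555-01xx numbers are constructed.

```python
"""Decode an SMS-SUBMIT PDU (3GPP TS 23.040) to show what each hop can read."""

# Constructed sample: SMSC +15555550100, destination +15555550123,
# relative validity period 0xAA, 10 septets of GSM 7-bit text.
SAMPLE_PDU = "07915155550501F011000B915155550521F30000AA0AE8329BFD4697D9EC37"

def bcd(octets: bytes) -> str:
    # Semi-octet BCD: the low nibble holds the first digit, 0xF pads odd lengths.
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in octets).rstrip("f")

def unpack_gsm7(data: bytes, septets: int) -> str:
    # GSM 7-bit packing is a transport encoding, not encryption.
    # Simplification: letters, digits and space match ASCII; other symbols differ.
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))

def validity_minutes(vp: int) -> int:
    # Relative TP-Validity-Period: how long the SMSC may keep its stored copy.
    if vp <= 143:
        return (vp + 1) * 5
    if vp <= 167:
        return 12 * 60 + (vp - 143) * 30
    if vp <= 196:
        return (vp - 166) * 24 * 60
    return (vp - 192) * 7 * 24 * 60

def decode_submit(pdu_hex: str) -> dict:
    p = bytes.fromhex(pdu_hex)
    sca_len = p[0]                      # octets of SMSC address, incl. type byte
    smsc = bcd(p[2:1 + sca_len])
    i = 1 + sca_len                     # index of the TPDU's first octet
    if p[i] & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT")
    if (p[i] >> 3) & 0x03 != 0x02:
        raise ValueError("only the relative validity-period format is handled")
    da_end = i + 4 + (p[i + 2] + 1) // 2   # p[i+2] = number of destination digits
    dest = bcd(p[i + 4:da_end])
    pid, dcs, vp, udl = p[da_end:da_end + 4]
    if dcs != 0x00:
        raise ValueError("only the GSM 7-bit default alphabet is handled")
    return {"smsc": smsc, "dest": dest,
            "validity_min": validity_minutes(vp),
            "text": unpack_gsm7(p[da_end + 4:], udl)}

if __name__ == "__main__":
    print(decode_submit(SAMPLE_PDU))
```
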

[Diagram: BASE STATION, MOBILE SWITCHING CENTER, SMS CENTER, MOBILE SWITCHING CENTER, BASE STATION, with flow steps 1 to 7 and vulnerability markers A to G]

© 2012 qliqSoft, Inc. All rights reserved.

Page 2: Why SMS is not HIPAA compliant

According to the HIPAA Security Rule, Covered Entities and Business Associates acting on their behalf are required to implement a number of technical and non-technical safeguards if they transmit or otherwise maintain electronic protected health information (ePHI). As a result, if a member of a Covered Entity or one of its Business Associates uses SMS-based text messaging to transmit PHI, then the Covered Entity or Business Associate is required to comply with the safeguards outlined in the Security Rule.

Based on the security vulnerabilities described above, Covered Entities and Business Associates confront the following compliance challenges when sending PHI via SMS:

ADMINISTRATIVE SAFEGUARD CHALLENGES

applied across all of the organizations involved in the transmission and delivery of SMS messages.

ePHI with regard to access and audit controls, or personnel management. In SMS systems, there is no reliable means of identification of ePHI, and therefore no reliable means of segregation of the data for the purpose of focusing security controls. This condition also makes fulfillment of the required terms for Business Associate Agreements not feasible.


HIPAA CONSIDERATIONS

PHYSICAL SAFEGUARD CHALLENGES

controls without defeating the core purpose of consumer wireless communications

compliance, however infrastructure beyond the domain of the core facility, third-party providers and non-regulated facilities in foreign countries cannot be reliably managed.

TECHNICAL SAFEGUARD CHALLENGES

not be implemented across heterogeneous networks and a disparate subscriber base.
