Note: We here at CloudShark aren’t HIPAA experts; we just think it’s neat to talk about. Don’t take this as “official” advice.
Recently we’ve been having some “water-cooler” (we don’t have a water cooler, it’s actually a shark tank) discussion around the security of packet captures in general, and naturally, how that applies to regulations like HIPAA, the “Health Insurance Privacy and Accountability Act”.
HIPAA and packet captures
The parts of HIPAA relevant to packet capture security include sections on workstation use and security, device and media controls (including rules for backup and storage), access controls to electronic resources, and a section that addresses transmission security, which requires encryption of those records during transmission. This puts packet captures in a unique place - since they contain all of the transmitted data, they could be considered to be both the electronic records themselves, and representative of the transmission of those records.
More important, however, is that packet captures are more prone to “shadow IT” behavior than other network and IT related resources. This is first because they tend to be esoteric - CIOs and CCOs don’t need or want to have packets on their minds - they have bigger fish to fry. Also, the methods through which they are obtained trend towards creating local, unaccountable copies of the traffic going over your network. Capture tools like Wireshark usually run on workstations where the captures are saved locally, and require replication of resources like RSA keys when doing analysis.
So, what can you do to stay compliant when dealing with packet captures?
Control who is capturing with which tools
Not everyone needs to install Wireshark. Use dedicated tools that do packet capture, or keep a record of which workstations have Wireshark or are allowed to take captures.
Use a capture repository
Just like a file store, but less tedious, use a tool like CloudShark to keep all your captures in one place that can be secured. Put in place policies that require users of capture tools to upload captures to that repository, or use tools that do that automatically. Make sure any local copies of captures are deleted.
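One way to find the local copies that need to be uploaded and deleted is to scan for capture files by content rather than by extension, since a renamed or compressed capture carries the same data. The script below is an added example, not CloudShark code; the function names `classify`, `scan` and `demo` are hypothetical, and the sample files are constructed headers with no real traffic.

```python
import gzip
import os
import struct
import tempfile
import zlib

# libpcap magic at offset 0: both byte orders, microsecond and nanosecond variants.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type at offset 0
PCAPNG_BOM = {b"\x1a\x2b\x3c\x4d", b"\x4d\x3c\x2b\x1a"}  # byte-order magic at offset 8

def classify(path):
    """Identify a capture by content, so a renamed or gzipped copy is still found."""
    try:
        with open(path, "rb") as fh:
            gzipped = fh.read(2) == b"\x1f\x8b"  # Wireshark opens gzipped captures too
        with (gzip.open if gzipped else open)(path, "rb") as fh:
            head = fh.read(12)
    except (OSError, EOFError, zlib.error):  # unreadable or corrupt file
        return None
    is_ng = head[:4] == PCAPNG_SHB and head[8:12] in PCAPNG_BOM
    kind = "pcap" if head[:4] in PCAP_MAGICS else "pcapng" if is_ng else None
    return kind + "+gzip" if kind and gzipped else kind

def scan(root):
    """Return sorted (relative path, kind, size in bytes) for each capture under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):  # does not descend into symlinked dirs
        for name in files:
            path = os.path.join(dirpath, name)
            regular = os.path.isfile(path) and not os.path.islink(path)  # skip FIFOs, links
            kind = classify(path) if regular else None
            if kind:
                hits.append((os.path.relpath(path, root), kind, os.path.getsize(path)))
    return sorted(hits)

def demo():
    """Scan constructed sample files (file headers only, no real traffic)."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pcapng = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    files = {"notes.txt": pcap, "trace.pcapng": pcapng,
             "old.bin": gzip.compress(pcap), "readme.md": b"no packets here\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan()` at a user's home or temp directory to list captures that should be moved to the repository; it does not look inside other archive formats such as zip or tar.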
Use a web-based or shared analysis tool
The great thing about CloudShark is that you can do packet capture analysis without tools that are installed on every workstation, but moreover, you don’t need to pass around capture files via email or try to describe the exact analysis you’ve already done on a capture that is in a file store. Of all of these practices, passing around capture files over email is extremely insecure and will guarantee that uncontrolled copies of capture files exist.
Get a hold on your shadow IT
This problem of loose packet capture exists for nearly all organizations. However, if you are a company in the health care industry, and must already take steps to be HIPAA compliant, it is even more imperative that you lock down a seemingly innocuous practice. Even though you may have policies in place to comply with all of the other requirements on the privacy and security of medical records, packet capture is not something that comes to the forefront of most compliance policies.
Remember, the default network capture duplicates every bit and byte - anyone can download a medical record straight out of a capture file if it was being sent during the capture. Many IT offices run inventory scans to detect these files on mobile assets, but a medical file hidden in a capture file will easily, even accidentally, remain hidden from view. A well-intentioned employee wants to catch up on some network diagnostics over the weekend but loses their laptop on the bus ride home. Was the capture file encrypted by the disk operating system? Or was it just a URL to a system under lock and key back at the office?