Network packet captures present an interesting problem for HIPAA compliance, but they don’t have to be one that causes headaches.
When it comes to securing electronic assets, packet captures are often overlooked more than other network and IT related resources. This is because they tend to be esoteric - compliance officers don’t need or want to have packets on their minds. Also, the methods through which they are obtained trend towards creating local, unaccountable copies of the traffic going over your network. Capture tools like Wireshark are run on individual workstations where the captures are saved locally, and require replication of resources like decryption keys when doing analysis.
HIPAA and packet captures
If you’re a medical facility, managed service provider for healthcare, or developer of cloud solutions for the industry, you’ve probably faced HIPAA compliance but may not have applied the thought process to network traces. The parts of HIPAA relevant to packet capture security include sections on workstation use and security, device and media controls (including rules for backup and storage), access controls to electronic resources, and a section that addresses transmission security, which requires encryption of those record during transmission. This puts packet capture in a unique place - since they contain all of the transmitted data, they could be considered to be the electronic records themselves, and representative of the transmission of those records.
Today, captures can come from any number of sources: firewalls, security appliances, data centers, network switches and gateways, or Wi-Fi APs. Perhaps your IT team has already moved towards some cloud-managed solution for your network, especially for Wi-Fi. Many of these solutions (like Meraki or Aerohive) contain embedded packet capture capability. While the ability to do remote capture on these endpoints is extremely powerful, there’s a need to make sure that these captures are transferred, stored, and accessed in a compliant way.
The Need to Collaborate
Analyzing and troubleshooting network issues isn’t easy, and it’s usually helpful to have more than one set of eyes looking at a problem. Packet captures are the absolute go-to for resolving most issues; but collaborating with the rest of the team is difficult. This often results in packet capture files sent as email attachments, or replicated on many different workstations or flash drives. This creates a compliance risk if these assets aren’t accounted for when the time comes.
It is possible to mitigate some of this risk by using a centralized file store, but unless that system is controlled by you, you’ll have to rely on the cloud service’s HIPAA compliance. In addition, packet captures require specialized tools to view and analyze, often preventing the use of centralized file stores entirely or creating complicated permission schemes - you may want users to be able to access the files for analysis, but not ever download the files locally.
Keeping packet captures secure
What can you do to stay secure when using packet captures?
1. Control who is capturing and which tools they are using
It’s a good idea to use a dedicated tool for performing packet captures that can be standardized across your organization. If your infrastructure makes use of Meraki, Aerohive, or other networking equipment that has embedded packet capture functions, it may be the easiest way to implement this. If Wireshark is really your only option, keep a record of which stations have Wireshark installed and which are allowed to take captures.
2. Keep your saved network data in a single, secured, access controlled location
Using a file repository that is specialized to work with packet captures will help you meet privacy and security concerns around who can access packet capture data, who can transfer it, and who can perform analysis on these files that may contain sensitive patient information. Choose a system that can be deployed on your own network, like CloudShark, to have the added benefit of being in control of your own compliance. Tools you have full control over give you the flexibility to tailor the access conditions to your needs.
It’s also important to put in place policies that require users of capture tools to upload captures to that repository, or use tools that do so automatically. Lastly, it’s critical that any local copies of captures are deleted after they are created and transferred.
3. Use a browser-based or shared analysis tool
Passing around captures in emails is inefficient (and maybe the worst security risk there is), and it's tedious to describe the exact analysis you've already done on a capture that is in a file store.
Using a tool that lets analysis be done on captures in your centralized repository directly helps mitigate this. A browser-based system like CloudShark can make collaboration easy by eliminating specialized applications, allowing packet analysis to be shared directly through a URL, and by empowering users to perform their analysis while still keeping the original data safe and secure.
Ultimately, it’s about policy
This problem of loose packet captures exists for nearly all organizations. However, if you are a company in the healthcare industry, and must already take steps to be HIPAA compliant, it is even more imperative that you have a network analysis policy that complies with privacy regulations. Even though you may have policies in place for all of the other requirements around the privacy and security of medical records, packet capture is not something that comes to the forefront of most compliance policies.
Using a tools like CloudShark makes these policies even easier to adhere to. A centralized repository that works well with remote capture tools and allows for simple, web-based collaboration makes for a better experience for both compliance and IT teams, and is a safer solution for customer privacy.
Are you in a field that requires HIPAA compliance or deals with captures in a regulatory environment? Talk to us and we’ll show you how CloudShark can streamline your network analysis and give you piece of mind when it comes to patient privacy at the packet level.