Protecting ePHI Using Ionic Machina

Machina allows developers to control access to sensitive data by implementing compliance controls as global policy that is enforced in real time as data access requests happen. We do this by combining attribute-based access controls with rich policy expression mechanisms, backed by a decision engine that validates and logs every request, giving full auditability of all controls.

Consider a healthcare organization where numerous third parties are accessing sensitive clinical, financial, and operational data daily. Current manual risk management processes cannot keep pace with the exponential growth in cyber threats due to the proliferation of cloud applications and internet-connected devices.

With an increasing number of internal and external resources potentially accessing PHI, a scalable and sustainable policy enforcement process needs to be in place to allow for full visibility and control of data access. Rather than just giving individual access to files containing PHI, we distribute keys with metadata that describes the data as being PHI. Further, we add attributes describing the type of data contained within each field. Now, policies built by policy administrators can control access to specific patient data based on conditions like location, device, group or role in accordance with HIPAA's regulations.

This example focuses on a patient who visits a physician for the first time. The patient schedules an appointment online, providing basic billing and medical history information. Following the office visit, the provider submits a claim to the insurance provider, including the office visit notes as evidence of the care provided to the patient. The provider also sends a prescription to the patient to treat a condition diagnosed during the office visit. Finally, the insurer reviews the claim and determines the patient’s financial responsibility to the provider.

The example highlights how quickly policy can be implemented to restrict unnecessary and unauthorized access to PHI fields. Notice that data access and handling policies are globally expressed and do not require the developer to hard-code them. The developer simply tags data with key attributes, which enables the policy engine to interpret and enforce policies associated with those attributes.
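The pattern described above, sketched as an added example in plain Python. It is not Machina's SDK or policy syntax; the field names, attribute names, roles, locations and policy rules are all constructed assumptions modelled on the patient visit scenario.

```python
from dataclasses import dataclass

# Constructed tags: each field's key carries attributes describing the data.
FIELD_ATTRS = {
    "billing_address": {"classification": "PHI", "data_type": "billing"},
    "medical_history": {"classification": "PHI", "data_type": "clinical"},
    "visit_notes": {"classification": "PHI", "data_type": "clinical"},
    "prescription": {"classification": "PHI", "data_type": "prescription"},
}

# Global policy (constructed rules), expressed once and kept out of application code.
POLICIES = [
    {"id": "physician-clinical", "role": "physician", "location": "clinic",
     "data_types": {"clinical", "prescription"}, "managed_device": True},
    {"id": "insurer-claims", "role": "claims_reviewer", "location": "insurer_office",
     "data_types": {"billing", "clinical"}, "managed_device": True},
    {"id": "pharmacist-rx", "role": "pharmacist", "location": "pharmacy",
     "data_types": {"prescription"}, "managed_device": True},
]

AUDIT_LOG = []  # every decision, allow or deny, is recorded here


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    location: str
    managed_device: bool
    field: str


def decide(req):
    """Allow only if a policy matches the requester and the field's tags; deny by default."""
    attrs = FIELD_ATTRS.get(req.field)  # untagged fields never match a policy
    matched = None
    for p in POLICIES if attrs else []:
        if (p["role"] == req.role and p["location"] == req.location
                and attrs["data_type"] in p["data_types"]
                and (req.managed_device or not p["managed_device"])):
            matched = p["id"]
            break
    AUDIT_LOG.append({"user": req.user, "field": req.field,
                      "allowed": matched is not None, "policy": matched})
    return matched is not None


def release_key(req, keystore):
    """Hand out the field's key only after an allow decision (keystore is a constructed dict)."""
    return keystore[req.field] if decide(req) else None
```

Changing who may read prescription data means editing one entry in `POLICIES`; the code that tags and requests fields stays the same.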

Next Steps