Protecting ePHI Using Ionic Machina
Machina allows developers to control access to sensitive data by implementing compliance controls as global policy that is enforced in real-time as data access requests happen. We do this by combining attribute-based access controls with rich policy expression mechanisms, backed by a decision engine that validates and logs every request giving pure auditability of all controls.
Consider a healthcare organization, where a patient visits a physician for the first time and must send a completed medical history to the physician in advance. Following the office visit, the physician wants to submit a reimbursement to the insurance provider, including the office visit notes as evidence of the care provided to the patient. The physician also sends a prescription to the patient for prescriptions to treat a condition diagnosed during the office visit. Finally, the insurance provider reviews the office visit notes and sends back a claim response to the physician with their reimbursement decision.
Rather than just giving individual access to each of these files involved, we'll distribute keys with metadata that describes the data as being PHI. Further, we'll add attributes describing the type of data contained within each field. Now, policies built by policy administrators can control access to specific patient data based on conditions like location, device, group or role in accordance with HIPAA's regulations
This example implements a policy that denies access to patient data such as medical history information, that is not required to process the insurance claim. Notice that data access and handling policies are globally expressed and do not require the developer to hard code these policies.
The developer merely needs to tag data using key attributes and lets the policy engine interpret and enforce policies associated with those attributes.