WHY SMS IS NOT HIPAA COMPLIANT *

*or, more accurately, Why SMS does not support HIPAA compliance

TYPICAL DATA FLOW OF A TEXT MESSAGE OVER A GSM NETWORK

This diagram has been simplified to illustrate the movement of text message data through a typical GSM (Global System for Mobile Communications) network. In particular, the message acknowledgement process as well as routing requests through the Home Location Register (HLR) and the Visitor Location Register (VLR) have been omitted.

Sender submits text message, which contains the short message (SM) text, destination address, and address of the SMS Center (SMSC); handset sends the message over the air (OTA).

Signal received by tower and processed by the base station and then sent to the Mobile Switching Center (MSC).

The SMSC stores a copy of the message where it is retained for a period of time known as the validity period The SMSC simultane. ously attempts to deliver a copy of the message to the recipient. In order to locate the recipient, the SMSC sends a routing request to the Home Location Register (HLR). The HLR locates the recipient and sends correct routing information back to the SMSC.

The MSC routes the message to the correct base station.

MSC routes the message to the SMSC identified in the message.

The SMSC then forwards the message to the recipients servicing MSC. The MSC will request the recipients current location from the Visitor Location Register.

The message is processed by the base station and transmitted to the recipients handset.

BASE STATION

MOBILE SWITCHING CENTER

SMS CENTER

MOBILE SWITCHING CENTER

BASE STATION

SECURITY VULNERABILITIES
A G

PHYSICAL SECURITY The physical security of the phone or other mobile device itself represents the greatest vulnerability for information being inappropriately accessed. In a default configuration, devices do not require a user to authenticate with security credentials to access device applications and data. Additionally, information is stored in clear text, or unencrypted, in the native messaging application where it can be readily accessed, manipulated and/or removed. Finally, if a device is lost or stolen, there is no way to remotely lock or wipe data to prevent unauthorized access. EAVESDROPPING During OTA transmission, the signal - including voice and text data - is optionally encrypted (meaning it is up to the specific carrier) using a weak and broken stream cipher (A5/1 or A5/2). Both A5/1 and the encryption algorithm used to secure GPRS (General Packet Radio Service) have been broken within the last couple of years, demonstrating the susceptibility of these transmissions to eavesdropping.

C E D

INTERCEPTION As the SMS message is sent from the base station to the MSC and then on to the SMSC, it passes over the carriers network unencrypted, making it susceptible to interception. STORE & FORWARD When the SMS message arrives at the SMSC, a copy is stored in clear text on the carriers server where it is held for the validity period, pending successful delivery of the message. While the GSM implementation of SMS allows the senders SMSC to deliver the message directly to the recipients MSC, CDMA (which includes both Sprint and Verizon networks in the US) requires a copy of the message to be sent to the recipients SMSC where a copy of the message is also stored and forwarded. This means that for messages sent within CDMA or across networks (GSM <-> CDMA) at least two copies of the message are retained in clear text, accessible by carrier personnel with SMSC access. Finally, even more copies of the message may be stored if one or more SMS gateways are used to facilitate message delivery across carriers using incompatible technologies.
2012 qliqSoft, Inc. All rights reserved.

B F

WHY SMS IS NOT HIPAA COMPLIANT *

*or, more accurately, Why SMS does not support HIPAA compliance

HIPAA CONSIDERATIONS
According to the HIPAA Security Rule, Covered Entities and Business Associates acting on their behalf are required to implement a number of technical and non-technical safeguards if they transmit or otherwise maintain electronic protected health information (ePHI). As a result, if a member of a Covered Entity or one of its Business Associates uses SMS-based text messaging to transmit PHI, then the Covered Entity or Business Associate is required to comply with the safeguards outlined in the Security Rule. Based on the security vulnerabilities described above, Covered Entities and Business Associates confront the following compliance challenges when sending PHI via SMS: PHYSICAL SAFEGUARD CHALLENGES controls without defeating the core purpose of consumer wireless communications

compliance, however infrastructure beyond the domain of the core facility, third-party providers and non-regulated facilities in foreign countries cannot be reliably managed.

TECHNICAL SAFEGUARD CHALLENGES ADMINISTRATIVE SAFEGUARD CHALLENGES applied across all of the organizations involved in the transmission and delivery of SMS messages. not be implemented across heterogeneous networks and a disparate subscriber base.

ePHI with regard to access and audit controls, or personnel management. In SMS systems, there is no reliable means of identification of ePHI, and therefore no reliable means of segregation of the data for the purpose of focusing security controls. This condition also makes fulfillment of the required terms for Business Associate Agreements not feasible.

2012 qliqSoft, Inc. All rights reserved.