HIPAA and medical devices: what hardware can — and can't — claim

The HIPAA Security Rule defines administrative, physical, and technical safeguards for protected health information. The technical safeguards focus on access control, audit controls, integrity, and transmission security. The rule is intentionally technology-neutral — it describes outcomes, not how to achieve them.

On a hospital network, the technology choices that fulfil those outcomes are layered. Identity-aware access for clinical applications. Encrypted transmission. Audit logging on EHR queries. Network segmentation between clinical, administrative, and biomedical device tiers. Physical isolation of specific maintenance paths sits inside that stack — it is one technical control, not the whole compliance answer.

Biomedical devices — imaging systems, infusion pumps, lab analysers — are long-lived, often unpatched, and frequently vendor-controlled. A vendor's maintenance VPN into a hospital imaging suite is a category of access that is hard to make HIPAA-conservative through software controls alone. The vendor's home network and the hospital network are connected, the credentials are scoped 'to the imaging tier', and the practical reality is that the vendor can see more than the imaging tier most of the time.

Physically separating the maintenance path solves this differently. The line to the imaging controller is closed except during scheduled vendor work. The hospital network and the vendor's network are not connected during the 90% of the time the line is down — not because policy says so, but because the cable is electrically open.

Physical isolation contributes most directly to access control and audit controls. The maintenance window's relay log is part of the access record — open at 03:11, close at 04:46, originating phone number on the open command. It is not 'access controls' in the OAuth sense, but it is the kind of artefact an OCR auditor can verify against the documented maintenance schedule.

The control does not, on its own, fulfil HIPAA. It contributes alongside identity-based access, encrypted transmission, segmentation, and the usual audit logging. The honest framing is 'supports the technical safeguards' — not 'HIPAA compliant'.

AGN1 is not a HIPAA-certified device. There is no such certification for individual hardware components. A vendor that markets a HIPAA-certified router or HIPAA-certified switch is misrepresenting how the rule works.

What AGN1 is, is a technical control that hospitals can include in their own HIPAA risk analysis. The hospital's compliance program is what fulfils HIPAA. The hardware is part of that program. Documentation should reflect that — and avoid borrowing certification language from a rule that does not certify individual products.