August 10, 2025

Undergraduate Research Project: Zscaler for Secure HIPAA IoT Edge Legacy Devices (ZSHIELD)

On January 6, 2025 [1], the U.S. Department of Health and Human Services (HHS) [2] proposed the first major update to the HIPAA Security Rule since 2013, mandating encryption, multi-factor authentication, network segmentation, and continuous monitoring for electronic protected health information (ePHI).

A notable challenge lies in the Security Rule’s carve-out, or gap in coverage, for certain FDA-regulated medical devices lacking the capability to implement encryption. Partners at Morgan Lewis [3] reported many FDA-regulated medical devices remain in use today, including pre-2023 glucose monitors, infusion pumps, and IV controllers. ICDC researchers [4] emphasize that developing countries face significant challenges in adopting robust cybersecurity measures due to budgetary limitations, particularly among small and medium-sized enterprises (SMEs). Many frequently used medical devices cannot be quickly upgraded to support encryption and remain in use for years due to high cost and the need to maintain care continuity. This mismatch between device lifespans (10–15 years) and software support cycles (3–5 years) creates a persistent security risk.

Cyber-criminals have strong financial incentives to target ePHI. According to Reuters [5], a stolen medical record is worth more to hackers than a stolen credit card. Infographic produced by Binary Defense [6].

Healthcare breaches are already at record levels, according to the National Advisor for Cybersecurity and Risk at the American Hospital Association [7], with ransomware attacks blending encryption, data theft, and extortion. According to Reuters [5], stolen ePHI can fetch thousands of dollars per record, a stronger financial incentive than a stolen credit card.

In June 2025, healthcare-related data breaches exposed more than 7 million individuals’ records—well above the 12-month median of 4.7 million per month. Source: HIPAA Journal [8].

In today’s cyber threat landscape, the HIPAA carve-out for legacy devices cannot be treated as a safe haven. Instead, residential devices require tailored defense-in-depth safeguards (micro-segmentation, zero-trust access controls, continuous monitoring, and rapid incident containment) designed specifically for deployment in non-hospital environments. Without such measures, the convergence of legacy device vulnerabilities, AI-driven attack automation, and the expanding mIoT footprint will create a persistent, high-value target zone for cyber adversaries.

Most wireless medical devices, such as Continuous Glucose Monitors (CGMs), do not connect directly to the internet; instead, they transmit glucose data to the user’s smartphone via Bluetooth, and the phone’s internet connection (Wi-Fi or cellular) determines whether and how the data is shared with cloud services, healthcare providers, or remote monitoring apps. Source: Cleveland Clinic, 2024 [9].

The ZSHIELD Approach

As shown in the diagram above, residential and community users can use a mobile SD-WAN router (such as the Banana Pi R3) with multiple, redundant links (4G LTE, 5G, and Internet VPN) to securely route traffic towards the destination (healthcare provider or cloud) with Zscaler’s Client Connector. Figure inspired by Lanner Electronics [10].

ZSHIELD (Zscaler for Secure HIPAA IoT Edge Legacy Devices) is our proof-of-concept gateway solution for protecting vulnerable medical IoT (mIoT) devices in homes, clinics, and community care settings. Combining reproducible, open-source hardware (e.g., Banana Pi R3 [11]) with Zscaler’s Client Connector [12], ZSHIELD delivers:

  • Micro-segmentation & Zero Trust [12] isolation of devices
  • HIPAA-compliant encryption [13] for all outbound traffic
  • Data loss prevention (DLP) [12] with evolving threat detection
  • Redundant 4G/5G failover [11] for care continuity
  • Reproducible builds [11][14] for consistent, auditable security
The Banana Pi R3 single-board computer (SBC) features multiple dedicated network interfaces, including eth1 and lan0 for WAN connectivity, and lan1–lan5 for LAN connections. Integrated wireless interfaces provide dual-band support, with ra0 for 2.4 GHz and rax0 for 5 GHz operation. Image adapted from Banana Pi Wiki [24].
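As an added example (not code from the original post or the ZSHIELD project), the micro-segmentation policy for the gateway’s interfaces is shown below both as a decision function and as the equivalent nftables ruleset, so the two can be checked against each other. The interface names lan1–lan5, ra0, rax0, eth1 and lan0 come from the post; the tunnel interface zcc0 and the cellular uplink wwan0 are assumed names, and each mIoT interface is assumed to be its own routed segment rather than a bridge member (otherwise lateral traffic is switched at layer 2 and never reaches the forward hook).

```python
from dataclasses import dataclass

# Interface roles on the Banana Pi R3 gateway (names from the post; wwan0 and zcc0 are assumed).
WAN_IFACES = {"eth1", "lan0", "wwan0"}      # wired uplinks plus an assumed 4G/5G modem
MIOT_IFACES = {"lan1", "lan2", "lan3", "lan4", "lan5", "ra0", "rax0"}
TUNNEL_IFACE = "zcc0"                       # assumed name of the Client Connector tunnel


@dataclass(frozen=True)
class Flow:
    """One forwarded packet as seen by the gateway's forward hook."""
    in_iface: str
    out_iface: str
    established: bool = False  # reply packet of a connection the gateway already accepted


def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop'; mirrors the nftables forward chain rendered below.

    Only mIoT segment -> tunnel is allowed for new connections, so lateral
    device-to-device traffic, direct WAN egress that bypasses the tunnel, and
    anything initiated from the WAN side all fall through to the drop policy.
    """
    if flow.established:
        return "accept"                       # ct state established,related
    if flow.in_iface in MIOT_IFACES and flow.out_iface == TUNNEL_IFACE:
        return "accept"                       # device -> Zscaler tunnel only
    return "drop"


def render_nftables() -> str:
    """Render the same policy as an nftables ruleset for the gateway.

    Each mIoT interface must be its own routed segment (not a bridge member),
    or lateral traffic is switched at layer 2 and never reaches this hook.
    """
    miot = ", ".join(sorted(MIOT_IFACES))
    wan = ", ".join(sorted(WAN_IFACES))
    return "\n".join([
        "table inet zshield {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    iifname {{ {miot} }} oifname {TUNNEL_IFACE} accept",
        f"    iifname {{ {wan} }} counter drop   # unsolicited inbound, worth alerting on",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nftables())
```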

Overview

Figure Credit: Zscaler [15].

The Zscaler Client Connector [12] acts as the secure traffic broker for all electronic Protected Health Information (ePHI) flows leaving or traversing the ZSHIELD network gateway. It ensures encryption in transit, policy enforcement, and threat prevention—critical to meeting the 2025 HIPAA Security Rule updates requiring mandatory encryption, multi-factor authentication, network segmentation, and continuous monitoring.

Ali et al. demonstrate the feasibility of fog-supported, IoT-enabled healthcare infrastructures for hospitals and senior housing communities [16].

Hospitals and clinical environments often leverage a fog IoT network architecture to secure mIoT devices. Prior research [16] has shown the feasibility of power-efficient, fog-based healthcare IoT for senior housing. ZSHIELD advances the compliance and security side for residential and community care environments, ensuring that even widely used legacy devices meet modern defense-in-depth standards.

Reproducible configuration and infrastructure management with Linux tools. Image credit: Hoogendoorn, 2016 [17].

ZSHIELD pins the Zscaler Client Connector Linux client [14] to a reproducible configuration, so that deterministic, version-controlled builds can be deployed identically across development, testing, and production gateways for consistent security enforcement.

Image Credit: Inland Cyber Defense Clinic and Zscaler [18].

Zscaler’s Data Loss Prevention (DLP) [18] policy provides the following benefits and allows you to:

  • Monitor, prevent, or block the leakage of sensitive data on endpoints (i.e., through printing, saving to removable storage, saving to network shares, or uploading to personal cloud storage accounts).
  • Use Zscaler custom and predefined DLP engines to detect and take action on sensitive data.
  • Monitor sensitive data and enforce endpoint DLP rules even when an endpoint doesn’t have a network connection.

Why It Matters

Two-thirds of healthcare now occurs outside traditional hospitals, according to the U.S. National Academy of Medicine [19]. In the accompanying figure, the orange third represents conventional hospital and clinic settings, while the blue two-thirds illustrate the environments where most health-related and everyday human experiences take place—homes, workplaces, and community spaces. In these settings, AI-enabled mIoT devices such as smartphones, wearables, and connected health monitors continuously collect health-relevant data.

Medical AI IoT Communications Beyond Hospital and Clinic. Image Credit: National Academy of Medicine [19].

When paired with intelligent communication and analysis, mIoT data streams enable personalized, real-time interventions and support broader public and environmental health monitoring. Securing these endpoints at the home and community level is critical to safeguarding patient safety, protecting data privacy, and ensuring regulatory compliance. ZSHIELD demonstrates that modern security controls can be extended to legacy systems, reducing costs while raising the security baseline across residential and community care environments.


Interested in securing the future of our digital systems? Design, deploy, and secure today’s Internet of Things, from smart home devices to small-board computers, in IST 360: Internet of Things – A Hands-On Approach at Claremont Graduate University, Fall 2025.


References:

[1] HHS, HIPAA Security Rule To Strengthen Cybersecurity, 2025.
[2] OCR, HIPAA Security Rule NPRM, 2025.
[3] Levin & Seeley, Aging Technology, Emerging Threats, Morgan Lewis, 2025.
[4] Uwaoma & Enkhtaivan, Affordability of Cybersecurity Costs, 2024.
[5] Humer & Finkle, Your Medical Record is Worth More to Hackers, Reuters, 2014.
[6] Binary Defense, Healthcare and Cybersecurity, 2024.
[7] Riggi, 3 Must-Know Cyber and Risk Realities, American Hospital Association, 2025.
[8] HIPAA Journal, June 2025 Healthcare Data Breach Report.
[9] “Continuous Glucose Monitor (CGM),” Cleveland Clinic. Accessed: Aug. 10, 2025.
[10] Lanner Electronics, SD-WAN Enables Failover Connectivity for Mobile Health Units, 2025.
[11] Banana Pi Wiki, BPI-R3 Documents and Specifications, 2025.
[12] Zscaler, Zscaler Client Connector, 2025.
[13] Zscaler, HIPAA + Zscaler, 2025.
[14] Zscaler, Customizing Zscaler Client Connector Install Options for Linux, 2025.
[15] Zscaler, Healthcare Cybersecurity Partnership, 2025.
[16] Ali et al., Power-Aware Fog Supported IoT Network for Healthcare, 2023.
[17] Hoogendoorn, Maarten, “A step towards the future of configuration and infrastructure management with Nix,” 2016.
[18] Zscaler, Data Protection Best Practices in Healthcare, 2024.
[19] National Academy of Medicine, Advancing Artificial Intelligence in Health Settings Outside the Hospital and Clinic, 2020.
[20] CGU, IST 360: Internet of Things – A Hands-On Approach, 2025.
