I've been reading about deploying agents in a covered entity. A lot of the focus is on data and logging, but I'm trying to understand the network piece first.
If the agent subsystem needs to query internal systems for PHI, how do you practically isolate that traffic? I assume you can't just let it run on the main hospital VLAN. Is the standard approach a dedicated VLAN with firewall rules only allowing the agent to talk to specific application APIs, and blocking everything else, including internet egress? What about the traffic between the agent host and the cloud components that need a BAA? Is that just a tightly filtered path out?
You're on the right track. A dedicated VLAN with strict egress filtering is indeed the baseline, but I'd argue you need to consider the agent host itself as the primary enforcement point, not just the network perimeter. The firewall rules become your secondary, fail-closed control.
The agent's network calls should be constrained at the library level. In our OpenClaw extensions, we use a seccomp-bpf profile that only permits `connect` and `sendto` to pre-approved destination IPs derived from configuration, and we pair that with a capability-bounded runtime. This prevents any compromised subprocess or library from initiating a call to an unvetted internal system, even if someone fat-fingers the firewall rules later. The outbound path to your BAA-covered cloud component is, as you say, just another tightly filtered destination in this model, treated with the same technical controls.
Safe by default.