Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Don't F it up: How to simplify your security de...

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Matheus Cardoso Matheus Cardoso
June 04, 2019
Technology
34
0

Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app

Avatar for Matheus Cardoso

Matheus Cardoso

June 04, 2019

More Decks by Matheus Cardoso

See All by Matheus Cardoso
Server-Side Swift with Vapor
Avatar for Matheus Cardoso cardoso
0
100
Going Open Source: Advantages and Lessons Learned
Avatar for Matheus Cardoso cardoso
0
45
ChatOps with Rocket.Chat & Python
Avatar for Matheus Cardoso cardoso
0
260

Other Decks in Technology

See All in Technology
Oracle AI Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.6k
感情と身体を置き去りにしない、エンジニアの生きのこり方 ──いまから、ここから「自分の状態」を扱うという選択
Avatar for saori murooka saorimurooka
0
290
入門!AWS Blocks
Avatar for Yosuke Suzuki ysuzuki
1
180
FPC(フレキシブル)基板にZephyr実装してみた。
Avatar for misoji engineer iotengineer22
0
160
あなたの知らないPDFのアクセシビリティ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
230
iAEONの段階的リアーキテクト戦略 / iAEON's_Gradual_Re-architecture_Strategy
Avatar for AEON aeonpeople
0
250
現場のトークンマネジメント
Avatar for dak2 dak2
1
170
2026年6月23日 Syncable Tech + Start Python Club にて
Avatar for Kimikazu Kato hamukazu
0
150
WebGIS AI Agentの紹介
Avatar for _shimizu _shimizu
0
520
GitHub Copilot app最速の発信の裏側
Avatar for tomokusaba tomokusaba
1
240
攻撃者視点で考えるDetection Engineering
Avatar for Ruslan Sayfiev cryptopeg
3
2.1k
20260619 私の日常業務での生成 AI 活用
Avatar for Masaru Ogura masaruogura
1
240

Featured

See All Featured
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
220
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.9k
Skip the Path - Find Your Career Trail
Avatar for Mark Kilby mkilby
1
150
Tell your own story through comics
Avatar for letsgokoyo letsgokoyo
1
960
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
150k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
274
21k
Deep Space Network (abreviated)
Avatar for Tony Rice tonyrice
0
210
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
250
1.3M
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
330
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Navigating Weather and Climate Data
Avatar for Ryan Abernathey rabernat
0
230
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4.3k

Transcript

  1. Don’t F it up! @ AltConf 2019 How to simplify

    your security decisions and protect yourself when building a healthcare App.

  2. Matheus Cardoso Developer Relations @ Virgil Security " Open Sourcerer

    @ GitHub.com/cardoso
  3. None

  4. Storage Transmission Passwords

  5. None

  6. Security? Cryptography? Regulations?

  7. $4 trillion +5% year fortune.com/2019/02/21/us-health-care-costs-2

  8. modernhealthcare.com

  9. modernhealthcare.com 28% of all VC in the U.S

  10. modernhealthcare.com

  11. modernhealthcare.com

  12. 2018 Was a Record Year for HIPAA Penalties gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

  13. $25 million in fines gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

  14. None

  15. (ePHI) Electronic Protected Health Information

  16. Securing ePHI HIPAA Compliance

  17. Securing ePHI Facility Access HIPAA Compliance

  18. Securing ePHI Facility Access Policies & Tracking HIPAA Compliance

  19. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  20. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  21. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  22. hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

  23. Recent Examples

  24. techcrunch.com/2019/03/17/medical-health-data-leak

  25. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database

  26. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database 6 million health records exposed

  27. techcrunch.com/2019/03/17/medical-health-data-leak

  28. Medical records techcrunch.com/2019/03/17/medical-health-data-leak

  29. Medical records Doctor’s notes techcrunch.com/2019/03/17/medical-health-data-leak

  30. Medical records Doctor’s notes Prescriptions techcrunch.com/2019/03/17/medical-health-data-leak

  31. Medical records Doctor’s notes Prescriptions Illness information techcrunch.com/2019/03/17/medical-health-data-leak

  32. Medical records Doctor’s notes Prescriptions Illness information Blood test results

    techcrunch.com/2019/03/17/medical-health-data-leak

  33. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth

  34. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information

  35. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information Payment data

  36. techcrunch.com/2019/03/17/medical-health-data-leak Doctor’s notes Prescriptions Illness information Blood test results Name,

    address, date of birth Insurance information Payment data Personal data

  37. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children

  38. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children ePHI

  39. newsroom.uw.edu/news/data-error-exposes-patient-information

  40. Exposed data to search engines during migration newsroom.uw.edu/news/data-error-exposes-patient-information

  41. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904

  42. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

  43. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines

  44. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines Many more…

  45. DataBreachToday.com

  46. DataBreachToday.com HipaaJournal.com

  47. DataBreachToday.com HipaaJournal.com ocrportal.hhs.gov/ocr/ breach

  48. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

  49. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

  50. None

  51. if user.identity == "bob" { send(ePHI, to: user) }

  52. Data base API

  53. Data base API

  54. Data base API Securing the perimeter

  55. Data base API Data in plaintext ->

  56. theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities

  57. xda-developers.com/user-data-leak-misconfigured-firebase-backends

  58. Heavy HHS fines

  59. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers

  60. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers Up to 250$/record

    www2.trustwave.com/Value-of-Data-Report_LP.html

  61. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit

  62. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit Heavy HHS fines Data for ransom Lawsuits …

  63. None
  64. None
  65. None

  66. apple.com/privacy/approach-to-privacy

  67. apple.com/privacy/approach-to-privacy

  68. None

  69. washingtonpost.com

  70. Data base API

  71. API

  72. API

  73. Ali Ali B Bo ( )

  74. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

  75. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    <- Encrypts <- Decrypts

  76. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

  77. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

  78. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  79. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  80. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  81. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  82. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  83. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  84. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  85. Public Key Service iOS Application IP Messaging

  86. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt

  87. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Catalog/Distribute Public Keys

  88. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Store/Transmit encrypted Messages Catalog/Distribute Public Keys

  89. iOS Application

  90. https://github.com/VirgilSecurity/virgil-crypto

  91. import VirgilCrypto // generate key pair let crypto = try!

    VirgilCrypto() let keyPair = try! crypto.generateKeyPair() 1

  92. // save private key UserDefaults.standard.set( keyPair.privateKey, forKey: "private_key") // code

    for keychain too big for slides // but use keychain!! 2

  93. // publish public key publishPublicKey( keyPair.publicKey, for: "bob") 3

  94. // lookup public key let k = lookupPublicKey(of: "alice")! 4

  95. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]) 5

  96. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]/* encrypt for multiple keys */) 5

  97. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey) let message = String( data: decryptedData, encoding: .utf8) 6

  98. Transmission Security STANDARD § 164.312(e)(1)

  99. Integrity STANDARD § 164.312(c)(1)

  100. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Alice

  101. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Something else

  102. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Something else

  103. Encryption Message Body Signature

  104. Encryption Message Body Signature

  105. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k])

  106. // sign and encrypt message let signedData = try crypto.signThenEncrypt(

    "Hello Bob!".data(using: .utf8)!, with: keyPair.privateKey, /* to sign! */ for: [k])

  107. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey)

  108. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

    signedData, with: keyPair.privateKey, using: k /* to verify! */)

  109. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

    signedData, with: keyPair.privateKey, using: k /* to verify! */) No need to be a Cryptographer

  110. + Database Compromises

  111. + Man-in-the-middle Attacks

  112. + Brute-force Attacks

  113. Non-deterministic encrypt(“Hello Dr. Alice”) = X encrypt(“Hello Dr. Alice”) =

    Y encrypt(“Hello Dr. Alice”) = Z …

  114. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

  115. Transmission Security STANDARD § 164.312(e)(1) Integrity STANDARD § 164.312(c)(1)

  116. Quick Demo! Please work

  117. https://github.com/VirgilSecurity/virgil-crypto

  118. https://github.com/VirgilSecurity/virgil-crypto Objective-C, Swift, Java, Kotlin, C, C++ Go, PHP, Python,

    Ruby, C#/.NET, AsmJS, NodeJS, WebAssembly, …

  119. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

  120. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks That’s

    not all, folks

  121. Perfect Forward Secrecy + Private Key Compromises

  122. Perfect Forward Secrecy (Double Ratchet) signal.org/docs/specifications/doubleratchet/doubleratchet.pdf

  123. To consider…

  124. CareKit ResearchKit HealthKit

  125. HealthKit Track health & fitness

  126. Track health & fitness Access health records HealthKit

  127. Track health & fitness Access health records HealthKit Ongoing health

  128. CareKit Measure symptoms Track medications Get Insights Share with doctors

  129. CareKit Measure symptoms Track medications Share with doctors Medical treatment

  130. ResearchKit Enroll participants Gather data Share with researchers

  131. ResearchKit Enroll participants Measure symptoms Share with doctors Medical research

  132. CareKit ResearchKit HealthKit

  133. CareKit ResearchKit HealthKit User consent Secure storage

  134. None

  135. Questions?

  136. Matheus Cardoso " Open Sourcerer - GitHub.com/cardoso ✉ Mail Reader

    - [email protected]