Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Don't F it up: How to simplify your security de...
Search
Matheus Cardoso
June 04, 2019
Technology
0
27
Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app
Matheus Cardoso
June 04, 2019
Tweet
Share
More Decks by Matheus Cardoso
See All by Matheus Cardoso
Server-Side Swift with Vapor
cardoso
0
87
Going Open Source: Advantages and Lessons Learned
cardoso
0
31
ChatOps with Rocket.Chat & Python
cardoso
0
240
Other Decks in Technology
See All in Technology
AIの全社活用を推進するための安全なレールを敷いた話
shoheimitani
2
510
Should Our Project Join the CNCF? (Japanese Recap)
whywaita
PRO
0
340
OPENLOGI Company Profile
hr01
0
67k
CDKTFについてざっくり理解する!!~CloudFormationからCDKTFへ変換するツールも作ってみた~
masakiokuda
1
140
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
960
Delta airlines®️ USA Contact Numbers: Complete 2025 Support Guide
airtravelguide
0
340
DatabricksにOLTPデータベース『Lakebase』がやってきた!
inoutk
0
100
事業成長の裏側:エンジニア組織と開発生産性の進化 / 20250703 Rinto Ikenoue
shift_evolve
PRO
2
21k
Glacierだからってコストあきらめてない? / JAWS Meet Glacier Cost
taishin
1
160
開発生産性を測る前にやるべきこと - 組織改善の実践 / Before Measuring Dev Productivity
kaonavi
9
4.4k
Flutter向けPDFビューア、pdfrxのpdfium WASM対応について
espresso3389
0
130
CRE Camp #1 エンジニアリングを民主化するCREチームでありたい話
mntsq
1
120
Featured
See All Featured
The Cost Of JavaScript in 2023
addyosmani
51
8.5k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
510
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Visualization
eitanlees
146
16k
Writing Fast Ruby
sferik
628
62k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
Intergalactic Javascript Robots from Outer Space
tanoku
271
27k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
6
300
Automating Front-end Workflow
addyosmani
1370
200k
4 Signs Your Business is Dying
shpigford
184
22k
Transcript
Don’t F it up! @ AltConf 2019 How to simplify
your security decisions and protect yourself when building a healthcare App.
Matheus Cardoso Developer Relations @ Virgil Security " Open Sourcerer
@ GitHub.com/cardoso
None
Storage Transmission Passwords
None
Security? Cryptography? Regulations?
$4 trillion +5% year fortune.com/2019/02/21/us-health-care-costs-2
modernhealthcare.com
modernhealthcare.com 28% of all VC in the U.S
modernhealthcare.com
modernhealthcare.com
2018 Was a Record Year for HIPAA Penalties gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties
$25 million in fines gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties
None
(ePHI) Electronic Protected Health Information
Securing ePHI HIPAA Compliance
Securing ePHI Facility Access HIPAA Compliance
Securing ePHI Facility Access Policies & Tracking HIPAA Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Recent Examples
techcrunch.com/2019/03/17/medical-health-data-leak
techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database
techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database 6 million health records exposed
techcrunch.com/2019/03/17/medical-health-data-leak
Medical records techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions Illness information techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions Illness information Blood test results
techcrunch.com/2019/03/17/medical-health-data-leak
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth Insurance information
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth Insurance information Payment data
techcrunch.com/2019/03/17/medical-health-data-leak Doctor’s notes Prescriptions Illness information Blood test results Name,
address, date of birth Insurance information Payment data Personal data
techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date
of birth Insurance information Payment data Personal data Information on children
techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date
of birth Insurance information Payment data Personal data Information on children ePHI
newsroom.uw.edu/news/data-error-exposes-patient-information
Exposed data to search engines during migration newsroom.uw.edu/news/data-error-exposes-patient-information
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
1.7 million dollars in fines
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
1.7 million dollars in fines Many more…
DataBreachToday.com
DataBreachToday.com HipaaJournal.com
DataBreachToday.com HipaaJournal.com ocrportal.hhs.gov/ocr/ breach
80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042
80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042
None
if user.identity == "bob" { send(ePHI, to: user) }
Data base API
Data base API
Data base API Securing the perimeter
Data base API Data in plaintext ->
theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities
xda-developers.com/user-data-leak-misconfigured-firebase-backends
Heavy HHS fines
Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers
Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers Up to 250$/record
www2.trustwave.com/Value-of-Data-Report_LP.html
cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit
cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit Heavy HHS fines Data for ransom Lawsuits …
None
None
None
apple.com/privacy/approach-to-privacy
apple.com/privacy/approach-to-privacy
None
washingtonpost.com
Data base API
API
API
Ali Ali B Bo ( )
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
<- Encrypts <- Decrypts
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
Public Key Service iOS Application IP Messaging
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt Catalog/Distribute Public Keys
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt Store/Transmit encrypted Messages Catalog/Distribute Public Keys
iOS Application
https://github.com/VirgilSecurity/virgil-crypto
import VirgilCrypto // generate key pair let crypto = try!
VirgilCrypto() let keyPair = try! crypto.generateKeyPair() 1
// save private key UserDefaults.standard.set( keyPair.privateKey, forKey: "private_key") // code
for keychain too big for slides // but use keychain!! 2
// publish public key publishPublicKey( keyPair.publicKey, for: "bob") 3
// lookup public key let k = lookupPublicKey(of: "alice")! 4
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k]) 5
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k]/* encrypt for multiple keys */) 5
// decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:
keyPair.privateKey) let message = String( data: decryptedData, encoding: .utf8) 6
Transmission Security STANDARD § 164.312(e)(1)
Integrity STANDARD § 164.312(c)(1)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Something else
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Something else
Encryption Message Body Signature
Encryption Message Body Signature
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k])
// sign and encrypt message let signedData = try crypto.signThenEncrypt(
"Hello Bob!".data(using: .utf8)!, with: keyPair.privateKey, /* to sign! */ for: [k])
// decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:
keyPair.privateKey)
// decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(
signedData, with: keyPair.privateKey, using: k /* to verify! */)
// decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(
signedData, with: keyPair.privateKey, using: k /* to verify! */) No need to be a Cryptographer
+ Database Compromises
+ Man-in-the-middle Attacks
+ Brute-force Attacks
Non-deterministic encrypt(“Hello Dr. Alice”) = X encrypt(“Hello Dr. Alice”) =
Y encrypt(“Hello Dr. Alice”) = Z …
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks
Transmission Security STANDARD § 164.312(e)(1) Integrity STANDARD § 164.312(c)(1)
Quick Demo! Please work
https://github.com/VirgilSecurity/virgil-crypto
https://github.com/VirgilSecurity/virgil-crypto Objective-C, Swift, Java, Kotlin, C, C++ Go, PHP, Python,
Ruby, C#/.NET, AsmJS, NodeJS, WebAssembly, …
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks That’s
not all, folks
Perfect Forward Secrecy + Private Key Compromises
Perfect Forward Secrecy (Double Ratchet) signal.org/docs/specifications/doubleratchet/doubleratchet.pdf
To consider…
CareKit ResearchKit HealthKit
HealthKit Track health & fitness
Track health & fitness Access health records HealthKit
Track health & fitness Access health records HealthKit Ongoing health
CareKit Measure symptoms Track medications Get Insights Share with doctors
CareKit Measure symptoms Track medications Share with doctors Medical treatment
ResearchKit Enroll participants Gather data Share with researchers
ResearchKit Enroll participants Measure symptoms Share with doctors Medical research
CareKit ResearchKit HealthKit
CareKit ResearchKit HealthKit User consent Secure storage
None
Questions?
Matheus Cardoso " Open Sourcerer - GitHub.com/cardoso ✉ Mail Reader
-
[email protected]