Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app

Transcript

1. Don’t F it up! @ AltConf 2019 How to simplify

   your security decisions and protect yourself when building a healthcare App.

2. Matheus Cardoso Developer Relations @ Virgil Security " Open Sourcerer

   @ GitHub.com/cardoso
3. None

4. Storage Transmission Passwords

5. None

6. Security? Cryptography? Regulations?

7. $4 trillion +5% year fortune.com/2019/02/21/us-health-care-costs-2

8. modernhealthcare.com

9. modernhealthcare.com 28% of all VC in the U.S

10. modernhealthcare.com

11. modernhealthcare.com

12. 2018 Was a Record Year for HIPAA Penalties gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

13. $25 million in fines gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

14. None

15. (ePHI) Electronic Protected Health Information

16. Securing ePHI HIPAA Compliance

17. Securing ePHI Facility Access HIPAA Compliance

18. Securing ePHI Facility Access Policies & Tracking HIPAA Compliance

19. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

20. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

21. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

22. hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

23. Recent Examples

24. techcrunch.com/2019/03/17/medical-health-data-leak

25. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database

26. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database 6 million health records exposed

27. techcrunch.com/2019/03/17/medical-health-data-leak

28. Medical records techcrunch.com/2019/03/17/medical-health-data-leak

29. Medical records Doctor’s notes techcrunch.com/2019/03/17/medical-health-data-leak

30. Medical records Doctor’s notes Prescriptions techcrunch.com/2019/03/17/medical-health-data-leak

31. Medical records Doctor’s notes Prescriptions Illness information techcrunch.com/2019/03/17/medical-health-data-leak

32. Medical records Doctor’s notes Prescriptions Illness information Blood test results

    techcrunch.com/2019/03/17/medical-health-data-leak

33. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth

34. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information

35. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information Payment data

36. techcrunch.com/2019/03/17/medical-health-data-leak Doctor’s notes Prescriptions Illness information Blood test results Name,

    address, date of birth Insurance information Payment data Personal data

37. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children

38. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children ePHI

39. newsroom.uw.edu/news/data-error-exposes-patient-information

40. Exposed data to search engines during migration newsroom.uw.edu/news/data-error-exposes-patient-information

41. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904

42. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

43. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines

44. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines Many more…

45. DataBreachToday.com

46. DataBreachToday.com HipaaJournal.com

47. DataBreachToday.com HipaaJournal.com ocrportal.hhs.gov/ocr/ breach

48. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

49. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

50. None

51. if user.identity == "bob" { send(ePHI, to: user) }

52. Data base API

53. Data base API

54. Data base API Securing the perimeter

55. Data base API Data in plaintext ->

56. theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities

57. xda-developers.com/user-data-leak-misconfigured-firebase-backends

58. Heavy HHS fines

59. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers

60. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers Up to 250$/record

    www2.trustwave.com/Value-of-Data-Report_LP.html

61. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit

62. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit Heavy HHS fines Data for ransom Lawsuits …

63. None
64. None
65. None

66. apple.com/privacy/approach-to-privacy

67. apple.com/privacy/approach-to-privacy

68. None

69. washingtonpost.com

70. Data base API

71. API

72. API

73. Ali Ali B Bo ( )

74. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

75. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    <- Encrypts <- Decrypts

76. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

77. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

78. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

79. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

80. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

81. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

82. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

83. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

84. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

85. Public Key Service iOS Application IP Messaging

86. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt

87. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Catalog/Distribute Public Keys

88. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Store/Transmit encrypted Messages Catalog/Distribute Public Keys

89. iOS Application

90. https://github.com/VirgilSecurity/virgil-crypto

91. import VirgilCrypto // generate key pair let crypto = try!

    VirgilCrypto() let keyPair = try! crypto.generateKeyPair() 1

92. // save private key UserDefaults.standard.set( keyPair.privateKey, forKey: "private_key") // code

    for keychain too big for slides // but use keychain!! 2

93. // publish public key publishPublicKey( keyPair.publicKey, for: "bob") 3

94. // lookup public key let k = lookupPublicKey(of: "alice")! 4

95. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]) 5

96. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]/* encrypt for multiple keys */) 5

97. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey) let message = String( data: decryptedData, encoding: .utf8) 6

98. Transmission Security STANDARD § 164.312(e)(1)

99. Integrity STANDARD § 164.312(c)(1)

100. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

     Public (Bob) Public (Alice) Hello Alice

101. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

     Public (Bob) Public (Alice) Something else

102. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

     Public (Bob) Public (Alice) Something else

103. Encryption Message Body Signature

104. Encryption Message Body Signature

105. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

     .utf8)!, for: [k])

106. // sign and encrypt message let signedData = try crypto.signThenEncrypt(

     "Hello Bob!".data(using: .utf8)!, with: keyPair.privateKey, /* to sign! */ for: [k])

107. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

     keyPair.privateKey)

108. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

     signedData, with: keyPair.privateKey, using: k /* to verify! */)

109. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

     signedData, with: keyPair.privateKey, using: k /* to verify! */) No need to be a Cryptographer

110. + Database Compromises

111. + Man-in-the-middle Attacks

112. + Brute-force Attacks

113. Non-deterministic encrypt(“Hello Dr. Alice”) = X encrypt(“Hello Dr. Alice”) =

     Y encrypt(“Hello Dr. Alice”) = Z …

114. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

115. Transmission Security STANDARD § 164.312(e)(1) Integrity STANDARD § 164.312(c)(1)

116. Quick Demo! Please work

117. https://github.com/VirgilSecurity/virgil-crypto

118. https://github.com/VirgilSecurity/virgil-crypto Objective-C, Swift, Java, Kotlin, C, C++ Go, PHP, Python,

     Ruby, C#/.NET, AsmJS, NodeJS, WebAssembly, …

119. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

120. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks That’s

     not all, folks

121. Perfect Forward Secrecy + Private Key Compromises

122. Perfect Forward Secrecy (Double Ratchet) signal.org/docs/specifications/doubleratchet/doubleratchet.pdf

123. To consider…

124. CareKit ResearchKit HealthKit

125. HealthKit Track health & fitness

126. Track health & fitness Access health records HealthKit

127. Track health & fitness Access health records HealthKit Ongoing health

128. CareKit Measure symptoms Track medications Get Insights Share with doctors

129. CareKit Measure symptoms Track medications Share with doctors Medical treatment

130. ResearchKit Enroll participants Gather data Share with researchers

131. ResearchKit Enroll participants Measure symptoms Share with doctors Medical research

132. CareKit ResearchKit HealthKit

133. CareKit ResearchKit HealthKit User consent Secure storage

134. None

135. Questions?

136. Matheus Cardoso " Open Sourcerer - GitHub.com/cardoso ✉ Mail Reader

     - [email protected]