Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app
Search
Matheus Cardoso
June 04, 2019
Technology
0
17
Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app
Matheus Cardoso
June 04, 2019
Tweet
Share
More Decks by Matheus Cardoso
See All by Matheus Cardoso
Server-Side Swift with Vapor
cardoso
0
76
Going Open Source: Advantages and Lessons Learned
cardoso
0
27
ChatOps with Rocket.Chat & Python
cardoso
0
210
Other Decks in Technology
See All in Technology
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
700
Handling focus in 2024
tahia910
0
120
R3のコードから見る実践LINQ実装最適化・コンカレントプログラミング実例
neuecc
3
1.4k
2024春 注目のWeb系 OSS & SaaS 3選
makies
0
170
Microsoft Intune 勉強会 第 2 回目
tamaiyutaro
2
350
web-application-security
matsuihidetoshi
1
180
MapLibreとAmazon Location Service
dayjournal
1
170
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160
VS CodeでAWSを操作しよう
smt7174
9
1.9k
Amplify 🩷 Bedrock 〜生成AI入門〜
minorun365
PRO
5
190
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
7
1.4k
Featured
See All Featured
Designing for humans not robots
tammielis
248
25k
Raft: Consensus for Rubyists
vanstee
133
6.3k
Web Components: a chance to create the future
zenorocha
306
41k
What the flash - Photography Introduction
edds
64
11k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
The Pragmatic Product Professional
lauravandoore
26
5.8k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
How to Ace a Technical Interview
jacobian
273
22k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
41
4.4k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
A designer walks into a library…
pauljervisheath
201
23k
Automating Front-end Workflow
addyosmani
1357
200k
Transcript
Don’t F it up! @ AltConf 2019 How to simplify
your security decisions and protect yourself when building a healthcare App.
Matheus Cardoso Developer Relations @ Virgil Security " Open Sourcerer
@ GitHub.com/cardoso
None
Storage Transmission Passwords
None
Security? Cryptography? Regulations?
$4 trillion +5% year fortune.com/2019/02/21/us-health-care-costs-2
modernhealthcare.com
modernhealthcare.com 28% of all VC in the U.S
modernhealthcare.com
modernhealthcare.com
2018 Was a Record Year for HIPAA Penalties gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties
$25 million in fines gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties
None
(ePHI) Electronic Protected Health Information
Securing ePHI HIPAA Compliance
Securing ePHI Facility Access HIPAA Compliance
Securing ePHI Facility Access Policies & Tracking HIPAA Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Recent Examples
techcrunch.com/2019/03/17/medical-health-data-leak
techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database
techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database 6 million health records exposed
techcrunch.com/2019/03/17/medical-health-data-leak
Medical records techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions Illness information techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions Illness information Blood test results
techcrunch.com/2019/03/17/medical-health-data-leak
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth Insurance information
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth Insurance information Payment data
techcrunch.com/2019/03/17/medical-health-data-leak Doctor’s notes Prescriptions Illness information Blood test results Name,
address, date of birth Insurance information Payment data Personal data
techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date
of birth Insurance information Payment data Personal data Information on children
techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date
of birth Insurance information Payment data Personal data Information on children ePHI
newsroom.uw.edu/news/data-error-exposes-patient-information
Exposed data to search engines during migration newsroom.uw.edu/news/data-error-exposes-patient-information
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
1.7 million dollars in fines
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
1.7 million dollars in fines Many more…
DataBreachToday.com
DataBreachToday.com HipaaJournal.com
DataBreachToday.com HipaaJournal.com ocrportal.hhs.gov/ocr/ breach
80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042
80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042
None
if user.identity == "bob" { send(ePHI, to: user) }
Data base API
Data base API
Data base API Securing the perimeter
Data base API Data in plaintext ->
theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities
xda-developers.com/user-data-leak-misconfigured-firebase-backends
Heavy HHS fines
Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers
Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers Up to 250$/record
www2.trustwave.com/Value-of-Data-Report_LP.html
cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit
cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit Heavy HHS fines Data for ransom Lawsuits …
None
None
None
apple.com/privacy/approach-to-privacy
apple.com/privacy/approach-to-privacy
None
washingtonpost.com
Data base API
API
API
Ali Ali B Bo ( )
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
<- Encrypts <- Decrypts
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
Public Key Service iOS Application IP Messaging
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt Catalog/Distribute Public Keys
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt Store/Transmit encrypted Messages Catalog/Distribute Public Keys
iOS Application
https://github.com/VirgilSecurity/virgil-crypto
import VirgilCrypto // generate key pair let crypto = try!
VirgilCrypto() let keyPair = try! crypto.generateKeyPair() 1
// save private key UserDefaults.standard.set( keyPair.privateKey, forKey: "private_key") // code
for keychain too big for slides // but use keychain!! 2
// publish public key publishPublicKey( keyPair.publicKey, for: "bob") 3
// lookup public key let k = lookupPublicKey(of: "alice")! 4
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k]) 5
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k]/* encrypt for multiple keys */) 5
// decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:
keyPair.privateKey) let message = String( data: decryptedData, encoding: .utf8) 6
Transmission Security STANDARD § 164.312(e)(1)
Integrity STANDARD § 164.312(c)(1)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Something else
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Something else
Encryption Message Body Signature
Encryption Message Body Signature
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k])
// sign and encrypt message let signedData = try crypto.signThenEncrypt(
"Hello Bob!".data(using: .utf8)!, with: keyPair.privateKey, /* to sign! */ for: [k])
// decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:
keyPair.privateKey)
// decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(
signedData, with: keyPair.privateKey, using: k /* to verify! */)
// decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(
signedData, with: keyPair.privateKey, using: k /* to verify! */) No need to be a Cryptographer
+ Database Compromises
+ Man-in-the-middle Attacks
+ Brute-force Attacks
Non-deterministic encrypt(“Hello Dr. Alice”) = X encrypt(“Hello Dr. Alice”) =
Y encrypt(“Hello Dr. Alice”) = Z …
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks
Transmission Security STANDARD § 164.312(e)(1) Integrity STANDARD § 164.312(c)(1)
Quick Demo! Please work
https://github.com/VirgilSecurity/virgil-crypto
https://github.com/VirgilSecurity/virgil-crypto Objective-C, Swift, Java, Kotlin, C, C++ Go, PHP, Python,
Ruby, C#/.NET, AsmJS, NodeJS, WebAssembly, …
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks That’s
not all, folks
Perfect Forward Secrecy + Private Key Compromises
Perfect Forward Secrecy (Double Ratchet) signal.org/docs/specifications/doubleratchet/doubleratchet.pdf
To consider…
CareKit ResearchKit HealthKit
HealthKit Track health & fitness
Track health & fitness Access health records HealthKit
Track health & fitness Access health records HealthKit Ongoing health
CareKit Measure symptoms Track medications Get Insights Share with doctors
CareKit Measure symptoms Track medications Share with doctors Medical treatment
ResearchKit Enroll participants Gather data Share with researchers
ResearchKit Enroll participants Measure symptoms Share with doctors Medical research
CareKit ResearchKit HealthKit
CareKit ResearchKit HealthKit User consent Secure storage
None
Questions?
Matheus Cardoso " Open Sourcerer - GitHub.com/cardoso ✉ Mail Reader
-
[email protected]