Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Don't F it up: How to simplify your security de...

Avatar for Matheus Cardoso Matheus Cardoso
June 04, 2019
Technology
30
0

Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app

Avatar for Matheus Cardoso

Matheus Cardoso

June 04, 2019

More Decks by Matheus Cardoso

See All by Matheus Cardoso
Server-Side Swift with Vapor
Avatar for Matheus Cardoso cardoso
0
97
Going Open Source: Advantages and Lessons Learned
Avatar for Matheus Cardoso cardoso
0
38
ChatOps with Rocket.Chat & Python
Avatar for Matheus Cardoso cardoso
0
260

Other Decks in Technology

See All in Technology
最近の技術系の話題で気になったもの色々(IoT系以外も) / IoTLT 花見予定会(たぶんBBQ) @都立潮風公園バーベキュー広場
Avatar for you(@youtoy) you
PRO
1
210
Oracle AI Database@AWS:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
2.3k
AIを共同作業者にして書籍を執筆する方法 / How to Write a Book with AI as a Co-Creator
Avatar for ama-ch ama_ch
2
120
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
Avatar for Kenji Saito ks91
PRO
0
250
AI時代における技術的負債への取り組み
Avatar for Tadashi Shigeoka codenote
0
960
DIPS2.0データに基づく森林管理における無人航空機の利用状況
Avatar for Forestgeo.info naokimuroki
1
220
2026年、知っておくべき最新 サーバレスTips10選/serverless-10-tips
Avatar for Serverless Operations slsops
13
5k
レビューしきれない?それは「全て人力でのレビュー」だからではないでしょうか
Avatar for amixedcolor amixedcolor
0
250
ARIA Notifyについて
Avatar for ryokatsuse ryokatsuse
1
100
DevOpsDays Tokyo 2026 軽量な仕様書と新たなDORA AI ケイパビリティで実現する、動くソフトウェアを中心とした開発ライフサイクル / DevOpsDays Tokyo 2026
Avatar for Niishi Kubo n11sh1
0
140
"SQLは書けません"から始まる データドリブン
Avatar for kubell kubell_hr
2
460
プロンプトエンジニアリングを超えて:自由と統制のあいだでつくる Platform × Context Engineering
Avatar for yuriemori yuriemori
0
240

Featured

See All Featured
State of Search Keynote: SEO is Dead Long Live SEO
Avatar for Ryan Jones ryanjones
0
180
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
54k
The Limits of Empathy - UXLibs8
Avatar for Cassini Nazir cassininazir
1
290
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
970
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
62
53k
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.4k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
Avatar for Kenny Baas-Schwegler baasie
0
290
Designing for Performance
Avatar for Lara Hogan lara
611
70k
How to Talk to Developers About Accessibility
Avatar for Jason CranfordTeague jct
2
170
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.8k
Scaling GitHub
Avatar for Zach Holman holman
464
140k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
Avatar for Ines Montani inesmontani
PRO
3
3.3k

Transcript

  1. Don’t F it up! @ AltConf 2019 How to simplify

    your security decisions and protect yourself when building a healthcare App.

  2. Matheus Cardoso Developer Relations @ Virgil Security " Open Sourcerer

    @ GitHub.com/cardoso
  3. None

  4. Storage Transmission Passwords

  5. None

  6. Security? Cryptography? Regulations?

  7. $4 trillion +5% year fortune.com/2019/02/21/us-health-care-costs-2

  8. modernhealthcare.com

  9. modernhealthcare.com 28% of all VC in the U.S

  10. modernhealthcare.com

  11. modernhealthcare.com

  12. 2018 Was a Record Year for HIPAA Penalties gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

  13. $25 million in fines gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

  14. None

  15. (ePHI) Electronic Protected Health Information

  16. Securing ePHI HIPAA Compliance

  17. Securing ePHI Facility Access HIPAA Compliance

  18. Securing ePHI Facility Access Policies & Tracking HIPAA Compliance

  19. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  20. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  21. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  22. hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

  23. Recent Examples

  24. techcrunch.com/2019/03/17/medical-health-data-leak

  25. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database

  26. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database 6 million health records exposed

  27. techcrunch.com/2019/03/17/medical-health-data-leak

  28. Medical records techcrunch.com/2019/03/17/medical-health-data-leak

  29. Medical records Doctor’s notes techcrunch.com/2019/03/17/medical-health-data-leak

  30. Medical records Doctor’s notes Prescriptions techcrunch.com/2019/03/17/medical-health-data-leak

  31. Medical records Doctor’s notes Prescriptions Illness information techcrunch.com/2019/03/17/medical-health-data-leak

  32. Medical records Doctor’s notes Prescriptions Illness information Blood test results

    techcrunch.com/2019/03/17/medical-health-data-leak

  33. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth

  34. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information

  35. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information Payment data

  36. techcrunch.com/2019/03/17/medical-health-data-leak Doctor’s notes Prescriptions Illness information Blood test results Name,

    address, date of birth Insurance information Payment data Personal data

  37. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children

  38. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children ePHI

  39. newsroom.uw.edu/news/data-error-exposes-patient-information

  40. Exposed data to search engines during migration newsroom.uw.edu/news/data-error-exposes-patient-information

  41. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904

  42. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

  43. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines

  44. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines Many more…

  45. DataBreachToday.com

  46. DataBreachToday.com HipaaJournal.com

  47. DataBreachToday.com HipaaJournal.com ocrportal.hhs.gov/ocr/ breach

  48. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

  49. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

  50. None

  51. if user.identity == "bob" { send(ePHI, to: user) }

  52. Data base API

  53. Data base API

  54. Data base API Securing the perimeter

  55. Data base API Data in plaintext ->

  56. theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities

  57. xda-developers.com/user-data-leak-misconfigured-firebase-backends

  58. Heavy HHS fines

  59. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers

  60. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers Up to 250$/record

    www2.trustwave.com/Value-of-Data-Report_LP.html

  61. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit

  62. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit Heavy HHS fines Data for ransom Lawsuits …

  63. None
  64. None
  65. None

  66. apple.com/privacy/approach-to-privacy

  67. apple.com/privacy/approach-to-privacy

  68. None

  69. washingtonpost.com

  70. Data base API

  71. API

  72. API

  73. Ali Ali B Bo ( )

  74. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

  75. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    <- Encrypts <- Decrypts

  76. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

  77. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

  78. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  79. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  80. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  81. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  82. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  83. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  84. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  85. Public Key Service iOS Application IP Messaging

  86. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt

  87. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Catalog/Distribute Public Keys

  88. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Store/Transmit encrypted Messages Catalog/Distribute Public Keys

  89. iOS Application

  90. https://github.com/VirgilSecurity/virgil-crypto

  91. import VirgilCrypto // generate key pair let crypto = try!

    VirgilCrypto() let keyPair = try! crypto.generateKeyPair() 1

  92. // save private key UserDefaults.standard.set( keyPair.privateKey, forKey: "private_key") // code

    for keychain too big for slides // but use keychain!! 2

  93. // publish public key publishPublicKey( keyPair.publicKey, for: "bob") 3

  94. // lookup public key let k = lookupPublicKey(of: "alice")! 4

  95. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]) 5

  96. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]/* encrypt for multiple keys */) 5

  97. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey) let message = String( data: decryptedData, encoding: .utf8) 6

  98. Transmission Security STANDARD § 164.312(e)(1)

  99. Integrity STANDARD § 164.312(c)(1)

  100. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Alice

  101. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Something else

  102. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Something else

  103. Encryption Message Body Signature

  104. Encryption Message Body Signature

  105. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k])

  106. // sign and encrypt message let signedData = try crypto.signThenEncrypt(

    "Hello Bob!".data(using: .utf8)!, with: keyPair.privateKey, /* to sign! */ for: [k])

  107. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey)

  108. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

    signedData, with: keyPair.privateKey, using: k /* to verify! */)

  109. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

    signedData, with: keyPair.privateKey, using: k /* to verify! */) No need to be a Cryptographer

  110. + Database Compromises

  111. + Man-in-the-middle Attacks

  112. + Brute-force Attacks

  113. Non-deterministic encrypt(“Hello Dr. Alice”) = X encrypt(“Hello Dr. Alice”) =

    Y encrypt(“Hello Dr. Alice”) = Z …

  114. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

  115. Transmission Security STANDARD § 164.312(e)(1) Integrity STANDARD § 164.312(c)(1)

  116. Quick Demo! Please work

  117. https://github.com/VirgilSecurity/virgil-crypto

  118. https://github.com/VirgilSecurity/virgil-crypto Objective-C, Swift, Java, Kotlin, C, C++ Go, PHP, Python,

    Ruby, C#/.NET, AsmJS, NodeJS, WebAssembly, …

  119. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

  120. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks That’s

    not all, folks

  121. Perfect Forward Secrecy + Private Key Compromises

  122. Perfect Forward Secrecy (Double Ratchet) signal.org/docs/specifications/doubleratchet/doubleratchet.pdf

  123. To consider…

  124. CareKit ResearchKit HealthKit

  125. HealthKit Track health & fitness

  126. Track health & fitness Access health records HealthKit

  127. Track health & fitness Access health records HealthKit Ongoing health

  128. CareKit Measure symptoms Track medications Get Insights Share with doctors

  129. CareKit Measure symptoms Track medications Share with doctors Medical treatment

  130. ResearchKit Enroll participants Gather data Share with researchers

  131. ResearchKit Enroll participants Measure symptoms Share with doctors Medical research

  132. CareKit ResearchKit HealthKit

  133. CareKit ResearchKit HealthKit User consent Secure storage

  134. None

  135. Questions?

  136. Matheus Cardoso " Open Sourcerer - GitHub.com/cardoso ✉ Mail Reader

    - [email protected]