Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Don't F it up: How to simplify your security de...
Search
Matheus Cardoso
June 04, 2019
Technology
0
27
Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app
Matheus Cardoso
June 04, 2019
Tweet
Share
More Decks by Matheus Cardoso
See All by Matheus Cardoso
Server-Side Swift with Vapor
cardoso
0
87
Going Open Source: Advantages and Lessons Learned
cardoso
0
31
ChatOps with Rocket.Chat & Python
cardoso
0
240
Other Decks in Technology
See All in Technology
United Airlines Customer Service– Call 1-833-341-3142 Now!
airhelp
0
170
AWS認定を取る中で感じたこと
siromi
1
190
Zero Data Loss Autonomous Recovery Service サービス概要
oracle4engineer
PRO
2
7.7k
OPENLOGI Company Profile for engineer
hr01
1
34k
LLM時代の検索
shibuiwilliam
2
150
開発生産性を測る前にやるべきこと - 組織改善の実践 / Before Measuring Dev Productivity
kaonavi
10
4.5k
さくらのIaaS基盤のモニタリングとOpenTelemetry/OSC Hokkaido 2025
fujiwara3
3
440
生成AI開発案件におけるClineの業務活用事例とTips
shinya337
0
260
AI専用のリンターを作る #yumemi_patch
bengo4com
5
4.3k
ビズリーチにおけるリアーキテクティング実践事例 / JJUG CCC 2025 Spring
visional_engineering_and_design
1
120
OPENLOGI Company Profile
hr01
0
67k
赤煉瓦倉庫勉強会「Databricksを選んだ理由と、絶賛真っ只中のデータ基盤移行体験記」
ivry_presentationmaterials
2
360
Featured
See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.5k
Producing Creativity
orderedlist
PRO
346
40k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.4k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Scaling GitHub
holman
460
140k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
GitHub's CSS Performance
jonrohan
1031
460k
The World Runs on Bad Software
bkeepers
PRO
69
11k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
107
19k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
Bash Introduction
62gerente
613
210k
Transcript
Don’t F it up! @ AltConf 2019 How to simplify
your security decisions and protect yourself when building a healthcare App.
Matheus Cardoso Developer Relations @ Virgil Security " Open Sourcerer
@ GitHub.com/cardoso
None
Storage Transmission Passwords
None
Security? Cryptography? Regulations?
$4 trillion +5% year fortune.com/2019/02/21/us-health-care-costs-2
modernhealthcare.com
modernhealthcare.com 28% of all VC in the U.S
modernhealthcare.com
modernhealthcare.com
2018 Was a Record Year for HIPAA Penalties gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties
$25 million in fines gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties
None
(ePHI) Electronic Protected Health Information
Securing ePHI HIPAA Compliance
Securing ePHI Facility Access HIPAA Compliance
Securing ePHI Facility Access Policies & Tracking HIPAA Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA
Compliance
hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Recent Examples
techcrunch.com/2019/03/17/medical-health-data-leak
techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database
techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database 6 million health records exposed
techcrunch.com/2019/03/17/medical-health-data-leak
Medical records techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions Illness information techcrunch.com/2019/03/17/medical-health-data-leak
Medical records Doctor’s notes Prescriptions Illness information Blood test results
techcrunch.com/2019/03/17/medical-health-data-leak
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth Insurance information
techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test
results Name, address, date of birth Insurance information Payment data
techcrunch.com/2019/03/17/medical-health-data-leak Doctor’s notes Prescriptions Illness information Blood test results Name,
address, date of birth Insurance information Payment data Personal data
techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date
of birth Insurance information Payment data Personal data Information on children
techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date
of birth Insurance information Payment data Personal data Information on children ePHI
newsroom.uw.edu/news/data-error-exposes-patient-information
Exposed data to search engines during migration newsroom.uw.edu/news/data-error-exposes-patient-information
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
1.7 million dollars in fines
databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade
1.7 million dollars in fines Many more…
DataBreachToday.com
DataBreachToday.com HipaaJournal.com
DataBreachToday.com HipaaJournal.com ocrportal.hhs.gov/ocr/ breach
80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042
80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042
None
if user.identity == "bob" { send(ePHI, to: user) }
Data base API
Data base API
Data base API Securing the perimeter
Data base API Data in plaintext ->
theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities
xda-developers.com/user-data-leak-misconfigured-firebase-backends
Heavy HHS fines
Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers
Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers Up to 250$/record
www2.trustwave.com/Value-of-Data-Report_LP.html
cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit
cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit Heavy HHS fines Data for ransom Lawsuits …
None
None
None
apple.com/privacy/approach-to-privacy
apple.com/privacy/approach-to-privacy
None
washingtonpost.com
Data base API
API
API
Ali Ali B Bo ( )
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
<- Encrypts <- Decrypts
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) $&!@*#%?$&
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Dr. Alice
Public Key Service iOS Application IP Messaging
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt Catalog/Distribute Public Keys
Public Key Service iOS Application IP Messaging Generate Key Pair
Encrypt/Decrypt Store/Transmit encrypted Messages Catalog/Distribute Public Keys
iOS Application
https://github.com/VirgilSecurity/virgil-crypto
import VirgilCrypto // generate key pair let crypto = try!
VirgilCrypto() let keyPair = try! crypto.generateKeyPair() 1
// save private key UserDefaults.standard.set( keyPair.privateKey, forKey: "private_key") // code
for keychain too big for slides // but use keychain!! 2
// publish public key publishPublicKey( keyPair.publicKey, for: "bob") 3
// lookup public key let k = lookupPublicKey(of: "alice")! 4
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k]) 5
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k]/* encrypt for multiple keys */) 5
// decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:
keyPair.privateKey) let message = String( data: decryptedData, encoding: .utf8) 6
Transmission Security STANDARD § 164.312(e)(1)
Integrity STANDARD § 164.312(c)(1)
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Hello Alice
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Something else
( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)
Public (Bob) Public (Alice) Something else
Encryption Message Body Signature
Encryption Message Body Signature
// encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:
.utf8)!, for: [k])
// sign and encrypt message let signedData = try crypto.signThenEncrypt(
"Hello Bob!".data(using: .utf8)!, with: keyPair.privateKey, /* to sign! */ for: [k])
// decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:
keyPair.privateKey)
// decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(
signedData, with: keyPair.privateKey, using: k /* to verify! */)
// decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(
signedData, with: keyPair.privateKey, using: k /* to verify! */) No need to be a Cryptographer
+ Database Compromises
+ Man-in-the-middle Attacks
+ Brute-force Attacks
Non-deterministic encrypt(“Hello Dr. Alice”) = X encrypt(“Hello Dr. Alice”) =
Y encrypt(“Hello Dr. Alice”) = Z …
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks
Transmission Security STANDARD § 164.312(e)(1) Integrity STANDARD § 164.312(c)(1)
Quick Demo! Please work
https://github.com/VirgilSecurity/virgil-crypto
https://github.com/VirgilSecurity/virgil-crypto Objective-C, Swift, Java, Kotlin, C, C++ Go, PHP, Python,
Ruby, C#/.NET, AsmJS, NodeJS, WebAssembly, …
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks
+ Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks That’s
not all, folks
Perfect Forward Secrecy + Private Key Compromises
Perfect Forward Secrecy (Double Ratchet) signal.org/docs/specifications/doubleratchet/doubleratchet.pdf
To consider…
CareKit ResearchKit HealthKit
HealthKit Track health & fitness
Track health & fitness Access health records HealthKit
Track health & fitness Access health records HealthKit Ongoing health
CareKit Measure symptoms Track medications Get Insights Share with doctors
CareKit Measure symptoms Track medications Share with doctors Medical treatment
ResearchKit Enroll participants Gather data Share with researchers
ResearchKit Enroll participants Measure symptoms Share with doctors Medical research
CareKit ResearchKit HealthKit
CareKit ResearchKit HealthKit User consent Secure storage
None
Questions?
Matheus Cardoso " Open Sourcerer - GitHub.com/cardoso ✉ Mail Reader
-
[email protected]