Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Don't F it up: How to simplify your security de...

Avatar for Matheus Cardoso Matheus Cardoso
June 04, 2019
Technology
0
29

Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app

Avatar for Matheus Cardoso

Matheus Cardoso

June 04, 2019
Tweet

More Decks by Matheus Cardoso

See All by Matheus Cardoso
Server-Side Swift with Vapor
Avatar for Matheus Cardoso cardoso
0
89
Going Open Source: Advantages and Lessons Learned
Avatar for Matheus Cardoso cardoso
0
36
ChatOps with Rocket.Chat & Python
Avatar for Matheus Cardoso cardoso
0
250

Other Decks in Technology

See All in Technology
"'TSのAPI型安全”の対価は誰が払う?不公平なスキーマ駆動に終止符を打つハイブリッド戦略
Avatar for Hal hal_spidernight
0
210
MySQL AIとMySQL Studioを使ってみよう
Avatar for mikoma ikomachi226
0
130
Pandocでmd→pptx便利すぎワロタwww
Avatar for meow meow_noisy
2
1.1k
.NET 10 のパフォーマンス改善
Avatar for neno nenonaninu
2
4.1k
How native lazy objects will change Doctrine and Symfony forever
Avatar for Benjamin Eberlei beberlei
1
320
進化の早すぎる生成 AI と向き合う
Avatar for SatohJohn satohjohn
0
470
type-challenges を全問解いたのでエッセンスと推し問題を紹介してみる
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
0
160
都市スケールAR制作で気をつけること
Avatar for segur segur
0
220
Google Stitch 大型アップデートが実現するアイデアとコードの完全なる融合
Avatar for 月ねこAI nekoailab
0
100
re:Invent2025とAWS Builder Cards Resilience Expansionのご紹介
Avatar for Tsuwa61 tsuwa61
1
130
Dify on AWS の選択肢
Avatar for Yuki Sekiya ysekiy
0
120
Eight Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
5.7k

Featured

See All Featured
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
514
110k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
36
6.1k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
140
34k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
9
990
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.5k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
180
10k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.4k
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
1.8k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.3k

Transcript

  1. Don’t F it up! @ AltConf 2019 How to simplify

    your security decisions and protect yourself when building a healthcare App.

  2. Matheus Cardoso Developer Relations @ Virgil Security " Open Sourcerer

    @ GitHub.com/cardoso
  3. None

  4. Storage Transmission Passwords

  5. None

  6. Security? Cryptography? Regulations?

  7. $4 trillion +5% year fortune.com/2019/02/21/us-health-care-costs-2

  8. modernhealthcare.com

  9. modernhealthcare.com 28% of all VC in the U.S

  10. modernhealthcare.com

  11. modernhealthcare.com

  12. 2018 Was a Record Year for HIPAA Penalties gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

  13. $25 million in fines gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

  14. None

  15. (ePHI) Electronic Protected Health Information

  16. Securing ePHI HIPAA Compliance

  17. Securing ePHI Facility Access HIPAA Compliance

  18. Securing ePHI Facility Access Policies & Tracking HIPAA Compliance

  19. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  20. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  21. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  22. hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

  23. Recent Examples

  24. techcrunch.com/2019/03/17/medical-health-data-leak

  25. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database

  26. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database 6 million health records exposed

  27. techcrunch.com/2019/03/17/medical-health-data-leak

  28. Medical records techcrunch.com/2019/03/17/medical-health-data-leak

  29. Medical records Doctor’s notes techcrunch.com/2019/03/17/medical-health-data-leak

  30. Medical records Doctor’s notes Prescriptions techcrunch.com/2019/03/17/medical-health-data-leak

  31. Medical records Doctor’s notes Prescriptions Illness information techcrunch.com/2019/03/17/medical-health-data-leak

  32. Medical records Doctor’s notes Prescriptions Illness information Blood test results

    techcrunch.com/2019/03/17/medical-health-data-leak

  33. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth

  34. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information

  35. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information Payment data

  36. techcrunch.com/2019/03/17/medical-health-data-leak Doctor’s notes Prescriptions Illness information Blood test results Name,

    address, date of birth Insurance information Payment data Personal data

  37. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children

  38. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children ePHI

  39. newsroom.uw.edu/news/data-error-exposes-patient-information

  40. Exposed data to search engines during migration newsroom.uw.edu/news/data-error-exposes-patient-information

  41. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904

  42. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

  43. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines

  44. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines Many more…

  45. DataBreachToday.com

  46. DataBreachToday.com HipaaJournal.com

  47. DataBreachToday.com HipaaJournal.com ocrportal.hhs.gov/ocr/ breach

  48. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

  49. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

  50. None

  51. if user.identity == "bob" { send(ePHI, to: user) }

  52. Data base API

  53. Data base API

  54. Data base API Securing the perimeter

  55. Data base API Data in plaintext ->

  56. theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities

  57. xda-developers.com/user-data-leak-misconfigured-firebase-backends

  58. Heavy HHS fines

  59. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers

  60. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers Up to 250$/record

    www2.trustwave.com/Value-of-Data-Report_LP.html

  61. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit

  62. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit Heavy HHS fines Data for ransom Lawsuits …

  63. None
  64. None
  65. None

  66. apple.com/privacy/approach-to-privacy

  67. apple.com/privacy/approach-to-privacy

  68. None

  69. washingtonpost.com

  70. Data base API

  71. API

  72. API

  73. Ali Ali B Bo ( )

  74. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

  75. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    <- Encrypts <- Decrypts

  76. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

  77. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

  78. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  79. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  80. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  81. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  82. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  83. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  84. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  85. Public Key Service iOS Application IP Messaging

  86. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt

  87. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Catalog/Distribute Public Keys

  88. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Store/Transmit encrypted Messages Catalog/Distribute Public Keys

  89. iOS Application

  90. https://github.com/VirgilSecurity/virgil-crypto

  91. import VirgilCrypto // generate key pair let crypto = try!

    VirgilCrypto() let keyPair = try! crypto.generateKeyPair() 1

  92. // save private key UserDefaults.standard.set( keyPair.privateKey, forKey: "private_key") // code

    for keychain too big for slides // but use keychain!! 2

  93. // publish public key publishPublicKey( keyPair.publicKey, for: "bob") 3

  94. // lookup public key let k = lookupPublicKey(of: "alice")! 4

  95. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]) 5

  96. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]/* encrypt for multiple keys */) 5

  97. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey) let message = String( data: decryptedData, encoding: .utf8) 6

  98. Transmission Security STANDARD § 164.312(e)(1)

  99. Integrity STANDARD § 164.312(c)(1)

  100. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Alice

  101. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Something else

  102. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Something else

  103. Encryption Message Body Signature

  104. Encryption Message Body Signature

  105. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k])

  106. // sign and encrypt message let signedData = try crypto.signThenEncrypt(

    "Hello Bob!".data(using: .utf8)!, with: keyPair.privateKey, /* to sign! */ for: [k])

  107. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey)

  108. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

    signedData, with: keyPair.privateKey, using: k /* to verify! */)

  109. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

    signedData, with: keyPair.privateKey, using: k /* to verify! */) No need to be a Cryptographer

  110. + Database Compromises

  111. + Man-in-the-middle Attacks

  112. + Brute-force Attacks

  113. Non-deterministic encrypt(“Hello Dr. Alice”) = X encrypt(“Hello Dr. Alice”) =

    Y encrypt(“Hello Dr. Alice”) = Z …

  114. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

  115. Transmission Security STANDARD § 164.312(e)(1) Integrity STANDARD § 164.312(c)(1)

  116. Quick Demo! Please work

  117. https://github.com/VirgilSecurity/virgil-crypto

  118. https://github.com/VirgilSecurity/virgil-crypto Objective-C, Swift, Java, Kotlin, C, C++ Go, PHP, Python,

    Ruby, C#/.NET, AsmJS, NodeJS, WebAssembly, …

  119. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

  120. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks That’s

    not all, folks

  121. Perfect Forward Secrecy + Private Key Compromises

  122. Perfect Forward Secrecy (Double Ratchet) signal.org/docs/specifications/doubleratchet/doubleratchet.pdf

  123. To consider…

  124. CareKit ResearchKit HealthKit

  125. HealthKit Track health & fitness

  126. Track health & fitness Access health records HealthKit

  127. Track health & fitness Access health records HealthKit Ongoing health

  128. CareKit Measure symptoms Track medications Get Insights Share with doctors

  129. CareKit Measure symptoms Track medications Share with doctors Medical treatment

  130. ResearchKit Enroll participants Gather data Share with researchers

  131. ResearchKit Enroll participants Measure symptoms Share with doctors Medical research

  132. CareKit ResearchKit HealthKit

  133. CareKit ResearchKit HealthKit User consent Secure storage

  134. None

  135. Questions?

  136. Matheus Cardoso " Open Sourcerer - GitHub.com/cardoso ✉ Mail Reader

    - [email protected]