Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Don't F it up: How to simplify your security de...

Avatar for Matheus Cardoso Matheus Cardoso
June 04, 2019
Technology
0
29

Don't F it up: How to simplify your security decisions and protect yourself when building a healthcare app

Avatar for Matheus Cardoso

Matheus Cardoso

June 04, 2019
Tweet

More Decks by Matheus Cardoso

See All by Matheus Cardoso
Server-Side Swift with Vapor
Avatar for Matheus Cardoso cardoso
0
92
Going Open Source: Advantages and Lessons Learned
Avatar for Matheus Cardoso cardoso
0
36
ChatOps with Rocket.Chat & Python
Avatar for Matheus Cardoso cardoso
0
260

Other Decks in Technology

See All in Technology
ファインディの横断SREがTakumi byGMOと取り組む、セキュリティと開発スピードの両立
Avatar for adachi.ryo rvirus0817
1
1.7k
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
Avatar for Toro_Unit (Hiroshi Urabe) torounit
0
480
Tebiki Engineering Team Deck
Avatar for Tebiki, Inc. tebiki
0
24k
~Everything as Codeを諦めない~ 後からCDK
Avatar for mu7889yoon / Yuta Nakamura mu7889yoon
3
530
AzureでのIaC - Bicep? Terraform? それ早く言ってよ会議
Avatar for Toru Makabe torumakabe
1
620
ランサムウェア対策としてのpnpm導入のススメ
Avatar for Satoru Ishikawa ishikawa_satoru
0
230
Amazon Bedrock Knowledge Basesチャンキング解説!
Avatar for 野口碧生 aoinoguchi
0
170
30万人の同時アクセスに耐えたい!新サービスの盤石なリリースを支える負荷試験 / SRE Kaigi 2026
Avatar for GENDA genda
4
1.4k
日本の85%が使う公共SaaSは、どう育ったのか
Avatar for たけだ taketakekaho
1
250
AIエージェントに必要なのはデータではなく文脈だった/ai-agent-context-graph-mybest
Avatar for Jun Naito jonnojun
1
250
Oracle Cloud Observability and Management Platform - OCI 運用監視サービス概要 -
Avatar for oracle4engineer oracle4engineer
PRO
2
14k
OpenShiftでllm-dを動かそう!
Avatar for jpishikawa jpishikawa
0
140

Featured

See All Featured
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
304
21k
First, design no harm
Avatar for Per Axbom axbom
PRO
2
1.1k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
85
9.4k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
760
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
37
6.3k
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
240
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.7k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
10
1.1k
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
1
330
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.8k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Highjacked: Video Game Concept Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
290

Transcript

  1. Don’t F it up! @ AltConf 2019 How to simplify

    your security decisions and protect yourself when building a healthcare App.

  2. Matheus Cardoso Developer Relations @ Virgil Security " Open Sourcerer

    @ GitHub.com/cardoso
  3. None

  4. Storage Transmission Passwords

  5. None

  6. Security? Cryptography? Regulations?

  7. $4 trillion +5% year fortune.com/2019/02/21/us-health-care-costs-2

  8. modernhealthcare.com

  9. modernhealthcare.com 28% of all VC in the U.S

  10. modernhealthcare.com

  11. modernhealthcare.com

  12. 2018 Was a Record Year for HIPAA Penalties gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

  13. $25 million in fines gdsconnect.com/2018-was-a-record-year-for-hipaa-penalties

  14. None

  15. (ePHI) Electronic Protected Health Information

  16. Securing ePHI HIPAA Compliance

  17. Securing ePHI Facility Access HIPAA Compliance

  18. Securing ePHI Facility Access Policies & Tracking HIPAA Compliance

  19. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  20. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  21. Securing ePHI Personnel Training Facility Access Policies & Tracking HIPAA

    Compliance

  22. hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

  23. Recent Examples

  24. techcrunch.com/2019/03/17/medical-health-data-leak

  25. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database

  26. techcrunch.com/2019/03/17/medical-health-data-leak Unsecured Elasticsearch Database 6 million health records exposed

  27. techcrunch.com/2019/03/17/medical-health-data-leak

  28. Medical records techcrunch.com/2019/03/17/medical-health-data-leak

  29. Medical records Doctor’s notes techcrunch.com/2019/03/17/medical-health-data-leak

  30. Medical records Doctor’s notes Prescriptions techcrunch.com/2019/03/17/medical-health-data-leak

  31. Medical records Doctor’s notes Prescriptions Illness information techcrunch.com/2019/03/17/medical-health-data-leak

  32. Medical records Doctor’s notes Prescriptions Illness information Blood test results

    techcrunch.com/2019/03/17/medical-health-data-leak

  33. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth

  34. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information

  35. techcrunch.com/2019/03/17/medical-health-data-leak Medical records Doctor’s notes Prescriptions Illness information Blood test

    results Name, address, date of birth Insurance information Payment data

  36. techcrunch.com/2019/03/17/medical-health-data-leak Doctor’s notes Prescriptions Illness information Blood test results Name,

    address, date of birth Insurance information Payment data Personal data

  37. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children

  38. techcrunch.com/2019/03/17/medical-health-data-leak Prescriptions Illness information Blood test results Name, address, date

    of birth Insurance information Payment data Personal data Information on children ePHI

  39. newsroom.uw.edu/news/data-error-exposes-patient-information

  40. Exposed data to search engines during migration newsroom.uw.edu/news/data-error-exposes-patient-information

  41. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904

  42. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

  43. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines

  44. databreachtoday.com/wellpoint-to-pay-17-million-settlement-a-5904 Stopped checking user identities during 3rd party software upgrade

    1.7 million dollars in fines Many more…

  45. DataBreachToday.com

  46. DataBreachToday.com HipaaJournal.com

  47. DataBreachToday.com HipaaJournal.com ocrportal.hhs.gov/ocr/ breach

  48. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

  49. 80% of data breaches are by mistake databreachtoday.com/misconfiguration-leads-to-major-health-data-breach-a-12042

  50. None

  51. if user.identity == "bob" { send(ePHI, to: user) }

  52. Data base API

  53. Data base API

  54. Data base API Securing the perimeter

  55. Data base API Data in plaintext ->

  56. theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities

  57. xda-developers.com/user-data-leak-misconfigured-firebase-backends

  58. Heavy HHS fines

  59. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers

  60. Heavy HHS fines Data for ransom securelink.com/blog/healthcare-data-new-prize-hackers Up to 250$/record

    www2.trustwave.com/Value-of-Data-Report_LP.html

  61. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit

  62. cyberscoop.com/yahoo-class-action-settlement-85m-data-breach-lawsuit Heavy HHS fines Data for ransom Lawsuits …

  63. None
  64. None
  65. None

  66. apple.com/privacy/approach-to-privacy

  67. apple.com/privacy/approach-to-privacy

  68. None

  69. washingtonpost.com

  70. Data base API

  71. API

  72. API

  73. Ali Ali B Bo ( )

  74. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

  75. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    <- Encrypts <- Decrypts

  76. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

  77. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice)

  78. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  79. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  80. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  81. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  82. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) $&!@*#%?$&

  83. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  84. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Dr. Alice

  85. Public Key Service iOS Application IP Messaging

  86. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt

  87. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Catalog/Distribute Public Keys

  88. Public Key Service iOS Application IP Messaging Generate Key Pair

    Encrypt/Decrypt Store/Transmit encrypted Messages Catalog/Distribute Public Keys

  89. iOS Application

  90. https://github.com/VirgilSecurity/virgil-crypto

  91. import VirgilCrypto // generate key pair let crypto = try!

    VirgilCrypto() let keyPair = try! crypto.generateKeyPair() 1

  92. // save private key UserDefaults.standard.set( keyPair.privateKey, forKey: "private_key") // code

    for keychain too big for slides // but use keychain!! 2

  93. // publish public key publishPublicKey( keyPair.publicKey, for: "bob") 3

  94. // lookup public key let k = lookupPublicKey(of: "alice")! 4

  95. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]) 5

  96. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k]/* encrypt for multiple keys */) 5

  97. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey) let message = String( data: decryptedData, encoding: .utf8) 6

  98. Transmission Security STANDARD § 164.312(e)(1)

  99. Integrity STANDARD § 164.312(c)(1)

  100. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Hello Alice

  101. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Something else

  102. ( ) Public (Alice) Public (Bob) Private (Bob) Private (Alice)

    Public (Bob) Public (Alice) Something else

  103. Encryption Message Body Signature

  104. Encryption Message Body Signature

  105. // encrypt message let encryptedData = try crypto.encrypt( "Hello Alice!".data(using:

    .utf8)!, for: [k])

  106. // sign and encrypt message let signedData = try crypto.signThenEncrypt(

    "Hello Bob!".data(using: .utf8)!, with: keyPair.privateKey, /* to sign! */ for: [k])

  107. // decrypt message let decryptedData = try crypto.decrypt( encryptedData, with:

    keyPair.privateKey)

  108. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

    signedData, with: keyPair.privateKey, using: k /* to verify! */)

  109. // decrypt and verify signature let verifiedData = try crypto.decryptThenVerify(

    signedData, with: keyPair.privateKey, using: k /* to verify! */) No need to be a Cryptographer

  110. + Database Compromises

  111. + Man-in-the-middle Attacks

  112. + Brute-force Attacks

  113. Non-deterministic encrypt(“Hello Dr. Alice”) = X encrypt(“Hello Dr. Alice”) =

    Y encrypt(“Hello Dr. Alice”) = Z …

  114. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

  115. Transmission Security STANDARD § 164.312(e)(1) Integrity STANDARD § 164.312(c)(1)

  116. Quick Demo! Please work

  117. https://github.com/VirgilSecurity/virgil-crypto

  118. https://github.com/VirgilSecurity/virgil-crypto Objective-C, Swift, Java, Kotlin, C, C++ Go, PHP, Python,

    Ruby, C#/.NET, AsmJS, NodeJS, WebAssembly, …

  119. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks

  120. + Database Compromises + Man-in-the-middle Attacks + Brute-force Attacks That’s

    not all, folks

  121. Perfect Forward Secrecy + Private Key Compromises

  122. Perfect Forward Secrecy (Double Ratchet) signal.org/docs/specifications/doubleratchet/doubleratchet.pdf

  123. To consider…

  124. CareKit ResearchKit HealthKit

  125. HealthKit Track health & fitness

  126. Track health & fitness Access health records HealthKit

  127. Track health & fitness Access health records HealthKit Ongoing health

  128. CareKit Measure symptoms Track medications Get Insights Share with doctors

  129. CareKit Measure symptoms Track medications Share with doctors Medical treatment

  130. ResearchKit Enroll participants Gather data Share with researchers

  131. ResearchKit Enroll participants Measure symptoms Share with doctors Medical research

  132. CareKit ResearchKit HealthKit

  133. CareKit ResearchKit HealthKit User consent Secure storage

  134. None

  135. Questions?

  136. Matheus Cardoso " Open Sourcerer - GitHub.com/cardoso ✉ Mail Reader

    - [email protected]