Securing patient data in a hostile world

Securing patient data in a hostile world

Some brief thoughts shared at the Tech Council of Maryland

671d41cff530fadcbc82a5d6e7070c4a?s=128

Kenneth White

March 25, 2015
Tweet

Transcript

  1. Securing  patient  data  in  a   hostile  world   Some

     thoughts  on  device  &   mobile  trust Kenneth White March 24, 2015 ・ Health IT Series
  2. Background •  Safety-critical software engineering •  Clinical Research o  Global

    central labs: academic, startup biotech, mid & large commercial pharma •  FDA technical groups - biosensor data standards (ambulatory & telemetry ECG) •  Machine Learning & expert systems •  Network security
  3. Current  Work •  Open Crypto Audit Project o  Large-scale security

    & cryptography audit of OpenSSL o  TrueCrypt audit •  Dovel Labs o  Cloud security R&D practice o  Open data, human-centered application design •  DHIS2 & BAO Systems •  Open source public health surveillance •  WHO, Doctors without Borders, US State Dept…
  4. Mobile  apps  are  cloud •  What’s the intended use? o Heart

    rate monitor: gym treadmill or EKG? o See new draft guidance on communication & storage integration for mobile medical apps §  http://www.fda.gov/downloads/Training/CDRHLearn/ UCM435363.pdf o Discretionary enforcement o “Active monitoring” vs. “Healthy lifestyle” •  Where are data stored (device & remote)? •  Information transport, encryption, controls
  5. It’s  a  dangerous  world

  6. None
  7. And  it’s  not  limited  to   traditional  adversaries

  8. This  is  a  problem

  9. But  so  is  this

  10. None
  11. People  are  beginning  to  re-­‐‑ examine  trust  of  the  entire

      software  supply  chain
  12. None
  13. Fortunately,  strong  security   options  are  more  rich  than  ever

  14. Emerging  Adoption o  Smarter network defense (Splunk, Dark Viking, real-

    time threat feeds & response) o  Stronger core network protocols o  HTTP/2 rolling out in browsers o  SSL → TLS 1.3 o  Strong primitives •  Elliptic Curve Cryptography (ECC) •  Ephemeral key exchange (PFS) •  Deprecating RSA & legacy suites
  15. Emerging  Adoption o  At-rest disk & volume encryption w/ off-cloud

    key management o  Hardware Security Module (HSM) key appliances o  Open multi-factor auth options (TOTP 2FA/MFA apps) o  Sophisticated VPC networking (VPNs, bastion & private vLANs, fine-grain roles & group network ACLs) o  Ubiquitous auditing & monitoring •  CloudTrails •  Elasticsearch •  AlienVault/OSSIM
  16. IAM  Role-­‐‑Authorized  One-­‐‑time  Credentials

  17. What’s  working •  Governance automation •  Production full-stack orchestration (the

    “Dev” word) o  Ansible, Salt, Puppet, Chef, Docker, Rocket •  Validate the process & configuration engine •  Cloud o  Medidata CTMS o  Bristol-Myers Squibb modeling o  Cardiac safety (HeartSignals) •  Explicit threat models o  But see also Anthem, Premara Blue Cross, Sony •  Database & disk encryption are fundamentally misunderstood technologies
  18. Parting  Thoughts o  Intelligence & defense collaboration & sharing is

    critical o  Best practices for cloud are simply first principles for systems o  Understanding the difference between regulator guidance vs. mandates o  Encryption isn’t a magic bullet o  Understand your threat model o  Insulin pumps probably don’t need to be on the Internet
  19. Thank  You!

  20. Contacts Labs kenneth.white @ doveltech . com OCAP admin @

    opencryptoaudit . org Twitter @kennwhite LinkedIn linkedin.com/in/biotech Talks speakerdeck.com/kwhite