Securing patient data in a hostile world


Some brief thoughts shared at the Tech Council of Maryland


Kenneth White

March 25, 2015


Slide 1: Securing patient data in a hostile world
Some thoughts on device & mobile trust
Kenneth White, March 24, 2015 ・ Health IT Series
Slide 2: Background
• Safety-critical software engineering
• Clinical research
  o Global central labs: academic, startup biotech, mid & large commercial pharma
• FDA technical groups - biosensor data standards (ambulatory & telemetry ECG)
• Machine learning & expert systems
• Network security
Slide 3: Current work
• Open Crypto Audit Project
  o Large-scale security & cryptography audit of OpenSSL
  o TrueCrypt audit
• Dovel Labs
  o Cloud security R&D practice
  o Open data, human-centered application design
• DHIS2 & BAO Systems
• Open source public health surveillance
• WHO, Doctors Without Borders, US State Dept…
Slide 4: Mobile apps are cloud
• What’s the intended use?
  o Heart rate monitor: gym treadmill or EKG?
  o See new draft guidance on communication & storage integration for mobile medical apps
    § UCM435363.pdf
  o Discretionary enforcement
  o “Active monitoring” vs. “Healthy lifestyle”
• Where are data stored (device & remote)?
• Information transport, encryption, controls
Slides 6, 10 and 12: image-only slides, no text extracted

Slide 14: Emerging adoption
• Smarter network defense (Splunk, Dark Viking, real-time threat feeds & response)
• Stronger core network protocols
• HTTP/2 rolling out in browsers
• SSL → TLS 1.3
• Strong primitives
  o Elliptic Curve Cryptography (ECC)
  o Ephemeral key exchange (PFS)
  o Deprecating RSA & legacy suites
Slide 15: Emerging adoption
• At-rest disk & volume encryption w/ off-cloud key management
• Hardware Security Module (HSM) key appliances
• Open multi-factor auth options (TOTP 2FA/MFA apps)
• Sophisticated VPC networking (VPNs, bastion & private VLANs, fine-grain roles & group network ACLs)
• Ubiquitous auditing & monitoring
  o CloudTrail
  o Elasticsearch
  o AlienVault/OSSIM
Slide 17: What’s working
• Governance automation
• Production full-stack orchestration (the “Dev” word)
  o Ansible, Salt, Puppet, Chef, Docker, Rocket
• Validate the process & configuration engine
• Cloud
  o Medidata CTMS
  o Bristol-Myers Squibb modeling
  o Cardiac safety (HeartSignals)
• Explicit threat models
  o But see also Anthem, Premera Blue Cross, Sony
• Database & disk encryption are fundamentally misunderstood technologies
Slide 18: Parting thoughts
• Intelligence & defense collaboration & sharing is critical
• Best practices for cloud are simply first principles for systems
• Understanding the difference between regulator guidance vs. mandates
• Encryption isn’t a magic bullet
• Understand your threat model
• Insulin pumps probably don’t need to be on the Internet
Slide 20: Contacts
Labs: kenneth.white @ doveltech . com
OCAP: admin @ opencryptoaudit . org
Twitter: @kennwhite
LinkedIn, Talks