Slide 1

Securing patient data in a hostile world
Some thoughts on device & mobile trust
Kenneth White, March 24, 2015 ・ Health IT Series

Slide 2

Background
• Safety-critical software engineering
• Clinical Research
  o Global central labs: academic, startup biotech, mid & large commercial pharma
• FDA technical groups: biosensor data standards (ambulatory & telemetry ECG)
• Machine Learning & expert systems
• Network security

Slide 3

Current Work
• Open Crypto Audit Project
  o Large-scale security & cryptography audit of OpenSSL
  o TrueCrypt audit
• Dovel Labs
  o Cloud security R&D practice
  o Open data, human-centered application design
• DHIS2 & BAO Systems
• Open source public health surveillance
• WHO, Doctors without Borders, US State Dept…

Slide 4

Mobile apps are cloud
• What’s the intended use?
  o Heart rate monitor: gym treadmill or EKG?
  o See new draft guidance on communication & storage integration for mobile medical apps
    § http://www.fda.gov/downloads/Training/CDRHLearn/UCM435363.pdf
  o Discretionary enforcement
  o “Active monitoring” vs. “Healthy lifestyle”
• Where are data stored (device & remote)?
• Information transport, encryption, controls

Slide 5

It’s a dangerous world

Slide 6

Slide 7

And it’s not limited to traditional adversaries

Slide 8

This is a problem

Slide 9

But so is this

Slide 10

Slide 11

People are beginning to re-examine trust of the entire software supply chain

Slide 12

Slide 13

Fortunately, strong security options are more rich than ever

Slide 14

Emerging Adoption
o Smarter network defense (Splunk, Dark Viking, real-time threat feeds & response)
o Stronger core network protocols
o HTTP/2 rolling out in browsers
o SSL → TLS 1.3
o Strong primitives
  • Elliptic Curve Cryptography (ECC)
  • Ephemeral key exchange (PFS)
  • Deprecating RSA & legacy suites

Slide 15

Emerging Adoption
o At-rest disk & volume encryption w/ off-cloud key management
o Hardware Security Module (HSM) key appliances
o Open multi-factor auth options (TOTP 2FA/MFA apps)
o Sophisticated VPC networking (VPNs, bastion & private vLANs, fine-grain roles & group network ACLs)
o Ubiquitous auditing & monitoring
  • CloudTrail
  • Elasticsearch
  • AlienVault/OSSIM

Slide 16

IAM Role-Authorized One-time Credentials

Slide 17

What’s working
• Governance automation
• Production full-stack orchestration (the “Dev” word)
  o Ansible, Salt, Puppet, Chef, Docker, Rocket
• Validate the process & configuration engine
• Cloud
  o Medidata CTMS
  o Bristol-Myers Squibb modeling
  o Cardiac safety (HeartSignals)
• Explicit threat models
  o But see also Anthem, Premera Blue Cross, Sony
• Database & disk encryption are fundamentally misunderstood technologies

Slide 18

Parting Thoughts
o Intelligence & defense collaboration & sharing is critical
o Best practices for cloud are simply first principles for systems
o Understanding the difference between regulator guidance vs. mandates
o Encryption isn’t a magic bullet
o Understand your threat model
o Insulin pumps probably don’t need to be on the Internet

Slide 19

Thank You!

Slide 20

Contacts
Labs: kenneth.white @ doveltech . com
OCAP: admin @ opencryptoaudit . org
Twitter: @kennwhite
LinkedIn: linkedin.com/in/biotech
Talks: speakerdeck.com/kwhite