& cryptography audit of OpenSSL o TrueCrypt audit • Dovel Labs o Cloud security R&D practice o Open data, human-centered application design • DHIS2 & BAO Systems • Open source public health surveillance • WHO, Doctors without Borders, US State Dept…
rate monitor: gym treadmill or EKG? o See new draft guidance on communication & storage integration for mobile medical apps § http://www.fda.gov/downloads/Training/CDRHLearn/ UCM435363.pdf o Discretionary enforcement o “Active monitoring” vs. “Healthy lifestyle” • Where are data stored (device & remote)? • Information transport, encryption, controls
time threat feeds & response) o Stronger core network protocols o HTTP/2 rolling out in browsers o SSL → TLS 1.3 o Strong primitives • Elliptic Curve Cryptography (ECC) • Ephemeral key exchange (PFS) • Deprecating RSA & legacy suites
“Dev” word) o Ansible, Salt, Puppet, Chef, Docker, Rocket • Validate the process & configuration engine • Cloud o Medidata CTMS o Bristol-Myers Squibb modeling o Cardiac safety (HeartSignals) • Explicit threat models o But see also Anthem, Premara Blue Cross, Sony • Database & disk encryption are fundamentally misunderstood technologies
critical o Best practices for cloud are simply first principles for systems o Understanding the difference between regulator guidance vs. mandates o Encryption isn’t a magic bullet o Understand your threat model o Insulin pumps probably don’t need to be on the Internet