Securing patient data in a hostile world

Some brief thoughts shared at the Tech Council of Maryland

Kenn White

March 25, 2015

Transcript

  1. Securing patient data in a hostile world
     Some thoughts on device & mobile trust
     Kenneth White
     March 24, 2015 ・ Health IT Series
  2. Background
     •  Safety-critical software engineering
     •  Clinical Research
        o  Global central labs: academic, startup biotech, mid & large commercial pharma
     •  FDA technical groups - biosensor data standards (ambulatory & telemetry ECG)
     •  Machine Learning & expert systems
     •  Network security
  3. Current Work
     •  Open Crypto Audit Project
        o  Large-scale security & cryptography audit of OpenSSL
        o  TrueCrypt audit
     •  Dovel Labs
        o  Cloud security R&D practice
        o  Open data, human-centered application design
     •  DHIS2 & BAO Systems
     •  Open source public health surveillance
     •  WHO, Doctors without Borders, US State Dept…
  4. Mobile apps are cloud
     •  What’s the intended use?
        o  Heart rate monitor: gym treadmill or EKG?
        o  See new draft guidance on communication & storage integration for mobile medical apps
           §  http://www.fda.gov/downloads/Training/CDRHLearn/UCM435363.pdf
        o  Discretionary enforcement
        o  “Active monitoring” vs. “Healthy lifestyle”
     •  Where are data stored (device & remote)?
     •  Information transport, encryption, controls
  5. Emerging Adoption
     o  Smarter network defense (Splunk, Dark Viking, real-time threat feeds & response)
     o  Stronger core network protocols
     o  HTTP/2 rolling out in browsers
     o  SSL → TLS 1.3
     o  Strong primitives
        •  Elliptic Curve Cryptography (ECC)
        •  Ephemeral key exchange (PFS)
        •  Deprecating RSA & legacy suites
  6. Emerging Adoption
     o  At-rest disk & volume encryption w/ off-cloud key management
     o  Hardware Security Module (HSM) key appliances
     o  Open multi-factor auth options (TOTP 2FA/MFA apps)
     o  Sophisticated VPC networking (VPNs, bastion & private vLANs, fine-grain roles & group network ACLs)
     o  Ubiquitous auditing & monitoring
        •  CloudTrails
        •  Elasticsearch
        •  AlienVault/OSSIM
  7. What’s working
     •  Governance automation
     •  Production full-stack orchestration (the “Dev” word)
        o  Ansible, Salt, Puppet, Chef, Docker, Rocket
     •  Validate the process & configuration engine
     •  Cloud
        o  Medidata CTMS
        o  Bristol-Myers Squibb modeling
        o  Cardiac safety (HeartSignals)
     •  Explicit threat models
        o  But see also Anthem, Premera Blue Cross, Sony
     •  Database & disk encryption are fundamentally misunderstood technologies
  8. Parting Thoughts
     o  Intelligence & defense collaboration & sharing is critical
     o  Best practices for cloud are simply first principles for systems
     o  Understanding the difference between regulator guidance vs. mandates
     o  Encryption isn’t a magic bullet
     o  Understand your threat model
     o  Insulin pumps probably don’t need to be on the Internet
  9. Contacts
     Labs      kenneth.white @ doveltech . com
     OCAP      admin @ opencryptoaudit . org
     Twitter   @kennwhite
     LinkedIn  linkedin.com/in/biotech
     Talks     speakerdeck.com/kwhite