Himss 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)


Data Security Risks in the Internet of Everything
Chad Kissinger | Founder, OnRamp

Agenda
• Intro
• What is The Internet of Things?
• IoT Benefits
• IoT Challenges and Risks
• Recommendations
• Q&A

Speaker Biography

Chad Kissinger Founder, OnRamp

Since founding OnRamp in 1994, Chad has driven the growth and business model evolution of the company from a start-up ISP to an established provider of data center services. OnRamp is a high security and hybrid hosting provider that operates multiple enterprise class data centers located in Austin, Texas and Raleigh, North Carolina. A founding member, former President & Legislative Chair of the Texas Internet Service Provider Association, and leader in the development of OnRamp’s HIPAA compliant hosting solutions, Chad is highly experienced in data privacy and security issues.

Focus On Compliance

Services

COLOCATION
Highly dense, highly available colocation services backed by Full7Layer Support

PRIVATE CLOUDS
Dedicated, secure computing environment with virtualization

CLOUD SERVICES
Scalable, secure computing infrastructure

What’s the Big Deal?

$2.2 Million: average cost of a data breach*

11 Million: healthcare records exposed in 2016**

44 percent of all registered data breaches in 2013 were targeted at medical companies**

*Article by HIPAA Journal; **Survey by Ponemon Institute

What Is IoT?

• Everyday objects that connect to the Internet and that send and receive data
• Multi-system integration: cloud, mobile, medical devices, & smart home
• NIST Special Publication 800-183 Networks of ‘Things’
• Sensing, Computing, Communication, and Actuation

Benefits

‘Cyber-physical systems’ could save $63 billion in healthcare costs over 15 years with a 15-30% reduction in hospital equipment costs and a 15-20% increase in patient throughput*

*Healthcare IT News

Win-Win Scenario

Patients: early detection, prevention and treatment

Providers: cost savings through reduced hospital readmissions and healthcare costs

Continued Growth

IoT – Clinical
• Devices
  • Lab analyzers
  • Insulin pumps
  • Vital sign monitors
• Types of Data
  • X-ray images
  • Dosage settings
  • Therapy timers

IoT – Non-Clinical Devices & Data Flow
• Health apps
• Email
• Jump drives
• Wearables
• Health sensors
• Smart thermostats
• Entertainment systems
• Light controls
• Motion sensors

Here’s the bad news…

Even if a device is unimportant, it’s the network that’s at risk!

“A lot of adversaries aren't looking at it as 'let me go and attack your toaster': they're looking at it as 'let me attack your toaster to use it as a way to get into the rest of your network'." - John Pironti, President of IP Architects

Challenges & Risks
Data Integrity, Availability and Privacy

In 2014, there were 333 medical data breaches, compared to 271 breaches in 2013 – a 23% increase year-over-year.*

• No standards for medical software and firmware

• Full-time management and monitoring required for health networks

• Data must be secure, but accessible for medical personnel

• Fixing vulnerabilities not always possible

*Computer.org

Technical Threats to IoT

Threat Sources

Verizon 2016 Data Breach Investigations Report – 2,260 confirmed breaches

Why Is this Happening?

Business
• Not enough resources
• Ineffective training
• Lack of policies & procedures
• Lack of audit procedures
• Weak physical security

Technical
• Lack of encryption
• Weak remote access controls
• Lack of network awareness
• Insecure network architecture
• Insufficient access controls
• Lack of logging/monitoring
• Gaps in system patching
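The "attack the toaster to get into the rest of the network" risk quoted earlier and three of the technical gaps in this list (lack of network awareness, insufficient access controls, lack of logging/monitoring) reduce to one check a hospital network team can actually run: does each connected device only ever talk to the peers it has a business reason to reach? The Python example below is added here and is not part of the original presentation or OnRamp's material. The device inventory, the per-role allow-list, every IP address and the flow records are constructed for illustration; the log format is a simplified "timestamp src dst dport" record of the kind a firewall, NetFlow collector or Zeek conn.log can be reduced to.

```python
"""Flag IoT / medical devices that reach hosts outside their expected peer set.

Added example (not from the presentation). Everything below is constructed:
device IPs, the role allow-list and the flow records are illustrative only.
Input format is a simplified connection log: "<timestamp> <src> <dst> <dport>".
"""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed inventory: device IP -> device role (hypothetical addresses).
INVENTORY = {
    "10.20.1.11": "vital-sign-monitor",
    "10.20.1.12": "vital-sign-monitor",
    "10.20.2.21": "infusion-pump",
    "10.20.3.31": "smart-thermostat",
}

# Constructed policy: for each role, the only (network, port) pairs the device
# has a business reason to reach. A port of None means any port on that network.
ALLOWED_PEERS = {
    "vital-sign-monitor": [("10.50.0.0/24", 2575),   # HL7 interface engine
                           ("10.50.0.0/24", 443)],   # vendor update/config over TLS
    "infusion-pump":      [("10.50.1.0/24", 443)],   # pump server over TLS
    "smart-thermostat":   [("10.60.0.0/24", 8883)],  # MQTT over TLS, building controls
}

# Constructed flow records (not real traffic).
SAMPLE_LOG = """\
# ts src dst dport
2016-02-29T10:00:01 10.20.1.11 10.50.0.5 2575
2016-02-29T10:00:07 10.20.1.12 10.50.0.5 2575
2016-02-29T10:01:15 10.20.3.31 10.60.0.9 8883
2016-02-29T10:02:40 10.20.3.31 10.50.0.5 445
2016-02-29T10:02:41 10.20.3.31 10.50.0.6 445
2016-02-29T10:03:02 10.20.2.21 10.10.7.200 3389
2016-02-29T10:03:30 10.20.1.11 10.50.0.5 443
"""


def parse_flow(line):
    """Parse one 'ts src dst dport' record; raises ValueError on malformed input."""
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))


def is_allowed(role, dst, dport):
    """True if (dst, dport) is inside the allow-list for this device role.

    An unknown role has an empty allow-list, so every flow is flagged: a device
    that is on the network but not in policy is itself a finding.
    """
    dst_ip = ipaddress.ip_address(dst)
    for net, port in ALLOWED_PEERS.get(role, []):
        if dst_ip in ipaddress.ip_network(net) and (port is None or port == dport):
            return True
    return False


def find_unexpected_flows(lines):
    """Return (src, role, dst, dport) for every inventoried device reaching a non-allowed peer."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        role = INVENTORY.get(f.src)
        if role is None:
            continue  # not a device tracked by this inventory; out of scope here
        if not is_allowed(role, f.dst, f.dport):
            findings.append((f.src, role, f.dst, f.dport))
    return findings


def noisiest_sources(findings):
    """Count unexpected destinations per source. Several distinct targets from one
    device looks like scanning or lateral movement rather than a misconfiguration."""
    return Counter(src for src, _, _, _ in findings)


if __name__ == "__main__":
    hits = find_unexpected_flows(SAMPLE_LOG.splitlines())
    for src, role, dst, dport in hits:
        print(f"UNEXPECTED {role} {src} -> {dst}:{dport}")
    for src, n in noisiest_sources(hits).most_common():
        print(f"{src}: {n} unexpected destination(s)")
```

On the constructed input the thermostat reaching two servers on port 445 (SMB) and the infusion pump reaching a workstation on 3389 (RDP) are reported; the monitors' HL7 and TLS flows are not. The policy is an allow-list per device role rather than a deny-list of "bad" ports, because a clinical device has a short, knowable list of legitimate peers and anything else is worth a look. The same table doubles as the firewall rule set for the device VLANs, so the detection and the access control are derived from one document.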

Best Practices
• Security by design – build security into devices
• Culture of security – promote good security within the organization
• Third-party service providers – ensure 3rd party providers maintain reasonable security
• Defense in depth strategy – multiple layers of security against risks
• Access control measures – measures to keep unauthorized users from accessing the network
• Monitor products – provide security patches as needed
• Test – security of device before launch
• FTC recommends data minimization

Via Pepper Law publication

Questions: Connected Devices
• Do the devices store & transmit data securely?
• Do they accept software security updates to address new risks?
• Do they provide a new avenue to unauthorized access of data?
• Do they provide a new way to steal data?
• Do they connect to the institution's existing IT infrastructure in a way that puts data stored there at greater risk?
• Are the APIs – through which software and devices connect – secure?

Take Action & Gain Control
• Perform a risk assessment to identify gaps
• Partner with compliant service providers
• Create processes and documentation for the entire device lifecycle (purchase, configure, test, operate, deprecate, dispose)
• Remediate high risk areas
• Procedures for physical access
• Educate

67% of healthcare organizations plan to spend money on HIPAA audit prep technology /services in 2016*

*Article by HIPAA Journal

Q & A

Example Policies
• Patient access policies
• Guest access policies
• Network security policy
• System users and management
• Software security policy
• Remote access policy
• Personal use policies
• Security training
• Email/web policies
• Medical device policies
• EHR handling policies
• Workflow policies
• Endpoint security policies
• Information logging policies

Additional Resources & Links
• http://www.businessinsider.com/internet-of-things-in-healthcare-2016-8
• NIST Special Publication 800-183 Networks of ‘Things’
• http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
• http://dupress.com/articles/internet-of-things-iot-in-health-care-industry/#end-notes
• https://www.securityevaluators.com/hospitalhack/securing_hospitals.pdf
• http://www.pepperlaw.com/publications/beyond-hipaa-connected-health-care-and-the-internet-of-things-2015-04-14/

Contact Us
Sales@onr.com
Toll Free: (888) 667-2660
www.onr.com

SECURE | HYBRID | COMPUTING | 888.667.2660 | AUSTIN | RALEIGH
