
9/23/2015


CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek

mHealth: Privacy & Security Considerations in an Evolving Environment

Presented by: Mac McMillan, CEO & Co-Founder, CynergisTek


Today’s Presenter

Mac McMillan, FHIMSS, CISM
CEO, CynergisTek, Inc.

• Co-founder & CEO CynergisTek, Inc.

• Chair, HIMSS P&S Policy Task Force

• CHIME, AEHIS Advisory Board

• Healthcare Most Wired Advisory Board

• HCPro Editorial Advisory Board

• HealthInfoSecurity.com Editorial Advisory Board

• Health Tech Industry Advisory Board

• Disruption Forum Advisory Board

• Director of Security, DoD

• Excellence in Government Fellow

• US Marine Intelligence Officer, Retired


mHealth: What & Why



What Is mHealth?

mHealth is the “delivery of healthcare services via mobile communications devices”

Foundations for the National Institutes of Health (FNIH)


Types of mHealth Technology

• Tablets

• Smart Phones

• Applications

• The -ables

– Wearables

– Implantables

– Digestibles


2015 mHealth Trends

• Hottest health tech trend

• Telemedicine biggest trend in 2015

• Clinical use for processes and documents

• Wearables and sensors

• Health management

• Patient engagement

• Caring for the aging

• Venture capital investment


Why mHealth Matters: The Patient

Tablets

• Point of care documentation

• Real-time coordination

• Labs & Imaging

• Patient Education

• Therapy benefits

• Medical history

Smart Phones

• Care coordination

• Review images

• Real-time consults

• Testing & diagnostics

• Blood pressure

• Blood glucose levels

• Smart apps access

mHealth Apps

• Online apps

• Device apps

• Health & wellness

• Diagnostic & testing

• Patient education

• Labs & imaging

• Social Media

The -ables

• Track & trend activity levels

• Sense & analyze transdermal effects

• Vision correction & enhancement

• Vital signs monitoring

• Information relay to care givers

• Prescription drug use measurement


Healthcare Delivery & Patient Engagement Impacts

• There are 5.9 billion mobile subscribers (that's 87% of the world population). Mobile devices connect providers with other providers and with patients.

- 81% of patients want online access to schedule appointments and fill out forms

- 78% will go online to access medical histories and share data with their physician

- 59% of patients aged 28-46 will switch to a physician with a greater online presence

Source: Intuit Healthcare Check-Up Survey 2010


Smartphone & Mobile Apps

• Ponemon Institute reports 80% of physicians use a mobile device to access e-PHI

• Forrester Research reports that by 2016 over 350 million people will use their smartphones for work

• Cisco reports that by 2019 there will be nearly 1.5 mobile devices per capita

• The HIMSS Annual Cyber Security Survey found significant and persistent challenges to protecting PHI in mobile environments


Mobile Risks & Concerns



Privacy & Security Concerns

• Regulations have not kept pace with the technology

• mHealth is a collection of disparate technologies and devices

• Medical devices represent a wide scope of technologies, used by different groups, communicating different data

• mHealth technologies are being incorporated into the EHR, raising network privacy & security issues

• mHealth crosses all jurisdictional boundaries


Devices Threaten Safety & Information

• 2010/2011: successful hacks demonstrated.

• DHS tests 300 devices from 40 vendors. ALL failed.

• 2014: multiple variants of a popular blood pump hacked.

• 2015: the MedJack attack exposes the vulnerability of the network via medical devices.

• FBI issues an alert: IoT threats pose an opportunity for cyber crime.

“By 2020 there will be 25 billion connected devices.”

– Gartner Research


Smart Watches/Secure Watches?

100% of smartwatches tested had serious security flaws.

– HP Fortify Study

• Top 10 smartwatches tested:

– Communications easily intercepted 90% of the time

– 70% of the data passed through wasn’t encrypted

– Only 50% could lock the screen

– Watches with cloud interfaces offered weak passwords

– Mobile apps with authentication offered unrestricted account enumeration

– Combination of the above allowed account harvesting


Theft & Loss Still Prevalent

• More than half of healthcare data breaches are due to loss or theft of devices

• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops are left in airports annually

• First rule of security: no one is immune

• 6 – 10%: the average shrinkage rate for mobile devices

“unencrypted laptops and mobile devices pose significant risk to the security of patient information.”

– Sue McAndrew, OCR


Targeted Attacks

Source: HIMSS 2015 Cyber Security Survey (percentage of respondents reporting each attack type)

• Brute Force Attacks: 34%

• Denial of Service (DoS): 39%

• Social Engineering Attacks: 49%

• Malicious Insiders: 50%

• Exploit Known Software Vulnerabilities: 53%

• Zero Day Attacks: 53%

• Cyber Attacks: 59%

• APT Attacks: 63%

• Negligent Insiders: 65%

• Phishing Attacks: 69%


Hacking is an Industry

• This year billed as “more of everything” as hacking spreads to more devices

• Pwnie Awards went to Shellshock, OPM & Thomas Dullien

• Miller & Valasek continue to hack cars

• Hacking long range precision guided rifles; oops, don’t tell DoD

• 11,000 attended this year; 73% said their organization would be hacked

• Workshops and “capture the flag” contests

• The Hack Fortress contest

• Rubbing elbows with the Pros

“Some hackers call the weeks of Black Hat USA and Def Con Summer Camp”


Top 10 Implemented Security Technologies

Source: 2015 Cybersecurity Survey (percentage of respondents with the technology in place)

• Access Control Lists: 50%

• Mobile Device Management Tools: 51%

• User Access Controls: 55%

• Intrusion Detection Systems: 55%

• Patch/Vulnerability Management: 61%

• Audit Logs: 64%

• Data Encryption (Transit): 69%

• Data Encryption (Rest): 70%

• Firewalls: 85%

• Antivirus/Malware: 87%


Barriers to Successful Security

Source: 2015 Cybersecurity Survey (percentage of respondents naming each barrier)

• Don't Know: 3%

• None of the Above: 4%

• Other: 8%

• Lack of Know-How: 11%

• Too Many Users: 15%

• Network Infrastructure Too Complex: 16%

• Lack of Technologies for Effective Use: 20%

• Too Many Applications: 25%

• Not Enough Intelligence to Stay Ahead of Threats: 28%

• Too Many Endpoints: 32%

• Too Many New/Emerging Threats: 42%

• Lack of Financial Resources: 60%

• Lack of Appropriate Personnel: 64%


Mobile Device Challenges

• Mobile devices are easily lost, stolen, or discarded with e-PHI on them

• Onboard cameras can be improperly used to record PHI

• No physical keyboard limits use of complex passwords

• Can easily transfer or store PHI from the enterprise network

• Easy access to Facebook, Twitter, and other social media that allows unauthorized disclosure of PHI


Mobile App Security Concerns

• Mobile apps have created a number of security problems which have caught many organizations unaware

– Starbucks app stored its passwords in clear text

– Walgreens encouraged shoppers to take pictures of prescription labels… then those images were saved so anyone could see them

– Delta Airlines app encrypted passwords but it also saved its encryption key on the device in clear text

– Wearable technology, implants and ingestibles are creating privacy and safety concerns for patients, and security concerns for providers


Common Mobile Risks

• Data leakage from lost or stolen devices

• Improper disposal of retired devices

• Unintentional data disclosure through untrusted apps (poor data handling, auto syncing, spyware/malware)

• Unintentional data disclosure through untrusted networks (WiFi/Bluetooth spoofing, surveillance)

• Phishing attacks


Common Mobile Vulnerabilities

• App and OS patching weaknesses

• Jailbroken/rooted devices

• Inadequate app code review processes

• Impersonation of apps

• User permissions fatigue

• Sandboxing failures

• Encryption weaknesses

• Lack of user awareness


Compliance Considerations


Design Effective Strategy

• Identify mobile application needs

• Integrate into information security risk analysis

• Design risk management strategy

• Obtain business associate agreements if necessary and perform due diligence/vendor management

• Document compliance with the HIPAA Privacy and Security Rules

• Assure compliance with any posted privacy policy and terms of use agreement


Understand mHealth Legal

• Multiple regulatory agencies oversee different aspects of mHealth technology

• A device’s intended use affects its classification, regulatory requirements & your liability

• Understand when HIPAA and/or other regulations are triggered

• Legal is often not included in technology selection, except from a contracting perspective

• Data collected will outlast the devices; design security into data retention, use and destruction practices

• Does the solution do what it says? Those affecting clinical outcomes will be scrutinized


Who’s/What’s Handling PHI

• Identify mobile devices/apps that handle PHI

– What devices/apps create PHI? (wearable devices, diagnostic apps)

– What devices/apps receive PHI? (email, EHR portals, vendor modified OTS devices)

– What devices/apps maintain PHI? (removable storage media, cloud email/storage)

– What devices/apps transmit PHI? (texting, email, cellular/WiFi transmitted data)


mHealth & Government Oversight

Source: www.healthit.gov


Regulated / Not Regulated

Not Regulated

• Provide access to electronic versions of medical textbooks

• Intended as educational or training aids

• Intended for general education for patients

• Automate general medical office administration

• Generic aids or general purpose products, such as magnifying glasses or directions to medical facilities

Discretionary

• Supplement clinical care by coaching

• Track or organize health information

• Provide access to health information

• Help document or report medical conditions

• Perform simple calculations (Body Mass Index)

• Allow interaction with EHR

• Meet the definition of a Medical Device Data System

Regulated

• Extension of one or more medical devices

• Transform a mobile platform into a regulated device through sensors, displays or attach.

• Perform patient specific analysis, diagnosis or treatment recommendations


FTC’s 10 Data Security Steps

• Start with security by assessing threats and vulnerabilities to data

• Control access to data sensibly

• Require secure passwords and authentication

• Store sensitive personal information securely and protect it during transmission

• Segment your network and monitor who’s trying to get in & out

• Secure remote access to your network

• Apply sound security practices when developing new products

• Make sure your service providers implement reasonable security measures

• Put procedures in place to keep your security current and address vulnerabilities as they arise

• Secure paper, physical media and devices

Mobile Device Management


Implementation Considerations

Mobile Apps

• Access Control – authorizing users/least privilege

• Inappropriate Storage – sensitivity of access/local storage

• Insecure Storage – encrypting/hashing stored data

• Insecure Transport – sensitive session data protection

• Updates – how & when

• Software Vulnerabilities – application vulnerabilities

• Back Ups – how and when

Mobile Devices

• Access Control – authorizing the user

• Encryption – data protection

• Updates – how and when

• Software Vulnerabilities – platform/OS issues

• Backups – how, when & where

• Mobile Malware – protection against viruses/malware

• Remote Management – how & assurance of controls

• Device Specific Issues – e.g. device storage

• Platform Specific Issues – e.g. PW storage
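The “Insecure Storage” consideration above and the Starbucks and Delta cases on the Mobile App Security Concerns slide describe the same two mistakes: keeping a credential in clear text on the device, or encrypting it but leaving the key beside it. The following is an added example, not code from the deck or from CynergisTek, showing the hardened alternative an app can take with only the Python standard library: store a salted PBKDF2 digest so the app can still verify the user locally while a copy of the file yields nothing reusable, and a small audit routine that flags records exhibiting either mistake. The record layout, the field names, the two sample records and the 100,000-iteration threshold are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed sample records modelled on the two failure modes named on the
# slide. The values are made up for this example; none are real app data.
CLEAR_TEXT_RECORD = {"user": "alice", "password": "Latte-2015"}   # Starbucks-style
KEY_BESIDE_DATA_RECORD = {                                          # Delta-style
    "user": "bob",
    "ciphertext": "bm90LXJlYWwtY2lwaGVydGV4dA==",  # placeholder blob, never decoded
    "key": "0123456789abcdef",                      # the key that unlocks it, stored beside it
}

# Assumed policy threshold for this example; the deck gives no number.
MIN_PBKDF2_ITERATIONS = 100_000


def make_record(username: str, password: str, iterations: int = 200_000) -> Dict[str, object]:
    """Store only a salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "user": username,
        "kdf": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "digest": base64.b64encode(digest).decode("ascii"),
    }


def verify(record: Dict[str, object], password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = base64.b64decode(str(record["salt"]))
    expected = base64.b64decode(str(record["digest"]))
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(record["iterations"])
    )
    return hmac.compare_digest(expected, candidate)


def audit_record(record: Dict[str, object]) -> List[str]:
    """Flag the storage mistakes the slide describes; an empty list means no finding."""
    findings: List[str] = []
    if "password" in record:
        findings.append("clear-text password stored on device")
    if "key" in record and "ciphertext" in record:
        findings.append("encryption key stored alongside the data it protects")
    if "digest" in record and int(record.get("iterations", 0)) < MIN_PBKDF2_ITERATIONS:
        findings.append("PBKDF2 iteration count below policy minimum")
    return findings


if __name__ == "__main__":
    hardened = make_record("alice", "Latte-2015")
    for name, rec in [("clear-text", CLEAR_TEXT_RECORD),
                      ("key-beside-data", KEY_BESIDE_DATA_RECORD),
                      ("hardened", hardened)]:
        print(name, audit_record(rec) or "no findings")
    print("correct password accepted:", verify(hardened, "Latte-2015"))
    print("wrong password rejected:", not verify(hardened, "wrong"))
```

The hashed record only solves the verification case; a token the app must present to a server later still has to be protected by a key the device itself does not expose, which is what platform keystores are for and what the Delta example got wrong by writing the key next to the ciphertext.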


Enterprise Risk Management

• Identify and evaluate the organization’s mobile device threats and vulnerabilities

• Use governance processes to determine tolerance levels for identified risks

• Establish controls to address identified vulnerabilities (policies, MDM/MAM, training)

• Review and update the risk assessment on a regular basis


Mobile App Risk Assessment

• Understand and document the app’s data flows and storage

– Identify encryption controls/weaknesses

– Identify third parties/BAAs with access to data

• Review the app’s privacy and security settings

• Determine possible interactions with other apps

• Review the developer’s software development practices
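“Identify encryption controls/weaknesses” is concrete on the transport side: the smartwatch findings earlier in the deck (communications intercepted 90% of the time, 70% of data unencrypted) and the “Insecure Transport” implementation consideration both come down to how the app configures its TLS client. The following is an added example, not code from the deck or from CynergisTek, that puts the weak configuration beside the corrected one and audits a context the way a reviewer would during a risk assessment. Only the Python standard library `ssl` module is used; the finding strings are my own.

```python
import ssl
from typing import List


def make_client_context() -> ssl.SSLContext:
    """Corrected setting: verify the server certificate, check the hostname, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """Weak setting, constructed for comparison: what an app ships when a developer
    silences certificate errors instead of fixing them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE            # any certificate is accepted: trivially intercepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a risk assessment should record; empty means none found."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "no findings")
    print("insecure:", audit_context(make_insecure_context()))
```

The same three checks transfer to a code review of the app: look for the call that disables verification or hostname checking, and for any custom trust manager or certificate callback that returns success unconditionally.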


Mobile Device Policies

• Select an approach: corporate-owned vs. BYOD

• Disallow or limit the storage of PHI and other company data on mobile devices

• Define controls (PINs, auto-lock, auto-wipe, etc.)

• Define process for device decommissioning

• Users should sign an acceptable use agreement that includes details on mobile device use
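The policy bullets above (PIN, auto-lock, auto-wipe, no PHI on personal devices) and the Common Mobile Vulnerabilities slide (jailbroken/rooted devices, patching weaknesses) are what an MDM compliance check evaluates device by device. The following is an added example, not code from the deck or from any MDM product, that encodes such a policy as data and runs it over a constructed device inventory to produce the per-device findings a security team would act on. The threshold values (6-digit PIN, 5-minute lock, wipe after 10 failed attempts, 90-day patch age) and the three sample devices are assumptions made for this example; the deck names the controls but not the numbers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class DevicePolicy:
    # Thresholds are constructed for this example, not taken from the deck.
    require_pin: bool = True
    min_pin_length: int = 6
    max_autolock_minutes: int = 5
    require_encryption: bool = True
    require_auto_wipe: bool = True
    max_failed_attempts: int = 10
    allow_jailbroken: bool = False
    max_patch_age_days: int = 90


@dataclass
class Device:
    device_id: str
    ownership: str            # "corporate" or "byod"
    pin_length: int           # 0 means no PIN set
    autolock_minutes: int     # 0 means the device never locks itself
    encrypted: bool
    wipe_after_failed: int    # 0 means auto-wipe is disabled
    jailbroken: bool
    last_os_patch: date
    stores_phi: bool


def evaluate(device: Device, policy: DevicePolicy, today: date) -> List[str]:
    """Return every policy violation for one device; an empty list means compliant."""
    findings: List[str] = []
    if policy.require_pin and device.pin_length < policy.min_pin_length:
        findings.append("no PIN or PIN shorter than %d" % policy.min_pin_length)
    if device.autolock_minutes == 0 or device.autolock_minutes > policy.max_autolock_minutes:
        findings.append("auto-lock missing or longer than %d minutes" % policy.max_autolock_minutes)
    if policy.require_encryption and not device.encrypted:
        findings.append("storage not encrypted")
    if policy.require_auto_wipe and (
        device.wipe_after_failed == 0 or device.wipe_after_failed > policy.max_failed_attempts
    ):
        findings.append("auto-wipe disabled or threshold above %d attempts" % policy.max_failed_attempts)
    if device.jailbroken and not policy.allow_jailbroken:
        findings.append("jailbroken/rooted device")
    if (today - device.last_os_patch).days > policy.max_patch_age_days:
        findings.append("OS not patched in more than %d days" % policy.max_patch_age_days)
    if device.stores_phi and device.ownership == "byod":
        findings.append("PHI stored on a personally owned device")
    return findings


def noncompliant(inventory: List[Device], policy: DevicePolicy, today: date) -> Dict[str, List[str]]:
    """Map device id to findings for every device that fails at least one check."""
    result: Dict[str, List[str]] = {}
    for device in inventory:
        findings = evaluate(device, policy, today)
        if findings:
            result[device.device_id] = findings
    return result


# Constructed inventory; "today" is pinned to the deck's date so results are reproducible.
TODAY = date(2015, 9, 23)
INVENTORY = [
    Device("D-001", "corporate", 6, 2, True, 10, False, date(2015, 9, 1), False),
    Device("D-002", "byod", 4, 15, True, 0, False, date(2015, 3, 1), True),
    Device("D-003", "corporate", 6, 5, False, 10, True, date(2015, 9, 10), True),
]

if __name__ == "__main__":
    for device_id, findings in noncompliant(INVENTORY, DevicePolicy(), TODAY).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

Keeping the policy as a dataclass rather than hard-coded conditions lets the governance step on the Enterprise Risk Management slide (“determine tolerance levels for identified risks”) change a threshold without touching the evaluation logic, and the per-device finding list is what feeds the remediation ticket or the MDM quarantine action.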


Technical Controls (MDM/MAM)

• Mobile Device Management (MDM) solutions can enforce device security settings and configurations:

– Entry level controls - MS ActiveSync (Exchange)

– Sophisticated controls - MobileIron, AirWatch, XenMobile, Symantec, McAfee, etc.

• Mobile Application Management (MAM) solutions provide wrappers around applications to ensure they follow defined policies


Security Awareness & Training

• Important for creating a “culture of responsibility”

• Incorporate into new hire and annual training

• Topics to consider:

– Overview of mobile device security threats

– Mobile device security settings

– Corporate acceptable use policies

• Training and Awareness Resource

– http://healthit.gov/mobiledevices


Wrap Up & Questions



mHealth Strategy Review

1. Establish baseline & plan of action

2. Establish policy & risk tolerance

3. Implement mSecurity controls

4. Communicate & educate


Questions?

Mac McMillan

[email protected]

512.405.8555

@mmcmillan07