9/23/2015
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek
mHealth: Privacy & Security Considerations in an Evolving Environment
Presented by: Mac McMillan, CEO & Co-Founder, CynergisTek
Today’s Presenter
Mac McMillan
FHIMSS, CISM
CEO, CynergisTek, Inc.
• Co-founder & CEO CynergisTek, Inc.
• Chair, HIMSS P&S Policy Task Force
• CHIME, AEHIS Advisory Board
• Healthcare Most Wired Advisory Board
• HCPro Editorial Advisory Board
• HealthInfoSecurity.com Editorial Advisory Board
• Health Tech Industry Advisory Board
• Disruption Forum Advisory Board
• Director of Security, DoD
• Excellence in Government Fellow
• US Marine Intelligence Officer, Retired
mHealth: What & Why
What Is mHealth?
mHealth is the “delivery of healthcare services via mobile communications devices”
– Foundations for the National Institutes of Health (FNIH)
Types of mHealth Technology
• Tablets
• Smart Phones
• Applications
• The –ables
– Wearables
– Implantables
– Digestibles
2015 mHealth Trends
• Hottest health tech trend
• Telemedicine biggest trend in 2015
• Clinical use for processes and documents
• Wearables and sensors
• Health management
• Patient engagement
• Caring for the aging
• Venture capital investment
Why mHealth Matters: The Patient
Tablets
• Point of care documentation
• Real-time coordination
• Labs & Imaging
• Patient Education
• Therapy benefits
• Medical history
• Care coordination
Smart Phones
• Review images
• Real-time consults
• Testing & diagnostics
• Blood pressure
• Blood glucose levels
• Smart apps access
mHealth Apps
• Online apps
• Device apps
• Health & wellness
• Diagnostic & testing
• Patient education
• Labs & imaging
• Social Media
The -ables
• Track & trend activity levels
• Sense & analyze transdermal effects
• Vision correction & enhancement
• Vital signs monitoring
• Information relay to care givers
• Prescription drug use measurement
Healthcare Delivery & Patient Engagement Impacts
• There are 5.9 billion mobile subscribers (that's 87% of the world population). Mobile devices allow providers to connect with patients.
– 81% of patients want online access to schedule appointments and fill out forms
– 78% will go online to access medical histories and share data with their physician
– 59% of patients 28-46 will switch to a physician with a greater online presence
Source: Intuit Healthcare Check-Up Survey 2010
Smartphone & Mobile Apps
• Ponemon Institute reports 80% of physicians use a mobile device to access e-PHI
• Forrester Research reports that by 2016 over 350 million people will use their smartphones for work
• Cisco reports that by 2019 there will be nearly 1.5 mobile devices per capita
• HIMSS Annual Cyber Security Survey found significant and persistent challenges to protecting PHI in mobile environments
Mobile Risks & Concerns
Privacy & Security Concerns
• Regulations have not kept pace with the technology
• mHealth is a collection of disparate technologies and devices
• Medical devices represent a wide scope of technologies, used by different groups, communicating different data
• mHealth technologies are being incorporated into the EHR, raising network privacy & security issues
• mHealth crosses all jurisdictional boundaries
Devices Threaten Safety & Information
• 2010/2011 successful hacks demonstrated
• DHS tests 300 devices from 40 vendors. ALL failed.
• 2014 multiple variants of a popular blood pump hacked
• 2015 MedJack hack exposes vulnerability of network from medical devices
• FBI issues alert that IoT threats pose an opportunity for cyber crime
By 2020 there will be 25 billion connected devices. – Gartner Research
Smart Watches/Secure Watches?
100% of smartwatches tested had serious security flaws. – HP Fortify Study
• Top 10 smartwatches tested:
– Communications easily intercepted 90% of the time
– 70% of the data passed through wasn’t encrypted
– Only 50% could lock the screen
– Watches with cloud interfaces offered weak passwords
– Mobile apps with authentication offered unrestricted account enumeration
– Combination of above allowed account harvesting
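The account-enumeration finding above comes down to a login routine whose failure responses differ depending on whether the username exists. The following is an added example, not code from the presentation or from the HP Fortify study: the leaky pattern beside a version that answers with the same message and does the same work either way. The account table, the ITERATIONS value and the function names are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed example; not from the presentation or the HP Fortify study.
# Work factor is an assumption for the example; follow current guidance in production.
ITERATIONS = 50_000


def _record(password: str) -> dict:
    """Salted PBKDF2-HMAC-SHA256 credential record (constructed helper)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed account table for a watch's companion service.
ACCOUNTS = {"alice@example.test": _record("correct horse battery")}

# Dummy record so unknown usernames cost the same verification work as real ones,
# which keeps response timing from revealing whether an account exists.
_DUMMY = _record(os.urandom(16).hex())


def _matches(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def login_enumerable(username: str, password: str) -> tuple:
    """Anti-pattern: the failure message says whether the username exists, and the
    early return makes unknown usernames answer faster than known ones."""
    record = ACCOUNTS.get(username)
    if record is None:
        return False, "no such account"
    if not _matches(record, password):
        return False, "wrong password"
    return True, "ok"


def login_uniform(username: str, password: str) -> tuple:
    """Same message and same work whether or not the username exists; only a
    correct password for an existing account yields success."""
    record = ACCOUNTS.get(username)
    candidate = record if record is not None else _DUMMY
    ok = _matches(candidate, password) and record is not None
    return ok, ("ok" if ok else "invalid credentials")


def responses_distinguish_accounts(login) -> bool:
    """Reviewer check: do a known and an unknown username, each with a wrong
    password, get different failure messages from this login routine?"""
    _, known_msg = login("alice@example.test", "not the password")
    _, unknown_msg = login("nobody@example.test", "not the password")
    return known_msg != unknown_msg


if __name__ == "__main__":
    for name, fn in (("enumerable", login_enumerable), ("uniform", login_uniform)):
        print(name, "reveals account existence:", responses_distinguish_accounts(fn))
```

Uniform responses remove the oracle; the other half of the smartwatch finding, account harvesting, is addressed by rate-limiting and lockout on the same endpoint, which this example leaves to the service's front end.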
Theft & Loss Still Prevalent
• More than half of healthcare data breaches due to loss or theft of devices
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops left in airports annually
• First rule of security: no one is immune
• 6 – 10%: the average shrinkage rate for mobile devices
“Unencrypted laptops and mobile devices pose significant risk to the security of patient information.” – Sue McAndrew, OCR
Targeted Attacks
Source: HIMSS 2015 Cyber Security Survey
• Phishing Attacks: 69%
• Negligent Insiders: 65%
• APT Attacks: 63%
• Cyber Attacks: 59%
• Zero Day Attacks: 53%
• Exploit Known Software Vulnerabilities: 53%
• Malicious Insiders: 50%
• Social Engineering Attacks: 49%
• Denial of Services (DoS): 39%
• Brute Force Attacks: 34%
Hacking is an Industry
• This year billed as “more of everything” as hacking explodes to more devices
• Pwnie Awards went to Shellshock, OPM & Thomas Dullien
• Miller & Valasek continue to hack cars
• Hacking long range precision guided rifles, oops don’t tell DoD
• 11,000 attended this year, 73% said their organization would be hacked
• Workshops and “capture the flag” contests
• The Hack Fortress contest
• Rubbing elbows with the Pros
“Some hackers call the weeks of Black Hat USA and Def Con Summer Camp”
Top 10 Implemented Security Technologies
Source: 2015 Cybersecurity Survey
• Antivirus/Malware: 87%
• Firewalls: 85%
• Data Encryption (Rest): 70%
• Data Encryption (Transit): 69%
• Audit Logs: 64%
• Patch/Vulnerability Management: 61%
• Intrusion Detection Systems: 55%
• User Access Controls: 55%
• Mobile Device Management Tools: 51%
• Access Control Lists: 50%
Barriers to Successful Security
Source: 2015 Cybersecurity Survey
• Lack of Appropriate Personnel: 64%
• Lack of Financial Resources: 60%
• Too Many New/Emerging Threats: 42%
• Too Many Endpoints: 32%
• Not Enough Intelligence to Stay Ahead of Threats: 28%
• Too Many Applications: 25%
• Lack of Technologies for Effective Use: 20%
• Network Infrastructure Too Complex: 16%
• Too Many Users: 15%
• Lack of Know-How: 11%
• Other: 8%
• None of the Above: 4%
• Don't Know: 3%
Mobile Device Challenges
• Mobile devices are easily lost, stolen, or discarded with e-PHI on them
• Onboard cameras can be improperly used to record PHI
• No physical keyboard limits use of complex passwords
• Can easily transfer or store PHI from enterprise network
• Easy access to Facebook, Twitter, and other social media that allows unauthorized disclosure of PHI
Mobile App Security Concerns
• Mobile apps have created a number of security problems which have caught many organizations unaware
– Starbucks app stored its passwords in clear text
– Walgreens encouraged shoppers to take pictures of prescription labels… then those images were saved so anyone could see them
– Delta Airlines app encrypted passwords but it also saved its encryption key on the device in clear text
– Wearable technology, implants and ingestibles are creating privacy and safety concerns for patients, and security concerns for providers
Common Mobile Risks
• Data leakage from lost or stolen devices
• Improper disposal of retired devices
• Unintentional data disclosure through untrusted apps (poor data handling, auto syncing, spyware/malware)
• Unintentional data disclosure through untrusted networks (WiFi/Bluetooth spoofing, surveillance)
• Phishing attacks
Common Mobile Vulnerabilities
• App and OS patching weaknesses
• Jailbroken/rooted devices
• Inadequate app code review processes
• Impersonation of apps
• User permissions fatigue
• Sandboxing failures
• Encryption weaknesses
• Lack of user awareness
Compliance Considerations
Design Effective Strategy
• Identify mobile application needs
• Integrate into information security risk analysis
• Design risk management strategy
• Obtain business associate agreements if necessary and perform due diligence/vendor management
• Document compliance with the HIPAA Privacy and Security Rules
• Assure compliance with any posted privacy policy and terms of use agreement
Understand mHealth Legal
• Multiple regulatory agencies oversee different aspects of mHealth technology
• A device's intended use affects its classification, regulatory requirements & your liability
• Understand when HIPAA and/or other regulations are triggered
• Legal is often not included in technology selection, except from a contracting perspective
• Data collected will outlast the devices; design security into data retention, use and destruction practices
• Does the solution do what it says? Those affecting clinical outcomes will be scrutinized
Who’s/What’s Handling PHI
• Identify mobile devices/apps that handle PHI
– What devices/apps create PHI? (wearable devices, diagnostic apps)
– What devices/apps receive PHI? (email, EHR portals, vendor modified OTS devices)
– What devices/apps maintain PHI? (removable storage media, cloud email/storage)
– What devices/apps transmit PHI? (texting, email, cellular/WiFi transmitted data)
mHealth & Government Oversight
Source: www.healthit.gov
Regulated/Not Regulated
Not Regulated
• Provide access to electronic versions of medical textbooks
• Intended as educational or training aids
• Intended for general education for patients
• Automate general medical office administration
• Generic aids or general purpose products, such as magnifying glasses or directions to medical facilities
Discretionary
• Supplement clinical care by coaching
• Track or organize health information
• Provide access to health information
• Help document or report medical conditions
• Perform simple calculations (Body Mass Index)
• Allow interaction with EHR
• Meet the definition of a Medical Device Data System
Regulated
• Extension of one or more medical devices
• Transform a mobile platform into a regulated device through sensors, displays or attachments
• Perform patient specific analysis, diagnosis or treatment recommendations
FTC’s 10 Data Security Steps
• Start with security by assessing threats and vulnerabilities to data
• Control access to data security
• Require secure passwords and authentication
• Store sensitive personal information securely and protect it during transmission
• Segment your network and monitor who’s trying to get in & out
• Secure remote access to your network
• Apply sound security practices when developing new products
• Make sure your service providers implement reasonable security measures
• Put procedures in place to keep your security current and address vulnerabilities as they arise
• Secure paper, physical media and devices
Mobile Device Management
Implementation Considerations
Mobile Apps
• Access Control – authorizing users/least privilege
• Inappropriate Storage – sensitivity of access/local storage
• Insecure Storage – encrypting/hashing stored data
• Insecure Transport – sensitive session data protection
• Updates – how & when
• Software Vulnerabilities – application vulnerabilities
• Back Ups – how and when
Mobile Devices
• Access Control – authorizing the user
• Encryption – data protection
• Updates – how and when
• Software Vulnerabilities – platform/OS issues
• Backups – how, when & where
• Mobile Malware – protection against viruses/malware
• Remote Management – how & assurance of controls
• Device Specific Issues – e.g. device storage
• Platform Specific Issues – e.g. PW storage
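The "Insecure Storage" item above and the Starbucks and Delta cases on the Mobile App Security Concerns slide describe the same defect from two sides: a secret written to local storage in a form that anyone who reads the file can use. The following is an added example, not code from the presentation or from any of the apps named: a cleartext credential record beside a salted-hash record, a data-protection key derived from the user's passcode at unlock time so that no key file sits beside the ciphertext, and a small heuristic a reviewer can run over an app's local records. Function names, field names and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed example; not the presentation's code or any named app's code.
# Work factor is an assumption; follow current platform guidance in production.
PBKDF2_ITERATIONS = 200_000
SECRET_FIELD_HINTS = ("password", "passwd", "secret", "key", "token")


def store_password_cleartext(username: str, password: str) -> str:
    """Anti-pattern from the slides: the password itself lands in the app's local
    store, so anyone who reads the file (lost device, backup, another app) has it."""
    return json.dumps({"user": username, "password": password})


def store_password_hashed(username: str, password: str,
                          iterations: int = PBKDF2_ITERATIONS) -> str:
    """Keep a salted PBKDF2-HMAC-SHA256 digest instead of the password. The record
    can be checked against a candidate password but not turned back into it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return json.dumps({"user": username, "salt": salt.hex(),
                       "iterations": iterations, "hash": digest.hex()})


def verify_password(record_json: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = json.loads(record_json)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(rec["salt"]), rec["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


def derive_local_key(passcode: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the key that protects locally cached PHI from the user's passcode at
    unlock time. Only the salt is written to disk, so there is no key file to find
    beside the ciphertext (the pattern the Delta example describes)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                               iterations, dklen=32)


def persisted_kdf_parameters(salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """What the derived-key design actually stores: parameters, never key material."""
    return {"kdf": "pbkdf2-hmac-sha256", "salt": salt.hex(), "iterations": iterations}


def find_cleartext_secrets(record_json: str) -> list:
    """Heuristic for a mobile app risk assessment: string fields in a local record
    whose names suggest a secret stored in the clear (flags the cleartext record,
    passes the hashed one)."""
    rec = json.loads(record_json)
    return [name for name, value in rec.items()
            if isinstance(value, str)
            and any(hint in name.lower() for hint in SECRET_FIELD_HINTS)]


if __name__ == "__main__":
    bad = store_password_cleartext("alice", "correct horse")
    good = store_password_hashed("alice", "correct horse")
    print("cleartext record flags:", find_cleartext_secrets(bad))
    print("hashed record flags:", find_cleartext_secrets(good))
    print("verify ok:", verify_password(good, "correct horse"))
    salt = os.urandom(16)
    key = derive_local_key("1234", salt)
    print("persisted:", persisted_kdf_parameters(salt), "key bytes:", len(key))
```

The derived key is only as strong as the passcode and the work factor, which is why the slides pair it with PIN policy and auto-wipe on the device side; on platforms that offer a hardware-backed keystore, the derived key should wrap a keystore-protected key rather than encrypt data directly.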
Enterprise Risk Management
• Identify and evaluate the organization’s mobile device threats and vulnerabilities
• Use governance processes to determine tolerance levels for identified risks
• Establish controls to address identified vulnerabilities (policies, MDM/MAM, training)
• Review and update the risk assessment on a regular basis
Mobile App Risk Assessment
• Understand and document the app’s data flows and storage
– Identify encryption controls/weaknesses
– Identify third parties/BAAs with access to data
• Review the app’s privacy and security settings
• Determine possible interactions with other apps
• Review the developer’s software development practices
Mobile Device Policies
• Select an approach: corporate-owned vs. BYOD
• Disallow or limit the storage of PHI and other company data on mobile devices
• Define controls (PINs, auto-lock, auto-wipe, etc.)
• Define process for device decommissioning
• Users should sign acceptable use agreement that includes details on mobile device use
Technical Controls (MDM/MAM)
• Mobile Device Management (MDM) solutions can enforce device security settings and configurations:
– Entry level controls - MS ActiveSync (Exchange)
– Sophisticated controls - MobileIron, AirWatch, XenMobile, Symantec, McAfee, etc.
• Mobile Application Management (MAM) solutions provide wrappers around applications to ensure they follow defined policies
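The Mobile Device Policies slide lists the controls (PINs, auto-lock, auto-wipe, no PHI on the device) and this slide names the MDM tooling that enforces them; what sits between the two is a compliance check of each device's reported posture against the policy, followed by an access decision. The following is an added example, not code from the presentation and not any MDM product's API, showing that check over constructed device records that also exercise the Common Mobile Vulnerabilities slide's jailbroken and unpatched cases. Policy thresholds, field names, device records and the action names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed example; not the presentation's code and not any MDM product's API.
# Policy thresholds, device fields and action names are assumptions for illustration.
AS_OF = date(2015, 9, 23)   # evaluation date used by the sample run (constructed)


@dataclass
class Policy:
    """Device policy as the Mobile Device Policies slide describes it (assumed values)."""
    min_pin_length: int = 6
    max_autolock_minutes: int = 5
    require_encryption: bool = True
    allow_jailbroken: bool = False
    max_patch_age_days: int = 30
    max_failed_unlocks_before_wipe: int = 10
    allow_local_phi: bool = False


@dataclass
class DevicePosture:
    """What an MDM agent reports about one device (constructed schema)."""
    device_id: str
    ownership: str                  # "corporate" or "byod"
    pin_length: int                 # 0 = no PIN set
    autolock_minutes: int           # 0 = auto-lock disabled
    encrypted: bool
    jailbroken: bool
    os_patch_date: date
    wipe_after_failed_unlocks: int  # 0 = auto-wipe disabled
    apps_storing_phi: list = field(default_factory=list)


def evaluate(device: DevicePosture, policy: Policy, today: date) -> list:
    """Return one finding per policy control the device fails."""
    findings = []
    if device.jailbroken and not policy.allow_jailbroken:
        findings.append("jailbroken/rooted device")
    if device.pin_length < policy.min_pin_length:
        findings.append(f"PIN length {device.pin_length} below minimum {policy.min_pin_length}")
    if device.autolock_minutes == 0 or device.autolock_minutes > policy.max_autolock_minutes:
        findings.append("auto-lock disabled or longer than policy allows")
    if policy.require_encryption and not device.encrypted:
        findings.append("device storage not encrypted")
    patch_age = (today - device.os_patch_date).days
    if patch_age > policy.max_patch_age_days:
        findings.append(f"OS patch level {patch_age} days old")
    if (device.wipe_after_failed_unlocks == 0
            or device.wipe_after_failed_unlocks > policy.max_failed_unlocks_before_wipe):
        findings.append("auto-wipe after failed unlocks not enforced")
    if device.apps_storing_phi and not policy.allow_local_phi:
        findings.append("PHI stored locally by: " + ", ".join(device.apps_storing_phi))
    return findings


def decide(findings: list) -> str:
    """Map findings to an MDM action (constructed scheme): a compromised device has
    corporate data removed; any other gap blocks access until it is remediated."""
    if not findings:
        return "allow"
    if "jailbroken/rooted device" in findings:
        return "retire"       # selective wipe of corporate data and apps
    return "quarantine"       # no email/EHR access until brought into line


def assess_fleet(devices: list, policy: Policy, today: date) -> dict:
    """Device id -> action, the view an administrator reviews each day."""
    return {d.device_id: decide(evaluate(d, policy, today)) for d in devices}


# Constructed device records: one compliant, one jailbroken BYOD phone with PHI on
# it, one otherwise compliant phone that has simply missed its OS updates.
SAMPLE_DEVICES = [
    DevicePosture("tab-001", "corporate", 6, 5, True, False, date(2015, 9, 15), 10),
    DevicePosture("phone-002", "byod", 4, 0, False, True, date(2015, 6, 1), 0, ["notes"]),
    DevicePosture("phone-003", "byod", 8, 2, True, False, date(2015, 7, 20), 10),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.device_id, decide(evaluate(dev, Policy(), AS_OF)), evaluate(dev, Policy(), AS_OF))
```

The quarantine step is what makes the policy enforceable: a device that cannot reach email or the EHR until it is patched or encrypted gives the user a reason to fix it, which training alone rarely does.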
Security Awareness & Training
• Important for creating a “culture of responsibility”
• Incorporate into new hire and annual training
• Topics to consider:
– Overview of mobile device security threats
– Mobile device security settings
– Corporate acceptable use policies
• Training and Awareness Resource
– http://healthit.gov/mobiledevices
Wrap Up & Questions
mHealth Strategy Review
1. Establish baseline & plan of action
2. Establish policy & risk tolerance
3. Implement mSecurity controls
4. Communicate & educate
Questions?
Mac McMillan
512.405.8555
@mmcmillan07