Why the mHealth Security Challenge is Way Bigger than HIPAA

Stephen Cobb, CISSP, Security Researcher, ESET NA

The mobile health IT security challenge: way bigger than HIPAA?

Mobile health: The Security Challenge

The potential benefits of mobile medical technology and telemedicine are enormous, from better quality of life to saving lives, not to mention controlling healthcare costs. Yet keeping data safe when it is beyond the confines of hospitals and clinics is a serious challenge, one that cannot be met merely through regulatory compliance.

Questions to be answered

• What is mHealth, and why is securing health data that is mobile a challenge?

• What does HIPAA require of mobile health data users and managers?

• What does HIPAA compliance mean in the context of mHealth?

• Why does the “standard of due care” come into the mHealth picture?

• What other security actors are in play?

mHealth = mobile health = ?

• The use of mobile devices to achieve health care benefits by doctors, nurses, pharmacists, patients, wellness programs, clinics, and hospitals

• Devices include laptops, tablets, smartphones, wearable technology, wireless sensors, and remote monitors

• Includes Bring Your Own [mobile] Device (BYOD)

Question #1

How are you and/or your organization involved in mobile health?

Covered entity doing mHealth

Covered entity considering mHealth

mHealth product/services vendor

Security professional

I’m not any of the above

The mHealth scene: Summit 2014

Broad range of sponsors

From startups to big pharma, telcos, insurers, healthcare systems, and retailers

mHealth is hot

• President of Qualcomm

• Pfizer VP of Worldwide Innovation

• Samsung Chief Medical Officer & VP of

Global Healthcare

• Kaiser Permanente Senior VP of

Marketing & Internet Services

• Walgreens Chief Medical Officer

• CISO of Intermountain Healthcare

Privacy & Security Symposium

The mHealth security challenge

Part one:

a. Health data carries a premium on the black market

b. Health data has regulatory protection, with penalties

c. Health data can be dangerous

Part two:

a. Mobile devices are new and untested

b. Mobile data is harder to protect than static data

c. Secure practices for devices and users have not yet been established

Health data carries a premium on the black market

• Credit card record = $5

• Medical record = $50

• Price based on supply and demand

• Payment card data gets stale over time

• Medical records offer more options, and long-term exploitation

[Figure: underground market listing, “Fresh card data by state”; screenshots courtesy of krebsonsecurity.com]

Health records stolen for

• Generic identity theft, like tax ID fraud

• Medical billing fraud

• Medical ID theft and patient impersonation to obtain prescriptions, operations, and medical devices

• 1.8 million people were victims of medical ID theft in 2013 (Ponemon Institute)

Symptoms of medical ID theft

• Unexpected bills

  – Services you never received

  – Collectors, bad credit score

• Health insurance problems

  – Premium increases

  – Coverage dropped/denied

• Treatment delays

• Medical errors

  – Erroneous allergy info

  – Drug interactions

Question #2

In what year was the Health Insurance Portability and Accountability Act passed?

2001

1996

2013

1999

Health data has regulatory protection, with penalties

1996: HIPAA passed; the cost of insurance portability is to be offset by electronic billing, with privacy and security rules to protect computerized health information

2003: Privacy Rule compliance deadline for all but small health plans

2005: Security Rule compliance deadline

2008: First HIPAA ‘fine’ ($100,000)

2009: HITECH Act (Meaningful Use requirements)

2012: First round of HIPAA audits

2013: Omnibus Final Rule takes effect

2014: Largest HIPAA settlement so far, $4.8 million

HIPAA on mobile health data

• HIPAA Security Rule: must implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI (Protected Health Information in electronic form)

• Fines for violations

• The rule applies regardless of where the data is located, so it applies to mobile

HIPAA security and mobile

• Starts with risk analysis

  – Must address all risks to all ePHI that your organization creates, receives, maintains, or transmits

  – Consider the HHS Security Risk Assessment (SRA) tool

• Addressable versus required

  – Encryption is addressable, not required; so is protection from malicious software (164.308(a)(5)(ii)(B)), despite the common assumption that anti-malware is mandated. The rule names no specific product or algorithm for either.

  – “Addressable” does not mean optional: you must assess whether the safeguard is reasonable and appropriate for your environment and, if you decide not to implement it, document why and what equivalent alternative you put in place. Ignore it at your peril/pain.

  – Use of “strong” authentication: the rule requires person or entity authentication but does not say how strong it must be

HIPAA, OCR, and beyond

• OCR (the HHS Office for Civil Rights) is about to do more HIPAA audits

• Other players are now in the game:

  • FTC = Federal Trade Commission: consumer protection, devices (e.g. the Eli Lilly case)

  • FCC = Federal Communications Commission: Connect2HealthFCC

  • DHS = Department of Homeland Security: ICS-CERT

  • NIST: Cybersecurity Framework

Health data can be dangerous

• For patients, stolen or corrupted data can lead to:

  • Lack of access to health care

  • Medical errors

  • Death

• For providers and business associates, security and privacy issues can lead to:

  • Fines

  • Bad publicity

  • Lawsuits

Mobile devices are new, untested

• What could possibly go wrong?

• We just don’t know

• That does not mean nothing will go wrong

• Scenario: your organization deploys a wearable health sensor like Fitbit for patients (but it could be for employees)

• A criminal eavesdrops on Fitbit traffic, finds the wearer is not at home, and burgles the home

• Are you exposed?

Mobile data is harder to protect than static data

• The problem of attack surface

  – 1 device = 1 attack surface

  – 2 devices = 2 attack surfaces

  – 2 devices connected = 5 attack surfaces

[Diagram: the attack surface of a mobile health deployment. Mobile device: OS + app, helper apps, carrier data, network protocols, GPS, vendor, carrier, voice calls, SMS, MMS, USB, SIM, SD cards/flash, power, cell tower. Data processing center(s). Clinic network: OS + app, helper apps, network protocols, printer, copier.]

Question #3

Where is your organization on the use of wearables for health data?

Using them right now

Considering deploying them

We have ruled them out for now

I don’t work for an organization

[Diagram: the mobile device/data center/clinic network attack-surface diagram repeated, with a Fitbit wearable added on the mobile-device side.]

Wearable/sensor device issues

• Lack of device security

• Lack of app security

  – Passwords transmitted in the clear

• Third-party app issues

  – Arbitrary security/privacy, if any

  – Multiple domains contacted: app analytics, ad networks, app provider, OS provider, social media, app framework, CRM/marketing, utility APIs

Source: Candid Wüest, Symantec, VB 2014
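Two of the issues above, credentials sent over plaintext HTTP and the spread of domains a companion app talks to, are easy to check for once you have a capture of the app's traffic (a proxy such as mitmproxy, or a pcap). The script below is an added example written for this page; it is not from the talk or from the Symantec research it cites. The app, the hosts and the request records are constructed for illustration, and the set of first-party domains is an assumption the analyst supplies from the vendor's documentation.

```python
"""
Triage of captured mobile-app traffic for two wearable/companion-app issues:
  1. credentials or tokens sent over plaintext HTTP
  2. the set of third-party domains the app contacts
Added example; the request records below are constructed, not from any real app.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Parameter names that usually carry a credential or bearer token.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "token", "access_token", "secret"}


@dataclass(frozen=True)
class Request:
    url: str              # full URL the app requested
    body: str = ""        # form-encoded request body, if any
    headers: tuple = ()   # (name, value) pairs


def credential_fields(req):
    """Names of credential-looking fields in the query string, the form body,
    or an Authorization header of one request (sorted, for stable output)."""
    parts = urlsplit(req.url)
    found = set()
    for source in (parts.query, req.body):
        for key in parse_qs(source, keep_blank_values=True):
            if key.lower() in CREDENTIAL_KEYS:
                found.add(key)
    for name, _value in req.headers:
        if name.lower() == "authorization":
            found.add("Authorization")
    return sorted(found)


def cleartext_credentials(requests):
    """Requests that use plain http and carry a credential field: anyone on
    the path (a hotspot, the carrier, a shared LAN) can read them."""
    hits = []
    for req in requests:
        if urlsplit(req.url).scheme == "http":
            fields = credential_fields(req)
            if fields:
                hits.append((req.url, fields))
    return hits


def registrable_domain(host):
    """Naive two-label heuristic: fine for the .com hosts in the sample,
    wrong for ccSLDs such as example.co.uk (use the public suffix list there)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def contacted_domains(requests, first_party):
    """Group contacted hosts by registrable domain and split them into the
    vendor's own (first_party) and everything else (third party)."""
    seen = {}
    for req in requests:
        host = urlsplit(req.url).hostname or ""
        seen.setdefault(registrable_domain(host), set()).add(host)
    first = {d: sorted(h) for d, h in seen.items() if d in first_party}
    third = {d: sorted(h) for d, h in seen.items() if d not in first_party}
    return first, third


# Constructed session of a hypothetical fitness-tracker companion app.
SAMPLE_SESSION = [
    Request("http://api.example-wearable.com/v1/login",
            body="user=alice%40example.org&password=hunter2"),
    Request("https://api.example-wearable.com/v1/steps?day=2014-11-03",
            headers=(("Authorization", "Bearer abc123"),)),
    Request("http://sync.example-wearable.com/v1/sync?token=abc123&device=77"),
    Request("https://analytics.example-metrics.com/collect?app=wearable&ev=open"),
    Request("https://ads.example-adnet.com/v2/impression?uid=77"),
    Request("https://graph.example-social.com/share?msg=ran+5k"),
]
FIRST_PARTY = {"example-wearable.com"}   # assumption: the vendor's own domains

if __name__ == "__main__":
    for url, fields in cleartext_credentials(SAMPLE_SESSION):
        print("CLEARTEXT CREDENTIAL:", url, fields)
    first, third = contacted_domains(SAMPLE_SESSION, FIRST_PARTY)
    print("first-party hosts:", first)
    print("third-party hosts:", third)
```

Run against a real capture, the interesting results are the ones the vendor did not tell you about: a login or sync endpoint still reachable over http, and analytics or ad domains receiving identifiers that can be tied back to a patient. Both belong in the risk assessment for the deployment, with a decision recorded about each.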

Mobile adds to health data complexity, e.g. providers, payers, employers

[Diagram: HIPAA transaction flows between data users and data feeders. Provider systems: Master Patient Index, Registration (ADT), Billing, Data Warehouse, CPR, Budgeting, Marketing, Lab, Radiology, Logistics, Pharmacy, Scheduling. Payer systems: Data Warehouse, Budgeting, HEDIS, Enrollment, Precertification and Adjudication, Claims Acceptance, Accounts Payable, Accounts Receivable, Coordination of Benefits, Disease Management, Medical Review. Employer: Personnel, Claim Entry. Source: Peter McLaughlin, DLA Piper LLP (Boston).]

Secure practices for mobile devices and users not established

• For example, we address security of health data on employee devices (BYOD) with mobile device management (MDM)

• But many organizations are still in the planning phase of MDM

• Education and awareness are also required

  – Ponemon: 60% found mobile devices diminished employee security practices

• Cost of managed deployment is high

  – Ponemon: only 36% had adequate budget

What does HIPAA say?

• Many issues are still “addressable”, with no specific technology required

• Mobile is on the HHS radar (see video)

• HIPAA is all about the risk assessment

  – Document all the risks

  – Be realistic about risks

  – Remember there are criminals with means and motive seeking the data you handle

  – Document what you’re doing about each risk

  – Document what you’re not doing, and why

Does HIPAA compliance help?

• Yes: if you are audited or have a breach, you can show compliance in your defense

• But that compliance may hinge on your risk assessment

  – Did you document all the risks?

  – Were you realistic about risks?

• And compliance may not prevent lawsuits

The three courts and due care

• If your mobile health initiative leaks protected health information, you will be “on trial” in three courts, plus OCR:

  • Law

  • Press

  • Public opinion

• If there are lawsuits, then reasonableness is the test, re: the “standard of due care”

Due care and negligence

• Due care: “the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others.” Applies to action or lack thereof. (dictionary.law.com)

• Negligence is “a failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances.” (Cornell University Law School)

Risk assessment and due care

• Have you considered all of the risks your systems are likely to face?

• For example, have you read the FTC brochure on medical identity theft and considered all of its implications?

• Do your employees know about McDumpals (a card-data shop profiled by krebsonsecurity.com) and its ilk?

Case study: Walgreens - $1.44m

• The Indiana Court of Appeals upheld a July 2013 verdict awarding $1.44 million in damages for a pharmacist's violation of HIPAA's patient privacy provisions

• She was caught “viewing the prescription records of a customer … and divulging information … to the client's ex-boyfriend.”

• The court found for the plaintiff despite Walgreens' claim that it was HIPAA compliant

• Note that HIPAA itself gives patients no private right of action; the case proceeded on state-law negligence and privacy claims, with HIPAA serving as evidence of the standard of care. That is exactly how the “standard of due care” reaches an organization that believes it is compliant.

Mobile health risk summary

• Are you confident that the technology can be used for handling ePHI securely?

• Are you confident that the users of the technology will handle ePHI securely?

• If yes, do you have documentation of how you arrived at that answer?

• Do the benefits of deploying mHealth projects outweigh the costs, including those that may accrue from security problems?

Links

• Recorded webinar, The Evolution of Cybercrime:

• https://www.brighttalk.com/webcast/1718/119223

• Recorded webinar, Wearable Technology: What are the Security Threats?

• https://www.brighttalk.com/webcast/1718/125045

• Mobile device security video from HHS:

• http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

• HIPAA Security Risk Assessment Tool:

• http://www.healthit.gov/providers-professionals/security-risk-assessment

• HIPAA information:

• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/

• Security in the New Mobile Ecosystem by Ponemon/Raytheon:

• http://www.trustedcs.com/resources/whitepapers/Ponemon-RaytheonSecurityInTheNewMobileEcosystemResearchReport.pdf

• FTC information on medical identity theft:

• http://www.business.ftc.gov/documents/bus75-medical-identity-theft-faq-health-care-health-plan

• Free FTC brochure on medical identity theft:

• https://bulkorder.ftc.gov/system/files/publications/bus75-medical-identity-theft-faq-health-care-health-plan.pdf

• FCC health initiatives:

• http://www.fcc.gov/health

• DHS/NIST cybersecurity framework:

• http://www.nist.gov/cyberframework/

Thank you!


• www.eset.com

• www.WeLiveSecurity.com

• Twitter @zcobb