Why the mHealth Security Challenge is Way Bigger than HIPAA
Stephen Cobb, CISSP
Security Researcher, ESET NA
Mobile health: The Security Challenge
The potential benefits of mobile medical technology and telemedicine are enormous, from better quality of life to saving lives, not to mention controlling healthcare costs. Yet keeping data safe when it is beyond the confines of hospitals and clinics is a serious challenge, one that cannot be met merely through regulatory compliance.
Questions to be answered
• What is mHealth and why is securing health data that is mobile a challenge?
• What does HIPAA require of mobile health data users/managers?
• What does HIPAA compliance mean in the context of mHealth?
• Why does “Standard of Due Care” come into the mHealth picture?
• What other security actors are in play?
mHealth = mobile health = ?
• The use of mobile devices to achieve health care benefits by:
• Doctors, nurses, pharmacists, patients, wellness programs, clinics, hospitals
• Devices include:
• Laptops, tablets, smartphones, wearable technology, wireless sensors, remote monitors
• Bring Your Own [mobile] Device (BYOD)
Question #1
How are you and/or your organization
involved in mobile health?
Covered entity doing mHealth
Covered entity considering mHealth
mHealth product/services vendor
Security professional
I’m not any of the above
Broad range of sponsors
From startups to big pharma, telcos, insurers, healthcare systems, and retailers
mHealth is hot
• President of Qualcomm
• Pfizer VP of Worldwide Innovation
• Samsung Chief Medical Officer & VP of
Global Healthcare
• Kaiser Permanente Senior VP of
Marketing & Internet Services
• Walgreens Chief Medical Officer
• CISO of Intermountain Healthcare
The mHealth security challenge
Part one:
a. Health data carries a premium on the black market
b. Health data has regulatory protection, with penalties
c. Health data can be dangerous
Part two:
a. Mobile devices are new, untested
b. Mobile data is harder to protect than static data
c. Secure practices for devices and users have not yet been established
Health data carries a premium on the black market
• Credit card record = $5
• Medical record = $50
• Price based on supply and demand
• Payment card data gets stale over time
• Medical records offer more options, and long-term exploitation
Health records stolen for
• Generic identity theft, like tax ID fraud
• Medical billing fraud
• Medical ID theft and patient impersonation to obtain
• Prescriptions, operations, medical devices
• 1.8 million people were victims of medical ID theft in 2013
• Ponemon Institute
Symptoms of medical ID theft
• Unexpected bills
• Services you never received
• Collectors, bad credit score
• Health insurance problems
• Premium increases
• Coverage dropped/denied
• Treatment delays
• Medical errors
• Erroneous allergy info
• Drug interactions
Question #2
In what year was the Health
Insurance Portability and
Accountability Act passed?
2001
1996
2013
1999
Health data has regulatory protection, with penalties
1996: Cost of portability of insurance to be offset by
electronic billing, with privacy and security rules to
protect computerized health information
2003: Privacy Rule compliance deadline for all but
small health plans
2005: Security Rule compliance deadline
2008: First HIPAA ‘fine’ ($100,000)
2009: HITECH Act (Meaningful Use requirements)
2012: First round of HIPAA audits
2013: Omnibus Final Rule takes effect
2014: Largest HIPAA settlement so far $4.8 million
HIPAA on mobile health data
• HIPAA Security Rule: Must implement reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of ePHI (Protected Health Information in electronic form)
• Fines for violations
• Rule applies regardless of where the data is located = applies to mobile
HIPAA security and mobile
• Starts with Risk Analysis
– Must address all risks to all ePHI that your organization creates, maintains, or transmits
– Consider the SRA tool
• Addressable versus required
– AV required, encryption is addressable
– But ignore at your peril/pain
– Use of “strong” authentication
HIPAA, OCR, and beyond
• OCR about to do more HIPAA audits
• Other players are now in the game:
• FTC = Federal Trade Commission
• Consumer protection, devices, (Lilly)
• FCC = Federal Communications Commission
• Connect2HealthFCC
• DHS = Department of Homeland Security
• NIST cybersecurity framework
• NIST ICS-CERT
Health data can be dangerous
• For patients, stolen or corrupted data can
lead to:
• Lack of access to health care
• Medical errors
• Death
• For providers and business associates,
security and privacy issues can lead to:
• Fines
• Bad publicity
• Lawsuits
Mobile devices are new, untested
• What could possibly go wrong?
• We just don’t know
• That does not mean nothing will go wrong
• Scenario: Your organization deploys a wearable health sensor like Fitbit for patients (but could be for employees)
• A criminal eavesdrops on Fitbit traffic, finds wearer is not at home, burgles the home
• Are you exposed?
Mobile data is harder to protect than static data
• The problem of attack surface
• 1 device = 1 attack surface
• 2 devices = 2 attack surfaces
• 2 devices connected = 5 attack surfaces
[Diagram: the mHealth data path from the mobile device (OS + app, helper apps, carrier data, network protocols, GPS, vendor, carrier, voice calls, SMS/MMS, USB, SIM, SD cards/flash, power) through the cell tower to the data processing center(s) and on to the clinic network (OS + app, helper apps, network protocols, printer, copier)]
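The slide's counting (1 device = 1 surface, 2 unconnected devices = 2, 2 connected devices = 5) is a bookkeeping rule, and the point of it is that surfaces grow faster than devices once things are connected. The script below is an added example, not part of the original deck: it treats each device as one surface and each link as three (the channel plus an interface at either end), which is an assumption inferred from the slide's numbers, and it applies that rule to the device chain in the slide's diagram so every surface can be named and handed an owner in the risk analysis. The link topology is constructed for illustration.

```python
"""Attack-surface bookkeeping for a connected mHealth deployment (added example).

Counting rule (an assumption inferred from the slide's numbers: 1 device = 1,
2 unconnected devices = 2, 2 connected devices = 5): every device is one
surface, and every link adds three more, the channel itself plus an
interface at each end. Device names and component lists come from the
slide's diagram; the links between them are constructed for illustration.
"""
from dataclasses import dataclass, field

SURFACES_PER_LINK = 3  # channel + one interface per endpoint (assumption)


@dataclass
class Deployment:
    """Devices (with the sub-surfaces each carries) and the links between them."""
    nodes: dict = field(default_factory=dict)   # device name -> list of components
    links: set = field(default_factory=set)     # frozenset({a, b}) per link

    def add_device(self, name, components=()):
        self.nodes[name] = list(components)

    def connect(self, a, b):
        if a not in self.nodes or b not in self.nodes:
            raise KeyError(f"unknown device in link {a!r}-{b!r}")
        if a == b:
            raise ValueError("a device cannot be linked to itself")
        self.links.add(frozenset((a, b)))

    def surface_count(self):
        return len(self.nodes) + SURFACES_PER_LINK * len(self.links)

    def enumerate_surfaces(self):
        """Name every surface so each one can be assigned an owner in the risk analysis."""
        surfaces = [f"device:{n}" for n in self.nodes]
        for link in sorted(self.links, key=sorted):
            a, b = sorted(link)
            surfaces += [f"channel:{a}<->{b}", f"interface:{a}->{b}", f"interface:{b}->{a}"]
        return surfaces

    def component_inventory(self):
        """Per-device sub-surfaces (OS, apps, radios, ports) the risk analysis must also cover."""
        return {n: list(c) for n, c in self.nodes.items()}


def full_mesh_surfaces(n_devices):
    """Surfaces when n devices are all interconnected: n devices + 3 * C(n, 2) links."""
    return n_devices + SURFACES_PER_LINK * (n_devices * (n_devices - 1) // 2)


def mhealth_chain():
    """The slide's picture: phone -> cell tower -> data center -> clinic network -> printer/copier."""
    d = Deployment()
    d.add_device("mobile device", ["OS + app", "helper apps", "carrier data",
                                   "network protocols", "GPS", "voice calls",
                                   "SMS, MMS", "USB", "SIM", "SD card", "power"])
    d.add_device("cell tower", ["carrier", "vendor"])
    d.add_device("data processing center", ["OS + app", "network protocols"])
    d.add_device("clinic network", ["OS + app", "helper apps", "network protocols"])
    d.add_device("printer")
    d.add_device("copier")
    for a, b in [("mobile device", "cell tower"),
                 ("cell tower", "data processing center"),
                 ("data processing center", "clinic network"),
                 ("clinic network", "printer"),
                 ("clinic network", "copier")]:
        d.connect(a, b)
    return d


if __name__ == "__main__":
    chain = mhealth_chain()
    print("surfaces in the mHealth chain:", chain.surface_count())  # 6 devices + 3 * 5 links = 21
    for surface in chain.enumerate_surfaces():
        print("  ", surface)
    for device, components in chain.component_inventory().items():
        print(f"  {device}: {len(components)} sub-surfaces")
    for n in range(1, 6):
        print(n, "fully meshed devices ->", full_mesh_surfaces(n), "surfaces")
```

The `full_mesh_surfaces` function goes beyond the slide's two-device case: with every device talking to every other, five devices already give 35 surfaces under this rule, which is the "harder to protect than static data" point in numbers. The `enumerate_surfaces` list is the useful output for a HIPAA risk analysis, since each named channel and interface is something the analysis has to say something about.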
Question #3
Where is your organization on the use of wearables for health data?
Using them right now
Considering deploying them
We have ruled them out for now
I don’t work for an organization
Fitbit
Wearable/sensor device issues
• Lack of device security
• Lack of app security
• Passwords transmitted in clear
• Third party app issues
• Arbitrary security/privacy, if any
• Multiple domains contacted:
• App analytics
• Ad networks
• App provider
• OS provider
• Social media
• App framework
• CRM/marketing
• Utility API
Source: Candid Wüest, Symantec, VB 2014
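Two of the issues on this slide, passwords sent in the clear and the number of third-party domains an app contacts, are things an organization can check for itself before deploying a wearable to patients or staff, given a capture of the companion app's traffic. The script below is an added example, not code from the deck or from the Symantec research it cites: it runs two such checks over request metadata. The request records, the `.example` hostnames and the domain-category lookup are all constructed for the illustration.

```python
"""Reviewing a wearable companion app's network behaviour (added example).

Input is a list of request records (URL plus parsed form fields) such as a
proxy or capture tool would give you. The records, hostnames and the
domain-category table below are constructed for illustration. The two
checks mirror the slide: credentials carried over plain http, and which
third-party domains receive data from the app.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Field names that usually carry a credential (a deliberately short list).
CREDENTIAL_FIELD = re.compile(r"^(pass(word|wd)?|pwd|secret|pin)$", re.IGNORECASE)

# Constructed lookup: domain suffix -> the slide's category for that contact.
THIRD_PARTY_CATEGORIES = {
    "metrics.example": "app analytics",
    "ads.example": "ad network",
    "social.example": "social media",
    "crm.example": "CRM/marketing",
    "maps.example": "utility API",
}


@dataclass
class Request:
    url: str
    form: dict  # parsed form/body fields, name -> value


def _matches_suffix(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def domain_category(host, first_party_suffixes):
    """Classify a host as first party, a known third-party category, or unknown."""
    if any(_matches_suffix(host, s) for s in first_party_suffixes):
        return "first party"
    for suffix, category in THIRD_PARTY_CATEGORIES.items():
        if _matches_suffix(host, suffix):
            return category
    return "unknown third party"


def cleartext_credentials(requests):
    """Requests that send a credential-looking field over plain http (host + path)."""
    hits = []
    for r in requests:
        parts = urlsplit(r.url)
        if parts.scheme == "http" and any(CREDENTIAL_FIELD.match(k) for k in r.form):
            hits.append(f"{parts.netloc}{parts.path}")
    return hits


def contacted_domains(requests, first_party_suffixes):
    """Distinct hosts with their category, so a privacy review can see who receives data."""
    by_host = {}
    for r in requests:
        host = urlsplit(r.url).hostname
        by_host[host] = domain_category(host, first_party_suffixes)
    return by_host


def assess(requests, first_party_suffixes):
    """Summary a reviewer can attach to the risk analysis for this device."""
    domains = contacted_domains(requests, first_party_suffixes)
    third = {h: c for h, c in domains.items() if c != "first party"}
    return {
        "cleartext_credential_requests": cleartext_credentials(requests),
        "third_party_domains": third,
        "third_party_count": len(third),
    }


# Constructed sample traffic from a hypothetical wearable companion app.
SAMPLE = [
    Request("http://api.wearable.example/v1/login", {"user": "alice", "password": "hunter2"}),
    Request("https://api.wearable.example/v1/steps", {"day": "2014-11-03", "steps": "8211"}),
    Request("https://collect.metrics.example/track", {"event": "sync", "uid": "alice"}),
    Request("https://sync.ads.example/pixel", {"adid": "abc"}),
    Request("https://graph.social.example/share", {"steps": "8211"}),
    Request("https://cdn.unknownvendor.example/lib.js", {}),
]

if __name__ == "__main__":
    report = assess(SAMPLE, ["wearable.example"])
    print("credentials over http:", report["cleartext_credential_requests"])
    print("third-party domains contacted:", report["third_party_count"])
    for host, category in sorted(report["third_party_domains"].items()):
        print(f"  {host}: {category}")
```

An "unknown third party" entry is the interesting result in practice: a domain the reviewer cannot categorize is one whose privacy terms nobody has read, which is the "arbitrary security/privacy, if any" item on the slide.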
Mobile adds to health data complexity, e.g. providers, payers, employers
[Diagram of HIPAA transaction data flows between data users and data feeders: Master Patient Index, Registration or ADT, Billing, Data Warehouse, CPR, Budgeting, Marketing, Lab, Radiology, Logistics, Pharmacy, Scheduling, HEDIS, Enrollment, Precertification and Adjudication, Claims Acceptance, Accounts Payable, Accounts Receivable, Coordination of Benefits, Disease Management, Medical Review, Employer Personnel, Claim Entry]
Source: Peter McLaughlin, DLA Piper LLP (Boston)
Secure practices for mobile devices and users not established
• For example: we address security of health data on employee devices (BYOD) with Mobile Device Management (MDM)
• But many organizations are still in the planning phase of MDM
• Education and awareness also required
• Ponemon: 60% found mobile devices diminished employee security practices
• Cost of managed deployment is high
• Ponemon: only 36% had adequate budget
What does HIPAA say?
• Many issues are still “addressable” with no specific technology required
• Mobile is on HHS radar (see video)
• HIPAA is all about the risk assessment
• Document all the risks
• Be realistic about risks
• Remember there are criminals with means and motive seeking the data you handle
• Document what you’re doing about each risk
• Document what you’re not doing and why
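The advice above, together with the earlier "addressable versus required" slide, amounts to a set of checks a risk register can be held to: every risk has a documented response, every required safeguard is in place, and every addressable safeguard that is not in place has a written reason. The checker below is an added example, not an HHS or ESET tool and not the SRA tool the deck mentions. It classifies antivirus as required and encryption and strong authentication as addressable, as the slides do; the risk entries, scores and safeguard names are constructed for a hypothetical clinic.

```python
"""A minimal HIPAA-style risk register checker (added example, not an HHS tool).

It encodes the deck's advice: list every risk to ePHI, record what is done
about each one, and record what is not done and why. Safeguards carry the
status the slides give them ("required" or "addressable"); the risks,
scores and entries below are constructed for a hypothetical clinic.
"""
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    name: str
    status: str                 # "required" or "addressable"
    implemented: bool
    rationale: str = ""         # why an addressable safeguard is declined or deferred
    risks_addressed: list = field(default_factory=list)  # risk identifiers


@dataclass
class Risk:
    identifier: str
    description: str
    likelihood: int             # 1 (rare) .. 5 (expected), constructed scale
    impact: int                 # 1 (minor) .. 5 (severe), constructed scale

    @property
    def score(self):
        return self.likelihood * self.impact


def validate_register(risks, safeguards):
    """Return the documentation gaps an auditor (or a plaintiff's lawyer) would ask about."""
    findings = []
    for s in safeguards:
        if s.status not in ("required", "addressable"):
            findings.append(f"{s.name}: unknown status {s.status!r}")
        elif s.status == "required" and not s.implemented:
            findings.append(f"{s.name}: required safeguard not implemented")
        elif s.status == "addressable" and not s.implemented and not s.rationale.strip():
            findings.append(f"{s.name}: addressable safeguard declined without documented rationale")
    # "Document what you're doing about each risk": every risk needs at least one response.
    covered = {rid for s in safeguards for rid in s.risks_addressed}
    for r in sorted(risks, key=lambda r: -r.score):
        if r.identifier not in covered:
            findings.append(f"{r.identifier} (score {r.score}): no documented response")
    return findings


# Constructed register for a hypothetical clinic piloting patient wearables.
RISKS = [
    Risk("R1", "lost or stolen phone holding ePHI", 4, 4),
    Risk("R2", "malware on a BYOD device", 3, 4),
    Risk("R3", "wearable traffic read off the air", 2, 3),
    Risk("R4", "staff share the app password", 3, 3),
]
SAFEGUARDS = [
    Safeguard("anti-malware on managed devices", "required", True, risks_addressed=["R2"]),
    Safeguard("device encryption via MDM", "addressable", False,
              rationale="MDM rollout scheduled; interim rule: no ePHI on unmanaged phones",
              risks_addressed=["R1"]),
    Safeguard("strong authentication for the app", "addressable", False,
              risks_addressed=["R4"]),
    Safeguard("risk analysis covering all ePHI", "required", False),
]

if __name__ == "__main__":
    for finding in validate_register(RISKS, SAFEGUARDS):
        print("-", finding)
```

On the constructed register this reports three gaps: the addressable authentication control that was skipped without a written reason, the required risk analysis that has not been done, and risk R3, which no safeguard claims to address. The deferred encryption control does not appear, because its rationale is documented, which is exactly the distinction the slide draws between "not doing" and "not doing and why".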
Does HIPAA compliance help?
• Yes, if you are audited or have a breach, you can show compliance in your defense
• But that compliance may hinge on your risk assessment
• Did you document all the risks?
• Were you realistic about risks?
• And compliance may not prevent lawsuits
The three courts and due care
• If your mobile health initiative leaks protected health information, you will be “on trial” in three courts, plus OCR
• Law
• Press
• Public opinion
• If there are lawsuits, then reasonableness is the test, re: “standard of due care”
Due care and negligence
• Due care: “the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others.” Applies to action or lack thereof.
• (dictionary.law.com)
• Negligence is: “a failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances.”
• (Cornell University Law School)
Risk assessment and due care
• Have you considered all of the risks your systems are likely to face?
• For example, have you read the FTC brochure and considered all of its implications?
• Do your employees know about McDumpals and their ilk?
Case study: Walgreens - $1.44m
• Court of Appeals upheld a July 2013 verdict awarding $1.44 million in damages for a pharmacist's violation of HIPAA's patient privacy provisions
• She was caught “viewing the prescription records of a customer …and divulging information …to the client's ex-boyfriend.”
• Court found for plaintiff despite Walgreens' claim that it was HIPAA compliant
Mobile health risk summary
• Are you confident that the technology can be used for handling ePHI securely?
• Are you confident that the users of the technology will handle ePHI securely?
• If yes, do you have documentation of how you arrived at that answer?
• Do the benefits of deploying mHealth projects outweigh the costs, including those that may accrue from security problems?
Links
• Recorded webinar - The Evolution of Cybercrime:
• https://www.brighttalk.com/webcast/1718/119223
• Recorded webinar - Wearable Technology: What are the Security Threats?
• https://www.brighttalk.com/webcast/1718/125045
• Mobile device security video from HHS:
• http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
• HIPAA Security Risk Assessment Tool:
• http://www.healthit.gov/providers-professionals/security-risk-assessment
• HIPAA information:
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/
• Security in the New Mobile Ecosystem by Ponemon/Raytheon:
• http://www.trustedcs.com/resources/whitepapers/Ponemon-RaytheonSecurityInTheNewMobileEcosystemResearchReport.pdf
• FTC information on medical identity theft:
• http://www.business.ftc.gov/documents/bus75-medical-identity-theft-faq-health-care-health-plan
• Free FTC brochure on medical identity theft:
• https://bulkorder.ftc.gov/system/files/publications/bus75-medical-identity-theft-faq-health-care-health-plan.pdf
• FCC health initiatives:
• http://www.fcc.gov/health
• DHS/NIST cybersecurity framework:
• http://www.nist.gov/cyberframework/