HIMSS 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
TRANSCRIPT
Data Security Risks in the Internet of Everything
Chad Kissinger | Founder, OnRamp
Agenda
• Intro
• What is The Internet of Things?
• IoT Benefits
• IoT Challenges and Risks
• Recommendations
• Q&A
Speaker Biography
Chad Kissinger Founder, OnRamp
Since founding OnRamp in 1994, Chad has driven the growth and business model evolution of the company from a start-up ISP to an established provider of data center services. OnRamp is a high security and hybrid hosting provider that operates multiple enterprise class data centers located in Austin, Texas and Raleigh, North Carolina. A founding member, former President & Legislative Chair of the Texas Internet Service Provider Association, and leader in the development of OnRamp’s HIPAA compliant hosting solutions, Chad is highly experienced in data privacy and security issues.
Focus On Compliance
Services
COLOCATION: Highly dense, highly available colocation services backed by Full7Layer Support
PRIVATE CLOUDS: Dedicated, secure computing environment with virtualization
CLOUD SERVICES: Scalable, secure computing infrastructure
What’s the Big Deal?
$2.2 Million: Avg Cost of Data Breach*
11 Million: Healthcare Records Exposed In 2016**
44 percent of all registered data breaches in 2013 were targeted at medical companies**
*Article by HIPAA Journal; **Survey by Ponemon Institute
What Is IoT?
• Everyday objects that connect to the Internet and that send and receive data
• Multi-system integration: cloud, mobile, medical devices, & smart home
• NIST Special Publication 800-183 Networks of ‘Things’
• Sensing, Computing, Communication, and Actuation
Benefits
‘Cyber-physical systems’ could save $63 billion in healthcare costs over 15 years with a 15-30% reduction in hospital equipment costs and a 15-20% increase in patient throughput*
*Healthcare IT News
Win-Win Scenario
Patients: early detection, prevention and treatment
Providers: cost savings through reduced hospital readmissions and healthcare costs
Continued Growth
IoT – Clinical
• Devices
  • Lab analyzers
  • Insulin pumps
  • Vital sign monitors
• Types of Data
  • X-ray images
  • Dosage settings
  • Therapy timers
IoT – Non-Clinical Devices & Data Flow
• Health apps
• Email
• Jump drives
• Wearables
• Health sensors
• Smart thermostats
• Entertainment systems
• Light controls
• Motion sensors
Here’s the bad news…
Even if a device is unimportant, it’s the network that’s at risk!
“A lot of adversaries aren't looking at it as 'let me go and attack your toaster': they're looking at it as 'let me attack your toaster to use it as a way to get into the rest of your network'." - John Pironti, President of IP Architects
Challenges & Risks
Data Integrity, Availability and Privacy
In 2014, there were 333 medical data breaches, compared to 271 breaches in 2013 – a 23% increase year-over-year.*
• No standards for medical software and firmware
• Full-time management and monitoring required for health networks
• Data must be secure, but accessible for medical personnel
• Fixing vulnerabilities not always possible
*Computer.org
Technical Threats to IoT
Threat Sources
Verizon 2015 Data Breach Investigations Report – 2,260 breaches
Why Is this Happening?
Business
• Not enough resources
• Ineffective training
• Lack of policies & procedures
• Lack of audit procedures
• Weak physical security
Technical
• Lack of encryption
• Weak remote access controls
• Lack of network awareness
• Insecure network architecture
• Insufficient access controls
• Lack of logging/monitoring
• Gaps in system patching
Best Practices
• Security by design – build security into devices
• Culture of security – promote good security within organization
• Third-party service providers – ensure 3rd party providers maintain reasonable security
• Defense in depth strategy – multiple layers of security against risks
• Access control measures – measures to keep unauthorized users from accessing network
• Monitor products – provide security patches as needed
• Test – security of device before launch
• FTC recommends data minimization
Via Pepper Law Publication
Questions: Connected Devices
• Do the devices store & transmit data securely?
• Do they accept software security updates to address new risks?
• Do they provide a new avenue to unauthorized access of data?
• Do they provide a new way to steal data?
• Do they connect to the institution's existing IT infrastructure in a way that puts data stored there at greater risk?
• Are the APIs – through which software and devices connect – secure?
Take Action & Gain Control
• Perform a risk assessment to identify gaps
• Partner with compliant service providers
• Create processes and documentation for entire device lifecycle (purchase, configure, test, operate, deprecate, dispose)
• Remediate high risk areas
• Procedures for physical access
• Educate
67% of healthcare organizations plan to spend money on HIPAA audit prep technology/services in 2016*
*Article by HIPAA Journal
Q & A
Example Policies
• Patient access policies
• Guest access policies
• Network security policy
• System users and management
• Software security policy
• Remote access policy
• Personal use policies
• Security training
• Email/web policies
• Medical device policies
• EHR handling policies
• Workflow policies
• Endpoint security policies
• Information logging policies
Additional Resources & Links
• http://www.businessinsider.com/internet-of-things-in-healthcare-2016-8
• NIST Special Publication 800-183 Networks of ‘Things’
• http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
• http://dupress.com/articles/internet-of-things-iot-in-health-care-industry/#end-notes
• https://www.securityevaluators.com/hospitalhack/securing_hospitals.pdf
• http://www.pepperlaw.com/publications/beyond-hipaa-connected-health-care-and-the-internet-of-things-2015-04-14/
Contact Us
[email protected] | Free: (888) 667-2660 | www.onr.com
SECURE | HYBRID | COMPUTING | 888.667.2660 | AUSTIN | RALEIGH