Hacking Health - USENIX
TRANSCRIPT
Hacking Health
Professor Avi Rubin, Computer Science
Johns Hopkins University
My first security evaluation, 2003
- Rental receipt with printed CC#
- Easy access to consumer data
- Poor data security practices
- Weak authentication, if any
Founded security evaluation company
Getting to know Health IT Security
• In 2009, transitioned from e-voting security
– To healthcare IT security
• Began with IT-focused tours of several hospitals
– Radiology, Pathology, Children's hospital, etc.
– About 6 visits
– Security situation was abysmal
• 8,000 hospital employees, 100% access
• Nurse w/ "special task"
• Home VPN as bridge
• Desktop EHR access
Example: X-rays
Old way / New way (slide images not reproduced)
• Blood Gas Analyzers (BGA) compromised
• PACS system compromised
Healthcare is Unique
• The players:
– Doctors
• (God complex; don't like new ways of doing things)
– Patients
• (often not tech savvy; don't follow instructions)
• Includes all of us
– Nurses & other clinical staff
– Regulators: Congress, FDA
• (well meaning; may not understand implications)
– Insurance companies
– Medical device manufacturers
– Entrepreneurs
• Mobile, Wearables, Internet of Things
Healthcare applications
• Connectivity
– Modern devices, always connected, always on
– Databases always online
• Mobile/cloud
– Data in multiple places
– Data owner not in possession of data
• Expectation that data is always available
Key point: most interaction with health data controlled by SOFTWARE
Controlled by software
• Radiation dosage
• Dosage of medication
• Stocking of supplies in ICU
• Shift schedule for Doctors & Nurses
• EHRs
• Drug dispensing robot
• Communications of devices
Threat model:
Anything controlled by software is potentially exploitable.
Biggest bang for the buck
1. Application whitelisting on medical devices
2. Hygiene for backend systems
3. Database Activity Monitoring – anomalous queries
4. Multifactor authentication for remote access
5. Virtualization for access to clinical data
6. Universal encryption of data
7. Terms of agreement with cloud service providers
8. Automated support for security in chart accesses
9. Privacy for self-identifying data (e.g. genome sequences)
– HIPAA safeguards inadequate
10. Authentication for clinical personnel
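Item 3 in the list above, database activity monitoring for anomalous queries, is the one control that works even when authorization is as coarse as the "8,000 employees, 100% access" situation described earlier, because it is a detective control layered on top of whatever the EHR database already allows. The following is an added example, not code from the talk or from any hospital system: it learns a per-user baseline (query templates, largest result set, working-hour window) from a constructed query log and then flags later events that deviate from it. The user names, table names, thresholds and log lines are all constructed for illustration.

```python
"""Added example: a minimal database activity monitor for EHR queries.

Baseline learning and scoring are deliberately simple so the logic is
visible; a production DAM would key on session, client host and
statement type as well.  All data below is constructed for the example.
"""
import re
from collections import defaultdict
from typing import NamedTuple


class QueryEvent(NamedTuple):
    user: str   # database principal that issued the statement
    hour: int   # local hour of day, 0-23
    sql: str    # statement text as captured from the database audit log
    rows: int   # rows returned or affected


# Replace string literals and bare integers so two lookups of different
# patients share one template, while a different WHERE clause does not.
_LITERALS = re.compile(r"'[^']*'|\b\d+\b")
_WS = re.compile(r"\s+")

# Hypothetical thresholds: a read is "bulk" only if it exceeds both an
# absolute floor and a multiple of the largest read in the user's history.
MIN_BULK_ROWS = 100
ROW_MULTIPLIER = 5


def normalize(sql: str) -> str:
    """Reduce a statement to its template, e.g.
    "SELECT * FROM patients WHERE mrn = '1'" -> "select * from patients where mrn = ?"."""
    return _WS.sub(" ", _LITERALS.sub("?", sql.strip().lower()))


def build_baseline(events):
    """Learn, per user: the set of query templates seen, the largest result
    set, and the earliest/latest hour of activity.  Caveat: a baseline
    learned from an already-compromised environment bakes the abuse in."""
    base = defaultdict(lambda: {"templates": set(), "max_rows": 0,
                                "first_hour": 23, "last_hour": 0})
    for e in events:
        b = base[e.user]
        b["templates"].add(normalize(e.sql))
        b["max_rows"] = max(b["max_rows"], e.rows)
        b["first_hour"] = min(b["first_hour"], e.hour)
        b["last_hour"] = max(b["last_hour"], e.hour)
    return dict(base)


def score(event: QueryEvent, baseline) -> list:
    """Return the list of reasons an event is anomalous (empty if none)."""
    b = baseline.get(event.user)
    if b is None:
        return ["unknown principal"]
    reasons = []
    templ = normalize(event.sql)
    if templ not in b["templates"]:
        reasons.append(f"new query shape: {templ}")
    if event.rows > max(MIN_BULK_ROWS, ROW_MULTIPLIER * b["max_rows"]):
        reasons.append(f"bulk read: {event.rows} rows vs baseline max {b['max_rows']}")
    if not b["first_hour"] <= event.hour <= b["last_hour"]:
        reasons.append(f"off-hours: {event.hour:02d}:00")
    return reasons


def detect(events, baseline):
    """Run every event through score() and collect (user, reasons) alerts."""
    return [(e.user, r) for e in events if (r := score(e, baseline))]


# Constructed training log: a ward nurse doing single-chart lookups during
# the day, and a billing batch job reading a few hundred claims overnight.
BASELINE_LOG = [
    QueryEvent("nurse_kim", 8, "SELECT * FROM patients WHERE mrn = '100234'", 1),
    QueryEvent("nurse_kim", 13, "SELECT * FROM patients WHERE mrn = '100871'", 1),
    QueryEvent("nurse_kim", 19,
               "SELECT * FROM meds WHERE mrn = '100871' AND given_on = '2014-05-03'", 4),
    QueryEvent("billing_app", 1,
               "SELECT claim_id, amount FROM claims WHERE status = 'open'", 380),
    QueryEvent("billing_app", 3,
               "SELECT claim_id, amount FROM claims WHERE status = 'open'", 412),
]

# Constructed events to score: one normal lookup, one 2 a.m. dump of the
# whole patient table, one normal billing run, one unknown account.
NEW_EVENTS = [
    QueryEvent("nurse_kim", 10, "SELECT * FROM patients WHERE mrn = '778812'", 1),
    QueryEvent("nurse_kim", 2, "SELECT name, dob, ssn FROM patients", 8000),
    QueryEvent("billing_app", 2,
               "SELECT claim_id, amount FROM claims WHERE status = 'open'", 350),
    QueryEvent("contractor_x", 12, "SELECT * FROM patients WHERE mrn = '778812'", 1),
]


def run_demo():
    """Build the baseline from the training log and score the new events."""
    return detect(NEW_EVENTS, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for user, reasons in run_demo():
        print(user, "->", "; ".join(reasons))
```

The three signals are independent on purpose: the 2 a.m. table dump trips all of them, but a daytime dump by a legitimate user would still trip the new-shape and bulk-read checks, and a stolen account used at the right hour for its usual query shapes would only show up through volume. Whitelisting of templates is the strongest of the three for an EHR, where the set of statements an application issues is small and stable.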
Final Thoughts
• Healthcare sector has unique security challenges due to:
– Regulatory environment
– Stakeholders
– Dependence on software
– Availability requirements for data
– Affects us all personally!
– Trend towards cloud/mobile
• Need to consider security implications of new technologies,
e.g. network-connected infusion pumps
Speaker information
Professor Avi Rubin
Dept. of Computer Science
Johns Hopkins University
Email: [email protected]
avirubin.com
@avirubin