Secure and Reliable Data Exchange with IoT Devices Vinny Sakore & Amit Trivedi February 29, 2016


Mobile and Internet of Things (IoT)

Security Risk With IoT Technology

Nepal Earthquake (April 25, 2015)

- Saturday 8AM – find out an earthquake hit Nepal within a mile of where our friends are.
- 9AM – our friend’s parents FB post that they are OK.
- 1PM – We find out through FB that all thirty of the team are alive, and OK.
- Monday – Safety check notifies me who hasn’t “checked in” and I start getting requests for donations.

Fellowship in a mobile world

Instead of grabbing a cup of coffee with a friend or the Wall Street Journal, we grab a cup of coffee with our iPhone and our friends on Facebook or Instagram

Finance in a mobile world

Healthcare in a mobile world

Q: What is the Internet of Things (IoT)?

Answer: Anything with a power button connected to the Internet.

The future of IoT and mobile devices

The drive to 25 billion connected devices

Connected…Yes… Secure…Not So Much

Regarding IoT: “the big takeaway for companies is data security, data security, data security!”

Julie Brill, Federal Telecommunications Commission

Source: At a recent workshop at the IAPP Global Summit on privacy, FTC Commissioner Julie Brill, commenting on its IoT report, was quoted as saying the “big takeaway for companies is data security, data security, data security.”

Did you know?

83 percent of the world’s top 400 mobile apps come from unique developers – that is, teams that typically seriously lack security expertise.

Security issues with mobile apps

"Mobile security breaches are -- and will continue to be -- the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices" – Gartner

The hacking of an insulin pump!

Best Practices

Securing Mobile and IoT Devices

(1): mobility

- We live in a mobile world and we will never go back, without catastrophe, to not having mobility as a major part of our lives. Mobile apps, mobile devices and IoT devices are here to stay and we have to be ready to live “connected lives.”

- As consumers we need to understand what and how much of our information is online and “uncontrolled.”

Internet of Things (IoT)

- Because IoT is about physical things, hackers who gain access can do more than perform the usual attacks like stealing data, moving money or shutting down web sites; they can also cause havoc by tampering with infrastructure like electrical grids and traffic signals. They can also put lives at risk by meddling with healthcare devices, airplanes, automobiles and elevators.

- While IoT is widely hailed as the Next Big Thing, the key ingredients – network connectivity, information security and infrastructure – have existed for decades.

Risk Management

• Security by Design – Whether it’s appliances, software, toys or electronics, the manufacturer should integrate security into the design process. When considering coverage, it is important that security is implemented into the design of each product throughout the product’s lifecycle.

• Encryption is Essential – Manufacturers should have a strong policy that utilizes encryption. If a data breach happens, but the data is encrypted, a number of “safe harbor” type provisions will be in effect. For example, if the data is encrypted, then its loss is generally not considered a breach.

• Built-In Risk Analysis Program – How often does the manufacturer being underwritten conduct risk analysis, and is it a standard part of the product’s development lifecycle? It is important to gauge the maturity of a manufacturer’s information security program.

• Authorize Connected Devices – Devices that are connected to the Internet should require some type of authorization, such as authentication via digital certificates that confirm each device's identity as well as its access. A hacker who gains access to a small part of a system can gain access to all of it. Authentication can help contain these types of breaches.

• Independently Tested and Certified Products – All product manufacturers should have their security independently tested and certified by a third-party provider. This adds a layer of protection as the products go through rigorous testing and adhere to security standards.

Security & Interoperability Standards

- NIST: DRAFT Framework for Cyber Physical Systems (September 2015). The Framework is intended to serve as a common blueprint for the development of safe, secure, and interoperable systems as varied as smart energy grids, wearable devices, and connected cars.

- FTC: IoT devices come in a variety of forms and shapes, but they have a handful of similar attributes that make security an even greater challenge. The FTC recently released a staff report that took a comprehensive look at IoT; security, including secure APIs, authentication, and product updates, was a key theme.

- Open Web Application Security Project (OWASP): The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

Additional Resources

- The Personal Connected Health Alliance (PCHA) is an organization convening, constraining and advocating global technology standards to advise developers of end-to-end interoperable solutions for personal connected health. It publishes the Continua Design Guidelines that clearly define interoperable interfaces that enable the secure flow of medical data among sensors, gateways, and end services, removing ambiguity in underlying healthcare standards and ensuring consistent implementation through product certification.

- Integrating the Healthcare Enterprise (IHE): IHE International is a global not-for-profit organization that enables the collaboration of healthcare providers and industry leaders to improve the exchange of healthcare information and patient care using IHE's proven framework for interoperability. Medical Equipment Management (MEM): Medical Device Cyber Security – Best Practice Guide (Oct. 2015)

Internet of Things (IoT)

Cloud Security Alliance Guidance

Dependability Assurance Framework For Safety-Sensitive Consumer Devices

Questions?

Thank you!

Amit Trivedi, Program Manager, Healthcare, @a3vedi

Vinny Sakore, CIPT, Assistant HIPAA Security Officer, @VinnySakore