HIMSS 2016 Lunch & Learn: Data Security in IoT (and ePHI Risks)
TRANSCRIPT
Data Security Risks in the Internet of Everything
Chad Kissinger | Founder, OnRamp
Agenda
• Intro
• What is The Internet of Things?
• IoT Benefits
• IoT Challenges and Risks
• Recommendations
• Q&A
Speaker Biography
Chad Kissinger Founder, OnRamp
Since founding OnRamp in 1994, Chad has driven the growth and business model evolution of the company from a start-up ISP to an established provider of data center services. OnRamp is a high security and hybrid hosting provider that operates multiple enterprise class data centers located in Austin, Texas and Raleigh, North Carolina. A founding member, former President & Legislative Chair of the Texas Internet Service Provider Association, and leader in the development of OnRamp’s HIPAA compliant hosting solutions, Chad is highly experienced in data privacy and security issues.
Focus On Compliance
Services
• COLOCATION: highly dense, highly available colocation services backed by Full7Layer Support
• PRIVATE CLOUDS: dedicated, secure computing environment with virtualization
• CLOUD SERVICES: scalable, secure computing infrastructure
What’s the Big Deal?
• $2.2 Million: average cost of a data breach*
• 11 Million healthcare records exposed in 2016**
• 44 percent of all registered data breaches in 2013 targeted at medical companies**
*Article by HIPAA Journal; **Survey by Ponemon Institute
What Is IoT?
• Everyday objects that connect to the Internet and that send and receive data
• Multi-system integration: cloud, mobile, medical devices, & smart home
• NIST Special Publication 800-183 Networks of ‘Things’
• Sensing, Computing, Communication, and Actuation
Benefits
‘Cyber-physical systems’ could save $63 billion in healthcare costs over 15 years with a 15-30% reduction in hospital equipment costs and a 15-20% increase in patient throughput*
*Healthcare IT News
Win-Win Scenario
Patients: early detection, prevention and treatment
Providers: cost savings through reduced hospital remissions and healthcare costs
Continued Growth
IoT - Clinical
• Devices
  • Lab analyzers
  • Insulin pumps
  • Vital sign monitors
• Types of Data
  • X-ray images
  • Dosage settings
  • Therapy timers
IoT – Non-Clinical Devices & Data Flow
• Health apps
• Email
• Jump Drives
• Wearables
• Health sensors
• Smart thermostats
• Entertainment systems
• Light controls
• Motion sensors
Here’s the bad news…
Even if a device is unimportant, it’s the network that’s at risk!
“A lot of adversaries aren't looking at it as 'let me go and attack your toaster': they're looking at it as 'let me attack your toaster to use it as a way to get into the rest of your network'." - John Pironti, President of IP Architects
Challenges & Risks
Data Integrity, Availability and Privacy
In 2014, there were 333 medical data breaches, compared to 271 breaches in 2013 – a 23% increase year-over-year.*
• No standards for medical software and firmware
• Full-time management and monitoring required for health networks
• Data must be secure, but accessible for medical personnel
• Fixing vulnerabilities not always possible
*Computer.org
Technical Threats to IoT
Threat Sources
Verizon 2015 Data Breach Investigations Report – 2,260 breaches
Why Is This Happening?
Business
• Not enough resources
• Ineffective training
• Lack of policies & procedures
• Lack of audit procedures
• Weak physical security
Technical
• Lack of encryption
• Weak remote access controls
• Lack of network awareness
• Insecure network architecture
• Insufficient access controls
• Lack of logging/monitoring
• Gaps in system patching
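The "toaster" quote on the earlier slide and the technical gaps listed here (lack of network awareness, insecure network architecture, lack of logging/monitoring) point at the same control: a low-value device on an IoT segment should never be able to reach clinical systems except over the flows it was deployed for. The script below is an added example, not material from the deck or from OnRamp, showing how a defender can turn flow logs into that check. The segment CIDRs, the allowlist, the flow-log format and every log line are constructed for this example and are not real hospital data.

```python
import ipaddress
from collections import namedtuple

# Constructed segment plan (assumption): a separate IoT VLAN, a clinical/EHR
# server segment and a corporate user segment.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.30.0.0/16"),
    "clinical": ipaddress.ip_network("10.10.0.0/16"),
    "corp": ipaddress.ip_network("10.20.0.0/16"),
}

# Flows IoT devices are expected to originate: (destination network, port).
# Constructed allowlist: devices may only talk to one telemetry collector.
ALLOWED_IOT_FLOWS = [
    (ipaddress.ip_network("10.10.5.10/32"), 443),
]

Flow = namedtuple("Flow", "ts src dst dport proto")


def parse_flow(line):
    """Parse one record in the constructed format '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def segment_of(addr):
    """Map an address to the segment it belongs to, or 'unknown'."""
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow):
    """True if the destination and port match an allowlisted IoT flow."""
    return any(flow.dst in net and flow.dport == port for net, port in ALLOWED_IOT_FLOWS)


def find_pivots(lines):
    """Return (src, dst, dport, dst_segment) for every flow in which an IoT host
    reaches outside the IoT segment without an allowlist entry. Intra-segment
    traffic and flows from non-IoT sources are ignored."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if segment_of(flow.src) != "iot":
            continue
        if segment_of(flow.dst) == "iot":
            continue
        if is_allowed(flow):
            continue
        findings.append((flow.src, flow.dst, flow.dport, segment_of(flow.dst)))
    return findings


# Constructed sample log: two normal telemetry uploads, then the same IoT host
# probing a clinical server on ports it has no business reaching.
SAMPLE_LOG = """
2016-03-01T10:00:01Z 10.30.4.21 10.10.5.10 443 tcp
2016-03-01T10:00:07Z 10.30.4.21 10.10.5.10 443 tcp
2016-03-01T10:02:15Z 10.30.4.21 10.10.7.44 445 tcp
2016-03-01T10:02:16Z 10.30.4.21 10.10.7.44 3389 tcp
2016-03-01T10:05:00Z 10.20.1.5 10.10.7.44 443 tcp
2016-03-01T10:06:00Z 10.30.4.22 10.30.4.1 53 udp
"""

if __name__ == "__main__":
    for src, dst, port, seg in find_pivots(SAMPLE_LOG.splitlines()):
        print(f"ALERT: IoT host {src} -> {dst}:{port} ({seg} segment) not on allowlist")
```

The allowlist is deliberately narrow (one collector, one port); in practice it would be generated from the device lifecycle documentation the later slides call for, so that every new device class arrives with its expected flows already recorded and anything else becomes an alert rather than background noise.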
Best Practices
• Security by design - build security into devices
• Culture of security - promote good security within organization
• Third-party service providers – ensure 3rd party providers maintain reasonable security
• Defense in depth strategy – multiple layers of security against risks
• Access control measures – measures to keep unauthorized users from accessing network
• Monitor products – provide security patches as needed
• Test - security of device before launch
• FTC recommends data minimization
Via Pepper Law Publication
Questions: Connected Devices
• Do the devices store & transmit data securely?
• Do they accept software security updates to address new risks?
• Do they provide a new avenue to unauthorized access of data?
• Do they provide a new way to steal data?
• Do they connect to the institution's existing IT infrastructure in a way that puts data stored there at greater risk?
• Are the APIs – through which software and devices connect – secure?
Take Action & Gain Control
• Perform a risk assessment to identify gaps
• Partner with compliant service providers
• Create processes and documentation for entire device lifecycle (purchase, configure, test, operate, deprecate, dispose)
• Remediate high risk areas
• Procedures for physical access
• Educate
67% of healthcare organizations plan to spend money on HIPAA audit prep technology/services in 2016*
*Article by HIPAA Journal
Q & A
Example Policies
• Patient access policies
• Guest access policies
• Network security policy
• System users and management
• Software security policy
• Remote access policy
• Personal use policies
• Security training
• Email/web policies
• Medical device policies
• EHR handling policies
• Workflow policies
• Endpoint security policies
• Information logging policies
Additional Resources & Links
• http://www.businessinsider.com/internet-of-things-in-healthcare-2016-8
• NIST Special Publication 800-183 Networks of ‘Things’
• http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
• http://dupress.com/articles/internet-of-things-iot-in-health-care-industry/#end-notes
• https://www.securityevaluators.com/hospitalhack/securing_hospitals.pdf
• http://www.pepperlaw.com/publications/beyond-hipaa-connected-health-care-and-the-internet-of-things-2015-04-14/
Contact Us
[email protected]
Free: (888) 667-2660
www.onr.com
SECURE | HYBRID | COMPUTING | 888.667.2660 | AUSTIN | RALEIGH