Securing sensitive health data


Page 1: Securing sensitive health data

Securing sensitive health data

Brecht Claerhout [email protected]

June 4th, 2015 - B. Claerhout

Page 2: Securing sensitive health data

About Custodix

• Custodix provides solutions that enable compliant collection, exchange and (re-)use of sensitive data, focussed on the healthcare and pharmaceutical sector.

• Small highly skilled team (software engineering, IT security, privacy & compliance, health data management)

• Strong reputation with industry and care providers

– Worked for multiple Fortune 500 companies.

– 10+ years of experience as a TTP provider, delivering services 24/7.

• Strong security & privacy protection R&D background

– 10+ years participation at the top of European research through the EU Framework Programmes and the Innovative Medicines Initiative (IMI).


http://www.custodix.com/ Kortrijksesteenweg 214 b3, 9880 St-Martens-Latem

Service areas:

• Data Privacy Consultancy

• Trusted Third Party (TTP) Data Collection Services

• Identity & Access Management

• Anonymisation & Pseudonymisation


Page 3: Securing sensitive health data

Security and privacy, crucial for mHealth

• Security, privacy and data protection are very high on the list of top challenges to be addressed to make mHealth successful

– Cf. a.o. the public consultation on the uptake of mobile health care in the EU by the European Commission

Mobile environment + health data: health data encompasses some of the most private and sensitive data there is, and it is prone to abuse


Page 4: Securing sensitive health data

Complex environment

• As secure as the weakest link

– Device security

• Variety of devices: tablets, phones, IoT, …

• Operating system heterogeneity: iOS, Android, Windows Phone

– version heterogeneity

• Rapid technology evolution (APIs, third-party SDKs, …)

– Server side platform security (Cloud)

– Multitude of communication paths


Page 5: Securing sensitive health data

Hostile environment

• Physical access: stolen & lost devices

– 68% of health data breaches relate to loss or theft of mobile devices or files (US)

• Vendor operating system update & patch strategies

• Malicious apps

– Even in official stores

• Device protection software is not commonplace

• Inherent frequent exposure to outside attacks

– Devices connect to networks (esp. Wi-Fi) without any selectivity on trust


Page 6: Securing sensitive health data

Data protection by design and by default

• Clear project scope is crucial for defining data protection strategy from the very beginning

– Address legal and technical aspects from the design stage

– Adjusting the purpose of data processing “as you go” can have serious legal impact and can affect user trust

• Data protection strategy is dependent on the application

– Application target users: consumers, HCPs, … (or all)

– Application environment: closed vs. open environment (e.g. intramural), regulated or free (e.g. clinical trials)

– Displaying information - collecting data - making recommendations - decision support

– Connectivity to platforms, devices, …

Application types: wellness & fitness, PHR, disease management, teleconsult, telemonitoring, ePRO, EMR access, diagnostic recommendations, etc.


Page 7: Securing sensitive health data

Data protection

• Data Protection directive (95/46/EC)

– Applicable when processing personal data

• Cf. status of health related data

– mHealth, multi-stakeholder environment

• Who is (are) the data controller(s) in your initiative?

– Informed consent and transparency

• Specific, free

• “Informed”: requires a clear view of what you plan to do

• ePrivacy directive (2002/58/EC, 2009/136/EC)

– Storing or accessing information on devices

– Informed consent and transparency

Art 29 Working Party worries about data protection & apps

– Lack of transparency

– Lack of meaningful consent

– Poor security measures

– Trend towards data maximisation


Page 8: Securing sensitive health data

Security

• Legal requirement

– Data Protection Directive: “Requirement to take the necessary organisational and technical measures to protect personal data”

• Consequences of insufficient security & data breaches

– Cost of dealing with the breach

– Loss of reputation (loss of business)

– In the EU, no major legal cases…

• Future: Data Protection Regulation – Need to have a “security plan”

• Continuous evaluation, vulnerability management, bug fixes, …

– Introduction of pecuniary penalties


Page 9: Securing sensitive health data

Security

• Usual suspects…

– Address security at all points

• Device, backend, …

– Secure communication

• Encryption in transit (proper use of SSL/TLS)

– Storage of sensitive data: local or cloud?

• Encryption at rest

– Proper authentication & authorisation

• Mixed on-line / off-line authorised usage needs consideration

• You might need to think of…

– Availability

• Mission critical applications

– Integrity

• Integrity of collected data (e.g. sensors)

Security properties: Confidentiality, Integrity, Availability, Audit & Accountability

Clear link to patient safety & potential fraud in health environments
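The "proper use of SSL/TLS" bullet above is where mHealth clients most often fail quietly: verification gets switched off during development and ships that way. The following added example (not from the slides or from Custodix) turns the bullet into a check a developer can run against the TLS configuration of a Python client. The helper names audit_tls_context, make_hardened_client_context and make_weak_client_context are assumptions made for this example; the checks themselves use only the standard ssl module.

```python
import ssl
import warnings

# Hypothetical helper names for this example; the checks use the standard
# library ssl module only and run offline (no connection is opened).


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return findings for an SSLContext a client would use to reach a backend.

    An empty list means the three baseline checks passed: the server
    certificate is verified, the hostname is matched, and legacy TLS is off.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version below TLS 1.2)")
    return findings


def make_hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the peer against the system CA store,
    matches the hostname, and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """The 'it works on my machine' context that silently disables
    verification. Kept here only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():  # TLS 1.0 is deprecated; some builds warn
        warnings.simplefilter("ignore")
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except (ValueError, ssl.SSLError):
            pass  # OpenSSL build refuses TLS 1.0 entirely: keep its default
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", make_weak_client_context()),
                      ("hardened", make_hardened_client_context())):
        problems = audit_tls_context(ctx)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The audit only reads attributes, so it can be dropped into a unit test that runs against the context object the app actually constructs; a finding on verify_mode or check_hostname is the configuration equivalent of "encryption in transit" being present in name only, since any party on the Wi-Fi path could present its own certificate.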


Page 10: Securing sensitive health data

Things to consider when

OWASP Top 10 Mobile Risks 2014

1. Weak Server Side Controls

• cf. the OWASP Web Top Ten or Cloud Top Ten projects

2. Insecure Data Storage

3. Insufficient Transport Layer Protection

4. Unintended Data Leakage

5. Poor Authorization and Authentication

6. Broken Cryptography

7. Client Side Injection

8. Security Decisions Via Untrusted Inputs

9. Improper Session Handling

10. Lack of Binary Protections

Industry is determined to invest in mHealth

• Platforms, SDKs and APIs will evolve and take health security requirements into account (e.g. Google Fit)


Page 11: Securing sensitive health data

Summary

1. Address security & privacy from the very beginning

– Clearly specify objectives, identify stakeholders and map data flows

– Define your data protection strategy from the design stage

• In any case, adding S&P to an already developed platform is always more costly

– Evaluate S&P during the whole project and software development lifecycle

2. Go to bed with a clear conscience

Cf. mobile banking: text-book example of security by design, primarily protecting transactions (easier than protecting information)

Credit card information    1$
Health data*               10-50$

* US specific, health data helps insurance fraud and identity theft


Page 12: Securing sensitive health data

Thank you for your attention!


Contact Information

Brecht Claerhout

[email protected]

Custodix NV KORTRIJKSESTEENWEG 214 bus 3

B-9830 SINT-MARTENS-LATEM (BELGIUM)

+32 9 210 78 90
