Millions Of Patient Health Records Now At Risk
Through Unregulated APIs
October, 2021
WTF?
@danmunro

Storyteller
Infrastructure Software Engineer
Author and Forbes Contributor

2 ACT STORY
NB: THIS CONTENT IS EXCLUSIVE TO THE U.S. MARKET

ACT 1
“If it wasn’t complicated – it wouldn’t be allowed to happen. The
complexity disguises what’s happening. If it’s so complicated that you
can’t understand it – then you can’t question it.”
Michael Lewis

Timeline (consolidated from the build slides)
1979 – PGI & Associates; Software Development Laboratories
1996 – HIPAA: Security + Privacy – Title II; CE’s & BA’s
2004 – ONC
2009 – HITECH ACT [$30B]

Dr. David Brailer
First ONC – 2004 to 2006
Dr. Bob Wachter: I asked Brailer … if he had still been ONC director in 2008, would he have turned down the [HITECH ACT] $30 billion?
Dr. David Brailer: No, but I would have spent the money on standards, interoperability, a ‘Geek Squad’ to help with training and implementation, and creating a cloud-based ‘medical Internet.’ I never would have spent money on direct subsidies to providers. We’ve built the Frankenstein I was most afraid of.
Excerpt from: The Digital Doctor
By Dr. Bob Wachter (2015)

Patient Pioneers
Dave deBronkart – ePatient Dave
Hugo Campos – Medtronic ICD Data
Dana Lewis – Open-Source Artificial Pancreas System

Anna McCollister-Slipp
4 Rx Medical Devices

ACT 2

Timeline (consolidated from the build slides)
2014 – [Normative – 2019]
2015 – Information Blocking Introduced
[2016] – 80M Records, $16M Fine
2020
2021 – Information Blocking Effective: April 5

“Although the rule acknowledges the tension between data security and authentication procedures [acknowledging that the OAuth 2.0 standard for Health IT Modules’ implementation of an API is susceptible to cross-site request forgery vulnerabilities] it also cautions certified Health IT Modules against requiring patients to reauthorize or reauthenticate with such frequency that it would be considered information blocking.”

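The forgery the rule text refers to is a redirect back to the client app that the patient never initiated. The standard OAuth 2.0 client-side answer is a `state` value minted per authorization request, bound to the user's session and compared on the callback. The following is an added example written for this page, not code from the slides or from the rule text; the authorization URL, client id, scope, redirect URI and the in-memory session store are assumptions for illustration.

```python
# Added example, not code from the slides or from the ONC rule text the slide quotes: the
# standard OAuth 2.0 client-side defence against the cross-site request forgery the rule
# mentions, a `state` value bound to the user's session and checked on the redirect back.
# The URLs, client id, scope and the in-memory session store are assumptions for illustration.
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://ehr.example/oauth/authorize"  # placeholder authorization endpoint
CLIENT_ID = "example-patient-app"                        # placeholder client id
REDIRECT_URI = "https://app.example/callback"            # placeholder registered redirect URI
STATE_TTL_SECONDS = 600                                  # how long a pending request stays valid

# session id -> pending authorization; a real client keeps this in its server-side session
_pending: Dict[str, dict] = {}


def begin_authorization(session_id: str, now: Optional[float] = None) -> str:
    """Mint an unguessable state, bind it to the session, and build the authorization URL."""
    state = secrets.token_urlsafe(32)
    _pending[session_id] = {"state": state, "issued_at": time.time() if now is None else now}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "patient/*.read",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def pending_state(session_id: str) -> Optional[str]:
    """The state currently expected for this session (None if nothing is pending)."""
    entry = _pending.get(session_id)
    return None if entry is None else entry["state"]


def handle_callback(session_id: str, callback_url: str, now: Optional[float] = None) -> str:
    """Accept the redirect only if its state matches the one this session is waiting for.

    Returns the authorization code; raises PermissionError for forged, replayed or stale
    callbacks. No user interaction is involved, so the check costs the patient nothing.
    """
    query = parse_qs(urlparse(callback_url).query)
    entry = _pending.pop(session_id, None)  # single use: consumed whether or not it matches
    if entry is None:
        raise PermissionError("no authorization request pending for this session")
    current = time.time() if now is None else now
    if current - entry["issued_at"] > STATE_TTL_SECONDS:
        raise PermissionError("authorization request expired")
    presented = query.get("state", [""])[0]
    # constant-time comparison; a missing or attacker-chosen state fails here
    if not hmac.compare_digest(presented.encode(), entry["state"].encode()):
        raise PermissionError("state mismatch: callback was not initiated by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code
```

The check sits between the redirect and the token exchange and never prompts the patient, which is why it addresses the forgery case without the repeated reauthentication the rule text warns would itself count as information blocking. Making the state single-use and time-limited also closes the replay of an old callback.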
PLAYING WITH FHIR
[October, 2021]
The vulnerability findings in FHIR mobile apps and APIs accessed via the aggregators and developers were innumerable.
With one patient engagement app, the API endpoint sent me all the patient and clinician records in its database, indicating it was using the mobile app to filter out just my record.

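The excerpt describes an endpoint that authenticates the caller and then returns the whole table, leaving it to the mobile app to show only the current patient's row. The example below, added for this page and not taken from the report or from any EHR vendor's code, puts that pattern beside a handler that resolves the patient from the access token and scopes both searches and single-resource reads on the server. The record store, the token-to-patient map and every name in it are constructed for illustration.

```python
# Added example, not code from the report or any EHR vendor: the over-exposure pattern the
# excerpt describes (the API returns every record and relies on the app to filter) next to a
# handler that scopes the query to the patient the access token was issued for.
# The store, the token-to-patient map and all names below are constructed for illustration.
from typing import Optional

# Constructed sample store of FHIR-like Observation resources.
RECORDS = [
    {"resourceType": "Observation", "id": "obs-1", "subject": {"reference": "Patient/p-100"}},
    {"resourceType": "Observation", "id": "obs-2", "subject": {"reference": "Patient/p-200"}},
    {"resourceType": "Observation", "id": "obs-3", "subject": {"reference": "Patient/p-100"}},
]

# Constructed map from bearer token to the patient it was issued for. In a real deployment
# this comes from token introspection or from the validated claims of the access token.
TOKEN_TO_PATIENT = {"tok-alice": "Patient/p-100", "tok-bob": "Patient/p-200"}


def _subject_for(token: str) -> str:
    """Resolve the authenticated patient from the token, or refuse the request."""
    subject = TOKEN_TO_PATIENT.get(token)
    if subject is None:
        raise PermissionError("invalid or expired access token")
    return subject


def vulnerable_search(token: str) -> list:
    """Vulnerable pattern: authenticate, then return the whole table.

    Any caller holding any valid token receives every patient's data; the only thing
    hiding other patients' rows is the mobile app's own filter.
    """
    _subject_for(token)
    return list(RECORDS)


def hardened_search(token: str, patient_ref: Optional[str] = None) -> list:
    """Hardened pattern: the subject comes from the token, never from the client.

    A client-supplied patient parameter is honoured only when it equals the token's
    subject, so a request for someone else's records is refused rather than served.
    """
    subject = _subject_for(token)
    if patient_ref is not None and patient_ref != subject:
        raise PermissionError("token is not authorized for the requested patient")
    return [r for r in RECORDS if r["subject"]["reference"] == subject]


def hardened_read(token: str, resource_id: str) -> Optional[dict]:
    """Single-resource read with the same ownership check.

    A record owned by another patient is reported exactly like a record that does not
    exist, so the endpoint does not confirm which ids are valid.
    """
    subject = _subject_for(token)
    for r in RECORDS:
        if r["id"] == resource_id and r["subject"]["reference"] == subject:
            return r
    return None
```

The fix is the same for list and read operations: authorization is decided per resource on the server from the token's subject, and the client-supplied patient id is treated as a hint to be checked, not as the source of truth. Response sizes are also a useful detection signal here, since a patient-scoped search that returns the whole table is visible in the API gateway's logs long before anyone reads the app's code.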
Dinner tonight with multiple digital health app CEOs: One EHR has literally turned off App Store access to new apps for at least . . . TWO months. Off
Another EHR said “21CC prevents them from sharing data with apps”
Still so far to go . . . but we can fix this!
7:57 PM · Mar 29, 2022 · Twitter for iPhone

“I might be lambasted for this, but … to be completely frank, I have problems with the information blocking provisions. They represent excellent regulatory policy when judged solely on intent, but, taken more practically, miss on advancing our national posture. They don’t fundamentally change a whole lot, given the exceptions, and really just reinforce HIPAA rights that already existed.”
Brendan Keeler
PM @ Zus Health
November, 2021
Note: Until October 2022 – EHI under IB is a subset of PHI under HIPAA.

Dr. Micki Tripathi
11th ONC – 2021 to Present
“I don’t even like the term ‘information blocking.’ I don’t know how much information blocking is really out there, but I don’t think most of it is malicious in nature. It’s more that providers are not prioritizing the sharing of information. It’s not high on the list, so they’re just doing the bare minimum to avoid penalties without really investing in making interoperability a core part of their business model.”
March, 2022

EPILOGUE

“INFORMATION BLOCKING” COMPLAINTS
[April 5, 2021 – February 28, 2022]
SOURCE: http://hc4.us/IBComplaints
Entity Claiming Info Blocking: 353
Actor Accused of Info Blocking: 316

HEALTHCARE DATA BREACHES 2021
[500+ Records]
SOURCE: http://hc4.us/breaches2021
712 Breaches
45.7 Million Health Records

Jeffrey Wheatman
Sr. VP, Cyber Risk Evangelist
“I believe it’s fairly unlikely that cyber insurance will continue to pay off significant damages as a result of cyber claims and, for the most part, is going to be primarily used for simple things such as paying postage for breach notification mailings, paying for incident response and postmortem investigations.”
A Fight For Coverage
Cyber Insurance Risk in 2022

• #HC Needs APIs – But #HC Data is unique
• Security is a BIG Cost
• #FHIR is a GREAT Resource/Standard
• But standards can’t be ‘voluntary’

2022 APIsecure_Anomaly detection is no longer a strategy
