SXSW 2023 Submission Supplement.pptx
1. Your Body is a Unique Database. Who Owns It?
   SXSW 2023 PanelPicker Submission
   Speakers: Stephen Ruhmel, Andy Coravos, Oana Cula, Sachin Shah
   Source: Content derived from playbook.dimesociety.org
2. Safeguarding patient data is a safety issue
   Failure to safeguard against security threats and violations of individuals’ data rights is also a risk to researchers and clinicians. Theft is a data security issue. Misuse is a data rights issue.
   Although the security of a system cannot be guaranteed, quality design and execution can decrease the risk of harm from code flaws, configuration weaknesses, or other issues. Notably, some data and system access may be authorized (or perhaps “not forbidden”), though unwelcome or undisclosed to the patient or other stakeholders. This type of access will also be covered in the next section. While the most likely and most harmful data risks stem from data loss through accidental deletion or failure of continuity measures, it is also critical to protect against data abuse:
   The Playbook / Build the shared foundation / Technologies. Source: Coravos A. et al, Playbook team analysis
3. Overview of security risks posed by connected sensor technologies
   By definition, connected sensor technologies transfer data over the internet, which introduces immediate risks because:
   • an actor could attack and access the product remotely, and
   • often in near-real time.
   Cybersecurity involves:
   • protecting internet-connected systems, data, and networks from unauthorized access and attacks
   • including human error (e.g., the loss of a company’s unencrypted laptop).
   The Playbook / Build the shared foundation / Technologies. Source: Coravos A. et al, Playbook team analysis
4. In the U.S. there is no single regulatory agency tasked with enforcing a uniform set of cybersecurity standards
   As a result, more responsibilities are now placed on companies to deal with cybersecurity threats, which many organizations are unprepared to handle.
   HHS: HIPAA
   • Security Rule
   • Breach Notification Rule
   FTC: FTC Act
   • Section 5: “unfair or deceptive acts or practices”
   FDA: FDA Guidances
   • Postmarket Management of Cybersecurity in Medical Devices Guidance
   SEC: SEC Guidances
   • CF Disclosure Guidance: Topic No. 2: public company disclosures re cybersecurity risks & cyber incidents
   • Unofficial guidance
   • Ransomware Alert
   State laws:
   • Consumer protection laws: Little FTC Acts, laws based on the Uniform Deceptive Trade Practice Act
   • Breach notification laws
   The Playbook / Build the shared foundation / Technologies. Source: Playbook team analysis
5. The E.U. has a growing catalogue of centralised regulations
   These cover aspects of both security and data rights, privacy, and governance (cyber security laws and consumer protection laws).
   GDPR
   • Principles and conditions for the processing of personal data
   • Individuals’ rights
   • Data transfers
   • Breach reporting
   Cybersecurity Act
   • Establishes a permanent EU agency
   • Creates an EU ICT certification framework
   Data Governance Act (DGA)
   • Draft released in late 2020
   • Sets out requirements for data re-use by public bodies, intermediaries and data altruism
   Data Rights Act
   • First draft anticipated in 2021
   • Will likely update the rights of individuals and organisations in the GDPR
   Member states
   The Playbook / Build the shared foundation / Technologies. Source: Playbook team analysis
6. If it’s connected to the internet, it can be hacked
   Learn about the different types of hackers:
   White hat
   • Considered to be good; known as “security researchers”
   • Perform an ethical style of hacking on mission-critical networks
   • Report vulnerabilities by following policies of coordinated disclosure
   Grey hat
   • Consider themselves to be acting for good, but do so in accordance with their own values and ethics, which may not track with governing laws and regulations
   • Prioritize their own perception of right vs. wrong over what the lawyer might say
   Black hat
   • Exploit security flaws for personal or political gain, or for fun
   • Considered cybercriminals; not concerned if they do something illegal or wrong
   The Playbook / Build the shared foundation / Technologies. Source: Adapted from Lahjaty: White hat vs black hat, Playbook team analysis
7. Build strong relationships with security researchers
   Some “hackers” can be your friends and others are foe.
   (This slide repeats the white hat / grey hat / black hat definitions shown on slide 6.)
   The Playbook / Build the shared foundation / Technologies. Source: Adapted from Lahjaty: White hat vs black hat, Playbook team analysis
8. The FDA has been building relationships with security researchers through initiatives like WeHeartHackers.org at DEFCON
   The Playbook / Build the shared foundation / Technologies. Source: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (FDA), We Heart Hackers, Playbook team analysis
9. To get more involved in the security research community, I Am the Cavalry and the Biohacking Village @ DEFCON, a 501(c)3, can support you
   The Playbook / Build the shared foundation / Technologies. Source: I Am the Cavalry, Biohacking Village, Wired, Playbook team analysis
10. SPOTLIGHT: Use a software bill of materials (SBOM) to make your supply chain more resilient (DRAFT FOR PUBLIC COMMENT)
   [Figure 3. Multiple vulnerability pathways. Source: https://healthpolicy.duke.edu/publications/roadmap-developing-study-endpoints-real-world-settings, Playbook team analysis]
   The risk of including third-party software components in healthcare technologies can be managed, in part, by leveraging a software bill of materials (SBOM). Analogous to an ingredients list on food packaging, an SBOM is a list of all included software components. SBOMs provide transparency into a medical technology’s components, which can eventually reduce the feasibility of attacks.
   The Playbook / Build the shared foundation / Technologies. Source: Carmody S. et al, Playbook team analysis
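As an added example (not from the deck or the Playbook), the following Python shows the practical payoff of the SBOM the slide describes: when a component advisory is published, a CycloneDX-style component list for a device can be matched against it to find which shipped components are affected. The SBOM, the advisory ids, the component names and the version numbers are all constructed for illustration.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM in the CycloneDX JSON shape for a hypothetical device firmware.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "example-sensor-firmware", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "mbedtls", "version": "2.16.5"},
    {"type": "library", "name": "freertos-kernel", "version": "10.4.3"}
  ]
}"""

# Constructed advisory feed; the ids are placeholders, not real CVEs.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "fixed_in": "1.1.1l"},
    {"id": "ADV-EXAMPLE-0002", "component": "mbedtls", "fixed_in": "2.16.5"},
]


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Map '1.1.1k' to ((1,''),(1,''),(1,'k')) so OpenSSL-style letter suffixes compare correctly."""
    key = []
    for part in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", part)
        key.append((int(m.group(1)), m.group(2)) if m else (0, part))
    return tuple(key)


def affected_components(sbom: dict, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every SBOM component whose version is older than an advisory's fixed_in version."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("name") != adv["component"]:
                continue
            # A component already at (or past) the fixed version is not affected.
            if version_key(comp.get("version", "0")) < version_key(adv["fixed_in"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


def run_example() -> List[Dict[str, str]]:
    """Check the constructed SBOM against the constructed advisory feed."""
    return affected_components(json.loads(SBOM_JSON), ADVISORIES)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['component']} {f['version']} affected by {f['advisory']} (fixed in {f['fixed_in']})")
```

Without an SBOM this question ("does our device ship the affected library, and which version?") has to be answered by reverse-engineering the build; with one it is a lookup.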
11. U.S. legal protections for data rights are limited
   U.S. law does not have explicit regulations that give consumers full control over how their data is collected, used, and shared. Data rights are limited to a patchwork of protections.
   HHS: HIPAA
   • Privacy Rule
   FTC: FTC Act
   • Section 5: “unfair or deceptive acts or practices”
   State laws:
   • Patient privacy laws based on HIPAA, e.g. CMIA (California), TMPA (Texas)
   • Consumer privacy laws, e.g. CCPA (California), BIPA (Illinois)
   The Playbook / Build the shared foundation / Technologies. Source: Playbook team analysis
12. Example: Data rights considerations (ILLUSTRATIVE)
   • Does the device have any end-user license agreements (EULA) or terms of service (ToS) and privacy policies (PP)?
   • Are these policy documents comprehensive?
   • Are these documents easily accessible (e.g., publicly accessible online)?
   • Is the information contained in them comprehensible by broad audiences?
   The Playbook / Build the shared foundation / Technologies. Source: Coravos A. et al, Playbook team analysis