Original webinar: http://get.skycure.com/mobile-security-in-healthcare-webinar
In this webinar, Jim Routh, CSO at Aetna, and Adi Sharabani, CEO and co-founder at Skycure, discuss:
- The state of mobile security in Healthcare organizations
- How to improve incident response and resilience of mHealth IT operations
- How to leverage risk-based mobility to predict, detect and protect against threats
4. Aetna Inc.
The Mobile Device is Our New Appendage
• There are now more cell phones on the planet than there are people
• 90% of 18-29 year-olds in the U.S. sleep with their cell phones
• 65% of survey respondents said mobile phones make them better parents
• 75% of survey respondents bring their phones to the bathroom
• Apple Siri captures everything you say to her for 6 months and aggregates it for 18 months
• Social media apps have the ability to use your phone's microphone to listen to your dialog
• What is the most commonly used mobile app?
Source: Qualcomm, Slick Text Surveys
The mobile phone is the best surveillance device in history
5. Aetna Inc.
Mobile Security Landscape
Factors driving changes in mobile security (the slide groups them under two headings, "Security Changes" and "New Interaction Opportunities"):

New Interaction Style
• Frequent and shorter log-ins instead of long online sessions
• Barriers to task completion
• Improved customer experience using native features users are familiar with; information presented in a format that uses native features

Native Applications
• No browser; the application itself needs hardening
• Additive controls are feasible

Security Sensitivity
• Mobile customers want more security to have confidence in the channel; customer adoption is slower due to security concerns

App Stores
• Software distribution is a factor in the security profile
• Security vetting varies greatly between stores
• Fraudsters can scan mobile apps in app stores for vulnerabilities more easily

New Capabilities
• The mobile channel offers geolocation and enhanced authentication capabilities (voice recognition, image and device attributes)
• Mobile can potentially offer a better customer experience (location of ATMs, identification in a branch, authentication to a CSR, voice commands, etc.)

Proximity with User
• 90% of 18-29 year olds sleep with their phone
• 113 smartphones are lost or stolen every minute
• The theft of cell phones makes up 30-40% of all robberies nationwide

Consolidated Channels
• Email, phone and browser used to be separate channels; they are now consolidating
7. Aetna Inc.
Dimensions of Mobile Application Risk
The mobile ecosystem: 1. Application Development, 2. Software Distribution, 3. Device Configuration (Consumer / Enterprise User). The fourth dimension: Privacy.

1. Application Development
• Threat models / security features
• Education & developer checklist
• Application "wrapper" options
• Root detection
• Authentication
• Security Test Selection Matrix: static analysis, dynamic scanning, pen testing

2. Software Distribution
• Different stores have different security vetting procedures
• The probability of "application collision" needs to be managed
• Vetting mobile apps used by enterprise users for security and privacy
• Does the app need to be tamper resistant?

3. Device Configuration
• Consumer: code protection, root/malware detection, authentication, channel verification
• Enterprise: mobile device configuration standard (MDM), authentication controls, VPN channel
8. Aetna Inc.
Aetna Mobile App Security SDLC
Phases: Requirements, Design, Development, Test, Release

Technical design patterns:
• Key management
• Encryption (data in transit, data at rest)
• Authentication
• Version updates

Activities across the lifecycle (the slide labels them ENABLE, VERIFY and DISTRIBUTE, and marks each as Preventive or Detective):
• Security requirements
• Threat modeling
• Design patterns
• Mobile Mavens
• Mobile security software training (role-based curriculum)
• Behavioral authentication SDK
• Code protection
• Process guides
• Static analysis
• Dynamic scanning
• Ethical hacking
• Open source risk classification
• App signing (DISTRIBUTE)
9. Aetna Inc.
Threat Modeling / App Risk Assessment
Key questions when threat modeling:
• What are we building?
• What information can be abused?
• Are there flaws in the design?
• How will the customer information captured be handled, and on which platforms?
Benefits of threat modeling:
• Early identification of security defects, at lower cost
• Increased product quality
• Identify and understand security requirements
10. Aetna Inc.
Static Source Code Analysis
• Performed during the development cycle
• Includes exhaustive review of code quality (e.g. Objective-C, Java or C#), security and privacy issues
• Goal is to decrease defects during the development lifecycle, which results in longer-term savings
• Benefits:
  • Immediate feedback and learnings for developers
  • Explicit references to areas needing attention
  • Catches developer oversights
  • Increased product quality
Scan Results
11. Aetna Inc.
Next Generation Authentication
• Binary authentication is obsolete
• Behavioral-based model is key
• Innovation applied to the interface
Authentication Hub: LOA, Advanced Analytics, Risk Score API, Dynamic LOA API, Backend Analytics & Risk Engine
Capabilities shown on the slide:
• Prevent @ Inception
• RT Push + TouchID
• iWatch & Sign Out
• Wearables + T/Haptic
• Spatiotemporal + Real-Time (RT) Authorization
• SWIPE + Contextual
• SWIPE + TAP
• Advanced Contextual
• Cognitive & Device Biometrics
• FIDO UAF 1.0
• FIDO 2.0 (when available)
• Decentralized Authentication
The mobile device provides an opportunity to improve authentication
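The slide names a Risk Score API, a Dynamic LOA API and a spatiotemporal check, but does not show how they fit together. The following is an added example, not Aetna's engine: a small backend risk engine that scores a mobile session from two of the signals the slide names (device binding and spatiotemporal plausibility), turns the score plus the action's sensitivity into a required level of assurance, and picks the step-up (push + TouchID, or a FIDO UAF authenticator) when the session's current LOA falls short. The weights, thresholds, the 1-3 LOA scale, the step-up names and the sample events are all constructed assumptions.

```python
"""Risk-scored, dynamic level-of-assurance decision for a mobile session.

Added example for the 'Risk Score API / Dynamic LOA API' idea on this slide,
not Aetna's engine. Signal weights, thresholds, the LOA scale (1-3), the
step-up methods and the sample events are constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass(frozen=True)
class Event:
    user: str
    device_id: str
    lat: float
    lon: float
    ts: int  # Unix seconds


@dataclass(frozen=True)
class Decision:
    score: int
    required_loa: int
    step_up: str  # "none", "push+touchid", "fido_uaf" or "deny"


UNKNOWN_DEVICE = 40        # weight: device never bound to this user
IMPOSSIBLE_TRAVEL = 50     # weight: faster than any flight since last event
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruise speed
DENY_AT = 90               # no step-up can rescue a session this risky


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(event: Event, known_devices: set, last: Optional[Event]) -> int:
    """Additive risk score in [0, 100] from device binding and travel plausibility."""
    score = 0
    if event.device_id not in known_devices:
        score += UNKNOWN_DEVICE
    if last is not None:
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = (event.ts - last.ts) / 3600.0
        # Spatiotemporal check: a second sighting that would need superhuman
        # travel speed means one of the two sessions is not the real user.
        if km > 1.0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += IMPOSSIBLE_TRAVEL
    return min(score, 100)


def decide(event: Event, known_devices: set, last: Optional[Event],
           session_loa: int, action_sensitivity: int) -> Decision:
    """Map risk plus the action's sensitivity (1-3) to a required LOA and step-up."""
    score = risk_score(event, known_devices, last)
    if score >= DENY_AT:
        return Decision(score, 3, "deny")
    # Risk raises the bar even for low-sensitivity actions: 30+ needs LOA 2, 60+ LOA 3.
    risk_loa = 1 + (score >= 30) + (score >= 60)
    required = min(3, max(action_sensitivity, risk_loa))
    if required <= session_loa:
        step = "none"
    elif required == 2:
        step = "push+touchid"  # real-time push to the bound device plus biometric
    else:
        step = "fido_uaf"      # device-bound authenticator for LOA 3
    return Decision(score, required, step)


# Constructed events: a password login (LOA 1) in New York, then activity an hour later.
NYC_LOGIN = Event("user1", "dev-A", 40.7128, -74.0060, 1_700_000_000)
NYC_LATER = Event("user1", "dev-A", 40.7306, -73.9352, 1_700_000_000 + 3600)
LONDON_LATER = Event("user1", "dev-A", 51.5074, -0.1278, 1_700_000_000 + 3600)
LONDON_NEW_DEVICE = Event("user1", "dev-B", 51.5074, -0.1278, 1_700_000_000 + 3600)
KNOWN = {"dev-A"}

if __name__ == "__main__":
    for label, ev, sens in (("same city, view ID card", NYC_LATER, 1),
                            ("impossible travel, view ID card", LONDON_LATER, 1),
                            ("impossible travel, change bank account", LONDON_LATER, 3),
                            ("impossible travel + new device", LONDON_NEW_DEVICE, 1)):
        print(label, decide(ev, KNOWN, NYC_LOGIN, session_loa=1, action_sensitivity=sens))
```

The point of the structure is that the same password session gets a different answer depending on what is being asked and what the device and location say: a low-risk, low-sensitivity request passes silently, an implausible hop from New York to London within the hour forces a push + TouchID before even a benign action, a sensitive action on that session demands the stronger authenticator, and a risk score that also includes an unbound device is refused outright rather than stepped up.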
12. Aetna Inc.
Brand Protection – Tamper Resistance
• Reduce ability to perform app store scan for security vulnerabilities
• Increase difficulty for attackers to create malware attacking our applications
• Reduce ability to create clone applications
• Provide brand protection
14. Aetna Inc.
The 2 Most Widely Exploited Mobile Vulnerabilities
• Apps for Android: 314,000,000 hits
• TLS is broken: any credentials shared are exposed
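"TLS is broken" on this slide and the static source code analysis slide earlier (slide 10) are two sides of the same problem: the usual reason an app's TLS exposes credentials is not a protocol flaw but application code that turns certificate or hostname validation off, and that code is exactly what a static scan catches before release (or what a fraudster finds in a store-downloaded binary). The following is an added example, not Aetna's or Skycure's tooling: a small Python rule set that flags the well-known Android idioms for disabling validation, run over two constructed Java samples, an insecure client and a pinned one. The rule names, the sample class names and the all-zero placeholder pin are assumptions.

```python
"""Static-analysis rules for the 'TLS is broken' anti-patterns in Android code.

Added example, not tooling from Aetna or Skycure. The rules are regexes over
well-known idioms that disable certificate or hostname validation; the Java
samples are constructed (class names and the pin value are placeholders).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str


# Rule name -> pattern. Each is a heuristic: a hit means "review this code".
RULES = {
    # checkServerTrusted with an empty body accepts any certificate chain.
    "empty-checkServerTrusted":
        re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    # getAcceptedIssuers returning null/empty is the usual companion of the above.
    "permissive-getAcceptedIssuers":
        re.compile(r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+"
                   r"(?:null|new\s+X509Certificate\s*\[\s*0\s*\])\s*;"),
    # A HostnameVerifier that always returns true disables hostname checks.
    "hostnameVerifier-returns-true":
        re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;"),
    # Network security config that lets the app talk plaintext HTTP.
    "cleartext-traffic-permitted":
        re.compile(r'cleartextTrafficPermitted\s*=\s*"true"'),
}


def scan(source: str) -> list:
    """Return every rule hit in `source` as Findings, ordered by line."""
    lines = source.splitlines()
    findings = []
    for name, pattern in RULES.items():
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append(Finding(name, line, lines[line - 1].strip()))
    return sorted(findings, key=lambda f: (f.line, f.rule))


# Constructed sample: the insecure idiom that makes TLS decorative.
INSECURE_JAVA = """\
public class InsecureClient {
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return null; }
        }
    };
    static void disableHostnameCheck() {
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
    }
}
"""

# Constructed sample: the hardened form. Platform chain validation runs first,
# then the leaf's SubjectPublicKeyInfo hash is compared to a pinned value.
PINNED_JAVA = """\
public class PinnedClient {
    static final byte[] PINNED_SPKI_SHA256 = new byte[32]; // placeholder pin
    static X509TrustManager pinning(final X509TrustManager platform) {
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType);
                try {
                    byte[] spki = chain[0].getPublicKey().getEncoded();
                    byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
                    if (!MessageDigest.isEqual(digest, PINNED_SPKI_SHA256)) {
                        throw new CertificateException("SPKI pin mismatch");
                    }
                } catch (NoSuchAlgorithmException e) {
                    throw new CertificateException(e);
                }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() {
                return platform.getAcceptedIssuers();
            }
        };
    }
}
"""

if __name__ == "__main__":
    for name, src in (("InsecureClient", INSECURE_JAVA), ("PinnedClient", PINNED_JAVA)):
        hits = scan(src)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: {f.rule}: {f.snippet}")
```

The insecure sample trips three rules (the empty trust check, the null issuer list and the always-true hostname verifier) and the pinned sample trips none: its checkServerTrusted has a real body that first defers to the platform validator and only then compares the pin, so a forged or attacker-issued certificate fails before any credential leaves the device. Regex rules of this kind are cheap to run on every commit and in a store-scan of a release build; their hits are leads for review, not proof, since a match can be reached only through dead code.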