Securing sensitive health data
Brecht Claerhout
brecht.claerhout@custodix.com
June 4th, 2015 - B. Claerhout
About Custodix
• Custodix provides solutions that enable compliant
collection, exchange and (re-)use of sensitive data,
focussed on the healthcare and pharmaceutical
sector.
• Small highly skilled team
(software engineering, IT security, privacy &
compliance, health data management)
• Strong reputation with industry and care providers
– Worked for multiple Fortune 500 companies.
– 10+ years of experience as a TTP provider, running services 24/7 over those 10 years.
• Strong security & privacy protection R&D
background
– 10+ years participation at the top of
European research through the
EU Framework Programmes and
the Innovative Medicines Initiative (IMI).
http://www.custodix.com/
Kortrijksesteenweg 214 b3, 9880 St-Martens-Latem
(Service areas: Data Privacy Consultancy; Trusted Third Party (TTP) Data Collection Services; Identity & Access Management; Anonymisation & Pseudonymisation)
Security and privacy, crucial for mHealth
• Security, privacy, data protection are very high on the list of
top challenges to be addressed to make mHealth successful
– Cf. a.o. public consultation on the uptake of mobile health care in the EU by
the European Commission
(Mobile environment + health data)
Health data is among the most private and sensitive data there is, and it is prone to abuse.
Complex environment
• As secure as the weakest link
– Device security
• Variety of devices: tablets, phones, IoT, …
• Operating system heterogeneity: iOS, Android, Windows Phone
– version heterogeneity
• Rapid technology evolution (APIs, third-party SDKs, …)
– Server-side platform security (cloud)
– Multitude of communication paths
Hostile environment
• Physical access: stolen & lost devices
– 68% of health data breaches relate to loss or theft of mobile devices or files (US)
• Vendor operating system update & patch strategies
• Malicious apps
– Even in official stores
• Device protection software not commonplace
• Inherent frequent exposure to outside attacks
– Devices connect to networks (esp. Wi-Fi) without any selectivity on trust
Data protection by design and by default
• A clear project scope is crucial for defining the data protection strategy from the very beginning
– Address legal and technical aspects from the design stage
– Adjusting the purpose of data processing “as you go” can have serious legal impact and can affect user trust
• The data protection strategy is dependent on the application
– Application target users: consumers, HCPs, … (or all)
– Application environment: closed vs. open environment (e.g. intramural), regulated or free (e.g. clinical trials)
– Displaying information - collecting data - making recommendations - decision support
– Connectivity to platforms, devices, …
(Application types: wellness & fitness, PHR, disease management, teleconsult, telemonitoring, ePRO, EMR access, diagnostic recommendations, etc.)
Data protection
• Data Protection Directive (95/46/EC)
– Applicable when processing personal data
• Cf. status of health-related data
– mHealth, multi-stakeholder environment
• Who is (are) the data controller(s) in your initiative?
– Informed consent → transparency
• Specific, free
• “Informed”: requires a clear view of what you plan to do
• ePrivacy Directive (2002/58/EC, 2009/136/EC)
– Storing or accessing information on devices
– Informed consent → transparency
• Art 29 Working Party worries about data protection & apps
– Lack of transparency
– Lack of meaningful consent
– Poor security measures
– Trend towards data maximisation
Security
• Legal requirement
– Data Protection Directive: “Requirement to take the necessary
organisational and technical measures to protect personal data”
• Consequences of a lack of security & data breaches
– Cost of dealing with the breach
– Loss of reputation (loss of business)
– In the EU, no major legal cases…
• Future: Data Protection Regulation
– Need to have a “security plan”
• Continuous evaluation, vulnerability management, bug fixes, …
– Introduction of pecuniary penalties
Security
• Usual suspects…
– Address security at all points
• Device, backend, …
– Secure communication
• Encryption in transit (proper use of SSL/TLS)
– Storage of sensitive data: local or cloud?
• Encryption at rest
– Proper authentication & authorisation
• Mixed on-line / off-line authorised usage needs consideration
• You might need to think of…
– Availability
• Mission critical applications
– Integrity
• Integrity of collected data (e.g. sensors)
(Confidentiality, Integrity, Availability, Audit & Accountability: clear link to patient safety & potential fraud in health environments)
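Two of the "usual suspects" above in code, as an added example that is not part of the slides: a client TLS context that keeps certificate and hostname verification on, a check that catches the disabled-verification misconfiguration before it ships, and an HMAC tag plus sequence number that lets a backend reject sensor readings that were altered or replayed in transit. The device key and the readings are constructed for the demo.

```python
import hashlib
import hmac
import json
import ssl

# Constructed demo key only. On a real device the key would be generated and
# held in the platform keystore, never embedded in the app.
DEVICE_KEY = b"constructed-demo-key-not-for-production"

def tls_client_context() -> ssl.SSLContext:
    """TLS settings an app's backend client should insist on: chain validation,
    hostname check and no legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to detect: verification switched off, as in
    'accept any certificate' workarounds found in mobile apps."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def tls_context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Startup/test check so a context with verification disabled is never used."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def _canonical(body: dict) -> bytes:
    # Stable serialisation so sender and receiver MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal_reading(reading: dict, seq: int, key: bytes = DEVICE_KEY) -> dict:
    """Attach a sequence number and an HMAC-SHA256 tag to a sensor reading so
    the backend can reject readings altered or replayed on the way to it."""
    body = dict(reading, seq=seq)
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_reading(sealed: dict, last_seq: int, key: bytes = DEVICE_KEY) -> bool:
    """Accept only readings with a valid tag and a sequence number newer than
    the last one accepted from this device (replay protection)."""
    expected = hmac.new(key, _canonical(sealed["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return False  # altered payload or wrong device key
    return sealed["body"]["seq"] > last_seq
```

The backend must persist `last_seq` per device, otherwise a captured reading can be resubmitted after a restart.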
Things to consider when
OWASP Top 10 Mobile Risks 2014
1. Weak Server Side Controls
• cf. the OWASP Web Top Ten or Cloud Top Ten
projects
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorization and Authentication
6. Broken Cryptography
7. Client Side Injection
8. Security Decisions Via Untrusted Inputs
9. Improper Session Handling
10. Lack of Binary Protections
Industry is determined to invest in mHealth
• Platforms, SDKs and APIs will evolve and take health security requirements into account (e.g. Google Fit)
Summary
1. Address security & privacy from the very
beginning
– Clearly specify objectives, identify stakeholders
and map data flows
– Define your data protection strategy from the
design stage
• Anyway, adding S&P to an already developed platform is always more costly
– Evaluate S&P during the whole project and software development lifecycle
2. Go to bed with a clear conscience
Cf. mobile banking
• Text-book example of security by design
• Primarily protecting transactions (easier than information)
Credit card information: 1$ – Health data*: 10-50$
* US specific: health data helps insurance fraud and identity theft
Thank you for your attention!
Contact Information
Brecht Claerhout
Brecht.Claerhout@custodix.com
Custodix NV
KORTRIJKSESTEENWEG 214 bus 3
B-9830 SINT-MARTENS-LATEM (BELGIUM)
+32 9 210 78 90