4. Presentation Overview
– IoT? Huh….
– Vulnerabilities & Exploits
– Hacking Examples
– Security / Privacy by Design
– Where Do We Go From Here?
Securing IoT Medical Devices
5. IoT? Huh....
– IoT = Internet of Things
• Ubiquitous Connectivity (e.g., 802.11 Wi-Fi, 802.15 Bluetooth / ZigBee, 3G / 4G, WMTS)
• Data Portability / Interoperable Data Synching
– EDI = Electronic Data Interchange
• Redundant / Overlapping Technology Stacks & Methods
– Java, Linux, Open-source APIs, etc.
– Cocoa Touch (iOS) layer, etc.
– Medical / Healthcare Esoteric Language & Nuances
• WMTS = Wireless Medical Telemetry Services
• Regulatory Requirements: HIPAA / HITECH, FDA
• Healthcare Digitization: PPACA (the Affordable Care Act, i.e., Obamacare)
– ICD-9 / ICD-10 diagnosis codes carried in US EDI transactions
6. Vulnerabilities & Exploits
– Data in Motion (DIM) Challenges
• (Distributed) Denial of Service = DoS / DDoS
– Disable the Device via Signal (e.g., the wireless feature of Dick Cheney's implanted defibrillator was turned off as a precaution against attack)
• Man in the Middle (MITM)
– Sniff / Alter Packets
– Economic DoS (EDoS): drive up the victim's costs (bandwidth, cloud scaling, clinical follow-up) rather than knock the device offline
– Data in Use (DIU) Challenges
• DLP (Data Loss Prevention)
– Is sandboxing that effective at keeping data in use from leaking?
– Data at Rest (DAR) Challenges
• Jailbreak
• Crack Weak Cryptography
10. Security / Privacy By Design
– Security / Privacy Requirements
• Access Controls
– Mobile Medical Applications (MMAs)
» Sandboxed w/ Strong Password Protections
– Wearable Medical Devices (WMDs)
» Self-contained with DLP Protections
– Embedded Medical Devices (EMDs)
» Secure, Configurable, Intuitive GUIs – Like a Wireless Router
• Cryptography
– Strong Encryption / Hashing for DAR / DIM / DIU
– Transparent Data Encryption (TDE)
» Follow the Apple Model (iOS Data Protection: per-file keys wrapped by keys derived from the device's hardware key and the user's passcode)
– Homomorphic Encryption (HE): compute on data in use without decrypting it
11. Security / Privacy By Design
– Threat Modelling
• Performance / DDoS / Quality of Service (QoS)
• Nonrepudiation – Data, Patches
• False Positives – Alerts, Data Transfer
• Data Retention
– Misuse Cases
• EDoS
– Insurance
– Clinical Visits
• Physiological, Psychological Stress
• Device Misconfiguration – Data Loss, Transaction Integrity
• GPS (location data that can be used to track the patient)
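Two of the items above ("Sniff / Alter Packets" on the Vulnerabilities slide, and "Nonrepudiation – Data, Patches" here) and the cryptography requirement "Strong Encryption / Hashing for DIM" are easiest to see in working code. The following is an added example written for this page, not code from the presentation or from any device vendor. It assumes AES-256-GCM for telemetry in motion and Ed25519 for patch signatures; the telemetry packet and patch bytes are constructed sample data, and the key generation is illustrative (a real device would provision keys in protected storage).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample inputs (not from any real device): a telemetry packet an
// infusion pump might send to its controller, and a firmware patch image.
const sampleTelemetry = `{"device":"pump-01","glucose_mg_dl":95,"bolus_units":2.0}`

var samplePatch = []byte("firmware v2.1: fix bolus rounding")

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTelemetry protects data in motion with AES-256-GCM. GCM is an AEAD: the
// ciphertext carries an authentication tag, so a man-in-the-middle who flips
// even one bit of the packet is detected by OpenTelemetry. The random 12-byte
// nonce is prepended to the ciphertext so the receiver can recover it.
func SealTelemetry(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenTelemetry reverses SealTelemetry and fails closed on any modification.
func OpenTelemetry(key, packet []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(packet) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("packet too short to contain nonce and tag")
	}
	nonce, ct := packet[:gcm.NonceSize()], packet[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// SignPatch gives a firmware patch nonrepudiation: only the holder of the
// vendor's Ed25519 private key can produce a valid signature, and the device
// needs only the public key (which can live in read-only storage) to check it.
// A shared-key MAC could not provide this, since every verifier could forge.
func SignPatch(priv ed25519.PrivateKey, patch []byte) []byte {
	return ed25519.Sign(priv, patch)
}

// VerifyPatch is true only for an unmodified patch and a genuine signature.
func VerifyPatch(pub ed25519.PublicKey, patch, sig []byte) bool {
	return ed25519.Verify(pub, patch, sig)
}

func main() {
	key := make([]byte, 32) // illustrative session key; provisioned securely in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	packet, err := SealTelemetry(key, []byte(sampleTelemetry))
	if err != nil {
		panic(err)
	}
	// Simulate a MITM altering one ciphertext byte in transit.
	tampered := append([]byte(nil), packet...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = OpenTelemetry(key, tampered)
	fmt.Println("tampered telemetry rejected:", err != nil)

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignPatch(priv, samplePatch)
	forged := append([]byte(nil), samplePatch...)
	forged[0] ^= 0x01
	fmt.Println("genuine patch verifies:", VerifyPatch(pub, samplePatch, sig))
	fmt.Println("altered patch verifies:", VerifyPatch(pub, forged, sig))
}
```

The point of the GCM half is that confidentiality alone does not stop "Alter Packets": an unauthenticated stream cipher lets an attacker flip chosen bits in the bolus field without knowing the key, whereas the GCM tag makes any alteration fail at Open. The signature half is what "Nonrepudiation – Patches" actually requires: the device can reject a forged update using only public material, and the vendor cannot later deny having signed a genuine one.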
12. Security / Privacy By Design
– Compensating Controls
• SIEM (Security Information & Event Management) Operational Awareness
• Tokenization
• DLP (Data Loss Prevention)
• IAM (Identity & Access Management)
• MDM / MAM (Mobile Device / Application Management)
• Physical Access Controls
14. Where Do We Go From Here?
– National / Industry / Workgroup Standards
• FDA
• HIMSS
• HITRUST
• NIST
– Thought Leadership
• OWASP
• ISC2
• ISSA
– Device Certification / Attestation
• FDA
• HITRUST