Source: Content derived from playbook.dimesociety.org
Your Body is a Unique Database. Who Owns It?
SXSW 2023 PanelPicker Submission
Speakers: Stephen Ruhmel, Andy Coravos, Oana Cula, Sachin Shah

Safeguarding patient data is a safety issue
The Playbook / Build the shared foundation / Technologies

While the most likely and most harmful data risks stem from data loss through accidental deletion or failure of continuity measures, it is also critical to protect against data abuse:
• Theft is a data security issue.
• Misuse is a data rights issue.
Failure to safeguard against security threats and violations of individuals’ data rights is also a risk to researchers and clinicians.
Although the security of a system cannot be guaranteed, quality design and execution can decrease the risk of harm from code flaws, configuration weaknesses, or other issues.
Notably, some data and system access may be authorized (or perhaps “not forbidden”), though unwelcome or undisclosed to the patient or other stakeholders. This type of access will also be covered in the next section.
Source: Coravos A. et al, Playbook team analysis

Overview of security risks posed by connected sensor technologies
The Playbook / Build the shared foundation / Technologies

By definition, connected sensor technologies transfer data over the internet, which introduces immediate risks because:
• an actor could attack and access the product remotely, and
• could often do so in near-real time.
Cybersecurity involves:
• protecting internet-connected systems, data, and networks from unauthorized access and attacks
• including human error (e.g., the loss of a company’s unencrypted laptop).
Source: Coravos A. et al, Playbook team analysis

In the U.S. there is no single regulatory agency tasked with enforcing a uniform set of cybersecurity standards
The Playbook / Build the shared foundation / Technologies

As a result, more responsibilities are now placed on companies to deal with cybersecurity threats, which many organizations are unprepared to handle.

HHS: HIPAA
• Security Rule
• Breach Notification Rule
FTC: FTC Act
• Section 5: “unfair or deceptive acts or practices”
FDA: FDA Guidances
• Postmarket Management of Cybersecurity in Medical Devices Guidance
SEC: SEC Guidances
• CF Disclosure Guidance: Topic No. 2: public company disclosures re cybersecurity risks & cyber incidents
• Unofficial guidance
• Ransomware Alert
State laws: Consumer protection laws
• Little FTC Acts, laws based on the Uniform Deceptive Trade Practice Act
State laws: Breach notification laws
Source: Playbook team analysis

The E.U. has a growing catalogue of centralised regulations
The Playbook / Build the shared foundation / Technologies

These cover aspects of both security and data rights, privacy, and governance.

GDPR
• Principles and conditions for the processing of personal data
• Individuals’ rights
• Data transfers
• Breach reporting
Cybersecurity Act
• Establishes a permanent EU agency
• Creates an EU ICT certification framework
Data Governance Act (DGA)
• Draft released in late 2020
• Sets out requirements for data re-use by public bodies, intermediaries and data altruism
Data Rights Act
• First draft anticipated in 2021
• Will likely update the rights of individuals and organisations in the GDPR
Member states
• Cyber security laws
• Consumer protection laws
Source: Playbook team analysis

If it’s connected to the internet, it can be hacked
The Playbook / Build the shared foundation / Technologies

Learn about the different types of hackers:
White hat
• Considered to be good; known as “security researchers”
• Perform an ethical style of hacking on mission-critical networks
• Report vulnerabilities by following policies of coordinated disclosure
Grey hat
• Consider themselves to be acting for good, but do so in accordance with their own values and ethics, which may not track with governing laws and regulations
• Prioritize their own perception of right vs. wrong over what the lawyer might say
Black hat
• Exploit security flaws for personal or political gain - or for fun
• Considered cybercriminals; not concerned if they do something illegal or wrong
Source: Adapted from Lahjaty: White hat vs black hat, Playbook team analysis

Build strong relationships with security researchers
The Playbook / Build the shared foundation / Technologies

Some “hackers” can be your friends and others are foes. This slide repeats the white hat / grey hat / black hat breakdown from the previous slide.
Source: Adapted from Lahjaty: White hat vs black hat, Playbook team analysis

The FDA has been building relationships with security researchers through initiatives like WeHeartHackers.org at DEFCON
The Playbook / Build the shared foundation / Technologies
Source: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - FDA, We heart hackers, Playbook team analysis

To get more involved in the security research community, I Am the Cavalry and Biohacking Village @ DEFCON, a 501(c)3, can support you
The Playbook / Build the shared foundation / Technologies
Source: I am the Cavalry, Biohacking village, Wired, Playbook team analysis

SPOTLIGHT: Use a software bill of materials (SBOM) to make your supply chain more resilient
The Playbook / Build the shared foundation / Technologies

The risk of including third-party software components in healthcare technologies can be managed, in part, by leveraging a software bill of materials (SBOM). Analogous to an ingredients list on food packaging, an SBOM is a list of all included software components. SBOMs provide transparency into a medical technology’s components, which can eventually reduce the feasibility of attacks.
[Figure 3. Multiple vulnerability pathways. Figure marked DRAFT FOR PUBLIC COMMENT; source: https://healthpolicy.duke.edu/publications/roadmap-developing-study-endpoints-real-world-settings, Playbook team analysis]
Source: Carmody S. et al, Playbook team analysis

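The transparency an SBOM gives you is only useful if you act on it. The following is an added example, not code from the Playbook or from the DiMe project, showing the basic defensive use of an SBOM: read the component list and cross-check it against an advisory feed to find components that are older than the version the advisory says fixes the issue. The SBOM is constructed inline in the CycloneDX JSON shape (`bomFormat`/`components`); every component name, version and advisory id in it is a made-up placeholder, not a real library or a real vulnerability, and the advisory feed format is assumed for the example.

```python
"""Cross-check a software bill of materials (SBOM) against an advisory list.

Added example; not Playbook or DiMe code.  The SBOM and the advisory feed
below are constructed placeholders: the component names, versions and
advisory ids are invented and do not refer to real software or real CVEs.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed SBOM for a hypothetical connected-sensor firmware image,
# written in the CycloneDX JSON shape (bomFormat / specVersion / components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "tls-stack",     "version": "2.3.1"},
    {"type": "library", "name": "json-parser",   "version": "1.0.7"},
    {"type": "library", "name": "ble-transport", "version": "0.9.2"},
    {"type": "library", "name": "logging",       "version": "4.1.0"}
  ]
}
"""

# Constructed advisory feed (placeholder ids, not real CVEs).  Each entry
# names the affected component and the first version that contains the fix.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "tls-stack",     "fixed_in": "2.4.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "json-parser",   "fixed_in": "1.0.7"},
    {"id": "EXAMPLE-ADV-0003", "name": "ble-transport", "fixed_in": "1.0.0"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted numeric version into integers so that 2.10.0 > 2.9.0.

    String comparison would get this wrong ("2.10" < "2.9").  Only plain
    dotted numeric versions are handled here; anything else raises ValueError
    rather than being silently mis-ordered.
    """
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text: str) -> list[dict]:
    """Parse the SBOM document and return its (name, version) component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return [{"name": c["name"], "version": c["version"]} for c in doc["components"]]


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    advisory: str
    fixed_in: str


def match_advisories(components: list[dict], advisories: list[dict]) -> list[Finding]:
    """Report every shipped component whose version predates an advisory's fix.

    A component at exactly the fixed version (json-parser 1.0.7 above) is not
    flagged; one strictly older than the fix is.
    """
    findings: list[Finding] = []
    for comp in components:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"], adv["fixed_in"]))
    return findings


def audit(sbom_text: str = SBOM_JSON, advisories: list[dict] = ADVISORIES) -> list[Finding]:
    """Run the full check: parse the SBOM, then match it against the feed."""
    return match_advisories(load_components(sbom_text), advisories)


if __name__ == "__main__":
    for finding in audit():
        print(f"{finding.component} {finding.version}: {finding.advisory} "
              f"(fixed in {finding.fixed_in})")
```

Run as-is, the check flags `tls-stack` and `ble-transport` and leaves `json-parser` (already at the fixed version) and `logging` (no advisory) alone. In practice the advisory feed would come from a vulnerability database rather than an inline list, and the SBOM would be regenerated on every build so that the check tracks what actually ships.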
U.S. legal protections for data rights are limited
The Playbook / Build the shared foundation / Technologies

U.S. law does not have explicit regulations that give consumers full control over how their data is collected, used, and shared. Data rights are limited to a patchwork of protections.

HHS: HIPAA
• Privacy Rule
FTC: FTC Act
• Section 5: “unfair or deceptive acts or practices”
State laws: Patient privacy laws based on HIPAA, e.g.:
• CMIA (California)
• TMPA (Texas)
State laws: Consumer privacy laws, e.g.:
• CCPA (California)
• BIPA (Illinois)
Source: Playbook team analysis

Example: Data rights considerations (ILLUSTRATIVE)
The Playbook / Build the shared foundation / Technologies

• Does the device have any end-user license agreements (EULA) or terms of service (ToS) and privacy policies (PP)?
• Are these policy documents comprehensive?
• Are these documents easily accessible (e.g., publicly accessible online)?
• Is the information contained in them comprehensible by broad audiences?
Source: Coravos A. et al, Playbook team analysis