Tag Archives: Threat modeling

Killed by code – back to the future

Back in 2011, I thought it’s only a question of time before we have a drive by execution of a politician with an ICD (implanted cardiac device).

Fast forward to Jan 9, 2017 FDA reported in a FDA Safety Communication on “Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter.

At risk:

  • Patients with a radio frequency (RF)-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter
  • Caregivers of patients with an RF-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter
  • Cardiologists, electrophysiologists, cardiothoracic surgeons, and primary care physicians treating patients with heart failure or heart rhythm problems using an RF-enabled St. Jude Medical implantable cardiac device and corresponding Merlin@home Transmitter

I’ve been talking to our medical device customers about mobile security of implanted devices for over 4 years now.

I  gave a talk on mobile medical device security at the Logtel Mobile security conference in Herzliya in 2012 ago and discussed proof of concept attacks on implanted cardiac devices with mobile connectivity.

But – ICD are the edge, the corner case of mobile medical devices.  If a typical family of 2 parents and 3 children have 5 mobile devices, it is a reasonable scenario that this number will double withe devices for fetal monitoring, remote diagnosis of children, home-based urine testing and more.

Mobile medical devices are becoming a pervasive part of the Internet of things; a space of  devices that already outnumber workstations on the Internet by about five to one, representing a $900 billion market that’s growing twice as fast as the PC market.

There are 3 dimensions to medical device security – regulatory (FDA), political (Congress) and cyber (vendors implementing the right cyber security countermeasures)

The FDA is taking a tailored, risk-based approach that focuses on the small subset of mobile apps that meet the regulatory definition of “device” and that:

  • are intended to be used as an accessory to a regulated medical device, or
  • transform a mobile platform into a regulated medical device.

Mobile apps span a wide range of health functions. While many mobile apps carry minimal risk, those that can pose a greater risk to patients will require FDA review. The FDA guidance document  provides examples of how the FDA might regulate certain moderate-risk (Class II) and high-risk (Class III) mobile medical apps. The guidance also provides examples of mobile apps that are not medical devices, mobile apps that the FDA intends to exercise enforcement discretion and mobile medical apps that the FDA will regulate in Appendix A, Appendix B and Appendix C.

Mobile and medical and regulatory is a pretty sexy area and I’m not surprised that politicians are picking up on the issues. After all, there was an episode of CSI New York  that used the concept of an EMP to kill a person with an ICD, although I imagine that a radio exploit of  an ICD or embedded insulin pump might be hard to identify unless the device itself was logging external commands.

Congress is I believe, more concerned about the regulatory issues than the patient safety and security issues:

Representatives Anna Eshoo (D-CA) and Ed Markey (D-MA), both members of the House Energy and Commerce Committee sent a letter last August asking the GAO to Study Safety, Reliability of Wireless Healthcare Tech and report on the extent to which FCC is:

  • Identifying the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology.
  • Taking steps to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.
  • Ensuring wireless enabled medical devices will not cause harmful interference to other equipment.
  • Overseeing such devices to ensure they are safe, reliable, and secure.Coordinating its activities with the Food and Drug Administration.

At  Black Hat August 2011, researcher Jay Radcliffe, who is also a diabetic, reported how he used his own equipment to show how attackers could compromise instructions to wireless insulin pumps.

Radcliffe found that his monitor had no verification of the remote signal. Worse, the pump broadcasts its unique ID so he was able to send the device a command that put it into SUSPEND mode (a DoS attack). That meant Radcliffe could overwrite the device configurations to inject more insulin. With insulin, you cannot remove it from the body (unless he drinks a sugary food).

The FDA position that it is sufficient for them to warn medical device makers that they are responsible for updating equipment after it’s sold and the downplaying of  the threat by industry groups like The Advanced Medical Technology Association is not constructive.

Following the proof of concept attack on ICDs by Daniel Halperin from the University of Washington, Kevin Fu from U. Mass Amherst et al “Pacemakers and Implantable Cardiac Defibrillators:Software Radio Attacks and Zero-Power Defenses”  this is a strident wakeup call to medical device vendors  to  implement more robust protocols  and tighten up software security of their devices.

Tell your friends and colleagues about us. Thanks!
Share this
Security is not fortune telling

The importance of risk analysis for HIPAA compliance

A chain of risk analysis

The HIPAA Final Rule creates a chain of risk analysis and compliance from the hospital, downstream to the business associates who handle / process PHI for the hospital and sub-contractors who handle / process PHI for the business associate.

And so on.

The first thing an organization needs to do is a risk analysis.   How important is a risk analysis?  Ask Cancer Care Group who were just fined $750,000 for non-compliance with the Security Rule.

$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies

Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. Cancer Care Group is a radiation oncology private physician practice, with 13 radiation oncologists serving hospitals and clinics throughout Indiana.

On August 29, 2012, OCR received notification from Cancer Care regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.

OCR’s subsequent investigation found that, prior to the breach, Cancer Care was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. For more information see the HHS Press Release from Sep 2, 2015 $750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies

Risk analysis is the first step in meeting Security Rule requirements

I have written here, here, here and here about the importance of risk analysis as a process of understanding the value of your assets, the impact of your threats and the depth of your vulnerabilities in order to implement the best security countermeasures.

The HIPAA Security Rule begins with the analysis requirement in § 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is fundamental to the entire process of HIPAA Security Rule compliance, and must be understood in detail by the organization in order to specifically address safeguards and technologies that will best protect electronic health information. See Guidance on Risk Analysis Requirements under the HIPAA Security Rule. Neither the HHS Guidance nor NIST specify a methodology – we have been using the Practical Threat Analysis methodology for HIPAA Security risk analysis with Israeli medical device companies since 2009 and it works smoothly and effectively helping Israeli medical device vendors comply and implement robust security at the lowest possible cost.

§ 164.308(a)(1)(ii)(A) Risk Analysis (R1): As part of the risk management process, the company performs information security risk analysis for its services (see company procedure XYZ) analyzing software application  security, data security and human related vulnerabilities. Risk analysis is performed according to the Practical Threat Analysis methodology.

1 A refers to addressable safeguards, and R refers to required safeguards.

Do it.  Run Security like you Run your business

Tell your friends and colleagues about us. Thanks!
Share this
selling security products with fear, ignorance and online marketing

Why security defenses are a mistake

Security defenses don’t improve our understanding of the root causes of data breaches

Why is this so? Because when you defend against a data breach – you do not necessarily understand the vulnerabilities that can be exploited.

If do not understand the root causes of your vulnerabilities, how can you justify and measure the effectiveness of your defensive measures?

Let me provide you with an example.

Conventional IT security practice says that you must install a firewall in front of a server farm.

Firewalls prevent the bad guys from getting in. They don’t prevent sensitive data assets from leaving your network during a data breach.

If you have a dozen servers, running Ubuntu 12.04 with the latest patches, hardened and only serving responses to requests on SSH and HTTPS services not only is there no added value in a firewall but installing and maintaining a firewall will be a waste of money that doesn’t defend against a data breach.

First of all – defenses are by definition, not a means of improving our understanding of strategic threats. Think about the Maginot Line in WWI or the Bar-Lev line in 1973. Network and application security products that are used to defend the organization are rather poor at helping us understand and reduce the operational risk of insecure software.

Second of all – it’s hard to keep up. Security defense products have much longer product development life cycles then the people who develop day zero exploits. The battle is also extremely asymmetric – as it costs millions to develop a good application firewall that can mitigate an attack that was developed at the cost of three man months and a few Ubuntu workstations. Security signatures (even if updated frequently) used by products such as firewalls, IPS and black-box application security are no match for fast moving, application-specific source code vulnerabilities exploited by attackers and contractors.

Remember – that’s your source code, not Microsoft.

Third – threats are evolving rapidly. Current defense in depth strategy is to deploy multiple tools at the network perimeter such as firewalls, intrusion prevention and malicious content filtering. Although content inspection technologies such as DPI and DLP are now available, current focus is primarily on the network, despite the fact that the majority of attacks are on the data – customer data and intellectual property.

The location of the data has also become less specific as the notion of trusted systems inside a hard perimeter has practically disappeared with the proliferation of cloud services, Web 2.0 services, SSL VPN and convergence of almost all application transport to HTTP.

In summary – before handing over a PO to your local information security integrator – I strongly suggest a systematic threat analysis of your systems. After you have prioritized set of countermeasures – you’ll be buying, but not necessarily what he’s selling.

Tell your friends and colleagues about us. Thanks!
Share this
dannyl_sax_shablul

The best cybersecurity strategy may be counter-terror

Danny Lieberman  suggests that a demand-side strategy with peer-review may work best  for cyber-security.

A conventional military paradigm does not work for cyber-security

Government cyber  security policy, molded by the military; traditionally frames cyber-security in the context of a defensive strategy based on intelligence gathering, threat analysis,  modeling and  monitoring  with  deployment of defensive network security technologies such as  firewalls, DDOS protection, intrusion prevention and honey-pots.

The problem with a defensive cyber-security strategy is that it does not address the root cause of threats.

 Combating cyber-terror  with offensive strategies by using anti-terror techniques to dismantle terrorist infrastructures and social fabrics is a highly effective alternative to a defensive strategy.

Attacking social networks of hackers

Although there are offensive alternatives such as mounting systematic DDos attacks on the attackers or developing targeted spyware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. We can learn from the counter terror success of the Italians in the late 60s with dismantling the Brigatisti. The Italian government infiltrated the Red Brigades – bred mistrust and quickly rolled up the organization.

Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.

Since cyber attacks on Israel is a form of terrorism – I believe that this strategy could be effective since it goes directly to the source and potentially denies a key hacker benefit – the social gratification.

While an interesting idea – the key barrier to this strategy is deploying it where hackers operate and obtaining the cooperation of local law enforcement.

It’s clear that cooperation with other countries and a variety of partners inside and outside the Israeli government is a critical success factor for an offensive cyber-security strategy.

Getting more eyeballs on the problem

A cyber-security strategy that is not reviewed by outside people cannot correctly evaluate the economic effectiveness of cyber-security measures since political considerations will always override common sense.

 Representatives from the newly formed Israeli Cyber Command need to work closely with private industry and share information about threats and vulnerabilities – since in most cases – privately held technology security developers and analysts have better and more up-to-date knowledge than government agencies who may have better intelligence.

The effort to defend Israel in cyberspace will only succeed if it is coordinated across the government, with allies, and with partners in the commercial sector combining high-quality intelligence with deep understanding of evolving threats and peer review of the security measures.

Tell your friends and colleagues about us. Thanks!
Share this

The valley of death between IT and information security

IT is about executing predictable business processes.

Security is about reducing the impact of unpredictable attacks to a your organization.

In order ot bridge the chasm – IT and security need to adopt a common goal and a common language – a language  of customer-centric threat modelling

Typically, when a company ( business unit, department or manager) needs a line of business software application, IT staffers will do a system analysis starting with business requirements and then proceed to buy or build an application and deploy it.

Similarly, when the information security group needs an anti-virus or firewall, security staffers will make some requirements, test products, and proceed to buy and deploy or subscribe and deploy the new anti-virus or firewall solution.

Things have changed – both in the IT world and in the security world.

Web 2.0 SaaS (software as a service) offerings (or  Web applications in PHP that the CEO’s niece can whip together in a week…) often replace those old structured systems development methodologies. There are of course,  good things about not having to develop a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but the downside of not developing software according to a structured systems design methodology is buggy software.

Buggy software is insecure software. The response to buggy, insecure software is generally doing nothing or installing a product that is a security countermeasure for the vulnerability  (for example, buying a database security solution) instead of fixing the SQL injection vulnerability in the code itself.   Then there is lip-service to so called security development methodologies which despite their intrinsic value, are often too detailed for practioners to follow), that are not a replacement for a serious look at business requirements followed by a structured process of implementation.

There is a fundamental divide, a metaphorical valley of death of  mentality and skill sets between IT and security professionals.

  • IT is about executing predictable business processes.
  • Security is about reducing the impact of unpredictable attacks.

IT’s “best practice” security in 2011 is  firewall/IPS/AV.  Faced with unconventional threats  (for example a combination of trusted contractors exploiting defective software applications, hacktivists or competitors mounting APT attacks behind the lines), IT management  tend to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first principles threat analysis and discovering  that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.

Threat modeling and analysis is the antithesis of installing a firewall, anti-virus or IPS.

Analyzing the impact of attacks requires hard work, hard data collection and hard analysis.  It’s not a sexy, fun to use, feel-good application like Windows Media Player.   Risk analysis  may yield results that are not career enhancing, and as  the threats  get deeper and wider  with  bigger and more complex systems – so the IT security valley of death deepens and gets more untraversable.

There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems and procedures-oriented instead of  customer-safety oriented.

Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?

Clearly – the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike.

Around this common challenge, I  propose that IT and security adopt a common goal and a common language – a language  of customer-centric threat modelling – threats, vulnerabilities, attackers, entry points, assets and security countermeasures.  This may be the best or even only way for IT and security  to traverse the valley of death successfully.

Tell your friends and colleagues about us. Thanks!
Share this

Risk assessment for your medical device

We specialize in  cyber-security and privacy compliance for medical device vendors in Israel like you.

We’ve assissted dozens of Israeli software medical device that use Web, mobile, cloud and hospital IT networks achieve cost-effective HIPAA compliance and meet FDA guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices.

As part of our service to our trusted clients, we provide the popular PTA  threat modeling tool, free of charge – with 12 months maintenance included and unlimited threat models.

If you’re not a client  – contact us now for a free phone consultation.

Software Associates threat models are used by thousands of professional security analysts all over the world who use PTA Professional in their risk and compliance practice.

Download the  free risk assessment software now.

What you get with the PTA Software:

  • It’s quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • It’s robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • It’s versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • It’s effective: helps determine the most effective security countermeasures and their order of implementation, saving you money.
  • It’s databased: based on a robust threat data model with the 4 dimensions of threats, assets, vulnerabilities and countermeasures
  • It’s management level: with a few clicks, you can product VaR reports and be a peer in the boardroom instead of staffer waiting in the hall.

 

Tell your friends and colleagues about us. Thanks!
Share this

Is network PVR the best direction for the big studios ?

The distribution of video over multicast-broadcast networks and content storage at by users with Windows PCs and PVRs has created a huge threat surface for digital content.

Typical to flawed security countermeasures, HDCP and AACS exacerbate and enlarge the threat surface rather than enhance revenues and reduce risk.

In this article we will show that Network PVR services may be an effective strategy for studios to mitigate the risk of content piracy.

Background

NetFlix, Vudu and Universal Studios Home Entertainment are skipping over HD-DVD/Blu-ray formats in favor of what some industry observers say is inevitable – download-only distribution.

Beginning November 23 2007, Vudu started giving new buyers “The Bourne Identity” and “The Bourne Supremacy” pre-loaded on their set-top boxes in HD. Buyers can purchase a downloaded copy of “The Bourne Ultimatum”, for $25 starting December 11, 2007.

The VUDU box and services sounded pretty cool to me when I first saw it – until I realized that the price of the “The Bourne Ultimatum HD” on Amazon is $27.99 with free Super Saver Shipping and the I don’t need to buy the Vudu and commit to their service. It’s two bucks less with Vudu but the VUDU STB sets you back $250 (reduced from $400). The Vudu business model does not seem extremely compelling. Although you have a hard disk – you cannot go back and view a movie if you ran out of time in a single sitting. The Netflix business model of having 3-5 movies for unlimited usage still seems a winner and in comparison, Vudu just doesn’t seem to have all the movies we’d want to see.

The price of SD (standard definition) DVDs is between USD2-5, depending on where you live and HD DVD seems to be going for about USD25-30, depending on the movie and season of the year. It’s cheaper and more convenient for a consumer to rent or buy a DVD from NetFlix or Blockbuster then to pay Vudu. if you want to see the latest episode ofDexter you can’t even get it on Vudu, and BitTorrent is more accessible not to mention, free.

While Vudu seem to have done some impressive engineering work on their STB, if they get any widespread traction, it may only be a matter of time until some irritated user cracks their box or bypassess the content protection.

What is HD (High Definition) video?

There is a good deal of confusion regarding exact definitions and consumer electronics product requirements for HD (high definition). HD refers to the quality of the picture (not to the means of digital content protection). Digital HDTV broadcast systems are defined by the number of lines in the vertical display resolution, the scanning system: (progressive (p) or interlaced (i) and the number of frames per second. The 720p60 format is 1280×720 pixels, with progressive encoding at 30 frames per second. The 1080i50 format is 1920×1080 pixels, with interlaced encoding at 25 frames per second. For commercial naming of the product, either the frame rate or the field rate is dropped, e.g. a “1080i television set” label indicates only the image resolution.

Is HD for digital TV only? (no)

If you have have an older TV set with an analog RCA interface, you’re in luck – the issues of digital HDTV are eliminated by connecting your TV set to a DVD player using the analog HD signal output with RCA connectors instead of HDMI. The analog outputs of most HD devices will replicate the resolutions of the digital outputs i.e. 720p and 1080i, so fidelity of the picture is maintained. Connectivity is via standard VGA HD15 connector or high-resolution component video output using 3 x RCA connectors. Analog HD signals can also be distributed over standard Cat5 cable up to a few hundred meters, which is pretty convenient if you have a large house or a small hotel.

What is HDCP?

High-bandwidth Digital Content Protection (HDCP) is a proprietary DRM scheme for protecting premium HD content. HDCP was developed by Intel Corporation to control digital audio and video content transmitted on DVI (digital video) and HDMI (high definition media) interfaces in consumer electronics devices such as DVD, STB, TV Sets. Compliance with HDCP requires a license from Digital Content Protection LLC, a subsidiary of Intel. In addition to paying fees, manufacturers agree to downgrade quality when interfacing to non-HDCP compliant devices. For example, HD video is downgraded to DVD quality on a non-HDCP compliant TV set. HDCP also incorporates a black-listing scheme of cracked devices using a key-revocation scheme where the black list is stored on the DVD media.

HD content protection – fundamentally flawed

The HDCP black-listing scheme defies the laws of physics and reason. For example, you may be a perfectly law-abiding citizen, but if someone in Timbuktu hacks your model XY500 DVD player, the device key is revoked, and you will never be able to play discs that came out after the date the device was compromised. If a hacker taps into the HDMI / HDCP signal copies a movie enroute to your model TV Set, the HDCP device key can be revoked and your 80 inch TV will never play high-definition again.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

A cyber-terror derivatives market?

I first heard the idea about hedging risk against actual future disasters (man-made or natural) around the time of Hurricane Katrina.

The essay below by professor Avinash Persaud considers the creation of a terrorism futures market. The ideas are particularly timely in the context of the unrest in Libya and the uptick in oil prices.

Right now, the closest thing we have to “terrorist futures” are crude oil futures. One way of looking at them is as a loose proxy for the sell-by date on the Saudi monarchy. For example, oil prices above $99 would be a function of geopolitical instability, and not just the supply-demand dynamic.

Futures prices convey information in its raw form. They tell you what individual participants are betting on and how they’re evaluating risk.  They tell us something about Quaddaffi. Even if Libya is not a major oil producer, Muamer Quaddaffi is a major source of instability.

Can a Country Take out Financial Insurance Against Macro-Risks Like Currency Instability or Global Terrorism?
by Professor Avinash Persaud

Good evening, ladies and gentlemen. I would like to begin today by discussing the link between the personal insurance you and I take out every day and financial futures markets. I will then turn to a proposal to establish a terrorism futures market and how that would work. I will address the moral objections to such a market and its possible benefits to our democracy. It should be a thought-provoking tour.

Tell your friends and colleagues about us. Thanks!
Share this

Medical device security trends

Hot spots for medical device software security

I think that 2011 is going to be an exciting year for medical device security as the FDA gets more involved in the approval and clearance process with software-intensive medical device vendors. Considering how much data is exchanged between medical devices and customer service centers/care givers/primary clinical care teams and how vulnerable this data really is, there is a huge amount of work to be done to ensure patient safety, patient privacy and delivery of the best medical devices to patients and their care givers.

On top of a wave of new mobile devices and more compliance, some serious change is in the wings in Web services as well.

The Web application execution model is going to go through an inflection point in the next two years transitioning from stateless HTTP, heterogeneous stacks on clients and servers and message passing in the user interface (HTTP query strings) to WebSocket and HTML5 and running the application natively on the end point appliance rather than via a browser communicating to a Web server.

That’s why we are in for interesting times I believe.

Drivers
There are 4 key drivers for improving software security of medical devices, some exogenous, like security, others product-oriented like ease of use and speed of operation.  Note that end-user concerns for data security don’t seem to be a real market driver.

  1. Medical device quality (robustness, reliability,usability, ease of installation, speed of user interaction)
  2. Medical device safety (will the device kill the patient if the software fails, or be a contributing factor to damaging the patient)
  3. Medical device availability (will the device become unavailable to the user because of software bugs, security vulnerabilities that enable denial of service attacks)
  4. Patient privacy (HIPAA – aka – data security, does the device store ePHI and can this ePHI be disclosed as a result of malicious attacks by insiders and hackers on the device)

Against the backdrop of these 4 drivers, I see 4 key verticals: embedded devices, mobile applications, implanted devices and Web applications.

Verticals

Embedded devices (Device connected to patient)

  1. Operating systems, Windows vs. Linux
  2. Connectivity and integration into enterprise hospital networks: guidelines?
  3. Hardening the application verus bolting on security with anti-virus and network segmentation

Medical applications on mobile consumer devices (Device held in patient hand)

  1. iPhone and Android – for example, Epocrates for Android
  2. Software vulnerabilities that might endanger patient health
  3. Is the Apple Store, Android Market a back door for medical device software with vulnerabilities?
  4. Application Protocols/message passing methods
  5. Use of secure tokens for data exchange
  6. Use of distributed databases like CouchDB to store synchronized data in a head end data provider and in the mobile device The vulnerability is primarily patient privacy since a distributed setup like this probably increases total system reliability rather than decreasing it. For the sake of discussion, CouchDB is already installed on 10 million devices world wide and it is a given that data will be pushed out and stored at the end point hand held application.

Implanted devices (Device inside patient)

  1. For example ICD (implanted cardiac defibrillators)
  2. Software bugs that results in vulnerabilities that might endanger patient health
  3. Design flaws (software, hardware, software+hardware) that might endanger patient health
  4. Vulnerability to denial of service attacks, remote control attacks when the ICD is connected for remote
  5. programming using GSM connectivity

Web applications  (Patient interacting with remote Web application using a browser)

  1. Software vulnerabilities that might endanger patient health because of a wrong diagnosis
  2. Application Protocols/message passing methods
  3. Use of secure tokens for data exchange
  4. Use cloud computing as service delivery model.

In addition, there are several “horizontal” areas of concern, where I believe the FDA may be involved or getting involved

  1. Software security assessment standards
  2. Penetration testing
  3. Security audit
  4. Security metrics
  5. UI standards
  6. Message passing standards between remote processes
Tell your friends and colleagues about us. Thanks!
Share this

Small business data security

Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation.

Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices that work for big business (like Step #5 – Monitor your business partners)

Most of all, the 7 steps are about thinking through the threats and potential damage.

Step # 1- Do not be tempted into an expensive business process mapping exercise
Many consultants tell businesses that they must perform a detailed business process analysis and build data flow diagrams of data and business processes. This is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why they tell you to map data flows. The added value of knowing data flows between your business, your suppliers and customers is arguable. Just skip it.

Step #2 – Do not punch a compliance check list
There is no point in taking a non-value-added process and spending money on it just because the government tells you to. My maternal grandmother, who spoke fluent Yiddish would yell at us: ” grosse augen” (literally big eyes) when we would pile too much food on our plates. Yes, US publicly traded companies are subject to multiple regulations. Yes, retailers that  store and processes PII (personally identifiable data)  have to deal with PCI DSS 2.0, California State Privacy Law etc. But looking at all the corporate governance and compliance violations, it’s clear that government regulation has not made America more competitive nor better managed.  It’s more important for you to think about how much your business assets are worth and how you might get attacked than to punch a compliance check list.

Step #3 – Protecting your intellectual property doesn’t have to be expensive
If you have intellectual property, for example, proprietary mechanical designs in Autocad of machines that you build and maintain, schedule a 1 hour meeting with your accountant  and discuss how much the designs are worth to the business in dollars. In general, the value of any digital, reputational, physical or operational asset to your business can be established fairly quickly  in dollar terms by you and your accountant – in terms of replacement cost, impact on sales and operational costs.  If you store any of those designs on computers, you can get free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. That way if there is a break-in and the computer is stolen, or if you lose your notebook on an airport conveyor belt, the data will be worthless to the thief.

Step #4 – Do not store Personally identifiable information or credit cards
I know it’s convenient to have the names, phone numbers and credit card numbers of customers but the absolutely worst thing you can do is to store that data. VISA has it right. Don’t store credit cards and magnetic strip data. It will not help you sell more anyway, you can use Paypal online or simply ask for the credit card at the cash register.  Get on Facebook and tell your customers how secure you are because you don’t store their personal data.

Step #5 – Don’t be afraid of your own employees, but do monitor your business partners
Despite the hype on trusted insiders, most data loss is from business partners. Write a non-disclosure agreement with your business partners and trust them, and audit their compliance at least once a year with a face-to-face interview.

Step #6 – Do annual security awareness training but keep it short and sweet
Awareness is great but like Andy Grove said – “A little fear in the workplace is not necassarily a bad thing”. Have your employees and contractors read, understand and sign a 1 page procedure for information security.

Step #7 – Don’t automatically buy whatever your IT consultant is selling
By now – you are getting into a security mindset.  Thinking about asset value, attacks and cost-effective security countermeasures like encryption. Download the free risk assessment software and get a feel for your value at risk.  After you’ve done some practical threat analysis of your business risk exposure you will be in an excellent position to talk with your IT consultant. While most companies don’t like to talk about data theft issues, we have found it invaluable to talk to colleagues in your market and get a sense of what they have done and how well the controls perform.

Tell your friends and colleagues about us. Thanks!
Share this