Hacking Health - USENIX · Hacking Health Professor Avi Rubin Computer Science Johns Hopkins...
Hacking Health
Professor Avi Rubin
Computer Science
Johns Hopkins University

My first security evaluation, 2003
- Rental receipt with printed CC#
- Easy access to consumer data
- Poor data security practices
- Weak authentication, if any

Founded security evaluation company

Getting to know Health IT Security
• In 2009, transitioned from e-voting security
  – To healthcare IT security
• Began with IT-focused tours of several hospitals
  – Radiology, Pathology, Children’s hospital, etc.
  – About 6 visits
  – Security situation was abysmal
    • 8,000 hospital employees 100% access
    • Nurse w/ “special task”
    • Home VPN as bridge
    • Desktop EHR access

Example: X-rays
Old way: New way:

• Blood Gas Analyzers (BGA) compromised
• PACS system compromised

Healthcare is Unique
• The players:
  – Doctors
    • (God complex; don’t like new ways of doing things)
  – Patients
    • (often not tech savvy; don’t follow instructions)
    • Includes all of us
  – Nurses & other Clinical staff
  – Regulators: Congress, FDA
    • (well meaning; may not understand implications)
  – Insurance companies
  – Medical device manufacturers
  – Entrepreneurs
    • Mobile, Wearables,
    • Internet of Things

Healthcare applications
• Connectivity
  – Modern devices, always connected, always on
  – Databases always online
• Mobile/cloud
  – Data in multiple places
  – Data owner not in possession of data
• Expectation that data is always available

Key point: most interaction with health data controlled by SOFTWARE

Controlled by software
• Radiation dosage
• Dosage of medication
• Stocking of supplies in ICU
• Shift schedule for Doctors & Nurses
• EHRs
• Drug dispensing robot
• Communications of devices

Threat model:
Anything controlled by software is potentially exploitable.

Biggest bang for the buck
1. Application whitelisting on medical devices
2. Hygiene for backend systems
3. Database Activity Monitoring – anomalous queries
4. Multifactor authentication for remote access
5. Virtualization for access to clinical data
6. Universal encryption of data
7. Terms of agreement with cloud service providers
8. Automated support for security in chart accesses
9. Privacy for self-identify data (e.g. genome sequences)
   – HIPAA safeguards inadequate
10. Authentication for clinical personnel

Final Thoughts
• Healthcare Sector has unique security challenges due to:
  – Regulatory environment
  – Stakeholders
  – Dependence on software
  – Availability requirements for data
  – Affects us all personally!
  – Trend towards cloud/mobile
• Need to consider security implications of new technologies, e.g. network-connected infusion pumps

Speaker information
Professor Avi Rubin
Dept. of Computer Science
Johns Hopkins University
Email: [email protected]
avirubin.com
@avirubin