Showing posts with label mobile. Show all posts

Monday, October 19, 2015

“Secure by Design”, IoT in health

Though my subject is Medical Security, this post extends to devices within our home, our car and our pocket. If the device is connected, we need security to ensure privacy.

The most important step to ensuring our privacy and protecting our data starts long before you purchase a device, or before a new connected device is added to a hospital or doctor's office network.

Security starts in the design of the device and is based on software best practices, many of which are not known or enforced in the coder community today. The practice is called the Secure Software Development Life Cycle (S-SDLC) and is taught in the first semester of most Computer Science college curricula. This is where I normally lose the Agile designers, but wait, this will work for Agile as well. We just need to consider the sprints as smaller circles/life cycles; more about this later.

There is one large caveat to designing medical software: if it falls under the FDA definition of a medical device it must follow IEC 62304, which is waterfall design, at least for the documentation. Not all software for medical use needs FDA approval, e.g., EHR (Electronic Health Records) systems do not fall under FDA jurisdiction. Why? Good question; however, we will leave this for another discussion.

One issue software faces today is the lack of Computer Scientists. There are many great coders doing good work; however, the oversight seems to be lax. Oversight is the responsibility of the vendor that owns the software and the customer who purchases the software, e.g., a hospital purchases a solution to store PHI, something goes wrong and the data is compromised. It is the hospital's responsibility to report the breach and, most likely, to compensate the patients that have been harmed by it.

S-SDLC

Secure SDLC is based on SDLC, a best practice for designing and delivering robust software.



The life cycle is drawn as a circle: a series of steps, starting at the top, describing the development of the software.
S-SDLC takes security into account at every step of the cycle, e.g., in the Requirements phase, add security requirements.

One of the most important parts of the cycle is testing; it is the last chance to catch a problem before it gets to the customer. Because of the emphasis placed on iterations and quick delivery, many coders today do not agree.

There is a V-Model for SDLC that stresses the testing phase by including 5 levels of testing. Many in the Agile community feel that this model is too close to Waterfall design. I do not wish to debate; however, I did want to show the testing phases that must be implemented in order to protect data.



  • Unit testing
  • Integration testing
  • System testing
  • User acceptance testing


User Acceptance Testing is one of the most important phases because it tests the system the way the customer will use it. I suggest that organizations perform this testing themselves to make sure they are getting the protection and operation that was sold to them.

As IoT solutions become more available in healthcare, we will need to be more diligent in protecting our privacy and the privacy of our patients. We can no longer accept the notion that a product, service or vendor is secure; we must follow through and be sure.

Security isn't something that you can buy so much as it is a way of thinking, designing, testing and implementing. Organizations must train their people to think about security first, in everything they do. We also must implement systems that allow employees to report suspected security problems without repercussions, i.e., without shooting the messenger. Security is a team effort, both strategic and tactical.

Wednesday, August 6, 2014

The passwords have met their match

Yesterday, it was announced that a Russian crime syndicate has stolen 1.2 billion identities. As of the next day it was still not known where or whose IDs were stolen. The media is suggesting that we change all usernames and passwords. I, like many, have at least one hundred usernames and passwords; this would be no small feat to change them, and most likely I won't. Many times it is difficult or impossible to change usernames.

One of the primary issues leading to all of these cyber attacks is the millions of places where passwords are stored. Each website keeps your username and password on its own systems. There are systems (OAuth) that allow sites like Google and Facebook to share credentials with other sites, granting access without setting up new credentials; however, that means you have to trust sites like Facebook to store your credentials. Since these companies make their money from selling information via advertising, well, you get it.

We must ask why these passwords were not encrypted. It was poor design and oversight. Data at rest is always vulnerable; it is the "edge" that gets hacked, i.e., data can be sent over secure links, such as SSL, but when it is moved or temporarily stored during processing it is vulnerable, and if the data is not encrypted when stored, it remains vulnerable to theft. Credit card data before the PCI compliance rules had the same issues. Compliance, however, isn't a law such as HIPAA, but maybe it is time for legislation covering all password data.

There needs to be a better system for identification and authorization. Usernames and passwords have met their match: the well-funded, sophisticated hacker, the new cyber criminal.

Jeff Brandt
www.deKaG.com


Tuesday, June 3, 2014

What's your recipe for a great mHealth App? (Sean Broomhead previously posted this question on LinkedIn.)

Jeff Brandt

Knowing what problem you are trying to solve is the most important part of any product. The next is having a team that understands the problem and how to solve it or find solutions for it.

One of the biggest problems that I have run into is the lack of understanding from both the clinical and technical side of the solution. Many technical people attempt to solve healthcare without domain expertise. Yes, we are all patients, which is the main reason you see so many patient-facing apps; however, if you want to build medical apps you will need clinical domain experts. Then you have doctors that want to build apps without having technical knowledge or without understanding the software process. Both roads can quickly lead to failure. It takes BOTH technical and clinical expertise to build mHealth apps or systems.

Systems and apps are mostly worthless without a link into the ecosystem of healthcare. You must think of an app as just the client of the system; it is like the steering wheel of a car. You shouldn't care if it is an iPhone or Android, that is the end user's decision; app developers need to support what the market wants. The system is what is important in mHealth: how you connect and interoperate with providers, family, and patients.

Jeff Brandt 

Tuesday, March 29, 2011

Mobile changes everything

Mobile presents one of the largest paradigm shifts of all time. I recently read an article that ranked the iPhone the eighth top invention of all time. The wheel was first. But mobile is not about communication, it is about connectivity. A fully connected society, a connected world. We must rethink our current strategies on everything. From banking to healthcare to communication, mobile changes it all. The advertising industry is going to change significantly. We are moving from print, TV, radio and computers to always "on" (connected and on our person) personal devices. Each time a person looks at the screen of the phone/device they will receive impressions, not the old CPC (Cost Per Click) type, but in many different forms: audio, visual, static and participating impressions. The number of hits (old term) will become more a number of experiences (Mx) and will be exponential.

As many of you know I am very interested in healthcare and its future in the world. Mobile will have a huge impact on healthcare. Soon we will have implanted monitoring devices that will feed data to a site such as Microsoft HealthVault; decision support systems will analyze the data in real time and alert the patient/consumer and provider of changes in your body. But the biggest change that mobile will provide in health is the ability for the consumer to become involved with their own health in real time. Our phones will become the remote control of our healthcare, and the screens will have dashboards so that we can monitor ourselves in real time. The next subject that I plan to discuss is changing our views of mobile and opening our thoughts up to the possibilities of engagement.

Jeff