Presentation at the SecConX conference by Rajesh Vargheese. The presentation highlights how the Healthcare reforms are driving key healthcare IT transitions, and how it can create security implications. Using Internet of things enabled E-health as an example, the presentation highlights some of considerations that must followed to ensure the sanity of data exchange.

1. At the Security Crossroads of Healthcare
Reforms and IoT enabled e-Health
Rajesh Vargheese
CTO, Cisco Healthcare Solutions
4/16/2014
SecConX Conference 2014

2. 2SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Agenda
• Healthcare Reforms
• Key Healthcare IT transitions
• Transitions created security
challenges
• Internet of everything
enabled e-Health
• E-Health Architecture and
Security touch points
• PHI Data and Healthcare
Attack Vectors
• Healthcare Regulations and
Data breaches
• Influencing Healthcare
outcomes
• Conclusion and Q & A

3. 3SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Let’s start with a Stretching Exercise
Show of Hands
How many of you
use some form of
fitness device?
How many of you
have access to a
patient portal?
How many of you
have a healthcare
mobile app?

4. 4SecConX Conference 2014 – Session 4 - Rajesh Vargheese
How many of you were able to do
this 10 years ago?

5. 5SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Healthcare Information Technology Transition
The Last 10 years
The progress that
Healthcare IT has made in
the last 10 years is much
more that the last 50
years combined.

6. 6SecConX Conference 2014 – Session 4 - Rajesh Vargheese
US Healthcare Reforms
• A paradigm shift in fixing healthcare
challenges
• Technology has a key role
• The Carrot and the Stick Approach
• Incentives for compliance
• Payment penalties for non
compliance
• Focus on
• Access to Care
• Care coordination
• Preventive Care
• Improve the quality of health care
• Decrease the cost of health care

7. Cisco Confidential 7
US Healthcare Reforms
Meaningful Use Stages
2014
Stage 1
Data Capture and
Sharing
Stage 2
Advance Clinical
Processes
Stage 3
Improved
outcomes

8. 8SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Value Adds
Health Care Reforms: Key Healthcare IT Transitions
With relevance to Security
Paper
Charts
Electronic
Medical Record
Data access to
Providers in
network only
Data access
to Providers
and Patients
Devices Inside
Hospitals
Devices
Every where
Any time Access
Any where Access
Closer PoC Access

9. 9SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Value Adds
Health Care Reforms: Key Healthcare IT Transitions
With relevance to Security
Siloes of
Hospital Data
Shared Data
Exchange
Controlled
Enterprise
Networks
Transition to
Cloud, Hybrid
Models
Dedicated
Workstations
BYOD, Mobile
Devices and
Apps More Choices
More Data
More Services

10. 10SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Transitions
Key Healthcare IT Transitions
The Hacker’s Delight
Electronic
Medical Record
Data access
to Providers
and Patients
Devices
Every where
Any time Access
Any where Access
Closer PoC Access
Value Adds
Any time Attack, Confidentiality,
Availability, Integrity Attacks, Data in
Motion, Data in Rest Attacks, Privacy
Critical Attack Vectors close to point
of care, Hijacking and Personal
Injury, Channel Attacks, Reduced
Perimeter Defense
Security Challenges
Any where Attack, More Vulnerable
access points, More Attack Vectors,
Reduced Perimeter Defense, Identity
Based attacks

11. 11SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Transitions Value Adds
Key Healthcare IT Transitions
The Hacker’s Delight
Shared Data
Exchange
Transition to
Cloud, Hybrid
Models
BYOD, Mobile
Devices and
Apps
Increased
Data Path,
Dependency
More Choices
More Data
More Services
More Service Paths, Expanded
Business Associates, Availability,
Integrity Attacks, Data in Rest Attacks
More Devices, Less Control, More
Threats and Vulnerabilities from
Shared Access, Increased Loss and
Theft Probabilities
Security Challenges
More Data Paths, More Attack
Vectors, Borderless Vulnerabilities,
Expanded Trust Entities,
Dependencies

12. 12SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Healthcare Internet of Everything
Process
Things
People
Data
Healthcare
IoE

13. 13SecConX Conference 2014 – Session 4 - Rajesh Vargheese
IoE enabled E-Health Architecture
Increased
Data Path,
Dependency
Cloud enabled, Access
from anywhere, anytime,
any device
Access to care teams and
information enabling
patient engagement
Integrated Platform for
seamless access to
devices and applications

14. 14SecConX Conference 2014 – Session 4 - Rajesh Vargheese
The Journey of the e-Health Data
Home
Hospital A
Hospital B
Exchange
Hospital C

15. 15SecConX Conference 2014 – Session 4 - Rajesh Vargheese
IoE Cloud Based E-Health Architecture
Sample Security Touch points
1. Endpoint Device Security
2. Network Security
3. Cloud based Application
Security
4. Data Storage Security
5. Enterprise Application Access
Security
6. Federated Partner Cloud
Services Access Security

16. 16SecConX Conference 2014 – Session 4 - Rajesh Vargheese
The Healthcare Attack Vectors
Device
Application
Network
Infrastructure
Portal, EMR Access control
- AAA, HIE, API interfaces,
Web Security
Communication Devices,
Medical Devices, OS,
Malware, Patch, Location
Channel Attack, Data in
motion, Trust, Integrity,
Confidentiality, Wireless
Hard drives, Data in Rest,
Theft, Physical Access

17. 17SecConX Conference 2014 – Session 4 - Rajesh Vargheese
The Closest Attack Vector
Medical Devices, Implantable Devices
References:
http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/21/yes-terrorists-could-have-hacked-dick-cheneys-heart/
http://go.bloomberg.com/tech-blog/2012-02-29-hacker-shows-off-lethal-attack-by-controlling-wireless-medical-device/
http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm

18. 18SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Healthcare Security Risk Mitigation
• Start with an Information
Security Risk Assessment
• Follow Information Security best
practices with policies
• Control what you can, Monitor and
mitigate the unknown
• Password management – multi
factor authentication
• Mobile device access control and
containerization – separate personal
and business data
• Implement data loss wipe
strategies
• Patch Management
• Threats are constantly evolving
• Leverage an adaptive learning
defense system
• Advanced Malware Protection
• Safety is a Shared Responsibility
• Educate, Enable, at the same time
enforce policies
• Understand Healthcare
Uniqueness
• Half leaked can be more damaging
• Understand PHI life cycle
• Encryption of data in motion and
rest, Business associates

19. 19SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Healthcare Regulations
• HIPAA (Health Insurance
Portability and Accountability
Act)
• HITECH (Health Information
Technology for Economic
and Clinical Health Act)
• HIPAA compliance is a
requirement for meaningful
use.
• HITECH provides financial
incentives for meeting
Meaningful use goals
• Enforced by Department of
Health Human Services
through Office of Civil Rights

20. 20SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Healthcare Data Breaches
Reference: http://datalossdb.org/statistics

21. 21SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Influencing Healthcare Outcomes
Significance of Privacy and Security Health
Outcomes
Evidence
Based
Information
Sharing
Willingness to
Share
AvailabilityIntegrityConfidentiality
Trust
Regulation, Ethics, Rights, Accountability, Safeguards

22. 22SecConX Conference 2014 – Session 4 - Rajesh Vargheese
Conclusion
• Healthcare Reforms is
creating Key Healthcare IT
transitions
• Internet of everything is
connecting the unconnected
• These transitions create new
security challenges
• An Information Security Risk
Mitigation Plan is not an
option, it is a must
• Protect PHI Data and
understand data Life Cycle
• Data breaches are extremely
costly and has a negative
impact
• Leverage best practices of
Information security
• Privacy and Security has an
impact on Healthcare
Outcomes

23. Thank you.