SXSW 2023 Submission Supplement: Your Body is a Unique Database. Who Owns It?

1. 1
Source: Content derived from playbook.dimesociety.org
Your Body is a Unique Database.
Who Owns It?
SXSW 2023 PanelPicker Submission
Speakers:
Stephen Ruhmel
Andy Coravos
Oana Cula
Sachin Shah

2. 2
2
Failure to safeguard against security threats and violations of
individuals’ data rights is also a risk to researchers and clinicians.
Theft is a data
security issue.
Misuse is a data rights
issue.
Safeguarding patient data is a safety issue
The Playbook / Build the shared foundation / Technologies
Source: Coravos A. et al, Playbook team analysis 2
Although the security of a
system cannot be guaranteed,
quality design and execution
can decrease the risk of harm
from code flaws, configuration
weaknesses, or other issues.
Notably, some data and system
access may be authorized (or perhaps
“not forbidden”), though unwelcome
or undisclosed to the patient or other
stakeholders. This type of access will
also be covered in the next section.
While the most likely and
most harmful data risks
stem from data loss
through accidental deletion
or failure of continuity
measures, it is also critical
to protect against data
abuse:

3. 3
3
Overview of security risks posed by connected sensor
technologies
The Playbook / Build the shared foundation / Technologies
Source: Coravos A. et al, Playbook team analysis 3
By definition, connected sensor
technologies transfer data over the
internet, which introduces immediate
risks because:
• an actor could attack and access the
product remotely, and
• often in near-real time.
Cybersecurity involves:
• protecting internet-connected systems,
data, and networks from unauthorized
access and attacks
• including human error (e.g., the loss of
a company’s unencrypted laptop).

4. 4
4
As a result more responsibilities are now placed on companies to deal with
cybersecurity threats, which many organizations are unprepared to handle.
HHS FTC FDA SEC State laws
HIPAA
• Security Rule
• Breach
Notification Rule
FTC Act
• Section 5: “unfair
or deceptive acts
or practices”
FDA Guidances
• Postmarket
Management of
Cybersecurity in
Medical Devices
Guidance
SEC Guidances
• CF Disclosure
Guidance: Topic
No. 2: public
company
disclosures re
cybersecurity risks
& cyber incidents
• Unofficial guidance
• Ransomware Alert
Consumer protection
laws:
• Little FTC Acts,
laws based on the
Uniform Deceptive
Trade Practice Act
Breach notification
laws
In the U.S. there is no single regulatory agency tasked
with enforcing a uniform set of cybersecurity standards
The Playbook / Build the shared foundation / Technologies
Source: Playbook team analysis 4

5. 5
5
GDPR Cybersecurity Act DGA Data Rights Act Member states
GDPR
• Principles and
conditions for the
processing of
personal data
• Individuals’ rights
• Data transfers
• Breach reporting
Cyber Act
• Establishes a
permanent EU
agency
• Create an EU ICT
certification
framework
Data Governance Act
• Draft released in
late 2020
• Sets out
requirements
for data re-use
by public
bodies,
intermediaries
and data
altruism
Data Rights Act
• First draft
anticipated in 2021
• Will likely update
the rights of
individuals and
organisations in
the GDPR
Cyber security laws
Consumer protection
laws
The E.U. has a growing catalogue of centralised
regulations
The Playbook / Build the shared foundation / Technologies
Source: Playbook team analysis 5
These cover aspects of both security and data rights, privacy, and governance.

6. 6
6
White hat
• Considered to be good; known as
“Security researchers”
• Perform ethical style of hacking on
mission critical networks
• Report vulnerabilities by following
policies of coordinated disclosure
Grey hat
• Considers themselves acting for
good, but does so in accordance to
their own values and ethics, which
may not track with governing laws
and regulations
• Prioritize their own perception of
right vs. wrong over what the
lawyer might say
Black hat
• Exploit security flaws for personal
or political gain - or for fun
• Considered cybercriminals; not
concerned if they do something
illegal or wrong
If it’s connected to the internet, it can be hacked
Learn about the different types of hackers:
The Playbook / Build the shared foundation / Technologies
Source: Adapted from Lahjaty: White hat vs black hat, Playbook team analysis 6

7. 7
7
White hat
• Considered to be good; known as
“Security researchers”
• Perform ethical style of hacking on
mission critical networks
• Report vulnerabilities by following
policies of coordinated disclosure
Grey hat
• Considers themselves acting for
good, but does so in accordance to
their own values and ethics, which
may not track with governing laws
and regulations
• Prioritize their own perception of
right vs. wrong over what the
lawyer might say
Black hat
• Exploit security flaws for personal
or political gain - or for fun
• Considered cybercriminals; not
concerned if they do something
illegal or wrong
Build strong relationships with security researchers
The Playbook / Build the shared foundation / Technologies
Some “hackers” can be your friends and others are foe.
Source: Adapted from Lahjaty: White hat vs black hat, Playbook team analysis 7

8. 8
8
The FDA has been building relationships with security researchers
through initiatives like WeHeartHackers.org at DEFCON
The Playbook / Build the shared foundation / Technologies
Source: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - FDA, We heart hackers, Playbook team analysis 8

9. 9
9
To get more involved in the security research community, I Am the
Cavalry and Biohacking Village @ DEFCON, a 501(c)3, can support you
The Playbook / Build the shared foundation / Technologies
Source: I am the Cavalry, Biohacking village, Wired, Playbook team analysis 9

10. 10
10
DRAFT FOR PUBLIC COMMENT
Source: https://healthpolicy.duke.edu/publications/roadmap-developing-study-endpoints-real-world-settings,
Playbook team analysis 10
Figure 3. Multiple vulnerability pathways
The risk of including third-party software
components in healthcare technologies can be
managed, in part, by leveraging a software bill
of materials (SBOM). Analogous to an
ingredients list on food packaging, an SBOM is
a list of all included software components.
SBOMs provide transparency into a medical
technology’s components, which can
eventually reduce the feasibility of attacks.
SPOTLIGHT
Use a software bill of materials
(SBOM) to make your supply chain
more resilient
The Playbook / Build the shared foundation / Technologies
Source: Carmody S. et al, Playbook team analysis 10

11. 11
11
HHS FTC State laws
HIPAA
• Privacy Rule
FTC Act
• Section 5: “unfair or
deceptive acts or
practices”
Patient privacy laws based on HIPAA, e.g.:
• CMIA (California)
• TMPA (Texas)
Consumer privacy laws, e.g.:
• CCPA (California)
• BIPA (Illinois)
U.S. law does not have explicit regulations that give consumers
full control over how their data is collected, used, and shared.
Data rights are limited to a
patchwork of protections.
U.S. legal protections for data rights are limited
The Playbook / Build the shared foundation / Technologies
Source: Playbook team analysis

12. 12
12
Example: Data rights considerations
The Playbook / Build the shared foundation / Technologies
Source: Coravos A. et al, Playbook team analysis
Does the device have
any end-user license
agreements (EULA) or
terms of service
(ToS) and privacy
policies (PP)?
Are these policy
documents
comprehensive?
Are these documents
easily accessible (e.g.,
publicly accessible
online)?
Is the information
contained in them
comprehensible by
broad audiences?
ILLUSTRATIVE
12