Connected Devices: Cybersecurity & Compliance Summit

http://connected-devices-summit.com

December 11-12, 2018 at the Hotel Kabuki in San Francisco.

On December 11^th, I was joined by a great team to conduct a 2.5-hour workshop entitled “Cybersecurity for Medical Devices is a “Team Sport.” Assisting with the workshop were:

• Jason Johnson, Information Security Officer, Marin General Hospital
• Matthew Jones, Clinical Engineering Security Specialist, Intermountain Healthcare
• Deb Muro, Chief Information Officer, El Camino Hospital
• Christine Sublett, President & Principal Consultant, Sublett Consulting, LLC

The workshop focused on how device developers can collaborate with hospitals and clinics to help make sure medical devices are set up and managed to protect patients’ privacy and safety.

The highly interactive session was conducted by a team with diverse backgrounds, including a hospital CIO, a clinical engineer, a hospital information security officer, and two neutral cybersecurity consultants to facilitate and moderate. Topics covered included:

• Considerations during procurement, integration and operations
• Defining best practices for device inventory management and monitoring device behavior and network traffic for potential cybersecurity attack indications
• Ways of thinking about the issues in terms of people, process, and technology
• Views on how connected medical device cybersecurity can be approached as a ‘team sport’ involving collaboration among manufacturers, regulators, providers (hospitals and physicians), supply chain, and patients
• Understanding how hackers plan their attacks
• Ideas for ways potential risks may be mitigated

Group exercises and case studies were included.

There are over 5,000 hospitals in the U.S. and I’ve seen the number 6,000 as the number of medical device manufacturers. Medical devices are increasingly built with network connectivity. Examples include heart monitors, infusion pumps, glucose monitors, and assorted other treatment and diagnostic devices.

Cybersecurity has traditionally been concerned with Confidentiality, Availability, and Integrity of data. However, in medical devices and critical infrastructure (such as the electric power grid), the potential for harm means we have to include Safety when we think about cybersecurity.

On December 11, 2018, I’ll be leading the INTERACTIVE WORKSHOP: Cybersecurity For Medical Devices Is A “Team Sport” at the Connected Devices: Cybersecurity & Compliance Summit in San Francisco at the Kabuki Hotel. See http://connected-devices-summit.com. This interactive workshop will focus on how device developers can collaborate with hospitals and clinics, who purchase network-connected medical devices and need to operate them in their complex networks. This highly interactive and hands-on session will be conducted by a team with diverse backgrounds, including a hospital CIO, a clinical engineer, a hospital information security officer, and two neutral cybersecurity consultants to facilitate and moderate.

My collaborators for this workshop include:

• Deb Muro, Chief Information Officer, El Camino Hospital
• Jason Johnson, Information Security Officer, Marin General Hospital
• Matthew Jones, Clinical Engineering Security Specialist, Intermountain Healthcare
• Christine Sublett, President & Principal Consultant, Sublett Consulting, LLC

If you’d like to read more on the subject, see the following or contact me for more references.

• Click Here to Kill Everybody: Security and Survival in a Hyper-connected World (2018)
  A Book by Bruce Schneier https://www.schneier.com/books/click_here/
• Report on Improving Cybersecurity in the Health Care Industry https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

Free Sneak Preview Event:

Network-Connected Medical Devices: What Could Possibly Go Wrong?

A presentation at Triple Ring Technologies’ MedTech Frontiers the evening of March 1, 2018. See http://www.tripleringtech.com/march-1-2018-network-connected-medical-devices-possibly-go-wrong-examining-iot-security-blockchain-technologies/

---

The Main Event:

The Symposium on Securing The Internet of Things (http://securingthenet.com) took a deep dive on what it will take to protect the billions of devices on which we depend for critical infrastructure, healthcare, and our homes. I led a panel discussion on Security for Network-Connected Medical Devices.

The event was March 5 – 7, 2018 at the Crowne Plaza Hotel in Burlingame, CA (near San Francisco Airport). [See agenda at https://42tek.com/STIOTAGENDArev6.pdf] 
My session addressed security topics in medical device design and manufacturing, usage in hospitals, remote monitoring, and related legislative, regulatory, and standards initiatives. Bill Saltzstein of Code Blue Communications, Peyton Paulick Kochel, Ph.D. of Proteus Digital Health, and Eric Pancoast of Medcrypt participated in the panel and May Wang of Zingbox gave a keynote presentation.

Please use the contact form if you would like to request the slides.

Some references on the medical devices topic may be found here.

I gave a webinar on Blockchain and IoT at Global IoT DevFest Virtual Conference Nov 7-8, 2017. See http://globaliotfest.withthebest.com [link to video]

I gave a presentation on Blockchain and IoT for the Silicon Valley Insurance Accelerator Blockchain Bootcamp in Palo Alto on December 6, 2017. See http://sviaccelerator.com/insurtech-bootcamp-block-chain-01/.

I am helping a Fortune 500 company prepare for its annual assessment for compliance with the Payment Card Industry Data Security Standard (PCI DSS). I should be done with this around May 2018.

Did you know that Northeastern University has a Silicon Valley campus? Not only that, but they offer a 13-week course on the Internet of Things (http://info.leveledu.com/iot). I’m just wrapping up the capstone project for the class. Among other things, we did some interesting work with small sensors and some Arduino devices, worked with networks and Raspberry Pi devices, and explored Fog Computing. My capstone project involves a sensor to detect when a collection box is full. Of course, one of my main interests in this is how to design and maintain security for Internet-connected devices.

In addition to the talks I have been giving, here is a selection of references to help you get up to speed on Blockchain Technology and how it may be used. Please use the Contact Form if you want to get in touch to discuss a specific question or need that you may have for Product Development, Implementations, or Program Management.

 

YouTube

“Blockchain 101 – A Visual Demo” at https://www.youtube.com/watch?v=_160oMzblY8 and a great interactive tool to try out at https://anders.com/blockchain/hash.html (click on the tabs at the top to see different parts)

How Bitcoin Works Under the Hood: https://www.youtube.com/watch?v=Lx9zgZCMqXE

Building a Blockchain in Under 15 Minutes – Programmer explains: https://www.youtube.com/watch?v=baJYhYsHkLM

Books

The Business Blockchain: Promise, Practice, and Application of the Next Internet Technology by William Mougayar

Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World by Don Tapscott

Blockchain and IoT

http://infocastinc.com/insights/technology/blockchain-using-bitcoins-robust-architecture-to-secure-the-internet-of-things/

https://www.ericsson.com/hyperscale/cloud-infrastructure/data-centric-security/data-integrity-assurance

http://www.bloomberg.com/news/articles/2016-05-19/built-for-bitcoin-blockchain-goes-beyond-crypto-currency

Trusted IoT Alliance: https://www.trusted-iot.org

More Articles & Blog Posts

A Beginner’s Guide to Blockchain Technology: https://www.coindesk.com/information/

https://hbr.org/2017/01/the-truth-about-blockchain

http://fortune.com/2017/08/22/bitcoin-ethereum-blockchain-cryptocurrency

http://fortune.com/2017/08/22/fortune-500-blockchain-ledger-delaware/

http://www.newsweek.com/blockchain-technology-will-remake-global-financial-system-462537

https://www.coindesk.com/us-centers-disease-control-launch-first-blockchain-test-disaster-relief/

http://fortune.com/2016/05/23/blockchain-definition/

http://www.cio.com/article/3055847/security/what-is-blockchain-and-how-does-it-work.html

http://www.kayescholer.com/docs/IntrotoBitcoinandBlockchainTechnology.pdf

http://www.economist.com/news/briefing/21677228-technology-behind-bitcoin-lets-people-who-do-not-know-or-trust-each-other-build-dependable

https://www.hyperledger.org

https://www.ethereum.org

Courses

The Basics of Blockchain: https://www.udemy.com/the-basics-of-blockchain/

Blockchain 101: https://www.udemy.com/blockchain101/

Bitcoin and Cryptocurrency Technologies: https://www.coursera.org/learn/cryptocurrency

Blockchain for Business – An Introduction to Hyperledger Technologies: https://www.edx.org/course/blockchain-business-introduction-linuxfoundationx-lfs171x

Blockchain Basics: A Practical Approach: https://www.creded.ai/Course/udemy/blockchain-basics-a-practical-approach-by-toshendra-sharma

“$700 Billion Senate Defense Bill Calls for Blockchain Cybersecurity Study”

https://www.coindesk.com/700-billion-senate-defense-bill-calls-blockchain-cybersecurity-study/

“A $700 billion defense bill passed by the US Senate includes a mandate for a blockchain study to be conducted by the Department of Defense.”

“Yesterday, the US Senate passed a massive defense spending package that provides hundreds of billions of dollars to the US military. Public records show that an amendment included in that bill, proposed by Senator Rob Portman of Ohio, would “require a report on cyber applications of blockchain technology” if signed into law.”

Perhaps a good idea, but probably deserves some discussion.

The amendment specifically calls for

“…a report on the potential offensive and defensive cyber applications of blockchain technology and other distributed database technologies and an assessment of efforts by foreign powers, extremist organizations, and criminal networks to utilize these technologies. Such report shall also include an assessment of the use or planned use of blockchain technologies by the United States Government or critical infrastructure networks and the vulnerabilities of such networks to cyber attacks.”

For one thing, I would recommend deleting the option for the report to be submitted in classified form, while possibly still allowing it to be submitted “…in unclassified form with a classified annex.” I hope people will discuss this, or at least get the issue into the legislative history, before this goes through. It would be a shame to spend taxpayer dollars for such a study, only to have it buried as a classified document.

Here’s an excerpt from the Sept 18, 2017 version of the proposed amendment to the National Defense Authorization Act for Fiscal Year 2018:

https://www.congress.gov/amendment/115th-congress/senate-amendment/1055/text

AMENDMENT NO. 1055

(Purpose: To require a report on cyber applications of blockchain technology)

At the end of subtitle C of title XVI, add the following:

SEC. 1630C. REPORT ON CYBER APPLICATIONS OF BLOCKCHAIN

TECHNOLOGY.

(a) Report Required.–Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense, in consultation with the heads of such other agencies and departments as the Secretary considers appropriate, shall submit to the appropriate committees of Congress a report on the potential offensive and defensive cyber applications of blockchain technology and other distributed database technologies and an assessment of efforts by foreign powers, extremist organizations, and criminal networks to utilize these technologies. Such report shall also include an assessment of the use or planned use of blockchain technologies by the United States Government or critical infrastructure networks and the vulnerabilities of such networks to cyber attacks.

(b) Form of Report.–The report required by (a) may be submitted–

(1) in classified form; or

(2) in unclassified form with a classified annex.

(c) Appropriate Committees of Congress Defined.–In this section, the term “appropriate committees of Congress” means–

[[Page S5795]]

(1) the Committee on Armed Services, the Select Committee on Intelligence, and the Committee on Homeland Security and Governmental Affairs of the Senate; and

(2) Committee on Armed Services, the Permanent Select Committee on Intelligence, and the Committee on Homeland Security of the House of Representatives.

 

 

• Reference on what happened at Equifax
• Digital identity tokens
• Obstacles to national ID
• Blockchain for securing personal identity
• Upcoming events / discount codes

The Equifax data breach is another wake-up call regarding the security of personal information. Perhaps it will add impetus to the idea of enhancing ways for individuals to safeguard their personal information that is stored by institutions. Maybe some of the ideas for using blockchain technology will be helpful.

SC Magazine published an article detailing what is thought to have occurred in the Equifax breach: “Apache Struts vulnerability likely behind Equifax breach, Congress launches probes.” (https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/) The author notes,

“The incident could also ‘have wide-reaching implications for how Americans identify themselves in the future, such as when applying for banking and credit services – simply knowing a name, date of birth, address and Social Security number shouldn’t ever be enough,’ says [Alex] Smith. ‘This breach could finally be the security wakeup call the US needs to widely adopt digital identity tokens, and potentially a digital national identity scheme similar to other countries such as Belgium.’” [see “The Belgian Electronic Identity Card (Overview)” https://www.esat.kuleuven.be/cosic/publications/article-769.pdf]

There are two reasons why a national digital identity scheme may be a long time coming in the US. First, it would run into conflicts with our having 50 states and other jurisdictions like the District of Columbia, Puerto Rico, and Guam, each issuing identity credentials, such as driver’s licenses. Second, we have a history of shunning national identification (paradoxically for fear of privacy concerns), as evidenced by Congress specifically saying that no federal funds shall be spent on a national health identification number (see PUBLIC LAW 105–277—OCT. 21, 1998, “None of the funds made available in this Act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act (42 U.S.C. 1320d–2(b)) providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the standard.”).

Given these national obstacles to updating how identity is managed in the US, it seems we may have to rely on the marketplace to come up with solutions, instead of waiting for government to take the lead. I expect we’ll see some Congressional hearings as a result of the Equifax breach, but probably no meaningful legislation.

One possibility for marketplace activity is for institutions that rely on identity, such as banks, insurers, and so on, to adopt blockchain technology. Earlier this year, there was an article in Forbes on this: “How The Blockchain Will Secure Your Online Identity” (https://www.forbes.com/sites/jonathanchester/2017/03/03/how-the-blockchain-will-secure-your-online-identity/#e9d4bda55234).

I can imagine organizations making it a selling point to be able to provide customers with apps that allow them to control who and when their information can be accessed.

The idea is not new. It is discussed in “How GDPR plus blockchain leads to the future of self-sovereign identity” (http://www.janrain.com/how-gdpr-plus-blockchain-leads-to-the-future-of-self-sovereign-identity/). This article references a 2015 paper that concludes, “Personal data, and sensitive data in general, should not be trusted in the hands of third-parties, where they are susceptible to attacks and misuse. Instead, users should own and control their data without compromising security or limiting companies’ and authorities’ ability to provide personalized services.” (“Decentralizing Privacy: Using Blockchain to Protect Personal Data” http://web.media.mit.edu/~guyzys/data/ZNP15.pdf)

[Update 9/15/17: “Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March.” (https://www.wired.com/story/equifax-breach-no-excuse/) and “Equifax (EFX) says its chief information officer and chief security officer are leaving the company…” (https://www.cbsnews.com/news/2-equifax-executives-exit-after-massive-data-breach/).

If you want to hear more on blockchain technology, here are a couple of opportunities:

• September 18-20, 2017: A half-day workshop by renowned blockchain author Melanie Swan, plus two other blockchain presentations, including mine on Blockchain and the Internet of Things,at the 38th IEEE Sarnoff Symposium at the New Jersey Institute of Technology in Newark, NJ. See https://ewh.ieee.org/conf/sarnoff/2017/. For a 20% discount, email Deepak Kataria at dkinnovate77@gmail.com and mention David Snyder.
• October 23-24, 2017: Blockchain 360, InterContinental Times Square,
  New York City. See https://tmt.knect365.com/blockchain-360/
• November 28-30, 2017: Blockchain Expo / IoT Expo / AI Expo in Santa Clara, CA. See https://blockchain-expo.com/northamerica/. Register with promo code 42TEK20 for a 20% discount. Free Expo Pass also available. Email me at david@42tek.com if you want to connect there.

I am available for presentations and consulting on blockchain technology and data security: david@42tek.com.

 

Please take a look to see whether any of these items are of interest. Especially the upcoming meetings with discount codes.

You probably know of my interest in data security and digital health. Over the last year, I’ve also been working on ways to use blockchain technology in these areas and am available for consulting and presentations.

– Check out my earlier blog posting about data provenance, data quality, and data security for Internet-connected devices at https://42tek.com/2017/07/23/iot-data-provenance-quality-and-security/

– Last year, I conceived and produced a half-day Blockchain Symposium in Redwood City, CA. (http://events.42tek.com – the site includes a number of references) Since then, I’ve either moderated or presented at several other blockchain events. See https://42tek.com/meetingsreferences-html/

– September 19, 2017, I presented Blockchain and the Internet of Things at the 38th IEEE Sarnoff Symposium at the New Jersey Institute of Technology in Newark, NJ. See https://ewh.ieee.org/conf/sarnoff/2017/. For a version of the slides, please request via the Contact Form on this web site.

–  October 1-4, 2017, I’ll be working at the Health 2.0 11^th Annual Fall Conference in Santa Clara, CA. See https://fall2017.health2con.com. Email me at david@42tek.com if you want to connect there.

–  November 28-30, 2017, I’ll be attending the Blockchain Expo / IoT Expo / AI Expo in Santa Clara, CA. See https://blockchain-expo.com/northamerica/. Register with promo code 42TEK20 for a 20% discount. Free Expo Pass also available. (details below) Email me at david@42tek.com if you want to connect there.

If we are not already connected on LinkedIn, please see http://www.linkedin.com/in/dmsnyder and send an invitation to connect.

++++++++++++++++++++++

Blockchain Expo North America 2017 (co-located with IoT Tech Expo and AI Expo)

Santa Clara Convention Center 

November 28-30, 2017

See https://blockchain-expo.com/northamerica/

The world’s largest Blockchain conference and exhibition

Blockchain Expo will be arriving in the Santa Clara Convention Center on November 28-30 2017, bringing together 2000 people across key industries for three days of world-class content from leading brands embracing and developing cutting edge blockchain technologies.

Co-located with IoT Tech Expo and AI Expo which attract in excess of 7000 attendees, Blockchain Expo will showcase the latest developments in the Blockchain arena, in both emerging and more established markets.

The Blockchain for Industry conference track will look at a variety of platforms and services from startups to cloud providers, including developer networks, applications and APIs as well as the impact on legal, finance and government sectors with smart contracts.

Blockchain Technologies & Development will focus on the evolution of blockchain and its applications. The conference will explore the many launches and trials being conducted, the different uses of blockchain technology in these verticals, and the vast opportunities in these sectors.

>> 20% discount code valid for use with the Blockchain Expo, IoT Tech Expo and AI Expo: 42TEK20

 

I’ve long been concerned with the quality of data generated by field sampling and remote monitoring programs. First in environmental investigations — then in healthcare.

Internet-connected devices need to be designed to ensure that the data they provide is sufficiently reliable for its intended use, such as big data analytics.

“Gartner, Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day.” (http://www.gartner.com/newsroom/id/3165317).

Many of these “Internet of Things” (IoT) devices contain sensors that will collectively generate petabytes of data and there has been much discussion of so-called “Big Data” analytics for managing and making sense of this data. Most of these big data discussions seem to assume that the data is good. The phrase “garbage in/garbage out” is fairly well known, but there does not seem to be much discussion of its importance for data analytics. Decisions based on poor data may yield the wrong results.

Key considerations to make sure that good data is used include the provenance of the data and its quality. That is, reliable knowledge about the source of the data (provenance) and an appropriate level of certainty about the timeliness and correctness of the data (quality). In this context, “correctness” means that the data is sufficiently accurate, precise, and specific. Correctness also means that the data is appropriate for its intended use.

Data users depend on an appropriate level of security for the data. This includes data at rest (in storage), data in motion (being transmitted), and data in use (being analyzed). Security is not just about confidentiality, but includes integrity (not corrupted or deleted), availability (able to be accessed when desired), and non-repudiation (once established, cannot be revoked or denied). Remote patient monitoring devices and environmental sensors are examples where high assurance regarding provenance, quality, and security can be important.

Until recently, more attention has been given to confidentiality than to integrity and availability. Thousands of articles have been written about preventing hackers from stealing information. Additionally, consciousness about security for Internet-connected devices has been raised due to the role of Internet-connected devices in recent Distributed Denial of Service (DDoS) attacks on web sites and Domain Names Services (DNS). While these are important issues to address, going forward, industry and government need to pay more attention to also ensuring these Internet-connected devices are producing high quality data and that the source of the data is adequately identified, so that consumers of such data can have confidence in what they are receiving.

Besides Internet-connected devices collecting and reporting data, other connected devices are used for executing actions, such as opening and closing valves. Some of these devices operate autonomously or semi-autonomously using data delivered via local, wide-area, or cloud networks to trigger actions. For example, local or remote sensors that trigger controls to shut down an overheating machine or shut it down when other conditions make it necessary.

Similar to remote data sensing devices, remotely-triggered devices need to have confidence regarding data provenance, quality, and security. In other words, confidence that information or commands are coming from an authorized and trusted source, that the information is correct, and that the system has not been compromised.

During the design, development, and implementation of IoT devices and associated structures, a systematic approach is needed to ensure that data provenance, quality, and security are adequately addressed. It is not sufficient to conduct security reviews after products have already been developed. Strategies and tactics are needed to (i) establish appropriate levels for provenance, quality, and security, (ii) ensure they are implemented and maintained, and then (iii) monitor compliance. Ideally, these will be expressed in a set of best practices for the design, manufacture, and implementation of Internet-connected devices.

Additional notes:

Blockchain technology, which is the underlying technology supporting Bitcoin and other cryptocurrencies, is starting to be used to address the issues of Provenance. Distributed ledgers built with blockchain technology provide a trusted, immutable, time-stamped record of transactions or assets.

Here are just a few examples:

• “Chronicled leverages blockchain and smart labels to create an open system of authenticity, ownership, provenance & connectivity for assets” and “We sign sensor data and log to blockchain to secure data provenance.” See http://chronicled.com
• “Health Linkages is the Data Provenance Company. We use blockchain and big data technologies to enable healthcare institutions to trust, protect, and share their data.” See http://healthlinkages.com
• “Maureen Downey and Everledger have joined forces to launch the Chai Wine Vault, an unprecedented solution for securing the authenticity and provenance of fine wine. See https://www.winefraud.com/chai-wine-vault/. Also, “Everledger provides an immutable ledger for diamond ownership and related transaction history verification for insurance companies, owners, claimants, and law enforcement agencies. It was founded on April 10, 2015, and is based in London, United Kingdom.” See https://www.everledger.io
• “Catenis Enterprise thwarts hacking attacks by always ensuring that every single communication sent to and from all devices uses cryptographic signature verification. This ensures that devices only accept commands and signals that are verified by military grade cryptography. Creating peace of mind for your security team and your company.” See http://blockchainofthings.com/downloads/CatenisDataSheet.pdf
• “The blockchain is becoming the new standard for trust and verification of data. Tierion turns the blockchain into a global platform for verifying any data, file, or process. Use Tierion’s API and tools to anchor a permanent, timestamped proof of your data in the blockchain.” See https://tierion.com

* * *

See https://42tek.com/meetingsreferences-html/ , http://events.42tek.com/about-blockchain/ , and http://events.42tek.com/presentations/ for links to articles and presentations regarding blockchain technology.

Contact david@42tek.com to participate in discussions of best practices for IoT data provenance, quality, and security.

On July 13, 2017, I gave a presentation at the evening meeting of the Professional and Technical Consultants Association (PATCA) in Sunnyvale, California.  PATCA is Silicon Valley’s longest operating non-profit professional association dedicated to serving independent consultants and the client companies that use them. See https://patca.org/meetup/patca-evening-networking-discussion-meeting-30/.

The presentation explained how Blockchain technology works and how it is being adopted for a variety of IoT use cases. For example, distributed ledgers containing time-stamped, immutable records of device configurations and data generated by IoT devices. Also, enabling devices to interact and transact at the “edge” of the network, instead of in the “cloud.”