Dear Task Force – you’re missing someone.
I’m not saying that you’re not a bunch of really great people – you are. You’ve got Josh Corman, an individual I’ve always admired since I worked in the same department with him back at IBM. He’s got a fantastic mind for strategy. You’ve got reps from Philips and Symantec, so you’re solid in thinking about the Internet of Things in Healthcare (ITH – I like it. I’m going to use it a lot), anti-virus, and threat intel. You have a great cross-section of healthcare providers, big pharma, HMOs, and government agencies. I admire all that.
I went looking for who was representing application security, and pulled up short. Crickets chirped.
Naturally, it’s something I hoped WhiteHat might have been asked to participate in (hint hint). Applications are one of the fastest-growing attack surfaces in healthcare today, both for ransomware and for information/data breaches. Currently, between 25% and 35% of attacks on patient data come through server-side breaches, and application security isn’t getting the funding to match the risk.
So where are my AppSec dragons? Patient healthcare information is gold on the black market, and frankly if I go into my doctor’s office and they tell me that they cannot see my records today because the top brass is still trying to decide whether to cough up the bitcoins for ransom, I’m going to be spitting fire mad.
I’ve read you cover to cover, HIPAA. And Task Force, I want you to know right now that I care far less about some random unauthorized orderly reading my chart than I care about my personal health information being sold on the black market, having to sort out fraudulent claims made in my name, identity theft, or the endocrinologist saying please come back next week, perhaps my test results will be available then. That’s going to piss me off. And I don’t want to read about the next wave of murder victims in the paper because someone hacked pacemakers and nobody had checked the web interface for those medical devices to make sure it was secure.
So I hope the Task Force thinks about that. PCI DSS already requires that custom application code be reviewed before release by someone other than its author. I’d like to see a lot of things written into the new HIPAA guidelines, aligning them with the information security practices in the NIST SP 800 series: more enforcement of required encryption – not just patient data at rest and in transit, but stored login information, meaning credentials kept as salted, slow hashes rather than in the clear or reversibly encrypted. Good SSL/TLS health: current protocol versions, strong cipher suites, valid certificates. Talk about best practices like virtual patching via WAFs or RASP to support policy where the DevOps remediation will take more than 30 days.
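The "stored login information" point deserves a concrete illustration, because the right control is not encryption at all: a password store should hold a per-user salted hash computed with a deliberately slow function, so a dumped database cannot be turned back into credentials. The following is an added example written for this post, not code from WhiteHat or from any product the Task Force members ship; the record layout (`scrypt$N$r$p$salt$hash`) and the work-factor constants are this example's own assumptions.

```python
"""Credential storage for a web application: salted, slow hashes instead of
encrypted or plaintext passwords.  Added illustration for this post, not code
from the original author or any product mentioned; the record format and the
work-factor constants below are assumptions chosen for the example."""
import hashlib
import hmac
import os

# scrypt work factor: N is CPU/memory cost (power of two), r block size,
# p parallelism.  Assumed policy values; raise N as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, DIGEST_BYTES = 16, 32


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.
    A fresh random salt per user means two users with the same password
    get different records, defeating precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=DIGEST_BYTES)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), digest.hex()])


def _parse(record: str):
    """Split a stored record back into its parameters, salt and digest."""
    scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme: %s" % scheme)
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the hash with the parameters stored in the record and
    compare in constant time, so response timing leaks nothing about
    how many leading bytes matched."""
    n, r, p, salt, expected = _parse(record)
    actual = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, n: int = SCRYPT_N, r: int = SCRYPT_R,
                 p: int = SCRYPT_P) -> bool:
    """True when the record was produced with weaker parameters than current
    policy; the application should re-hash on the user's next successful login
    (the only time it has the plaintext), which is how a policy tightening
    rolls out across an existing user base without a forced reset."""
    stored_n, stored_r, stored_p, _, _ = _parse(record)
    return stored_n < n or stored_r < r or stored_p < p


if __name__ == "__main__":
    # Constructed demo input; nothing here is a real credential.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password accepted:", verify_password(record, "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(record, "Tr0ub4dor&3"))
    legacy = hash_password("correct horse battery staple", n=2 ** 12)
    print("legacy record flagged for rehash:", needs_rehash(legacy))
```

Note what the record does not contain: any reversible form of the password. A WAF or RASP can virtual-patch an injection flaw that exposes this table, but only a slow salted hash keeps the exposed rows from becoming usable logins; that is the difference between "encrypt stored login information" and doing it right.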
If the Task Force can’t address these basic preventative measures in Application Security and HIPAA, that’ll bring out the dragon in me, for sure.