White hat hacker talks mobile security
November 12, 2014 in Medical Technology
At just 16 years old, Crowley was system administrator for a high school, with access to hundreds of computers. “At the time, the late ’80s, computer networks were very open. I was logging into servers all over the world with pretty much free rein,” he said.
Now an independent consultant in Washington, D.C., and lead instructor for the SANS Institute’s Mobile Device Security and Ethical Hacking course, Crowley will moderate “BYOD and MDM: Managing Risk on the Mobile Perimeter,” part of the Privacy Security Symposium on Sunday, Dec. 7, at the mHealth Summit.
He is one of more than 20 privacy and security experts from leading healthcare, academic and government organizations who will speak at the one-day symposium. Speakers will share best practices, lessons learned, case studies and advice to help providers address BYOD, malware, medical device security and other prominent mobile privacy and security challenges and threats.
Crowley’s career path led him to network management roles at Tulane University, the National Institutes of Health and the Department of Energy, where he managed incident response for the agency’s highly sensitive nationwide network.
“At NIH and Energy, I did a lot of web application penetration testing,” he said. “I would identify flaws that developers might have in their applications and would work with them to remediate the flaws.”
Crowley said his interests have migrated to the acceptance of mobile devices into today’s networks, which he sees as “the future of computing for the average person.”
“I really think that within a couple of years — maybe less than that — most people will no longer be buying laptops,” he said. “Aside from IT professionals, most people will have a tablet and a phone, and that will probably be enough. They won’t need anything else.”
One of healthcare’s biggest security concerns is the “pushing” of important data from the organization to mobile devices, in some cases owned and managed by the entity but in others owned by caregivers and patients.
“It’s essentially wrestling data out of these protected enclaves that we used to think of as our networks, and now distributing them all over the place,” he said. “Data is everywhere. It is very difficult to secure data when you don’t actually control the environment that it’s living on.”
“I recently saw an iPhone app that allows you to read information from a medical device actually embedded in the patient,” he added. “The iPhone gathers information by Bluetooth from the device and monitors the patient’s vital statistics. You need to be aware that such information becomes personally identifiable information covered by HIPAA, and you need to protect it in that regard.”
The challenge comes down to whether healthcare organizations are equipped to assess the security capabilities of mobile applications and devices. At present, he said, most are not.
Nonetheless, despite what he knows about penetrating networks, Crowley thinks hospitals, health systems and medical practices can get into position to protect themselves and their patients.
“It’s not just throwing money at the problem, it’s making sure that the organization has the fundamental belief that they want to secure the data that they’re entrusted with,” he said. “So it’s not that they can’t do it. It’s just a matter of having the right strategy for the long term.”
The Privacy Security Symposium takes place Dec. 7 at the mHealth Summit, which runs from Dec. 7-11 at the Gaylord National Resort and Conference Center just outside Washington, D.C.