
Marlin Pohlman Interview Questions

The document discusses defending privacy and integrating security in the age of genetics. It proposes a vision for the future where genetic attack surfaces include the Internet of Things and medical devices. The author argues that a tailored cyber-physical defense framework should be applied to research labs and data processors that handle genetic data. This framework should incorporate the traditional CIA triad of confidentiality, integrity and availability, along with the additional pillars of safety and resilience from operational technology environments. The goal is to ensure the trustworthiness of genetic data by addressing attributes like reliability, dependability, performance, and privacy under potential threats.

Uploaded by

Marlin Pohlman
Copyright: © All Rights Reserved

Background Research

Defending Privacy (and Integrating Security) in the Age of Genetics
Conversation Guide

1 Thought Leadership: Vision for the future

2 Premise & Thesis: Safety in a cyber-physical world

3 Trustworthiness: The CIA triad meets Safety and Resilience

4 Bio Data: In Precision Medicine—Data Security, Privacy, Safety

5 The Framework: Compliance, Pushbutton topics, NIST, controls

About the Author
David Wolf
Principal Security Researcher
Cyber Security Architect

• Threat analyst, Offensive security researcher
• CPHIMS, CISSP-ISSAP, SANS training
• AWS Machine Learning and Big Data
• Ex-Splunker and ProdSec specialist
• Many personal positive experiences from genetic testing
• Recent research in WIRED, NextGov, CyberScoop, discussed by Bruce Schneier

0. Overview
• Challenges are welcomed!
• Constructive questions lead to idea and framework hardening
• Credit goes to the source, you can green-light it
• All quotes or mentions are subject to your final review and approval
• Target comprehension level
  • First-year university student
1. A vision for the future

1. Thought Leadership: A vision for the future
• From your view, what are the key issues in genetic privacy and security?
2. Thought Leadership: A vision for the future
• How can things go right?
• Best case scenario?
• Milestones?
• How can things go wrong?
• Gut check – what’s the worst that can happen?
• Blockers?
3. Labs: A vision for the future
• Labs:
  • What do security and privacy mean in a labs context?
  • What’s the difference between the B2B and B2C models, from a labs perspective?
  • How are samples stored and data retained?
  • How does data come from labs (to the cloud)?
  • Will sequencing labs move to the hospitals?
• Compliance & Regulation:
  • Headache or helper?
3. Data: A vision for the future
• Data Ownership: Will individuals really own their data, and when? Did Google Health and Microsoft HealthVault fail?
• Data Storage: Cloud, Blockchain, EMR/EHR -- what's the future?
• Value: Does genetic data have value without the medical record context?
• Safety: Are the contexts of biodefense, biosecurity, and biowarfare actually relevant to genetic data security?
4. DNA Data Security
• Storage: DNA data at rest and in transit
• Physical devices
• EHR/EMR
• Blockchain
• Processing: Cloud processing, regional jurisdictions, GDPR
• Medical devices: Device-based security and challenges to protocols
• Network security
• e.g., NIST SP 800-8 infusion pumps
• IDVR
5. DNA Data Privacy
• PHI: Medical Records, DNA
• How long do the records last?
• Biometrics: Facial recognition, DNA
• “Something you are”
• Inference attacks via genetic data
• When genealogy becomes criminal forensics
• Biodefense: Bioterrorism and eugenics
6. Pushbutton topics
• Sci-Fi topics
• Printing human organs
• Designer babies
• Blockchain
• CRISPR: Ethics and safety
• Agrigenomics and industrial outputs
• News headline chasing
7. A vision for the future
• In a nutshell, what do you expect for our genetic future?
ENISA:
European Union Agency for Cybersecurity
• As of today, ISO is developing more than 25 new standards in Medical Informatics, some of the most interesting being:
  • ISO/DTR 22696 Health informatics — Guidance for identification and authentication for connectable personal healthcare devices,
  • ISO/DTR 21332 Health informatics — Cloud computing considerations for health information systems security and privacy,
  • ISO/WD 13131 Health informatics — Telehealth services — Quality planning guidelines,
  • ISO/AWI 22697 Health informatics — Application of privacy management to personal health information
Healthcare Protocols: Potential Attacks

| PROTOCOL | ATTACK | DESCRIPTION |
|---|---|---|
| HL7v2 | Data theft | An attacker can retrieve sensitive patient data, such as clinical and financial information, because the data is sent unencrypted |
| HL7v2 | Tamper with EHR | An attacker can arbitrarily modify the electronic health records of patients (e.g., change the allergies or medication prescription) |
| DICOM | Tamper with test results | An attacker can tamper with medical images by virtually adding or removing tumors for healthy or sick patients, respectively |
| POCT1-A | Tamper with test results | An attacker can change the results of point-of-care equipment used at the HDO's bedside |
| LIS2-A2 | Tamper with test results | An attacker can modify the test results of laboratory equipment |
| Data Export | Tamper with vitals | An attacker can tamper with patients’ vital signs read by Philips patient monitors |
| RWHAT | Tamper with vitals | An attacker can tamper with patients’ vital signs read by GE patient monitors |
1. A vision for the future
• Key Issues: What do you believe are the key issues in genetic privacy and security?
• Data Ownership: Will individuals really own their data, and when? Why did Google Health and Microsoft HealthVault fail?
• Data Storage: Blockchain vs EHR -- what's the future?
• Value: Does genetic data have value without the medical record context?
• Safety: Are the contexts of biodefense, biosecurity, and biowarfare actually relevant to genetic data security?
2. Premise and Thesis

• Premise: Today’s genetic attack surface includes the IoT and IoMT
• Where IT in the real world becomes cyber-physical
• Includes Healthcare and Research Labs
2. Premise and Thesis
• Thesis: A tailored cyber-physical defense framework and control set should be applied to research labs and data processors that store, process, or transform genetic data.
3. Trustworthiness

• CIA triad: The three, now five, pillars
• OT environments add Safety and Resilience/Reliability
• Some models include Privacy
Trustworthiness
• Trustworthiness:
  • Attributes of reliability, dependability, performance, resilience, safety, security, privacy, and survivability under a range of potential adversity in the form of disruptions, hazards, threats, and privacy risks.
