
Sarah Hogan represents companies in the life sciences and digital health industries on structuring and negotiating intellectual property licenses, strategic collaborations and other complex commercial transactions – helping her clients leverage intellectual property assets and collaborate to develop and deliver innovative solutions that improve health and health care. Sarah uses her science background and comprehensive life sciences industry knowledge as an asset to understand critical business concerns and effectively manage complex issues. As a result of the diverse range of clients and transactions she manages, Sarah has an in-depth understanding of the implications of each deal on various aspects of the business, including downstream transactions. Sarah is known for her practical approach – focusing on achieving business objectives while balancing legal risks and preserving her clients’ relationships with their partners.

Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.


On Friday, February 13, 2015, the Payment Card Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Sockets Layer (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherent weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to publish soon an updated version of PCI-DSS and the related PA-DSS that will address this issue. These developments follow news of the Heartbleed and POODLE attacks from 2014 that exposed SSL vulnerabilities.

Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wake-up call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.

As a result, every company should consider taking the following immediate action:

  1. Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);
  2. If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;
  3. Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;
  4. If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and
  5. Ensure proper testing prior to rollout of any new protocol.

Additional resources and materials:

  • NIST SP 800-57: Recommendation for Key Management – Part 1: General (Revision 3)
  • NIST SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Revision 1)