Four Steps for Securing Medical Devices
Philips Healthcare Security Leader Describes Strategy
As new cyberthreats emerge, medical device maker Philips Healthcare is implementing a four-prong strategy for ensuring the cybersecurity of its products, says Michael McNeil, global product security and services officer.
The company's diverse medical device products range from medical imaging systems, such as MRIs, to patient monitoring systems, including fetal monitoring equipment.
In an interview with Information Security Media Group, McNeil says the manufacturer must guard against potential unauthorized access to devices and data leakage, as well as hacker attacks. He describes the company's four-step approach to security, starting with an enhanced risk assessment.
"We have reinforced and have deployed a risk assessment process for all our product releases, where we are tracking the very high vulnerabilities and putting together appropriate remediation plans," he says. "This should allow us to ultimately remove any vulnerabilities within our environment, as we look at items such as unpatched systems, default passwords, and encryption not being in place."
The second step, McNeil says, involves enhancing the product development process by "including secure software development lifecycle [practices], and putting in appropriate controls throughout our innovation-to-market process."
The third component of the strategy is ensuring that Philips has consistent product security training, he says, including stressing the need for testing of products.
"I've put in place a centralized team for that testing capability. I have a security center of excellence to make sure we are using consistent penetration and other testing throughout our [product] lifecycle," he explains.
Finally, Philips Healthcare is implementing a new consolidated incident response management process, which is aligned with the "responsible disclosure policy" that the company put into place late last year.
"This provides a safe haven for external parties, such as researchers, potential hackers and others who want to be able to communicate [security-related] information to Philips," he says. "This enhances our intelligence ... and vital information that we might need to have about potential threats or potential vulnerabilities of our services and offerings."
In the interview, McNeil also discusses:
- Emerging cyberthreats in the healthcare sector, including distributed denial-of-service attacks and other hacker threats;
- The biggest misconception that many healthcare providers have about medical device cybersecurity;
- Steps that healthcare organizations should take to protect the security of medical devices in their environments.
As global product security and services officer for Philips Healthcare, McNeil heads the global product security and data protection program for the company. Prior to joining Philips Healthcare in 2013, McNeil was global chief privacy and security officer at medical device maker Medtronic. Earlier, McNeil held positions as chief IT security officer at Liberty Mutual Group; global chief privacy officer at Pitney Bowes; and vice president and chief privacy officer of data services for Reynolds & Reynolds. McNeil is also a member of the Visual Privacy Advisory Council, the Medical Device Privacy Consortium, and the Medical Device Innovation, Safety and Services Consortium.