Establishing Best Practices for a Comprehensive Risk-based Product Security Program
By Michael McNeil, Global Product Security & Services Officer, Philips [NYSE:PHG]
One of the more critical challenges facing medical device manufacturers and their customers today is to ensure that all products and solutions can withstand cyber attacks. The protection of customer networks and private patient health data is of utmost importance. With a flourishing digital revolution and connected ecosystem, it is clear that to meet these challenges manufacturers must take a strategic and integrated view of product security and establish a comprehensive risk-based security program.
"Integrating product security into new product development and consistently deploying product security processes across the portfolio sets the stage for a manageable future"
To address complex and growing best practice security needs, as well as regulatory and legal compliance requirements, internal entities charged with managing product security must also be charged with designing and monitoring mitigation structures and strategies. This entails creation of policies, procedures, and processes for safe and effective deployment of technology solutions. Additionally, this requirement calls for notification and management of incident response through monitoring of deployed technology solutions.
Key goals and drivers include:
• Prevent unauthorized access to medical devices and patient information
• Prevent compromise or loss of patient data
• Ensure medical device functional integrity and service availability to enable safe and reliable patient care
• Enable up-to-date security patching to remediate unsecure systems and vulnerabilities
• Integrate security compliance controls into product software development processes
Demands from customers and patients for accurate and accessible data must be balanced with stringent requirements for the security of that data. Medical device manufacturers should seek to collaborate with industry stakeholders and establish long-term strategies for the lifecycle management of their products.
Core Elements of a Comprehensive Risk-based Security Program
In a connected, interoperable healthcare ecosystem the potential for exposure to vulnerabilities and attack is significant. This reality prompts Philips to devote extensive resources to mitigating such threats. Years of advancing innovation and product security capabilities have led Philips to embody five essential elements of a successful product security program.
3. Coordinated vulnerability disclosure
4. Software bill of materials
5. Maturity roadmap
Defining goals, drivers, and main areas of focus helps ensure ubiquitous deployment of strict security standards.
Alignment of executive leadership within the organization secures the ‘buy-in’ necessary to move forward successfully. This in-house team provides oversight throughout the course of program development.
Coordinating the efforts of external players across the cyber security ecosystem (customers, vendors, regulators, standards development organizations, industry groups and security researchers, among others) by entering into ongoing dialogue is extremely productive in refining program thinking and execution, as well as building key relationships.
Clearly articulated strategies must cover all aspects of the security program as they relate to policy/quality, risk assessment, systems development lifecycle (SDLC), passwords/encryption/patching, monitoring, training, event response, and more.
Philips is involved in the newly established Health and Human Resources (HHS) Cyber security Taskforce—one of only two medical device manufacturers to be invited to participate as taskforce members. The group will work to examine best practices for keeping connected medical devices safe and secure.
A dedicated team of ethical hackers, or ‘security ninjas,’ engages in continuous vulnerability and penetration testing to proactively identify product weaknesses. Processes and results are defined in standardized use-case scenarios for a common approach, which can then be leveraged across the enterprise and integrated into risk assessment, SDLC, and maintenance procedures.
Philips has established a Security Center of Excellence (SCoE) assigned to handle security vulnerability and penetration testing, risk assessment, source code analysis, DoD Security Technical Implementation Guide (STIG) compliance, metrics for product development, and more.
Coordinated vulnerability disclosure
Development of a coordinated vulnerability disclosure program begins with creation of a Coordinated Vulnerability Disclosure Policy to reassure customers that proper effort will be made to repair any vulnerability and prevent future damage.
Concurrently, it is important to handle all security incidents with a sense of urgency and sensitivity. A formal incident response management process includes documenting all communication, opening a corrective action program, developing a solution, and authoring an incident report.
Confirmed vulnerabilities result in a direct report to government agencies such as DHS (ICS-CERT program) and are then communicated through the press to the public. The FDA pre- and post-market ‘Management of Cyber security in Medical Devices’ guidelines (12/28/16) provide direction. Transparency is key.
Philips is currently one of only a few major medical device manufacturers with years of experience designing, implementing, and operating a Coordinated Vulnerability Disclosure Policy (in place since 2014, previously titled the Responsible Disclosure Policy).
Software bill of materials
Companies reliant on integration of third-party software are subject to hidden risks posed by programming code within that software that is not their own. To prepare for potential upcoming federal legislation on this topic, creation of a Software Bill of Materials (SBOM) for every product is essential. An SBOM identifies and describes open source and third-party software components and allows organizations to respond quickly to possible security vulnerabilities and breaches. SBOM practices should be implemented across the SDLC continuum.
Philips is taking the industry lead in creating an SBOM for every product. In doing so, standard practices will also be implemented to identify SBOM vulnerability risk and enable proactive risk management and remediation.
Integrating product security into new product development and consistently deploying product security processes across the portfolio sets the stage for a manageable future. Ongoing assessment and monitoring of the installed base and legacy products detects OS obsolescence, incompatibilities, developing threats in the connected ecosystem, and hardware/firmware problems. This allows for timely event response, maintenance, and product security management over the life of products and services.
Philips is continuously developing, defining, and refining a comprehensive product security roadmap and lifecycle management security process.
An evolving process
Better external communication across the ecosystem is critical for a robust security program. Focused dialogue between medical device manufacturers, hospitals, regulators, and security professionals—particularly around interoperability—will advance innovations in security and the healthcare industry. Converting areas of potential concern into knowledge-sharing engagement opportunities can help refine critical thinking and lead to product security innovation and development of solutions that enable regulatory compliance.
As a cyber security program continues to evolve, transparency, accountability and responsiveness must be maintained. Thoughtful execution of the five essential components provides a strong foundation for growth.
Product security for patient safety in today’s connected care environment is a task we all must take very seriously.