The DoD, VA, FDA and other key influencers are requesting that new products and services be engineered to withstand serious cyber threats. Strict standards must be developed and deployed ubiquitously across all systems. This requires an unwavering attention to risk assessment, and adherence to security-based product development protocols and testing.
Here are 5 actions to consider when coordinating an approach to this challenge:
1. Build security into your product lifecycle
As you build your systems, take a look at critical checkpoints, testing and harmonizing protection aspects at each step of the way: build security into your products from the ground up. At Philips, we make certain our new systems meet expectations of today and are prepared for future upgradeability.
2. Include 3rd party software in your security plans
Companies reliant on the integration of 3rd party software open themselves to hidden risks posed by programming code that is not their own. To prepare for upcoming potential federal legislation on this topic, we are working to create a software Bill of Materials (BOM) for every product. This is critical in identifying and describing open source and 3rd party software components and allowing organizations to quickly respond to possible security vulnerabilities/breaches.
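The value of a software Bill of Materials is that a new advisory can be matched against every product's component list in minutes instead of by asking each engineering team what they ship. The following Python is an added illustration of that lookup, not Philips code: it parses two constructed CycloneDX-style SBOMs (the JSON field names follow the CycloneDX schema, but every product, component, version and advisory id is made up), descends into nested components, compares versions numerically so that 2.4.10 is correctly ordered after 2.4.9, and reports which products carry an affected component.

```python
import json
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed CycloneDX-style SBOMs for two hypothetical products. The JSON
# field names (bomFormat, specVersion, components, name, version, purl) follow
# the CycloneDX schema; every product, component and version is made up.
SBOMS: Dict[str, str] = {
    "ImagingWorkstation": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "netstack-tls", "version": "2.4.7",
             "purl": "pkg:generic/netstack-tls@2.4.7"},
            {"type": "library", "name": "json-parse", "version": "1.0.3",
             "purl": "pkg:generic/json-parse@1.0.3"},
            {"type": "application", "name": "app-server", "version": "5.2.0",
             # CycloneDX allows nested components; a flat scan would miss this one.
             "components": [
                 {"type": "library", "name": "logfmt", "version": "3.1.1"},
             ]},
        ],
    }),
    "PatientMonitor": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "netstack-tls", "version": "2.4.10"},
            {"type": "library", "name": "logfmt", "version": "3.0.9"},
        ],
    }),
}

# Constructed advisories with placeholder ids (not real CVEs). A component is
# affected when introduced <= version < fixed; fixed=None means no fix exists yet.
ADVISORIES: List[dict] = [
    {"id": "EXAMPLE-ADV-0001", "component": "netstack-tls",
     "introduced": "2.4.0", "fixed": "2.4.9"},
    {"id": "EXAMPLE-ADV-0002", "component": "logfmt",
     "introduced": "3.0.0", "fixed": "3.1.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "json-parse",
     "introduced": "1.0.0", "fixed": None},
]


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split a dotted version into comparable (number, suffix) pairs so that
    2.4.10 sorts after 2.4.9 (plain string comparison gets this wrong)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"(\d*)(.*)", piece)
        number = int(match.group(1)) if match.group(1) else 0
        parts.append((number, match.group(2)))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def iter_components(components: List[dict]) -> Iterator[Tuple[str, str]]:
    """Walk a CycloneDX component list, descending into nested components."""
    for comp in components:
        if "name" in comp and "version" in comp:
            yield comp["name"], comp["version"]
        yield from iter_components(comp.get("components", []))


def load_components(sbom_json: str) -> List[Tuple[str, str]]:
    """Parse one SBOM document and return its flattened (name, version) list."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return list(iter_components(sbom.get("components", [])))


def find_affected(sboms: Dict[str, str], advisories: List[dict]) -> Dict[str, List[dict]]:
    """Return, per product, the advisories that match a component in its SBOM."""
    by_component: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_component.setdefault(adv["component"], []).append(adv)
    report: Dict[str, List[dict]] = {}
    for product, sbom_json in sboms.items():
        hits = []
        for name, version in load_components(sbom_json):
            for adv in by_component.get(name, []):
                if is_affected(version, adv["introduced"], adv["fixed"]):
                    hits.append({"advisory": adv["id"], "component": name, "version": version})
        report[product] = hits
    return report


if __name__ == "__main__":
    for product, hits in find_affected(SBOMS, ADVISORIES).items():
        print(f"{product}: {len(hits)} affected component(s)")
        for hit in hits:
            print(f"  {hit['advisory']}: {hit['component']} {hit['version']}")
```

Running it reports the workstation as carrying two affected components (one of them without a fix) and the monitor one; the workstation's newer logfmt, nested inside the application server, is correctly left out. In practice the advisory list would come from a vulnerability feed keyed by package URL rather than bare name, but the matching step is the same.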
3. Establish a formal process for dealing with security incidents
It is important to handle all security incidents with a sense of urgency and sensitivity. Transparency is key. For example, our formal incident response management process includes documenting all communication, opening a corrective action program, developing a solution, and authoring an incident report.
4. Develop a robust Responsible Disclosure policy
Development of a Responsible Disclosure policy reassures customers that proper effort will be made to repair any vulnerabilities and prevent future damage. To ensure we are pulling in objective and real-time feedback, we collaborate proactively with the ‘ethical hacker’ research community to maintain a coordinated Responsible Disclosure process. This process provides additional input for Philips to manage potential vulnerabilities identified in products and solutions.
5. Form an accountable Product Cybersecurity team
Put together a team dedicated to product security. Their priority must always be to mitigate any situation by hypothesizing worst-case scenarios before they happen and developing solutions and workarounds. Our Security Center of Excellence (SCoE) helps us manage these vulnerabilities. The Philips Product Security Incident Response Team evaluates potential security incidents and discovered vulnerabilities and develops response plans as necessary.