5 ways to improve healthcare cybersecurity

Today’s world of connected care is fast becoming the foundation for a healthier society. Yet sophisticated, persistent cyberattacks threaten to compromise this effort. You can help prevent such threats by establishing a strong cybersecurity program – starting with these 5 actions.

 

A balancing act

 

Healthcare providers and patients need assurance that the technology they interact with on a daily basis is as secure as possible. Demands from customers and patients for accurate and accessible data must be balanced with stringent requirements for the security of that data. Governments and industry regulators take this matter very seriously and continue to address cyber-threats with rigorous legislation and regulation that also accommodates data sharing.

Product Security
See our global policy addressing the evolving nature of security in medical technology.
“Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access1.”

Government entities push to set strict security standards

 

The DoD, VA, FDA and other key influencers are requesting that new products and services be engineered to withstand serious cyber threats. Strict standards must be developed and deployed ubiquitously across all systems. This requires an unwavering attention to risk assessment, and adherence to security-based product development protocols and testing.

 

Here are 5 actions to consider when coordinating an approach to this challenge:

 

1. Build security into your product lifecycle

 

As you build your systems take a look at critical checkpoints, testing and harmonizing protection aspects each step of the way –build security into your products from the ground up. At Philips, we make certain our new systems meet expectations of today and are prepared for future upgradeability.

 

2. Include 3rd party software in your security plans

 

Companies reliant on the integration of 3rd party software open themselves to hidden risks posed by programming code that is not their own. To prepare for upcoming potential federal legislation on this topic, we are working to create a software Bill of Materials (BOM) for every product. This is critical in identifying and describing open source and 3rd party software components and allowing organizations to quickly respond to possible security vulnerabilities/breaches.

 

3. Establish a formal process for dealing with security incidents

 

It is important to handle all security incidents with a sense of urgency and sensitivity. Transparency is key. For example, our formal incident response management process includes documenting all communication, opening a corrective action program, developing a solution, and authoring an incident report.

 

4. Develop a robust Responsible Disclosure policy

 

Development of a Responsible Disclosure policy reassures customers that proper effort will be made to repair any vulnerabilities and prevent future damage. To ensure we are pulling in objective and real-time feedback, we collaborate proactively with the ‘ethical hacker’ research community to maintain a coordinated Responsible Disclosure process. This process provides additional input for Philips to manage potential vulnerabilities identified in products and solutions.

 

5. Form an accountable Product Cybersecurity team

 

Put together a team dedicated to product security. Their priority must always be to mitigate any situation by hypothesizing worse case scenarios before they happen and developing solutions and workarounds. Our Security Center of Excellence (SCoE) helps us manage these vulnerabilities. The Philips Product Security Incident Response Team evaluates potential security incidents and discovered vulnerabilities and develops response plans as necessary.

Become a proactive cybersecurity leader

 

Patient safety in today’s connected care environment is a task we all take very seriously. As we all evolve our cybersecurity programs, transparency, accountability and responsiveness must be priorities we continue to maintain.

 

Converting areas of potential concern into knowledge-sharing engagement opportunities can help refine critical thinking and lead to the development of solutions that enable regulatory compliance.

 

That’s why we’ve entered into ongoing productive dialogue with leaders in the cybersecurity ecosystem – customers, regulators, standards development organizations, industry groups, and security researchers, among others.

 

And we look forward to working with you, as well.

Best practice: Responsible Disclosure Policy

 

‘Responsible disclosure’ is a computer security term describing a vulnerability disclosure model2. Recognizing this need as part of our product security policy, Philips became one of only two major medical device manufacturers to design and implement a Responsible Disclosure Policy. Our policy has been singled out as a ‘best practice’ by industry stakeholders. Following the guidelines detailed in the Responsible Disclosure Policy, there is a certain timeline for us to respond to suspected vulnerabilities. Confirmed vulnerabilities result in a direct report into government agencies such as DHS (ICS-CERT program) and are then communicated through the press to the public.

Related topics

HHS cybersecurity task force underway

HHS cybersecurity taskforce underway

 

The Department of Health and Human Services (HHS) formed a healthcare industry Cybersecurity Task Force with the intent to examine best practices for keeping connected medical devices safe and secure.