Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.
The DoD, VA, FDA and other key influencers are requesting that new products and services be engineered to withstand serious cyber threats. Strict standards must be developed and deployed ubiquitously across all systems. This requires an unwavering attention to risk assessment, and adherence to security-based product development protocols and testing.
Here are 5 actions to consider when coordinating an approach to this challenge:
1. Build security into your product lifecycle
As you build your systems, take a look at critical checkpoints, testing and harmonizing protection aspects each step of the way: build security into your products from the ground up. At Philips, we make certain our new systems meet expectations of today and are prepared for future upgradeability.
2. Include 3rd party software in your security plans
Companies reliant on the integration of 3rd party software open themselves to hidden risks posed by programming code that is not their own. To prepare for upcoming potential federal legislation on this topic, we are working to create a software Bill of Materials (BOM) for every product. This is critical in identifying and describing open source and 3rd party software components and allowing organizations to quickly respond to possible security vulnerabilities/breaches.
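The response the paragraph describes, checking every product's Bill of Materials against newly published advisories, can be automated once the BOM exists. The following is an added illustration, not Philips code or a Philips tool: it reads two constructed CycloneDX-style SBOMs for two hypothetical products and matches their components against a constructed advisory list (product names, component versions and advisory identifiers are all made up). Versions are assumed to be dotted numeric strings.

```python
import json

# Constructed, minimal CycloneDX-style SBOMs for two hypothetical products.
# Product names and component versions are invented for this illustration.
SBOMS = {
    "ImagingConsole": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "zlib", "version": "1.2.9"},
            {"type": "library", "name": "libxml2", "version": "2.9.10"},
        ]}),
    "MonitorGateway": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "zlib", "version": "1.2.12"},
            {"type": "library", "name": "libxml2", "version": "2.10.3"},
        ]}),
}

# Constructed advisories (placeholder ids, not real CVEs): a component is
# affected when introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "zlib", "introduced": "1.2.0", "fixed_in": "1.2.12"},
    {"id": "ADV-EXAMPLE-0002", "component": "libxml2", "introduced": "2.9.0", "fixed_in": "2.9.11"},
]


def parse_version(v):
    """Turn '1.2.11' into (1, 2, 11) so versions compare numerically.
    Plain string comparison would rank '1.2.9' above '1.2.12' and miss a hit."""
    return tuple(int(part) for part in v.split("."))


def affected_products(sboms, advisories):
    """Return {advisory_id: [(product, component, version), ...]} for every
    SBOM component whose version falls inside an advisory's affected range."""
    hits = {}
    for product, sbom_json in sboms.items():
        for comp in json.loads(sbom_json).get("components", []):
            ver = parse_version(comp["version"])
            for adv in advisories:
                if adv["component"] != comp["name"]:
                    continue
                if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed_in"]):
                    hits.setdefault(adv["id"], []).append((product, comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for adv_id, matches in affected_products(SBOMS, ADVISORIES).items():
        print(adv_id, "->", matches)
```

The same loop scales to a whole product portfolio: the advisory feed changes daily, while the per-product SBOMs only change with a release.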
3. Establish a formal process for dealing with security incidents
It is important to handle all security incidents with a sense of urgency and sensitivity. Transparency is key. For example, our formal incident response management process includes documenting all communication, opening a corrective action program, developing a solution, and authoring an incident report.
4. Develop a robust Responsible Disclosure policy
Development of a Responsible Disclosure policy reassures customers that proper effort will be made to repair any vulnerabilities and prevent future damage. To ensure we are pulling in objective and real-time feedback, we collaborate proactively with the ‘ethical hacker’ research community to maintain a coordinated Responsible Disclosure process. This process provides additional input for Philips to manage potential vulnerabilities identified in products and solutions.
5. Form an accountable Product Cybersecurity team
Put together a team dedicated to product security. Their priority must always be to mitigate any situation by hypothesizing worst-case scenarios before they happen and developing solutions and workarounds. Our Security Center of Excellence (SCoE) helps us manage these vulnerabilities. The Philips Product Security Incident Response Team evaluates potential security incidents and discovered vulnerabilities and develops response plans as necessary.
Patient safety in today’s connected care environment is a task we all take very seriously. As we all evolve our cybersecurity programs, transparency, accountability and responsiveness must be priorities we continue to maintain.
Converting areas of potential concern into knowledge-sharing engagement opportunities can help refine critical thinking and lead to the development of solutions that enable regulatory compliance.
That’s why we’ve entered into ongoing productive dialogue with leaders in the cybersecurity ecosystem – customers, regulators, standards development organizations, industry groups, and security researchers, among others.
And we look forward to working with you, as well.
‘Responsible disclosure’ is a computer security term describing a vulnerability disclosure model. Recognizing this need as part of our product security policy, Philips became one of only two major medical device manufacturers to design and implement a Responsible Disclosure Policy. Our policy has been singled out as a ‘best practice’ by industry stakeholders. Following the guidelines detailed in the Responsible Disclosure Policy, there is a certain timeline for us to respond to suspected vulnerabilities. Confirmed vulnerabilities result in a direct report into government agencies such as DHS (ICS-CERT program) and are then communicated through the press to the public.