As the leader of the Global Product Security and Services program at Philips Healthcare, Michael McNeil oversees the company’s efforts to ensure the safety of its products for its customers. That’s a broad remit that includes everything from staying on top of emerging software bugs and anticipating how they might affect Philips products, to communicating with regulatory agencies and individual hospitals to close security loopholes. With patient safety a critical concern and the financial stakes of a breach ever rising, McNeil spoke with 24×7 to discuss how hospitals should approach internal and external threats, and how he’s stepping up the company’s cybersecurity efforts.
24×7: What led you to your current position?
McNeil: I have worked in a variety of different industries. My background predominantly had been in product development and product management—bringing solutions to the marketplace. I started out in telecommunications, which dealt with a lot of data solutions and product offerings. I then moved into the healthcare space, developing medical and surgical products and devices. I previously worked as the global chief product and privacy security program officer for Medtronic. I’ve also had security roles and responsibilities at Liberty Mutual, Pitney Bowes, and Reynolds & Reynolds.
I started officially at Philips in December 2013. There was a lapse of about a year from when they started the search and I actually came on board. They ended up having a little bit of a public relations issue in terms of communication and an incident. Clearly, Philips has had product security as a component of its development and its processes for a number of years. Some of the mechanics that we had in place weren’t as strong as they needed to be in terms of communicating with the researchers, and it identified a greater opportunity to make sure we shore this area up with a key stakeholder.
24×7: What are your roles and responsibilities on a daily basis?
McNeil: I try to make sure we start with patient safety. We need to understand how security threats could impact the solutions we offer to the patient, because the integrity of the data and the information could have implications around the accuracy of the diagnosis and the treatment that they’re getting. Another major industry challenge that I deal with is the appropriate legal and regulatory obligations and customer requirements. The fact that Philips is a global company means we can’t just be focused on US laws and regulations like the Health Insurance Portability and Accountability Act (HIPAA).
I take into account those industry challenges and impact vectors, and then try to put together and manage a very holistic program, which covers the appropriate governance structure, policies, and customer and regulator requirements. I make sure we have elements around incident response management, and work with our customers, other associations, the research community, peer manufacturer organizations, and key stakeholders in the process, making sure that we’re taking their input and really developing that appropriate positioning and understanding, because that’s what leads to overall thought leadership. I also have to make sure that my key stakeholders, the external as well as the internal ones, have appropriate training and awareness regarding critical issues and Philips’ strategies regarding our program direction.
24×7: What kind of equipment and technology is most vulnerable to attack?
McNeil: Obviously, software and solutions that have Internet capability, wireless devices, and devices where there is a requirement to gather information and for information to be shared. These could include our home healthcare preventive care solutions, in which individuals are trying to communicate back to a call center. It could be our imaging systems solutions, where information has to be transmitted across the hospital or network environment, and access to those systems needs to be available 24/7. It could be the actual patient monitoring systems at the nurses’ station, as well as those connected inside the rooms of the patients. A lot of what used to be closed-loop networks, because of the advent of the Internet and interconnectivity, has now opened up, which opens up risks and threat vectors.
That’s from a Philips perspective. Implantable medical devices like defibrillators, pacemakers, and insulin pumps are also capable of transmitting vital information. Originally, those were not a major concern. Now, the risk gamut is pretty broad because of the types of technology and solutions we want to put in place.
24×7: What concerns do hospitals express when you speak with them?
McNeil: We usually have larger institutions that have a much greater bull’s-eye on their back—there’s a greater potential exposure from a risk perspective. What we’re seeing is that they now have a lot of legacy-type equipment and systems in place. Those systems may not be up to appropriate operating system levels with appropriate security, passwords, encryption, and other abilities required in today’s cybersecurity and “Internet of all things” world to ensure their devices minimize potential risks. Hospitals tend to keep equipment in their ecosystem for a much longer time, going well beyond manufacturers’ warranties. These systems can also be much more exploitable because they are connected to the Internet.
Hospitals are really trying to clean up their environment. They’re trying to work with the manufacturers to identify legacy solutions out there, and explain how and what we are doing together to bring them up to a higher standard. We’re seeing a lot more specialization around information security systems within the hospital network than what we might have had before.
24×7: Are hospitals mainly concerned with external security breaches, or is there also a threat of someone internally accessing critical information?
McNeil: Hospitals try to follow the principles of a good security program. The internal threats, and the vectors of either intended or unintended uses of solutions, are definitely top of mind, and are also the reason why they have to have the appropriate awareness and training programs internally. They also have the added potential of unintended hazards with patients and guests of patients in those environments. There have definitely been a lot of anecdotal situations where someone unintentionally tried to charge their phone or other types of devices, with significant consequences. By having USB ports and other modalities that can connect into some of the devices in the hospital setting, you have the ability to introduce viruses or other types of malware into those environments. Or your employees come in and do the same thing, which could impact your internal environment as much as someone trying to attack you from an external perspective.
24×7: Do you work with hospitals in a consulting capacity, or service existing customers as part of an ongoing service package?
McNeil: In some respects, it’s a combination. I always state that in order to be able to sell those services and to have that competency, you have to make sure you have your house in order. Our focus is to make sure that we are buttoned down and have appropriate processes and procedures in place. Doing that will afford us the ability to work with hospital organizations and any other partners in that ecosystem to bring that full suite of capabilities together and extend additional services. There have been proposals with some of our customers, but I want to make sure that we pilot and understand our capabilities and the capacities we have to put in place to fully launch a program.
24×7: How do you partner with hospital staff to make sure you implement an effective solution?
McNeil: Part of it is having these kinds of conversations, and also making sure I’m working with regulatory bodies and other types of consortia that are made up of a mix of manufacturers and health delivery networks. Making sure that I’m going out and meeting with them, and really understanding their environment, what their needs are, what some of their pressure points are, and being able to come back and articulate how our solutions can fit within their environments, and explain additional considerations that need to be put in place. It starts with us truly understanding their environment and their road map.
24×7: In the event of a widespread security issue like the Shellshock bug, what steps does Philips take to protect its customers?
McNeil: For the Heartbleed, Linux, and Bash types of activities, we first get an understanding of our exposure in that environment. Each of the different business areas where there could be implications undertakes efforts to understand what they need to do in order to implement appropriate remediation. We make appropriate communications to our customers and our field service engineers. And if necessary, there would be appropriate levels of patching or change to the impacted systems. Incident response management really deals with the entire understanding of the implications of a potential incident, how we understand what our scope of exposure might be, what the remediation is, how we isolate our environments, how we work with our customers so that they can understand what those isolations need to be, and then make sure that we’re working with them on getting appropriate access to the solutions to make sure remediation has taken place.
24×7: Do you have general tips or guidelines for our readers as far as security vulnerabilities they should especially watch for?
McNeil: There are a variety of industry best practices and standards they need to take into consideration and be able to follow. We as a manufacturer try to provide security services based on ISO and NIST standards. From the hospital perspective, the international standards 8000-1 and its accompanying procedures provide best practice alignment. If they’re following certain sets of standards and procedures, they should also expect their vendors to align with those standards and artifacts. That’s the one critical step. That will move their positioning along in a very strategic way going forward.
Jenny Lower is associate editor of 24×7 magazine. Contact her at email@example.com.