This document discusses Philips' product security program and response to cybersecurity risks in healthcare. It reviews Philips' objectives around medical device security, the evolution of its product security program including governance, testing, and responsible disclosure policies. It also discusses industry challenges around patient safety, data integrity, and legal obligations. The document provides an overview of Philips' stakeholder management activities and security communications initiatives.
Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips Healthcare
1. Data Breaches and Security: Ditching Data Disasters
Royal Philips
Michael C. McNeil, Global Product Security & Services Officer
June, 2016
2. Objectives
• Review emerging and established drivers for increased focus and resources on medical device security and safety
• Review the evolution of the Philips Product Security Program and its key priorities
• Understand how manufacturers and healthcare delivery organizations are responding to the emergence of cybersecurity risk
• Introduce how Philips manages Responsible Disclosure and Incident Response Management in the healthcare industry
3. Product Security: Increasing complexity
And now we use personal health apps on mobile devices, connect more health systems, sometimes using cloud based solutions, while also moving more healthcare functions to the patient home. Furthermore we develop and open up standardized medical device platforms for shared rapid application development and access to health data.
5. Product Security Program Evolution
Governance
• Organizational Alignment
• Executive Leadership visibility (Board, Audit)
• Stakeholder Thought Leadership Strategy (Internal & External) – “Walk the Talk” (Risk Assessment, Information Sharing, 3-Deadly Sins, etc.)
Testing
• “Security Ninjas” – dedicated team and Center of Excellence
• Leveraged across the enterprise
• Standardized Use Cases for common and comparable results
Responsible Disclosure
• Enhancements and ability to leverage existing Incident Response Management Programs
• Integrated into Customer Complaint Handling processes
Bill of Materials
• Continuously monitor the software BOM for new vulnerabilities and security SW updates
????
• Continuous Assessment and Monitoring of existing modules of the program, seeking improvements where appropriate
Fast response
6. Industry Challenges
Patient Safety
• Potential threats demonstrated from ethical hackers
Data Integrity
• Demands from customers and patients for accurate and available data
Legal/Regulatory Obligations
• Meeting the privacy and security needs of our customers in the healthcare delivery industry
• Stringent laws around securing data and the transfer of data throughout the world
Protecting Intellectual Property
• Nation State attacks to gain network access and critical assets
• Ensuring security during expansion in emerging markets
8. Changing attack landscape
Malicious attackers are targeting healthcare facilities:
• Hospital infrastructures are often very complex, contain legacy equipment and sometimes organizations lag behind in implementing industry best security practices, making it easier to:
• Penetrate and take over systems
• Hide to maintain a presence in the network
• 2016, the “Year of the Ransomware”: attacks at an all-time high and still growing
The value of Electronic Health Records on the black markets is increasing, making it more interesting for hackers to specifically target hospital infrastructure.
9. Medical Device Challenges
• Concerns about anti-virus definition updates on medical devices?
• Can your network and device user be fully trusted to never make an unauthorized connection to the outside world?
• Does your device store or display ePHI and could non-authorized users potentially access this?
• Is the device only used by clinical users on a daily basis, without a need to access outside of the application?
• Could someone walk out with the device?
• Could the device be found in an openly accessible area in your facility?
10. Regulators increasingly address ‘the lack of’ security/privacy
• 2013-02-22: HTC (mobile phones) settles with FTC by issuing software security patches, and creating a security program to be monitored for 20 years.
• 2013-06-13: FDA and DHS/ICS-CERT require risk information of 40 Medical Device Manufacturers regarding the use of fixed passwords in over 300 medical devices.
• 2014-03-07: The British Pregnancy Advice Service (BPAS) has been fined £200,000 after a serious breach revealed thousands of records to a malicious hacker.
• 2014-05-07: The Office for Civil Rights (OCR) settles with the New York Presbyterian Hospital and Columbia University for 4.8 million US$ after failing security controls leaked 6800 patient records onto the internet.
• 2014-08-20: FBI warned US healthcare industry companies that they are targeted by hackers after the new threat where a group of Chinese hackers stole personal information from 4.5 million patients after targeting the computer network of Community Health Systems Inc.
• 2014-11-06: Dutch DPA publishes a report about the Groene Hart Hospital for failing to protect patient information due to the lack of proper network security controls and the ongoing use of end of life software such as Windows 2000 and Windows XP.
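Slide 5 lists continuous monitoring of the software BOM as a program building block, and the Groene Hart Hospital item above shows why end-of-life software belongs in the same check. The Python below is an added example, not code from the presentation or from Philips: it parses a constructed device BOM, matches it against a constructed advisory feed (placeholder ids, not real CVE entries) using version-range comparison, and flags end-of-life components. The BOM line format, advisory fields and EOL list are all assumptions made for the example.

```python
"""Added example: one monitoring pass over a device's software BOM.
All data is constructed for illustration; advisory ids are placeholders."""
from dataclasses import dataclass
from typing import Optional
import re

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Component:
    name: str      # normalised lower-case product name
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    affected_from: str        # first affected version (inclusive)
    fixed_in: Optional[str]   # first fixed version (exclusive); None = no fix yet
    severity: str


def version_key(version: str):
    """Turn '1.0.2g' or '2.9.3' into a tuple that sorts numerically.
    Digits become (0, int), letters (1, str), so '1.0.2' < '1.0.2g' < '1.0.3'."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when the component falls inside the advisory's affected range."""
    if comp.name != adv.component:
        return False
    v = version_key(comp.version)
    if v < version_key(adv.affected_from):
        return False
    return adv.fixed_in is None or v < version_key(adv.fixed_in)


def match_sbom(sbom, advisories):
    """Return (component, advisory) pairs, most severe first."""
    hits = [(c, a) for c in sbom for a in advisories if is_affected(c, a)]
    hits.sort(key=lambda ca: (SEVERITY_RANK.get(ca[1].severity, 9), ca[1].advisory_id))
    return hits


def find_eol(sbom, eol_versions):
    """Flag components whose (name, version) is on the end-of-life list."""
    return [c for c in sbom if c.version in eol_versions.get(c.name, ())]


def parse_bom(text: str):
    """Parse a minimal 'name version' per line BOM (assumed format); '#' starts a comment."""
    sbom = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split()
        sbom.append(Component(name.lower(), version))
    return sbom


# Constructed BOM for one imaging workstation (not a real product inventory).
DEVICE_BOM = """
openssl   1.0.1e
libxml2   2.9.3
windows   xp        # OS release, tracked as a version string
jre       1.7.0
"""

# Constructed advisory feed with placeholder ids.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "openssl", "1.0.1", "1.0.1g", "critical"),
    Advisory("EXAMPLE-ADV-2", "libxml2", "2.9.0", "2.9.4", "high"),
    Advisory("EXAMPLE-ADV-3", "openssl", "1.1.0", "1.1.0a", "high"),  # other branch, no hit
    Advisory("EXAMPLE-ADV-4", "jre", "1.7.0", None, "medium"),         # no fix published yet
]

# Constructed end-of-life list; the slide deck names Windows 2000 and XP.
EOL = {"windows": ("2000", "xp")}


def monitor(bom_text: str = DEVICE_BOM, advisories=ADVISORIES, eol=EOL):
    """One monitoring pass: advisory hits (most severe first) plus EOL components."""
    sbom = parse_bom(bom_text)
    return {
        "vulnerable": [(c.name, c.version, a.advisory_id, a.severity, a.fixed_in)
                       for c, a in match_sbom(sbom, advisories)],
        "end_of_life": [(c.name, c.version) for c in find_eol(sbom, eol)],
    }


if __name__ == "__main__":
    report = monitor()
    for name, ver, adv, sev, fix in report["vulnerable"]:
        print(f"{sev.upper():8} {name} {ver}: {adv} (fixed in {fix or 'no fix yet'})")
    for name, ver in report["end_of_life"]:
        print(f"EOL      {name} {ver}: vendor support ended, compensating controls needed")
```

A component with no published fix (EXAMPLE-ADV-4) still appears in the report, which is the case where the program's incident response and customer communication steps carry the risk until a patch exists.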
13. ICS-CERT Vulnerability Disclosure Policy
• ICS-CERT will attempt to coordinate all reported vulnerabilities with the affected vendor.
• An appropriate timeframe for mitigation development and the type and schedule of disclosure will be determined based on the factors involved. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to an established standard may result in earlier or later disclosure.
• Other factors include:
• whether the vulnerability has already been publicly disclosed
• the severity of the vulnerability
• potential impact to critical infrastructure
• possible threat to public health and safety
• immediate mitigations available
• vendor responsiveness and feasibility for creating an upgrade or patch
• vendor estimate of time required for customers to obtain, test and apply the patch
14. ICS-CERT Vulnerability Disclosure Policy
The ICS-CERT vulnerability remediation process involves five basic steps:
1. Detection/Collection—ICS-CERT collects vulnerability reports in three ways: ICS-CERT vulnerability analysis, monitoring public sources of vulnerability information, and direct notification of vulnerabilities to ICS-CERT. After receiving a report, ICS-CERT does an initial surface analysis to eliminate duplicates and false alarms. ICS-CERT then catalogs the vulnerabilities, including all of the information (public and private) that is known at that point.
2. Analysis—Once the vulnerabilities are catalogued, vendor and ICS-CERT analysts work to understand the vulnerabilities by examining and identifying the issues, as well as the potential threat.
3. Mitigation Coordination—After analyzing a vulnerability, ICS-CERT will continue to work with the vendor for mitigation and patch issuance. ICS-CERT has established secure and trusted partnerships with control systems vendors for vulnerability disclosure and overall technology assessment and testing functions. ICS-CERT will work with the vendors to allow sufficient time to effectively resolve and perform patch regression testing against any given vulnerability. Additionally, ICS-CERT has experience successfully coordinating response to vulnerabilities that affect multi-vendor products.
4. Application of Mitigation—ICS-CERT will work with the vendor to allow sufficient time for affected end users to obtain, test, and apply mitigation strategies prior to disclosure.
5. Disclosure—After coordinating with vendors and gathering technical and threat information, ICS-CERT will take appropriate steps to notify end users about the vulnerability. ICS-CERT strives to disclose accurate, neutral, objective information focused on technical remediation and mitigation for asset owners and operators. ICS-CERT will reference other available information and correct misinformation when possible.
16. Philips Responsible Disclosure Positioning
• Royal Philips recognizes the need for a clear Responsible Disclosure Policy and protocols as part of its Product Security function.
• One of the first Medical Device companies to implement a Responsible Disclosure Policy according to current industry best practices.
• Our policy is publicly accessible, with clear communications channels for customers, researchers and other security community stakeholders.
• The policy is based on principles of transparency, accountability and responsiveness.
• The policy outlines defined protocols for reporting and response, managed by the Philips Product Security Team.
The policy protocols encompass:
• Monitoring and response of inbound communications
• Managing confirmation of receipt and follow-up communication with senders
• Evaluation of vulnerability notifications and status tracking
• Alignment with incident response, stakeholder notification, remediation and prevention protocols as required
• Philips continues to actively seek out researcher and analyst assistance and guidance towards policy design changes and updates.
• The company has increasingly engaged with the security research community over the past few years.
• Philips is committed to ongoing dialogue with the security community and to productive partnerships.
17. Responsible Disclosure Process
2015-10-05 Product and Services Security Office Confidential
ISO/IEC 29147 and 30111 called out by FDA
Responsible Disclosure UX00461
Complaint handling / CAPA process should already be in the BU QMS. For most Healthcare BU’s this is defined by the overarching PHQD in policies such as PHPR0264.
Shared responsibilities of the PSSO and the Responsible Organization
18. Responsible Disclosure Process – Summary
• Vulnerability Report Received: Email Monitoring Team receives email, acknowledges receipt and passes the information to the Event Handler and Responsible Organization
• Verification: The Responsible Organization initiates the complaint/CAPA process as defined in their local Quality System and verifies the vulnerability
• Resolution Development: The Responsible Organization executes its standard complaint/CAPA process to determine prioritization and to develop a solution and/or workaround
• Release: The Responsible Organization releases the solution and/or workaround
• Post Release: Post mortem analysis by the Responsible Organization shared with the teams
19. Why is Responsible Disclosure different?
• For non-customers it is often unclear how or whom to contact within Philips.
• The motivation of the person is often unknown, so the Product Security & Services Office (PSSO) will be the single point of contact. The motivation might be:
• White Hat: An ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of systems (who might be part of a customer organization). Willing to cooperate, no hidden agenda.
• Gray Hat: As above but also personally motivated for compensation either from the organization or by establishing name and fame in the security community (conferences).
• Black Hat: Only out for financial gain. Might be using this process when motivated to damage Philips reputation.
20. How many believe that Responsible “Coordinated” Disclosure is a Contact Sport? Mfg. versus Researcher
21. Philips Responsible Disclosure – Program Execution
Since the start of the program in Nov. 2014, we received 35 reports on vulnerabilities via responsible disclosure:
10 Philips Products:
- 3 Healthcare products
- 4 Personal Health products
- 3 TVs and Smartphones
25 Philips IT Infrastructure: mainly websites
[…]
22. Philips Responsible Disclosure – Experience of a Major Event
First Contact: 4th of July, 2015 (email)
• PGP encrypted email to Philips Product Security
• List of exploitable vulnerabilities
• Deadlines until disclosures to CERT and public
• Contact information
Vulnerabilities Reported:
• Unencrypted hard-coded passwords in firmware.
• Unencrypted, unauthenticated access to backend web application over the public Internet.
• Locating and accessing the device over the Internet to monitor video, enable remote access (via Telnet), and change settings.
• Other vulnerabilities to access & control the device.
[…]
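The weakness classes in the report above (fixed firmware passwords, an unauthenticated backend, Telnet reachable from the network) are exactly what a pre-release firmware audit should reject before a device ships. The following is an added example, not Philips' or Rapid7's code: it audits a constructed, hypothetical extracted root filesystem for baked-in account passwords, plaintext credentials in configuration, a telnet daemon started at boot, and a disabled backend authentication flag; the file contents and key names (admin_password, auth_required) are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of an extracted firmware root filesystem (hypothetical
# paths and contents, not taken from any real device).
SAMPLE_ROOTFS: Dict[str, str] = {
    "/etc/shadow": (
        "root:$1$saltsalt$0123456789abcdefghijkl:16000:0:99999:7:::\n"
        "daemon:*:16000:0:99999:7:::\n"
        "guest::16000:0:99999:7:::\n"
    ),
    "/etc/init.d/rcS": "#!/bin/sh\n/usr/sbin/telnetd -l /bin/sh &\n/usr/sbin/httpd &\n",
    "/etc/camera.conf": "stream_port=8080\nadmin_password=letmein123\nauth_required=0\n",
}

# key=value lines whose key looks like a credential (assumed naming convention)
CREDENTIAL_LINE = re.compile(
    r"^\s*([\w.-]*(?:pass(?:word)?|secret|token)[\w.-]*)\s*=\s*(\S+)", re.I | re.M
)
LOCKED = {"*", "!", "!!", "x"}  # password fields that disable or defer login


def audit_rootfs(fs: Dict[str, str]) -> List[str]:
    """Return one finding string per weakness found in the filesystem map."""
    findings: List[str] = []
    for path, content in fs.items():
        if path.endswith(("/passwd", "/shadow")):
            for line in content.splitlines():
                fields = line.split(":")
                if len(fields) < 2:
                    continue
                user, pw = fields[0], fields[1]
                if pw == "":
                    findings.append(f"{path}: account '{user}' has no password")
                elif pw not in LOCKED:
                    findings.append(f"{path}: account '{user}' ships with a fixed password hash")
        for m in CREDENTIAL_LINE.finditer(content):
            findings.append(f"{path}: plaintext credential in '{m.group(1)}'")
        if re.search(r"^\s*\S*telnetd\b", content, re.M):
            findings.append(f"{path}: starts telnetd at boot (cleartext remote shell)")
        if re.search(r"^\s*auth_required\s*=\s*0\s*$", content, re.M):
            findings.append(f"{path}: backend web authentication disabled")
    return findings


def release_gate(fs: Dict[str, str]) -> bool:
    """True only when the image is free of the findings above."""
    return not audit_rootfs(fs)
```

Run against the sample, the gate fails with five findings; an image with locked accounts and no telnetd passes.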
23. Philips experiences of vulnerabilities: In.Sight wireless HD Baby Monitor
• Report made by Tod Beardsley, Security Research Manager at Rapid7.
• More developed and orchestrated vulnerability disclosures
• Media campaign, conferences and webinar globally scheduled once report went live
24. Major Media Communications
Media Outlet – Article – Reporter
• The Wall Street Journal: “Flaws in Baby Monitors Open Door For Hackers” – Jennifer Valentino-DeVries
• Forbes: “It’s Depressingly Easy to Spy on Vulnerable Baby Monitors Using Just a Browser” – Thomas Fox-Brewster
• Christian Science Monitor: “Researcher gives baby monitors an ‘F’ in cybersecurity” – Joe Uchill
• Dark Reading: “Baby Monitors Expose Home – And Business – Networks” – Kelly Jackson Higgins
• ZDNet: “New security flaws found in popular IoT baby monitors” – Zack Whittaker
• Fusion: “Watch out, new parents – internet-connected baby monitors are easy to hack” – Kashmir Hill
• The Verge: “There are lots of ways to spy on baby monitors” – Ariha Setalvad
25. Philips Responsible Disclosure – Setting a New Standard
Typical Reactions Across the Med Devices Industry:
“What are you trying to sell us?”
“Who are you and why would you ever want to do this?”
“Thank you for your report, we’ll be contacting the Police.”
“That’s not possible, we didn’t design our system to allow that.”
“Please speak to our lawyers so we can scare you away.”
“Thank you for letting us know.” Then, hope you go away.
Philips Response:
Positive tone, communications, “our policy and process”.
Resolution of high/very-high risks within 90 days.
[…]
26. Media attention
Philips was the only baby monitor manufacturer praised for responding to vulnerability warnings. Another five were said to be selling vulnerable kit, allowing hackers to spy on babies.
28. Stakeholder Management
• External and Internal stakeholder management must be improved
• Goals are:
• Determine annual plans
• Who should participate
• Assignment of primary and secondary key resources
29. External Stakeholder Update
Key Stakeholder – Key Activities
FDA
• Finalized 2014 Pre-Market Submission Guidance
• Developed a partnership / leveraging MITRE to execute Vulnerability / Information Sharing strategy
• Formed an Alliance and signed a MOU with NH-ISAC
• Post-Market Surveillance Guidance released Jan. 2016 – Final targeted for December 2016
• Collaborative Approaches to Medical Device Cybersecurity Jan. 2016 Workshop
MDISS
• Recently conducted a Medical Device Security Workshop at NIST & MITRE (11/15)
• Working collectively and aggressively with FDA / NH-ISAC collaboration regarding Vulnerability Disclosure & Information Sharing
HITRUST
• Recently formed a new Cyber Security Working Group with Sara Coulter named in a Press Release as the Philips representative
NH-ISAC
• Formed an Alliance and signed a MOU with FDA
• Formed a Medical Device Security Information Sharing Council (MDSISC) sub-committee group
AdvaMed
• Formed a Cyber Security Working Group (Philips & Abbott Co-Chair)
• Meeting Scheduled for (11/15)
AAMI
• Sm-wg05 Device Security Working Group completing Risk Assessment Framework Standard (draft comments 11/15)
MITA
• Recently formed a Cyber Security Working Group
Department of Health & Human Services (HHS)
• Health Care Industry Cybersecurity Task Force formed March 2016 – Task Force Member
Department of Homeland Security
• Cyber Storm V – National Cybersecurity and Communications Integration Center
Digital Millennium Copyright Act (DMCA)
• The DMCA Copyright Office recently approved the ability for “Researchers” – Proposed Class 27A and Class 27B concerning security research on medical devices
30. Proactive Security Communications
Initiative – Key Activities
Security PR Outreach
• Engagement with Philips Healthcare PR agencies for security communications opportunities
• FleishmanHilliard and Lois Paul and Partners (LPP)
• Security Point-of-View interview with LPP scheduled to help drive identification and securing of editorial opportunities (early June)
• News-driven interviews to be a feature of PR outreach
Editorial Calendar Opportunities
• 12 possible feature article inclusions identified in 10 key publications
• Ongoing calendar monitoring and updates
Contributed Articles
• Inaugural article by Philips Healthcare security leadership published
• “Strategies and Practices for Mitigating Data Breaches and Their Impact on Patient Privacy” – by Michael McNeil, February 2014
• 24/7 Magazine 2014 News Article by Michael McNeil
• MDDI, Wireless Security, A Work in Progress Article
• 2015 mHealth Summit presentations
• 2015 November Bloomberg Article
31. November 11, 2015 – 2015 events (slide of event logos): Cyber Security for Healthcare Summit, June 29-July 1, 2015, Philadelphia; Workshop 2015; Summit 2015
32. Conclusions
• Better external communication across the ecosystem is critical for a robust security program
• Continuous threat monitoring of the Healthcare landscape is a critical component in maintaining that vigilance
• Transparency, accountability and responsiveness must be ongoing features, as we maintain and evolve programs
• Wider dialogue between medical device makers, hospitals, regulators and security professionals – particularly around interoperability – will advance innovations in security and the Healthcare industry