Royal Philips
Michael C. McNeil
Global Product Security & Services Officer
June, 2016
Data Breaches and Security:
Ditching Data Disasters
Objectives
• Review emerging and established drivers for increased focus
and resources on medical device security and safety
• Review the evolution of Philips Product Security Program and
key priorities
• Understand how manufacturers and healthcare delivery
organizations are responding to the emergence of cybersecurity
risk
• Introduce how Philips manages Responsible Disclosure and
Incident Response Management in the Healthcare industry
Product Security: Increasing complexity
And now we use personal health apps on mobile devices, connect more health systems, sometimes using cloud-based solutions, while also moving more healthcare functions to the patient home.
Furthermore we develop and open up standardized medical device platforms for shared rapid application development and access to health data.
Philips Unites Medical Devices, Apps and Data in The Cloud
Product Security Program Evolution
Governance
• Organizational Alignment
• Executive Leadership visibility (Board, Audit)
• Stakeholder Thought Leadership Strategy (Internal & External) – “Walk the Talk” (Risk Assessment, Information Sharing, 3-Deadly Sins, etc.)
Testing
• “Security Ninjas” – dedicated team and Center of Excellence
• Leveraged across the enterprise
• Standardized Use Cases for common and comparable results
Responsible Disclosure
• Enhancements and ability to leverage existing Incident Response Management Programs
• Integrated into Customer Complaint Handling processes
Bill of Materials
• Continuously monitor the software BOM for new vulnerabilities and security software updates
????
• Continuous Assessment and Monitoring of existing modules of the program and seek improvements where appropriate
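The software BOM item above says what to do (continuously match the shipped component list against new vulnerabilities) but not how the matching step works. The following is an added example, not Philips code and not part of the original deck: it loads a constructed SBOM and a constructed advisory list (the ADV-C-* identifiers, component versions and affected ranges are all made up for illustration) and reports which advisories hit which components and the lowest version that would clear them. A real deployment would pull the SBOM from the build system and the advisories from NVD or ICS-CERT and rerun this whenever either side changes.

```python
"""Match a software bill of materials (SBOM) against a vulnerability feed.

Added example, not Philips code and not from the original deck. The SBOM
entries, the advisories and their identifiers (ADV-C-001 ...) are all
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet
    severity: str


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.4.35' or '1.0.1e' into a tuple that compares the way package
    versions do: numeric parts as ints, a letter suffix (the 'e' in 1.0.1e)
    as a string tie-breaker. '1.2' < '1.2.1' because a shorter tuple is a
    prefix of the longer one."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"(\d+)(.*)", piece)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return tuple(parts)


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component's version lies in [introduced, fixed)."""
    if component.name.lower() != adv.component.lower():
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def match_sbom(sbom: List[Component], feed: List[Advisory]) -> Dict[str, List[str]]:
    """Return {advisory_id: ['name@version', ...]} for every affected component."""
    hits: Dict[str, List[str]] = {}
    for comp in sbom:
        for adv in feed:
            if is_affected(comp, adv):
                hits.setdefault(adv.advisory_id, []).append(f"{comp.name}@{comp.version}")
    return hits


def required_updates(sbom: List[Component], feed: List[Advisory]) -> Dict[str, Optional[str]]:
    """For each affected component, the lowest version that clears all of its
    advisories, or None when at least one advisory has no fix yet."""
    updates: Dict[str, Optional[str]] = {}
    for comp in sbom:
        key = f"{comp.name}@{comp.version}"
        for adv in feed:
            if not is_affected(comp, adv):
                continue
            if adv.fixed is None or (key in updates and updates[key] is None):
                updates[key] = None  # unfixable until the vendor ships a fix
            elif key not in updates or parse_version(adv.fixed) > parse_version(updates[key]):
                updates[key] = adv.fixed
    return updates


# Constructed SBOM of a hypothetical device image and a constructed advisory feed.
SBOM = [
    Component("openssl", "1.0.1e"),
    Component("busybox", "1.21.0"),
    Component("lighttpd", "1.4.35"),
]
FEED = [
    Advisory("ADV-C-001", "openssl", "1.0.1", "1.0.1g", "HIGH"),
    Advisory("ADV-C-002", "openssl", "1.0.0", None, "MEDIUM"),      # no fix published yet
    Advisory("ADV-C-003", "busybox", "1.20.0", "1.23.0", "MEDIUM"),
    Advisory("ADV-C-004", "lighttpd", "1.4.0", "1.4.35", "LOW"),     # fixed in exactly 1.4.35
]

if __name__ == "__main__":
    for adv_id, comps in match_sbom(SBOM, FEED).items():
        print(adv_id, "affects", ", ".join(comps))
    print("updates:", required_updates(SBOM, FEED))
```

The boundary handling is the part worth checking in any real matcher: lighttpd 1.4.35 is not reported because the fix version is exclusive, and openssl is reported as unfixable rather than "update to 1.0.1g" because a second advisory on it has no fix, which is the case a customer-facing security bulletin must not hide.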
Industry Challenges
Patient Safety
• Potential threats demonstrated by ethical hackers
Data Integrity
• Demands from customers and patients for accurate and available data
Legal/Regulatory Obligations
• Meeting the privacy and security needs of our customers in the healthcare delivery
industry
• Stringent laws around securing data and the transfer of data throughout the world
Protecting Intellectual Property
• Nation State attacks to gain network access and critical assets
• Ensuring security during expansion in emerging markets
Threat Landscape
Changing attack landscape
Malicious attackers are targeting Healthcare facilities:
• Hospital infrastructures are often very complex, contain legacy equipment and sometimes organizations lag behind in implementing industry best security practices, making it easier to:
  • Penetrate and take over systems
  • Hide to maintain a presence in the network
• 2016 “Year of the Ransomware”: ransomware at an all-time high and still growing
The value of Electronic Health Records on the black markets is increasing, making it more interesting for hackers to specifically target hospital infrastructure.
Medical Device Challenges
• Concerns about anti-virus definition updates on medical devices?
• Can your network and device user be fully trusted to never make an unauthorized connection to the outside world?
• Does your device store or display ePHI and could non-authorized users potentially access this?
• Is the device only used by clinical users on a daily basis, without a need to access outside of the application?
• Could someone walk out with the device?
• Could the device be found in an openly accessible area in your facility?
Regulators increasingly address the lack of security/privacy
• 2013-02-22: HTC (mobile phones) settles with FTC by issuing software security
patches, and creating a security program to be monitored 20 years.
• 2013-06-13: FDA and DHS/ICS-CERT require risk information from 40 Medical Device
Manufacturers regarding the use of fixed passwords in over 300 medical devices.
• 2014-03-07: The British Pregnancy Advice Service (BPAS) has been fined £200,000
after a serious breach revealed thousands of records to a malicious hacker.
• 2014-05-07: The Office for Civil Rights (OCR) settles with the New York Presbyterian
Hospital and Columbia University for 4.8 million US$ after failed security controls
leaked 6,800 patient records onto the internet.
• 2014-08-20: FBI warned US healthcare industry companies that they are targeted by
hackers after a group of Chinese hackers stole the personal information of 4.5 million
patients by targeting the computer network of Community Health Systems Inc.
• 2014-11-06: Dutch DPA publishes a report about the Groene Hart Hospital for failing
to protect patient information due to the lack of proper network security controls
and the ongoing use of end of life software such as Windows 2000 and Windows XP.
ICS-CERT Vulnerability Disclosure Policy
• ICS-CERT will attempt to coordinate all reported vulnerabilities with the affected
vendor.
• An appropriate timeframe for mitigation development and the type and
schedule of disclosure will be determined based on the factors
involved. Extenuating circumstances, such as active exploitation, threats of an
especially serious nature, or situations that require changes to an established
standard may result in earlier or later disclosure.
• Other factors include:
• whether the vulnerability has already been publicly disclosed
• the severity of the vulnerability
• potential impact to critical infrastructure
• possible threat to public health and safety
• immediate mitigations available
• vendor responsiveness and feasibility for creating an upgrade or patch
• vendor estimate of time required for customers to obtain, test and apply the
patch
ICS-CERT Vulnerability Disclosure Policy
The ICS-CERT vulnerability remediation process involves five basic steps:
1. Detection/Collection—ICS-CERT collects vulnerability reports in three ways: ICS-CERT
vulnerability analysis, monitoring public sources of vulnerability information, and direct
notification of vulnerabilities to ICS-CERT. After receiving a report, ICS-CERT does an initial
surface analysis to eliminate duplicates and false alarms. ICS-CERT then catalogs the
vulnerabilities, including all of the information (public and private) that is known at that
point.
2. Analysis—Once the vulnerabilities are catalogued, vendor and ICS-CERT analysts work to
understand the vulnerabilities by examining and identifying the issues, as well as the
potential threat.
3. Mitigation Coordination—After analyzing a vulnerability, ICS-CERT will continue to work
with the vendor for mitigation and patch issuance. ICS-CERT has established secure and
trusted partnerships with control systems vendors for vulnerability disclosure and overall
technology assessment and testing functions. ICS-CERT will work with the vendors to allow
sufficient time to effectively resolve and perform patch regression testing against any given
vulnerability. Additionally, ICS-CERT has experience successfully coordinating response to
vulnerabilities that affect multi-vendor products.
4. Application of Mitigation—ICS-CERT will work with the vendor to allow sufficient time for
affected end users to obtain, test, and apply mitigation strategies prior to disclosure.
5. Disclosure—After coordinating with vendors and gathering technical and threat information,
ICS-CERT will take appropriate steps to notify end users about the vulnerability. ICS-CERT
strives to disclose accurate, neutral, objective information focused on technical remediation
and mitigation for asset owners and operators. ICS-CERT will reference other available
information and correct misinformation when possible.
Philips Response - Responsible Disclosure
Philips Responsible Disclosure Positioning
• Royal Philips recognizes the need for a clear Responsible Disclosure Policy and protocols as part of its
Product Security function.
• One of the first Medical Device companies to implement a Responsible Disclosure Policy according to
current industry best practices.
• Our policy is publicly accessible, with clear communications channels for customers, researchers and
other security community stakeholders.
• The policy is based on principles of transparency, accountability and responsiveness.
• The policy outlines defined protocols for reporting and response, managed by the Philips Product
Security Team.
• The policy protocols encompass:
• Monitoring and response of inbound communications
• Managing confirmation receipt and follow-up communication with senders
• Evaluation of vulnerability notifications and status tracking
• Alignment with incident response, stakeholder notification, remediation and prevention
protocols as required
• Philips continues to actively seek out researchers and analysts for assistance and guidance on policy
design changes and updates.
• The company has increasingly engaged with the security research community over the past few
years.
• Philips is committed to ongoing dialogue with the security community and to productive
partnerships.
2015-10-05 Product and Services Security Office Confidential
Responsible Disclosure Process
ISO/IEC 29147 and 30111 called out by FDA
Responsible Disclosure UX00461
Complaint handling / CAPA process should already be in the BU QMS. For most Healthcare BU’s this is defined by the overarching PHQD in policies such as PHPR0264.
Shared responsibilities of the PSSO and the Responsible Organization
Responsible Disclosure Process Summary
Vulnerability Report Received
• Email Monitoring Team receives email, acknowledges receipt and passes the information to the Event Handler and Responsible Organization
Verification
• The Responsible Organization initiates the complaint/CAPA process as defined in their local Quality System and verifies the vulnerability
Resolution Development
• The Responsible Organization executes its standard complaint/CAPA process to determine prioritization and to develop a solution and/or workaround
Release
• The Responsible Organization releases the solution and/or workaround
Post Release
• Post mortem analysis by the Responsible Organization shared with the teams
Why is Responsible Disclosure different?
• For non-customers it is often unclear how or whom to contact
within Philips.
• The motivation of the person is often unknown, so the Product
Security & Services Office (PSSO) will be the single point of
contact. The motivation might be:
• White Hat: An ethical computer hacker, or a computer security expert,
who specializes in penetration testing and in other testing
methodologies to ensure the security of systems (who might be part of
a customer organization). Willing to cooperate, no hidden agenda.
• Gray Hat: As above but also personally motivated for compensation
either from the organization or by establishing name and fame in the
security community (conferences).
• Black Hat: Only out for financial gain. Might be using this process when
motivated to damage Philips reputation.
How many believe that Responsible “Coordinated” Disclosure is a Contact Sport? Mfg. versus Researcher
Philips Responsible Disclosure – Program Execution
Since the start of the program in Nov. 2014, we received 35 reports on vulnerabilities via responsible disclosure:
• 10 Philips Products: 3 Healthcare products, 4 Personal Health products, 3 TVs and Smartphones
• 25 Philips IT Infrastructure: mainly websites
[…]
Philips Responsible Disclosure – Experience of a Major Event
First Contact: 4th of July, 2015 (email)
• PGP encrypted email to Philips Product Security
• List of exploitable vulnerabilities
• Deadlines until disclosures to CERT and public
• Contact information
Vulnerabilities Reported:
• Unencrypted hard-coded passwords in firmware.
• Unencrypted, unauthenticated access to backend web application over the public Internet.
• Locating and accessing the device over the Internet to monitor video, enable remote access (via Telnet), and change settings.
• Other vulnerabilities to access & control the device.
[…]
Philips experience of the vulnerabilities in the In.Sight wireless HD Baby Monitor
• Report made by Tod Beardsley, Security Research Manager at Rapid7.
• A more developed and orchestrated vulnerability disclosure
• Media campaign, conferences and webinar globally scheduled once the report went live
Major Media Communications
Media Outlet | Article | Reporter
The Wall Street Journal | Flaws in Baby Monitors Open Door For Hackers | Jennifer Valentino-DeVries
Forbes | It’s Depressingly Easy to Spy on Vulnerable Baby Monitors Using Just a Browser | Thomas Fox-Brewster
Christian Science Monitor | Researcher gives baby monitors an ‘F’ in cybersecurity | Joe Uchill
Dark Reading | Baby Monitors Expose Home – And Business – Networks | Kelly Jackson Higgins
ZDNet | New security flaws found in popular IoT baby monitors | Zack Whittaker
Fusion | Watch out, new parents – internet-connected baby monitors are easy to hack | Kashmir Hill
The Verge | There are lots of ways to spy on baby monitors | Ariha Setalvad
Typical Reactions Across the Med Devices Industry:
“What are you trying to sell us?”
“Who are you and why would you ever want to do this?”
“Thank you for your report, we’ll be contacting the Police.”
“That’s not possible, we didn’t design our system to allow that.”
“Please speak to our lawyers so we can scare you away.”
“Thank you for letting us know.” Then, hope you go away.
Philips Response:
Positive tone, communications, “our policy and process”.
Resolution of high/very-high risks within 90 days.
Philips Responsible Disclosure – Setting a New Standard
[…]
Media attention
Philips was the only baby monitor manufacturer praised for responding to vulnerability warnings.
Another five were said to be selling vulnerable kit, allowing hackers to spy on babies.
Stakeholder Management
• External and Internal stakeholder management must be
improved
• Goals are:
• Determine annual plans
• Who should participate
• Assignment of primary and secondary key resources
External Stakeholder Update
Key Stakeholder / Key Activities
FDA
• Finalized 2014 Pre-Market Submission Guidance
• Developed a partnership / leveraging MITRE to execute Vulnerability / Information Sharing strategy
• Formed an Alliance and signed a MOU with NH-ISAC
• Post-Market Surveillance Guidance released Jan. 2016 – Final targeted for December 2016
• Collaborative Approaches to Medical Device Cybersecurity Jan. 2016 Workshop
MDISS
• Recently conducted a Medical Device Security Workshop at NIST & MITRE (11/15)
• Working collectively and aggressively with FDA / NH-ISAC collaboration regarding Vulnerability Disclosure & Information Sharing
HITRUST
• Recently formed a new Cyber Security Working Group with Sara Coulter named in a Press Release as the Philips representative
NH-ISAC
• Formed an Alliance and signed a MOU with FDA
• Formed a Medical Device Security Information Sharing Council (MDSISC) sub-committee group
AdvaMed
• Formed a Cyber Security Working Group (Philips & Abbott Co-Chair)
• Meeting Scheduled for (11/15)
AAMI
• Sm-wg05 Device Security Working Group completing Risk Assessment Framework Standard (draft comments 11/15)
MITA
• Recently formed a Cyber Security Working Group
Department of Health & Human Services (HHS)
• Health Care Industry Cybersecurity Task Force formed March 2016 – Task Force Member
Department of Homeland Security
• Cyber Storm V – National Cybersecurity and Communications Integration Center
Digital Millennium Copyright Act (DMCA)
• The Copyright Office recently approved DMCA exemptions for “Researchers” – Proposed Class 27A and Class 27B concerning security research on medical devices
Proactive Security Communications
Initiative / Key Activities
Security PR Outreach
• Engagement with Philips Healthcare PR agencies for security communications opportunities: FleishmanHillard and Lois Paul and Partners (LPP)
• Security Point-of-View interview with LPP scheduled to help drive identification and securing of editorial opportunities (early June)
• News-driven interviews to be a feature of PR outreach
Editorial Calendar Opportunities
• 12 possible feature article inclusions identified in 10 key publications
• Ongoing calendar monitoring and updates
Contributed Articles
• Inaugural article by Philips Healthcare security leadership published: “Strategies and Practices for Mitigating Data Breaches and Their Impact on Patient Privacy” – by Michael McNeil, February 2014
• 24/7 Magazine 2014 News Article by Michael McNeil
• MDDI, “Wireless Security, A Work in Progress” article
• 2015 mHealth Summit presentations
• 2015 November Bloomberg Article
Conference appearances (slide dated November 11, 2015; event logos in the original):
• Cyber Security for Healthcare Summit, June 29-July 1, 2015, Philadelphia
• Workshop 2015
• Summit 2015
Conclusions
• Better external communication across the ecosystem is critical for a
robust security program
• Continuous Threat monitoring of the Healthcare landscape is a
critical component in maintaining that vigilance
• Transparency, accountability and responsiveness must be ongoing
features, as we maintain and evolve programs
• Wider dialogue between medical device makers, hospitals,
regulators and security professionals – particularly around
interoperability – will advance innovations in security and the
Healthcare industry
Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips Healthcare

 
How CIOs Can Execute Change Programmes Successfully - Melissa Bell news release
How CIOs Can Execute Change Programmes Successfully - Melissa Bell news releaseHow CIOs Can Execute Change Programmes Successfully - Melissa Bell news release
How CIOs Can Execute Change Programmes Successfully - Melissa Bell news release
 
Transitioning to a Digital Enterprise - Dan Hushon News Release
Transitioning to a Digital Enterprise -  Dan Hushon News ReleaseTransitioning to a Digital Enterprise -  Dan Hushon News Release
Transitioning to a Digital Enterprise - Dan Hushon News Release
 
Grow Your Business
Grow Your Business Grow Your Business
Grow Your Business
 
The one-on-one meetings with potential customers is what matters most
The one-on-one meetings with potential customers is what matters mostThe one-on-one meetings with potential customers is what matters most
The one-on-one meetings with potential customers is what matters most
 
Where marcus evans fits in our business development mix
Where marcus evans fits in our business development mixWhere marcus evans fits in our business development mix
Where marcus evans fits in our business development mix
 
Crafting the Right Mobile Device Management Framework to Mitigate Risks and M...
Crafting the Right Mobile Device Management Framework to Mitigate Risks and M...Crafting the Right Mobile Device Management Framework to Mitigate Risks and M...
Crafting the Right Mobile Device Management Framework to Mitigate Risks and M...
 
Adaptive Transformation: Transitioning from Resource to Flow Efficiency
Adaptive Transformation: Transitioning from Resource to Flow Efficiency Adaptive Transformation: Transitioning from Resource to Flow Efficiency
Adaptive Transformation: Transitioning from Resource to Flow Efficiency
 
Home Hunter
Home Hunter Home Hunter
Home Hunter
 
A New Approach to the CIO role by Redefining the IT Department’s Contribution...
A New Approach to the CIO role by Redefining the IT Department’s Contribution...A New Approach to the CIO role by Redefining the IT Department’s Contribution...
A New Approach to the CIO role by Redefining the IT Department’s Contribution...
 
Bigger and Better: Employing a Holistic Strategy for Big Data toward a Strong...
Bigger and Better: Employing a Holistic Strategy for Big Data toward a Strong...Bigger and Better: Employing a Holistic Strategy for Big Data toward a Strong...
Bigger and Better: Employing a Holistic Strategy for Big Data toward a Strong...
 
The Shifting Role of the CIO as a Strategic Innovator
The Shifting Role of the CIO as a Strategic InnovatorThe Shifting Role of the CIO as a Strategic Innovator
The Shifting Role of the CIO as a Strategic Innovator
 
Active Defence: Safeguarding Crucial Capability while Boosting Functionality ...
Active Defence: Safeguarding Crucial Capability while Boosting Functionality ...Active Defence: Safeguarding Crucial Capability while Boosting Functionality ...
Active Defence: Safeguarding Crucial Capability while Boosting Functionality ...
 
Outsourcing to Save IT Costs: Interview with: George Bower, President and Chi...
Outsourcing to Save IT Costs: Interview with: George Bower, President and Chi...Outsourcing to Save IT Costs: Interview with: George Bower, President and Chi...
Outsourcing to Save IT Costs: Interview with: George Bower, President and Chi...
 

Recently uploaded

Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Navpack & Print
 
CADAVER AS OUR FIRST TEACHER anatomt in your.pptx
CADAVER AS OUR FIRST TEACHER anatomt in your.pptxCADAVER AS OUR FIRST TEACHER anatomt in your.pptx
CADAVER AS OUR FIRST TEACHER anatomt in your.pptx
fakeloginn69
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
Workforce Group
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
dylandmeas
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
ofm712785
 
Unveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdfUnveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdf
Sam H
 
Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
HARSHITHV26
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
sarahvanessa51503
 
chapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxationchapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxation
AUDIJEAngelo
 
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
Kumar Satyam
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
seri bangash
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
SynapseIndia
 
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxTaurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
my Pandit
 
Role of Remote Sensing and Monitoring in Mining
Role of Remote Sensing and Monitoring in MiningRole of Remote Sensing and Monitoring in Mining
Role of Remote Sensing and Monitoring in Mining
Naaraayani Minerals Pvt.Ltd
 
What are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdfWhat are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdf
HumanResourceDimensi1
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
Nicola Wreford-Howard
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
KaiNexus
 
Buy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star ReviewsBuy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star Reviews
usawebmarket
 
20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf
tjcomstrang
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
Cynthia Clay
 

Recently uploaded (20)

Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
 
CADAVER AS OUR FIRST TEACHER anatomt in your.pptx
CADAVER AS OUR FIRST TEACHER anatomt in your.pptxCADAVER AS OUR FIRST TEACHER anatomt in your.pptx
CADAVER AS OUR FIRST TEACHER anatomt in your.pptx
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
 
Unveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdfUnveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdf
 
Set off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptxSet off and carry forward of losses and assessment of individuals.pptx
Set off and carry forward of losses and assessment of individuals.pptx
 
Brand Analysis for an artist named Struan
Brand Analysis for an artist named StruanBrand Analysis for an artist named Struan
Brand Analysis for an artist named Struan
 
chapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxationchapter 10 - excise tax of transfer and business taxation
chapter 10 - excise tax of transfer and business taxation
 
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxTaurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
 
Role of Remote Sensing and Monitoring in Mining
Role of Remote Sensing and Monitoring in MiningRole of Remote Sensing and Monitoring in Mining
Role of Remote Sensing and Monitoring in Mining
 
What are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdfWhat are the main advantages of using HR recruiter services.pdf
What are the main advantages of using HR recruiter services.pdf
 
Exploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social DreamingExploring Patterns of Connection with Social Dreaming
Exploring Patterns of Connection with Social Dreaming
 
Enterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdfEnterprise Excellence is Inclusive Excellence.pdf
Enterprise Excellence is Inclusive Excellence.pdf
 
Buy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star ReviewsBuy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star Reviews
 
20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 

Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips Healthcare

Industry Challenges
Patient Safety
• Potential threats demonstrated by ethical hackers
Data Integrity
• Demands from customers and patients for accurate and available data
Legal/Regulatory Obligations
• Meeting the privacy and security needs of our customers in the healthcare delivery industry
• Stringent laws around securing data and the transfer of data throughout the world
Protecting Intellectual Property
• Nation-state attacks to gain network access and critical assets
• Ensuring security during expansion in emerging markets
Changing attack landscape
Malicious attackers are targeting healthcare facilities:
• Hospital infrastructures are often very complex, contain legacy equipment, and organizations sometimes lag behind in implementing industry best security practices, making it easier to:
  • Penetrate and take over systems
  • Hide to maintain a presence in the network
• 2016: the "Year of the Ransomware", with attacks at an all-time high and still growing
The value of Electronic Health Records on black markets is increasing, making it more attractive for hackers to specifically target hospital infrastructure.
Medical Device Challenges
• Concerns about anti-virus definition updates on medical devices?
• Can your network and device users be fully trusted to never make an unauthorized connection to the outside world?
• Does your device store or display ePHI, and could non-authorized users potentially access it?
• Is the device only used by clinical users on a daily basis, without a need to access anything outside of the application?
• Could someone walk out with the device?
• Could the device be found in an openly accessible area in your facility?
Regulators increasingly address the lack of security/privacy
• 2013-02-22: HTC (mobile phones) settles with the FTC by issuing software security patches and creating a security program to be monitored for 20 years.
• 2013-06-13: FDA and DHS/ICS-CERT require risk information from 40 medical device manufacturers regarding the use of fixed passwords in over 300 medical devices.
• 2014-03-07: The British Pregnancy Advisory Service (BPAS) is fined £200,000 after a serious breach revealed thousands of records to a malicious hacker.
• 2014-05-07: The Office for Civil Rights (OCR) settles with New York-Presbyterian Hospital and Columbia University for US$4.8 million after failed security controls leaked 6,800 patient records onto the internet.
• 2014-08-20: The FBI warns US healthcare companies that they are being targeted by hackers, after a group of Chinese hackers stole personal information on 4.5 million patients by compromising the computer network of Community Health Systems Inc.
• 2014-11-06: The Dutch DPA publishes a report on the Groene Hart Hospital for failing to protect patient information, due to the lack of proper network security controls and the ongoing use of end-of-life software such as Windows 2000 and Windows XP.
Regulators increasingly address the lack of security/privacy (continued)
ICS-CERT Vulnerability Disclosure Policy
• ICS-CERT will attempt to coordinate all reported vulnerabilities with the affected vendor.
• An appropriate timeframe for mitigation development, and the type and schedule of disclosure, will be determined based on the factors involved. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to an established standard, may result in earlier or later disclosure.
• Other factors include:
  • whether the vulnerability has already been publicly disclosed
  • the severity of the vulnerability
  • potential impact to critical infrastructure
  • possible threat to public health and safety
  • immediate mitigations available
  • vendor responsiveness and feasibility of creating an upgrade or patch
  • vendor estimate of the time required for customers to obtain, test and apply the patch
ICS-CERT Vulnerability Disclosure Policy
The ICS-CERT vulnerability remediation process involves five basic steps:
1. Detection/Collection: ICS-CERT collects vulnerability reports in three ways: ICS-CERT vulnerability analysis, monitoring public sources of vulnerability information, and direct notification of vulnerabilities to ICS-CERT. After receiving a report, ICS-CERT does an initial surface analysis to eliminate duplicates and false alarms. ICS-CERT then catalogs the vulnerabilities, including all of the information (public and private) that is known at that point.
2. Analysis: once the vulnerabilities are catalogued, vendor and ICS-CERT analysts work to understand the vulnerabilities by examining and identifying the issues, as well as the potential threat.
3. Mitigation Coordination: after analyzing a vulnerability, ICS-CERT will continue to work with the vendor on mitigation and patch issuance. ICS-CERT has established secure and trusted partnerships with control systems vendors for vulnerability disclosure and overall technology assessment and testing functions. ICS-CERT will work with the vendors to allow sufficient time to effectively resolve and perform patch regression testing against any given vulnerability. Additionally, ICS-CERT has experience successfully coordinating the response to vulnerabilities that affect multi-vendor products.
4. Application of Mitigation: ICS-CERT will work with the vendor to allow sufficient time for affected end users to obtain, test, and apply mitigation strategies prior to disclosure.
5. Disclosure: after coordinating with vendors and gathering technical and threat information, ICS-CERT will take appropriate steps to notify end users about the vulnerability. ICS-CERT strives to disclose accurate, neutral, objective information focused on technical remediation and mitigation for asset owners and operators. ICS-CERT will reference other available information and correct misinformation when possible.
Philips Response: Responsible Disclosure
Philips Responsible Disclosure Positioning
• Royal Philips recognizes the need for a clear Responsible Disclosure Policy and protocols as part of its Product Security function.
• One of the first medical device companies to implement a Responsible Disclosure Policy according to current industry best practices.
• Our policy is publicly accessible, with clear communication channels for customers, researchers and other security community stakeholders.
• The policy is based on principles of transparency, accountability and responsiveness.
• The policy outlines defined protocols for reporting and response, managed by the Philips Product Security Team. The policy protocols encompass:
  • Monitoring of and response to inbound communications
  • Managing confirmation of receipt and follow-up communication with senders
  • Evaluation of vulnerability notifications and status tracking
  • Alignment with incident response, stakeholder notification, remediation and prevention protocols as required
• Philips continues to actively seek out researchers and analysts for assistance and guidance on policy design changes and updates.
• The company has increasingly engaged with the security research community over the past few years.
• Philips is committed to ongoing dialogue with the security community and to productive partnerships.
Responsible Disclosure Process (Product and Services Security Office, 2015-10-05)
• ISO/IEC 29147 and ISO/IEC 30111 are called out by FDA for responsible disclosure (Philips Responsible Disclosure process UX00461)
• The complaint handling / CAPA process should already be in the BU QMS. For most Healthcare BUs this is defined by the overarching PHQD in policies such as PHPR0264
• Shared responsibilities of the PSSO and the Responsible Organization
Responsible Disclosure Process Summary
1. Vulnerability Report Received: the Email Monitoring Team receives the email, acknowledges receipt and passes the information to the Event Handler and the Responsible Organization
2. Verification: the Responsible Organization initiates the complaint/CAPA process as defined in its local Quality System and verifies the vulnerability
3. Resolution Development: the Responsible Organization executes its standard complaint/CAPA process to determine prioritization and to develop a solution and/or workaround
4. Release: the Responsible Organization releases the solution and/or workaround
5. Post Release: post-mortem analysis by the Responsible Organization, shared with the teams
Why is Responsible Disclosure different?
• For non-customers it is often unclear how, or whom, to contact within Philips.
• The motivation of the reporter is often unknown, so the Product Security & Services Office (PSSO) will be the single point of contact. The motivation might be:
  • White Hat: an ethical computer hacker or computer security expert who specializes in penetration testing and other testing methodologies to ensure the security of systems (and who might be part of a customer organization). Willing to cooperate, no hidden agenda.
  • Gray Hat: as above, but also personally motivated by compensation, either from the organization or by establishing name and fame in the security community (conferences).
  • Black Hat: only out for financial gain. Might be using this process when motivated to damage Philips' reputation.
How many believe that Responsible ("Coordinated") Disclosure is a Contact Sport? Manufacturer versus Researcher
Philips Responsible Disclosure – Program Execution
Since the start of the program in Nov. 2014, we received 35 reports on vulnerabilities via responsible disclosure:
• 10 Philips products: 3 Healthcare products, 4 Personal Health products, 3 TVs and smartphones
• 25 Philips IT infrastructure: mainly websites
Philips Responsible Disclosure – Experience of a Major Event
First contact: 4 July 2015 (email)
• PGP-encrypted email to Philips Product Security
• List of exploitable vulnerabilities
• Deadlines until disclosure to CERT and to the public
• Contact information
Vulnerabilities reported:
• Unencrypted hard-coded passwords in firmware
• Unencrypted, unauthenticated access to the backend web application over the public Internet
• Locating and accessing the device over the Internet to monitor video, enable remote access (via Telnet), and change settings
• Other vulnerabilities to access and control the device
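Two of the reported weakness classes, hard-coded passwords in firmware and an always-on Telnet shell, are the kind of thing a product security team can screen for before a researcher does, by extracting printable strings from the firmware image and matching credential and service patterns. The scanner below is an added example written for this page, not Philips or Rapid7 tooling, and the firmware image it scans (SAMPLE_FIRMWARE) is a constructed blob, not an image of any real device. It classifies Unix passwd/shadow entries (hashed, empty or locked), key=value secrets in config files, and init-script launches of remote shells, and it skips printf-style prompt strings so that a UI label such as "Enter password:%s" is not reported as a credential.

```python
"""Static triage of a firmware image for hard-coded credentials and an
always-on remote shell. Added example; SAMPLE_FIRMWARE is constructed."""
import re
from dataclasses import dataclass

# Constructed image: binary filler around a busybox-style /etc/passwd (two
# hashed accounts, one passwordless account, one locked account), an app
# config with a cleartext password, an init script starting telnetd, and a
# UI prompt string that must NOT be reported as a credential.
FILLER = b"\x00\xff\x80\x7f\x01\x02" * 32
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + FILLER
    + b"/etc/passwd\x00"
    + b"root:$1$Zn7qkLp2$Qm3vXw9aR1Yc5tBn8dF2h.:0:0:root:/root:/bin/sh\n"
    + b"admin:XyZ9aQ1bC2dE3:500:500:admin:/home/admin:/bin/sh\n"
    + b"guest::501:501:guest:/tmp:/bin/sh\n"
    + b"nobody:*:99:99:nobody:/:/bin/false\n\x00"
    + b"/etc/config/app.conf\x00"
    + b"admin_password=admin123\nupnp_enable=1\n\x00"
    + b"/etc/init.d/rcS\x00"
    + b"/usr/sbin/telnetd -l /bin/sh &\n\x00"
    + b"Enter password:%s\x00" + FILLER
)

PASSWD_ENTRY = re.compile(r"^([a-z_][a-z0-9_-]*):([^:]*):\d*:")
MODULAR_CRYPT = re.compile(r"\$[0-9a-z]+\$[A-Za-z0-9./]+\$[A-Za-z0-9./]+")
DES_CRYPT = re.compile(r"[A-Za-z0-9./]{13}")
CLEARTEXT_SECRET = re.compile(
    r"(pass(?:word|wd)?|pwd|secret|api[_-]?key)\s*[=:]\s*[\"']?([^\s\"']+)",
    re.IGNORECASE)
REMOTE_SHELL = re.compile(r"\b(u?telnetd|dropbear|sshd)\b")


@dataclass
class Finding:
    kind: str      # hardcoded-hash | empty-password | cleartext-secret | remote-shell
    detail: str    # user name, config key or daemon name
    offset: int    # byte offset of the string inside the image
    evidence: str  # the extracted string the finding came from


def extract_strings(blob, min_len=6):
    """Equivalent of `strings -n 6`: (offset, text) for each printable run.
    Newlines are non-printable here, so each passwd line is its own string."""
    out, start = [], None
    for i, b in enumerate(blob):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                out.append((start, blob[start:i].decode("ascii")))
            start = None
    if start is not None and len(blob) - start >= min_len:
        out.append((start, blob[start:].decode("ascii")))
    return out


def classify_hash(field):
    """Classify the password field of a passwd/shadow entry; None = not a finding."""
    if field == "":
        return "empty-password"          # login with no password at all
    if field.startswith(("*", "!")) or field == "x":
        return None                      # locked, or deferred to /etc/shadow
    if MODULAR_CRYPT.fullmatch(field) or DES_CRYPT.fullmatch(field):
        return "hardcoded-hash"          # same hash on every shipped unit
    return None


def scan_firmware(blob):
    findings = []
    for offset, text in extract_strings(blob):
        m = PASSWD_ENTRY.match(text)
        if m:
            kind = classify_hash(m.group(2))
            if kind:
                findings.append(Finding(kind, m.group(1), offset, text))
            continue
        m = CLEARTEXT_SECRET.search(text)
        if m and "%" not in m.group(2):   # "%s" means a prompt, not a value
            key = text[:m.start(2)].rstrip(" =:\"'")
            key = re.split(r"[\s;,]", key)[-1]
            findings.append(Finding("cleartext-secret", key, offset, text))
            continue
        m = REMOTE_SHELL.search(text)
        if m:
            findings.append(Finding("remote-shell", m.group(1), offset, text))
    return findings


if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print(f"{f.offset:#08x} {f.kind:<17} {f.detail:<15} {f.evidence!r}")
```

Run against a real image after unpacking it (squashfs, cramfs or a raw flash dump), the same three checks map directly onto the first three bullets of the report above: a hashed root password that is identical on every unit is still a hard-coded credential, a cleartext admin password in a config file is worse, and a telnetd line in rcS is the remote shell the researcher reached over the Internet.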
Philips experiences of vulnerabilities: In.Sight wireless HD Baby Monitor
• Report made by Tod Beardsley, Security Research Manager at Rapid7
• A more developed and orchestrated vulnerability disclosure
• Media campaign, conferences and webinar globally scheduled once the report went live
Major Media Communications (media outlet: article, reporter)
• The Wall Street Journal: "Flaws in Baby Monitors Open Door For Hackers", Jennifer Valentino-DeVries
• Forbes: "It's Depressingly Easy to Spy on Vulnerable Baby Monitors Using Just a Browser", Thomas Fox-Brewster
• Christian Science Monitor: "Researcher gives baby monitors an 'F' in cybersecurity", Joe Uchill
• Dark Reading: "Baby Monitors Expose Home – And Business – Networks", Kelly Jackson Higgins
• ZDNet: "New security flaws found in popular IoT baby monitors", Zack Whittaker
• Fusion: "Watch out, new parents – internet-connected baby monitors are easy to hack", Kashmir Hill
• The Verge: "There are lots of ways to spy on baby monitors", Ariha Setalvad
Philips Responsible Disclosure – Setting a New Standard
Typical reactions across the medical device industry:
• "What are you trying to sell us?"
• "Who are you and why would you ever want to do this?"
• "Thank you for your report, we'll be contacting the police."
• "That's not possible, we didn't design our system to allow that."
• "Please speak to our lawyers so we can scare you away."
• "Thank you for letting us know." Then, hope you go away.
Philips response: positive tone, communications, "our policy and process". Resolution of high/very-high risks within 90 days.
Media attention
Philips was the only baby monitor manufacturer praised for responding to vulnerability warnings. Another five were said to be selling vulnerable kit, allowing hackers to spy on babies.
Stakeholder Management
• External and internal stakeholder management must be improved
• Goals are:
  • Determine annual plans
  • Who should participate
  • Assignment of primary and secondary key resources
External Stakeholder Update (key stakeholder: key activities)
FDA
• Finalized 2014 Pre-Market Submission Guidance
• Developed a partnership, leveraging MITRE, to execute a vulnerability / information sharing strategy
• Formed an alliance and signed an MOU with NH-ISAC
• Post-Market Surveillance Guidance released Jan. 2016 (final targeted for December 2016)
• Collaborative Approaches to Medical Device Cybersecurity workshop, Jan. 2016
MDISS
• Recently conducted a Medical Device Security Workshop at NIST & MITRE (11/15)
• Working collectively and aggressively with the FDA / NH-ISAC collaboration on vulnerability disclosure and information sharing
HITRUST
• Recently formed a new Cyber Security Working Group, with Sara Coulter named in a press release as the Philips representative
NH-ISAC
• Formed an alliance and signed an MOU with FDA
• Formed a Medical Device Security Information Sharing Council (MDSISC) sub-committee
AdvaMed
• Formed a Cyber Security Working Group (Philips & Abbott co-chairs)
• Meeting scheduled for 11/15
AAMI
• Sm-wg05 Device Security Working Group completing a Risk Assessment Framework standard (draft comments 11/15)
MITA
• Recently formed a Cyber Security Working Group
Department of Health & Human Services (HHS)
• Health Care Industry Cybersecurity Task Force formed March 2016; Task Force member
Department of Homeland Security
• Cyber Storm V, National Cybersecurity and Communications Integration Center
Digital Millennium Copyright Act (DMCA)
• The Copyright Office recently approved an exemption enabling "researchers" (Proposed Class 27A and Class 27B) to conduct security research on medical devices
Proactive Security Communications (initiative: key activities)
Security PR Outreach
• Engagement with Philips Healthcare PR agencies, FleishmanHillard and Lois Paul and Partners (LPP), for security communications opportunities
• Security point-of-view interview with LPP scheduled (early June) to help drive identification and securing of editorial opportunities
• News-driven interviews to be a feature of PR outreach
Editorial Calendar Opportunities
• 12 possible feature article inclusions identified in 10 key publications
• Ongoing calendar monitoring and updates
Contributed Articles
• Inaugural article by Philips Healthcare security leadership published: "Strategies and Practices for Mitigating Data Breaches and Their Impact on Patient Privacy", by Michael McNeil, February 2014
• 24/7 Magazine 2014 news article by Michael McNeil
• MDDI article, "Wireless Security, A Work in Progress"
• 2015 mHealth Summit presentations
• 2015 November Bloomberg article
Events: November 11, 2015 Workshop; 2015 Cyber Security for Healthcare Summit, June 29 to July 1, 2015, Philadelphia
Conclusions
• Better external communication across the ecosystem is critical for a robust security program
• Continuous threat monitoring of the healthcare landscape is a critical component in maintaining that vigilance
• Transparency, accountability and responsiveness must be ongoing features as we maintain and evolve programs
• Wider dialogue between medical device makers, hospitals, regulators and security professionals, particularly around interoperability, will advance innovations in security and the healthcare industry