Michael McNeil
The price of peace of mind and patient safety
October 02, 2018
by Sean Ruck, Contributing Editor
There’s been a constant hum of news about cybersecurity in recent years. That hum became more of a roar around late 2016, when hacks of campaign emails became front page news during the presidential election. But in healthcare, the constant balancing act of keeping legacy systems safe and fending off attacks that continue to increase in sophistication keeps professionals like Michael McNeil busy.
McNeil was a member of the Healthcare Industry Cybersecurity Task Force, a government-sponsored group that was instrumental in the creation of the Cybersecurity Act of 2015. He is also the global product security and services officer for Royal Philips, and has held the position for almost five years. He and his team are responsible for deploying and installing security by design for any customer-facing offerings the company has in the marketplace. Philips operates under a global product security policy which directs its design methodology and its risk assessment and incident response activities. “As we identify threats and vulnerabilities, we put the process into place to make sure they’re managed appropriately. So I have a team that has that responsibility globally across Philips,” he said.
Using that information, McNeil’s team works to tweak configurations and re-engineering efforts in order to improve the ability to withstand outside threats. The information also shapes the security design requirements for products in the pipeline to ensure they’re integrated into a flow of secure suite of products and services.
While there have been a number of high-profile attacks on the healthcare sector recently – like the WannaCry ransomware attack last year that hit hospitals in the U.K. particularly hard – McNeil said that in order to understand events like that, it’s important to take a step back to look at the landscape of the healthcare industry and marketplace. “That particular landscape allows us to know where we stand in regard to other industries. So for example, the healthcare industry, with how it’s designed to maintain solutions in the marketplace, has clearly been a laggard compared to the financial services industry, even though healthcare is considered by most countries to be a critical infrastructure,” he explained.
McNeil said healthcare has the tendency to maintain and elongate the life cycle of the technology the sector uses. That wasn’t necessarily a problem for some solutions when the technology was introduced 15 or 20 years ago because they may have been operating in a contained environment. It wasn’t until connectivity and the need for connectivity increased that the vulnerabilities in those systems became obvious. “What a number of organizations from manufacturers to health delivery organizations have tried to do is to bolt on protocols and abilities to make that communication and connectivity of solutions much more ubiquitous,” McNeil said.
But the problem was that they put a bandage on something that potentially had a deeper wound. As those protocols were added, the possibility that they could hide but not necessarily fix other flaws increased. That means the industry had to continue playing catch-up to keep legacy devices safe and adhere to the appropriate level of performance to head off vulnerabilities, even as the revenue stream for those devices slowed.
That information lead to the question that probably causes sleepless nights for hospital administrators – at what point does it become more financially responsible to buy new technology instead of patching legacy equipment?
It could be argued that the WannaCry attack that wreaked havoc in U.K. hospitals last year had the potential to physically harm patients due to it blocking access to medical records and causing the rescheduling of non-critical medical operations, the harm wasn’t direct. While some experts have warned that it’s possible we could see hacks to pacemakers or other devices that would cause direct harm to people, so far it’s been ransomware attacks and theft of patient information, which all seems targeted at a direct for-profit focus. Regardless of the rationale behind the attacks, the potential financial impact for a compromised hospital or healthcare system is enormous. Consider the cost of a few days’ downtime on one of your heavily-used pieces of imaging equipment. Now multiply that by however many different modalities you have in use every day and consider that financial impact. That’s not even taking into account the hit to your organization’s reputation. So that’s why McNeil urges people to understand where their vulnerabilities are. “So the very first task is that you take an inventory of the equipment and see where you have systems that are still being supported, because you need to know where your exposure is in that particular environment,” he said.
By support, McNeil means you need to know which devices are still being monitored by the OEM or software provider, how often patches are introduced, and what kind of access you have to customer support in case something seems strange. After you’ve done your assessment, he advises you weigh your financial decisions and focus on the higher-risk areas to replace equipment if possible. “Now, for those that can’t be replaced, we need to understand what other isolations and hardening of the systems can be done,” he said.
Still, his main advice when using connected technology is to go with what is supported. “The notion of patches will always be attractive because malware will continue to evolve,” he said.
McNeil was a member of the Healthcare Industry Cybersecurity Task Force, a government-sponsored group that was instrumental in the creation of the Cybersecurity Act of 2015. He is also the global product security and services officer for Royal Philips, and has held the position for almost five years. He and his team are responsible for deploying and installing security by design for any customer-facing offerings the company has in the marketplace. Philips operates under a global product security policy which directs its design methodology and its risk assessment and incident response activities. “As we identify threats and vulnerabilities, we put the process into place to make sure they’re managed appropriately. So I have a team that has that responsibility globally across Philips,” he said.
Using that information, McNeil’s team works to tweak configurations and re-engineering efforts in order to improve the ability to withstand outside threats. The information also shapes the security design requirements for products in the pipeline to ensure they’re integrated into a flow of secure suite of products and services.
While there have been a number of high-profile attacks on the healthcare sector recently – like the WannaCry ransomware attack last year that hit hospitals in the U.K. particularly hard – McNeil said that in order to understand events like that, it’s important to take a step back to look at the landscape of the healthcare industry and marketplace. “That particular landscape allows us to know where we stand in regard to other industries. So for example, the healthcare industry, with how it’s designed to maintain solutions in the marketplace, has clearly been a laggard compared to the financial services industry, even though healthcare is considered by most countries to be a critical infrastructure,” he explained.
McNeil said healthcare has the tendency to maintain and elongate the life cycle of the technology the sector uses. That wasn’t necessarily a problem for some solutions when the technology was introduced 15 or 20 years ago because they may have been operating in a contained environment. It wasn’t until connectivity and the need for connectivity increased that the vulnerabilities in those systems became obvious. “What a number of organizations from manufacturers to health delivery organizations have tried to do is to bolt on protocols and abilities to make that communication and connectivity of solutions much more ubiquitous,” McNeil said.
But the problem was that they put a bandage on something that potentially had a deeper wound. As those protocols were added, the possibility that they could hide but not necessarily fix other flaws increased. That means the industry had to continue playing catch-up to keep legacy devices safe and adhere to the appropriate level of performance to head off vulnerabilities, even as the revenue stream for those devices slowed.
That information lead to the question that probably causes sleepless nights for hospital administrators – at what point does it become more financially responsible to buy new technology instead of patching legacy equipment?
It could be argued that the WannaCry attack that wreaked havoc in U.K. hospitals last year had the potential to physically harm patients due to it blocking access to medical records and causing the rescheduling of non-critical medical operations, the harm wasn’t direct. While some experts have warned that it’s possible we could see hacks to pacemakers or other devices that would cause direct harm to people, so far it’s been ransomware attacks and theft of patient information, which all seems targeted at a direct for-profit focus. Regardless of the rationale behind the attacks, the potential financial impact for a compromised hospital or healthcare system is enormous. Consider the cost of a few days’ downtime on one of your heavily-used pieces of imaging equipment. Now multiply that by however many different modalities you have in use every day and consider that financial impact. That’s not even taking into account the hit to your organization’s reputation. So that’s why McNeil urges people to understand where their vulnerabilities are. “So the very first task is that you take an inventory of the equipment and see where you have systems that are still being supported, because you need to know where your exposure is in that particular environment,” he said.
By support, McNeil means you need to know which devices are still being monitored by the OEM or software provider, how often patches are introduced, and what kind of access you have to customer support in case something seems strange. After you’ve done your assessment, he advises you weigh your financial decisions and focus on the higher-risk areas to replace equipment if possible. “Now, for those that can’t be replaced, we need to understand what other isolations and hardening of the systems can be done,” he said.
Still, his main advice when using connected technology is to go with what is supported. “The notion of patches will always be attractive because malware will continue to evolve,” he said.