The importance of cybersecurity in healthcare

Philips is committed to seamlessly and securely connecting the world of professional and personal health, and with that commitment comes the need to continuously assess the security of medical technologies. They must remain safe for patients, with cybersecurity threats appropriately and safely managed.

Michael McNeil, the Global Products and Services Security Officer at Philips, and co-chair of industry group AdvaMed, testified to the House Energy and Commerce Subcommittee on Oversight and Investigations. The topic was “Cybersecurity in the Health Care Sector: Strengthening Public-Private Partnerships.” Michael, in partnership with his colleagues at AdvaMed, developed five foundational principles for the management of medical device cybersecurity, which he emphasized during his testimony:

Medical device development and security risk management

As a medical device manufacturer, we must address cybersecurity throughout the product lifecycle. This includes design, development, production, distribution, deployment, maintenance and disposal of the device and associated data.

System-level security

AdvaMed member companies have developed foundational principles for the management of medical device cybersecurity and believe that medical technology cybersecurity is a shared responsibility among all stakeholders within the healthcare community, including manufacturers, hospitals, physicians, and patients.

Coordinated disclosure

Medical device manufacturers should deploy a coordinated disclosure process that provides a pathway for researchers and others to submit information, including potential vulnerabilities. Coordinated disclosure processes should define the responsibilities of both the manufacturer and researcher. Whenever potential vulnerabilities involving a medical device are discovered, findings should first be brought to the attention of the manufacturer or FDA for review, analysis, and possible remediation.

Information sharing

The industry should share threat and vulnerability information to assist manufacturers in continuously managing their devices’ cybersecurity throughout the product lifecycle.

Consensus standards, regulatory requirements and education

The development of cybersecurity-related consensus standards and regulations should be accomplished collaboratively among regulators, medical device manufacturers, independent security experts, academia and health care delivery organizations. 

We must continue to be a proactive leader in cybersecurity. And we know we can’t do it alone, which is why Michael’s leadership in this area is critical as Philips and industry organizations like AdvaMed work with Congress and the Administration to ensure that the medical technology industry maintains a forward-leaning approach to cybersecurity and device safety.

I applaud Philips' devotion to security and ask you to further your efforts by building strong authentication into your equipment, such as EAP-TLS support.

It's a right time to secure the health
