Royal Philips’ Michael McNeil Gets Candid About Cybersecurity

Michael McNeil is not interested in playing nice when it comes to cybersecurity. As the head of global product security and services with Royal Philips, it’s his job to ensure that their devices are protected against cyber-intrusions. Despite his title, he’s the first to admit the industry is ten to fifteen years behind when it comes to cybersecurity.

“I will be candid because by being candid, it allows us to help accelerate and move the industry in the right direction,” McNeil said of his observations about healthcare’s cybersecurity lag behind other sectors.


The Department of Homeland Security issued more medical device vulnerability warnings in the past fiscal year, 29 advisories in total, than in the last five years combined (23 advisories). In a February 2019 report, Moody’s Investors Service ranked hospitals as one of the sectors at highest risk for cyberattacks.

After a big push to be more wireless and interconnected, hospitals are now realizing that their new technology may be the moving target that cyber-attackers are seeking out. Many providers are now balking at the same devices they actively sought out months before and have put the onus back on manufacturers to provide more information about how they are hack-proofing their products.

McNeil has long advocated for more partnerships between private and public organizations and the importance of information-sharing within the industry. He states that cybersecurity can’t just be a problem for makers of medical devices. Collaboration with hospitals, manufacturers, regulatory agencies and other key stakeholders is critical, McNeil believes, for complete end-to-end protection for patients and their healthcare providers.

“In a connected, interoperable healthcare system, the potential for exposure to vulnerabilities and attacks is significant,” McNeil wrote in an article. “Integrating product security into new product development and consistently deploying product security processes across the portfolio sets the stage for a manageable future.”

McNeil holds a bachelor’s degree in marketing from the University of Illinois at Urbana-Champaign and an MBA from Northwestern University. He started his career in leadership positions in product development and management, but that shifted in 1997 when he took a position with Reynolds & Reynolds. Part of his responsibilities there was creating the company’s privacy position on how customers’ data was accessed, managed and stored, both offline and online.

“I started out in telecommunications, which dealt with a lot of data solutions and product offerings,” McNeil said in an interview. “I then moved into the healthcare space, developing medical and surgical products and devices. I previously worked as the global chief product and privacy security program officer for Medtronic. I’ve also had security roles and responsibilities at Liberty Mutual and Pitney Bowes.”

When McNeil considers what the most important issue would be on any day, he believes patient safety should be at the top of the list. “We need to understand how security threats could impact the solutions we offer to the patient, because the integrity of the data and the information could have implications around the accuracy of the diagnosis and the treatment that they’re getting.”

Philips’ implantable medical devices such as defibrillators, pacemakers, and insulin pumps have become high-profile security concerns because of their new capabilities to transmit and receive information and instructions. But large health organizations and institutions running on legacy software also remain tempting targets for cyber-attackers looking to disrupt systems on a bigger scale.

“Hospitals are really trying to clean up their environment,” McNeil said of his clients’ efforts. “They’re trying to work with the manufacturers to identify legacy solutions out there…[and] bring them up to a higher standard. We’re seeing a lot more specialization around information security systems within the hospital network than what we might have had before.”