Protecting Philips Healthcare From Cyber Threats
January 15, 2018 • Amanda McKeon
Philips is a company with a long, storied history, going back over 120 years, and many technological achievements to brag about. From light bulbs to radios, consumer devices like electric shavers, the compact cassette, and the co-invention of the compact disc along with Sony, they’ve been an innovative, influential company for generations.
These days, Philips primarily focuses on healthcare, and they employ over 100,000 people in 60 countries.
Praveen Sharma is one of those employees, and our guest today. She’s the director of the cyber research and development center at Philips Healthcare, where she leads a team responsible for developing in-house tools and concepts that help Philips rapidly detect and respond to existing and emerging threats. She is also responsible for looking at the cyber technologies that are on the horizon and the risks of these technologies to Philips.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us. I’m Dave Bittner from the CyberWire, and this is episode 39 of the Recorded Future podcast.
Philips is a company with a long, storied history, going back over 120 years, and many technological achievements to brag about. From light bulbs to radios, consumer devices like electric shavers, the compact cassette, and the co-invention of the compact disc along with Sony. They’ve been an innovative, influential company for generations. These days, Philips’ primary focus is healthcare, and they employ over 100,000 people in 60 countries.
Praveen Sharma is one of those employees, and our guest today. She’s the director of the cyber research and development center at Philips Healthcare, where she leads a team responsible for developing in-house tools and concepts that can help Philips rapidly detect and respond to the existing and emerging threats. She’s also responsible for looking at the cyber technologies that are on the horizon and the risks of those technologies to Philips. Stay with us.
I have a degree in computer science from Iowa State University. From there, I spent some time — almost eight years — at BBN Technologies, where most of my work was related to the government contract. So, cutting-edge, innovation-related work for the Department of Defense, and specifically, DARPA. From thereon, I moved to the MIT Lincoln Laboratory. That’s where I got into cybersecurity. So, I worked, again, for the Department of Defense in different roles and increasingly took more leadership positions.
I primarily worked for the Department of Homeland Security where I was one of the panelists in evaluating their cybersecurity programs, as well as different cybersecurity programs for Department of … It’s called DISA, Defense Information Systems Agency, which is equivalent to ISP for DoD. From thereon, I got an opportunity to create and lead this group at Philips Healthcare.
Take us through that. What prompted Philips to decide that this was something that they needed to spin up, and then, how did you become a part of it?
Philips was getting aware of cybersecurity, and cyber preparedness became one of their 10 or so good priorities. Philips has two different parts of cybersecurity. One is the part that’s taking care of their IT cybersecurity, and one that is taking care of product cybersecurity.
As a part of this whole cohesive vision that Philips wanted to move ahead, they wanted to do in-house research and development, and they wanted to set up the entire team, again, in-house, to protect their assets.
Describe for us your team, the types of things that you handle, and the scope of the job that you all have been tasked with performing.
What I do and what my team does is we try to look at emerging threats and try to develop in-house technologies to rapidly detect and respond to those threats. Examples of those would be some of the threats that take place via social media, for which you either do not have a vendor that can provide a solution, or a vendor that can rapidly provide a solution. Or if it were to provide a solution, it would need Philips’ data and it would take a long time. That was one of the several mandates that I had.
Other responsibilities that my group was tasked with — which were not directly related to innovation or research and development per se, but fed into that — included conducting red team exercises and penetration testing on our IT systems, IT networks, and Philips products so that we are better prepared before and figure out vulnerabilities, and try to fix those vulnerabilities before an adversary can even find those.
Another responsibility — a big responsibility — is to scan for the technologies on the horizon and what risks those technologies present to Philips, and how we can mitigate those risks. And yet another responsibility includes working closely and coordinating and collaborating with my peer groups, which is the security operations center, which is the risk and compliance group, which is the threat intelligence group.
I also develop a lot of technologies to assist our threat intelligence group, which also includes our equivalent part of product security. And there’s one more group, legal and compliance. So, we work together, these different groups work together to hopefully protect Philips.
It’s a big job. Philips is a big company, over 100,000 employees, a global company with a long history. The company’s over 100 years old. How do you break that large mandate into small, manageable pieces? With the many different departments that you have to interact with, with the many different technologies that Philips uses and manufactures, how do you manage breaking it up into pieces that are manageable?
We have clearly defined our roles and responsibilities of each group, and then we coordinate. The security operations center is my peer organization, and the risk and compliance group is my peer organization, so we have defined clear roles and responsibilities in terms of what each of our groups will do, and then we collaborate with each other.
As an example, we monitor all of Philips — their system logs, their endpoint device logs, and any event that takes place is already available to our security operations center. That I have visibility to. And if there is something that they’re struggling with, then I jump in in terms of providing them in-house solutions quickly.
We have a system and process set up that we work with each other, figure out what’s going on, on a weekly and monthly basis.
What is the rationale for developing in-house tools versus bringing in tools that are more off-the-shelf?
Philips has been asking that question themselves, too. Rapid development, prototyping a development is one reason. Quickly addressing the problem as it arises, that’s another one, and then the third one I have mentioned — cost is definitely another — but the last one is that there are emerging threats.
As an example, as I mentioned earlier, some threats take place via social media. Again, for this example, I don’t want to go on record, but there are threats that take place that you do not really have solutions for, or they’re not available right away and you really have to act quickly. In addition, like I said, we, as Philips, wanted an in-house group that’s going to look at different Philips technologies across the board and figure out what technologies present cyber risks to Philips, per se.
I see. Of course, healthcare is a major focus of Philips. So are the products that you manufacture and the services you provide. How do you balance security along with privacy?
That is a difficult and interesting question. Yes. Philips is a European company based in Amsterdam, so they have been following strict rules for data protection and data privacy, and those rules are getting even more stringent with GDPR.
Yes, we have very stringent, well-defined protocols and procedures to access data. Even if there’s an incident, we have to define exactly what that use case is going to do, and then how and what kind of data will be needed to address that use case, and then, of course, how I’m going to clean up the data and how I’m going to make sure that I have only the parts of the data that’s needed to develop the capability and curate the data, if you will. So, this is on the IT side. Likewise, on the product side, we also have, again, different standards and protocols that we really closely adhere to.
Now, when something bad happens … When a vulnerability is discovered in one of your systems or a breach occurs, what’s the process? What are the protocols for determining what to do next when something like that happens?
This is part of our security operations group. Depending on if that vulnerability or that incident or that breach took place on the IT side or on the product side … But nonetheless, what’s common between the two groups here … We have a crisis management team. The first thing is that our operation team gets on board. They quickly try to figure out what’s happening, and then our crisis management team and our legal and operations also support them.
As an example, there are things that you’ve already heard about — several vulnerabilities. And seeing these vulnerabilities that have been found, for example, on Philips products, we also have a responsible disclosure process in place, so we follow that and make sure that those, for example, vulnerabilities, in this case, are reported to ICS-CERT.
We follow up with the third-party vendor who has reported these vulnerabilities, and then we follow up and mitigate those. There are two different protocols: how we address the product side of breaches or vulnerabilities, and the IT side of breaches and vulnerabilities.
I see. It sounds to me like the planning that you do ahead of time, the proactive work that you do, keeps you from being in sort of a crisis situation when things do happen.
It does help us handle crises gracefully, most of the time.
What part does threat intelligence play in the work that you do?
Before I can answer that, let me give you some idea about what Philips’ landscape is like and what assets we are trying to protect, and then I’ll answer that question. Philips has several products and services. We have products in connected care and health informatics. We have products in diagnostics and treatment, like big MRA images, ultrasound images, and X-ray machines that you see in the hospitals. Then, we have personal healthcare products that we are trying to protect, like baby monitors, air purifiers, sleep and respiratory care products.
On the IT side, we have our assets, like our devices, networks, all across the world. We have Philips products and IT assets across 100 countries, and then we have these third-party vendors like systems and support, sales, distribution, mails, HR, finance, and so on. And then we regularly have these assets that we acquire, both on the product side, IT side, as well as services side, through mergers and acquisitions.
We also have different patents — almost 58,000 patents — and Philips spent almost two billion dollars on R&D of its total, close to four billion of revenue. And then we have people. From the threat intel perspective, we are trying to protect our products. We are trying to protect our IT assets, our suppliers’ information, mergers and acquisition assets, our IP, and our people.
What do we do? We have divided our threat intel into three categories. On the technical side, we work very closely with our security operations center and work proactively, as well as respond to any event.
In proactive cases, we regularly scan the dark web. We regularly scan the internet, social media, the chatter that we can find, and see if any of those media mention Philips products or IT assets that can lead to Philips products, IT assets, and our patents. Or people, in this case. People that are either executives or people who are in the position, who have money, and would be a potential target. In the case of responding, we figure out if an incident has taken place. We go and try to resolve those incidents.
On the strategic side, we, again, proactively look around for events in the world and any political upheaval or incident that can potentially harm any of Philips’ assets. Then, we take a note of that, and yeah, so, we do rely on different tools and we do provide in-house technologies.
That’s essentially how we address threat intelligence.
Now, as a manufacturer, how do you handle the potential vulnerabilities that could come through your supply chain?
Like any other medical device manufacturer, we have found our own vulnerabilities. As an example, we did find vulnerabilities in insulin pumps, pacemakers, and PACS systems that store X-rays and MRI images and baby monitors. Of course, that was reported by Rapid7.
What we do is we work very closely with the vendor. We follow a process — what we call a “responsible disclosure.” We report these vulnerabilities to ICS-CERT, and we very aggressively try to fix these vulnerabilities. And since these medical devices are used in the operations most of the time, we have to validate and verify before these vulnerabilities can be … After fixes can be actually made to this device operation in the hospital.
Now, when you’re looking ahead at the horizon, at the future, the products that you’re developing, what do you see as being some of the primary concerns in terms of threats that you might have to deal with?
Some of my concerns are quite fundamental, actually, unlike what most people are worried about, like emerging technologies like IoT. They’re definitely a concern, but some of the things that I need to take care of include technologies that perhaps have multiple users.
The technologies, as an example: If a technology is used in space and is also used in the Marines, if those technologies are used in any of the Philips products, then I need to make sure that I am aware of those to really get a grasp of where Philips is heading, and to align my work with Philips’ research and development work.
My other concerns are some of the leaks that happen. These are inadvertent attacks, but leaks, for example, the attacks that we saw from ransomware. They are particularly disastrous, or harmful, or pernicious for Philips, especially because we do run all of our operating systems.
In fact, one of the articles in Unix 2016, Kevin, who had these statistics about the number of operating systems, all the operating systems in the hospital … His statistics mentioned that in one of the hospitals, there were 600 Windows XP with no security patches. So, these ransomware are definitely going to hit the medical device industry harder, so we really have to figure out how we can take care of — if there’s a ransomware attack — how we can protect ourselves from that.
Another concern that I have is the user, simple user configuration matters, and we have seen these repeatedly, specifically, in the cases of cloud security. Just like any other enterprise, Philips is gradually migrating towards clouds. All of our data centers are migrating towards clouds, and with that, our devices are not just controlled by the privileged users, but also by regular users, so the chances of misconfigurations are really, really higher.
In fact, in December 2017, I remember seeing a major breach in the healthcare industry because one of the Amazon components called an S3 bucket was left open. So, as simple as that. That does keep me awake at night.
The other thing that concerns me is these medical device vulnerabilities, and I know we talked about this before. We’re seeing an increasing number of vulnerabilities in medical devices for several reasons. Of course, with any systems, there are going to be holes, and medical devices are no exceptions. But medical devices also have a longer lifecycle, and so some of the medical devices that we are seeing today were designed 10 years back.
In addition, that security was not necessarily the prime objective. Safety and perhaps availability and integrity was the main objective, so they are always going to have vulnerabilities. Unlike other sectors, we cannot just go and fix these vulnerabilities. We cannot just apply patches. We have to go through the process of validation and verification before we apply these patches, especially because these devices do sustain life and support life.
When you look at the landscape, the way things are right now in terms of the risks and the vulnerabilities and our ability to protect ourselves against them, do you feel as though we’re gaining on the problem? Do you feel as though we’re losing ground on the problem, or we’re just holding our own? Where do you think we stand?
As long as we have some information, the adversary will always come after us. In the case of Philips, we do have patient data, which is really considered valuable in the marketplace. We also have an IP that if a nation state gets access to, will have economic advantage. So no, this is not going to get over. It’s just that we are getting a better handle on things. We are in continuous monitoring and diagnostics, and we are proactively monitoring, using threat intelligence for things that might come our way, so we can really respond and recover more quickly than we were able to in the past.
I think one of the things that is helping us — helping all of us, in fact — and helping all the sectors move forward and make better progress in the cyber domain, is that we have started to share information with each other. There’s an increasing awareness, collaboration, between government and academic communities. That’s a good one. That’s going to help us.
The thing that’s both going to help us and will also be an obstacle in our path would be these regulations and policies in different countries. On one side, it’s supposed to protect data, and so they’re trying to help people. But on the other side, they’re making it relatively difficult, at least in my case, to develop in-house technologies.
When I came to Philips, what was so different from what I saw at Lincoln Laboratory, for example, was the suppliers. We had so many suppliers, and I think, to some extent, you had to refer to them by supply chain, because there are some people who are performing the part of the activity that we do not have control on. Not control, but at least … We do have to rely on and depend on them, so yes, our security totally relying on how secure our third-party suppliers are definitely was very unique to me.
Another thing that was unique was that there are different policies and regulations. Unlike the Department of Defense or the academic world, which I was used to, I could not just get access to anything at any time I wanted. We have to go through certain protocols and procedures and laws, and what has to be done, where that was unique … That is what distinguished what I have been doing, and what we’re doing now at Philips.
Our thanks to Praveen Sharma for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online.
The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. This show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.