Workshops > cs-ga-2011

Nicholas J. Mankovich and Leslie Trout

Philips Healthcare

Nick Mankovich leads two worldwide programs for Philips Healthcare: Product Security and Privacy. Each program includes a team of subject matter experts embedded in the businesses and regions. These teams manage product security and privacy compliance programs while addressing policies, requirements and issues in both products and services. Dr. Mankovich directs all elements of privacy compliance within Philips Healthcare. He has been an active participant in the MITA/COCIR/JIRA Security and Privacy Committee, the HIMSS Medical Device Security Workgroup, the HIMSS Medical Device Safety and Patient Safety Task Force, the Medical Device Privacy Consortium, the USA HHS Healthcare Cyber Security Strategy Working Group and, formerly, the HITRUST Executive Board. Over the past five years he has helped create the ISO/IEC 80001-1 international standard for the Application of Risk Management to IT-Networks Incorporating Medical Devices. His work in privacy and security has led to speaking invitations at international symposia on privacy and security, including, most recently, talks at a Stockholm eVirus conference and a Frankfurt risk management standards symposium. He received Information Security Magazine's 2010 Security 7 Award for Healthcare.

Prior to his career at Philips Healthcare, he spent seven years as a research department head with Philips Research, where he led groups working on advanced projects in medical informatics, security/cryptography/privacy, digital video content management, digital rights management and interactive digital television. This corporate work was preceded by 15 years in medical imaging, including hospital management positions in medical informatics and radiological engineering. Dr. Mankovich has also held academic appointments in Biomedical Engineering at the University of Iowa, in Radiological Sciences at the UCLA School of Medicine and in Computer Science at the University of New South Wales in Sydney, Australia.

Medical Devices and Cybersecurity Protection
The diagnosis and treatment of disease rely on data collected and shared between highly sophisticated IT-based network devices. Medical devices can range from simple sensors to complex networked IT systems, including wireless or wired bedside monitors, laboratory IT systems, imaging systems, pharmacological dispensing systems, and systems to manage medical records, admission, discharge, or transfer of patients. Over the past 15 years an increasing number of medical devices have incorporated commercial components such as Oracle or SQL databases and have been built upon commercial off-the-shelf operating systems such as Windows or Unix. Because these components are shared with general-purpose IT, their use can make medical devices vulnerable to the same broad cybersecurity attacks.
This paper presents a broad overview of the current approaches to cybersecurity in medical devices, including:
* the provision of security controls by manufacturers,
* the application of external controls by healthcare organizations,
* the lifecycle management of commercial off-the-shelf software in response to emerging threats, and
* the use of risk management standards to encourage partnership among healthcare delivery organizations, medical device manufacturers, and IT vendors.
We will present some recent standards and industry groups created to improve the management of cybersecurity in medical devices. Examples of the impact of some widespread cybersecurity exploits on medical devices and healthcare delivery will be given, and discussion will be encouraged on how advances in other cybersecurity sectors can be brought to bear on improving healthcare.