Mobilizing Change: The Development of Medtronic's Global Security Program


(1)

Mobilizing Change: The Development of

Medtronic’s Global Security Program

December 2013

Michael McNeil

(2)

Global Leader in Medical Technology

• 9,000+ scientists and engineers around the world

• $16.2B FY12 global sales from continuing operations, which generate $3.9B in free cash flow*

• 45,000+ employees, making us the largest global medical technology company

• 2,050+ FY11 patents awarded, bringing our total worldwide to more than 23,000

(3)

Serving the World’s Major Geographies

• Latin America
• Middle East/Africa
• Central/Eastern Europe
• Greater China
• South Asia
• United States
• Asia Pacific
• Western Europe/Canada

Countries: 120+. Locations: 300+.

(4)

Consistent Sales Growth Worldwide

Chart: worldwide sales by year, labelled $1B (1992), $2B (1997), $6B (2002), $12B (2007) and $16B (2012).

(5)

Patient care and safety always come first.

Our ongoing risk assessment and management determines the security controls.

(6)

Charter & Vision

Security Charter:

The Medtronic Security Governance Committee has been empowered by the Executive Committee to identify, mitigate and respond to risks associated with overall security, protect patient safety, company assets and reputation, and generally govern the overall security program. The security program includes people, privacy, data, product and physical security. This committee’s governance responsibilities include security-related:

– Risk assessment and management
– Regulations compliance
– Resource allocation and prioritization
– Strategy, roadmap and execution oversight
– Policy assessment and management
– Incident response management
– Internal and external communication

Security Vision:

To be recognized as the global leader in security within the medical device industry for protecting our patients, our people, our products and our

(7)

Ubiquity of Mobile Devices & Initiatives

Medtronic has been effective in reacting to demand and providing solutions. Demand will continue to grow.

(8)

Program

Governance
• Policies
• Standards
• Requirements

Controls
• Mobile Device Management
• Security Requirements
• Encryption

Environment
• Application Development
• Corporate Devices
• BYOD
• SSO

Evaluation
• Verification
• Validation
• Testing

Maintenance
• Monitoring
• Metrics
• Audit

(9)

Governance/Advisory Groups

Medtronic Committees/Councils

• Security Steering Committee

• Global Privacy & Security Council

• Global Technology Council

• Cloud Computing Governance Council

Medtronic Working Groups

• Product Security Team

• Legal/Regulatory Working Group

Professional Industry Affiliations

• Medical Device Privacy Consortium (MDPC)

• Medical Device Innovation, Safety & Security Consortium (MDISS)

• Association for the Advancement of Medical Instrumentation (AAMI)

(10)

Security Platform – Data Protection Controls

1. Medtronic Directory
• User must be enrolled in the directory
• User must authenticate

2. Mobile Device Management
• User mobile device must be enrolled and managed by MDT Mobile Device Management's policies

3. Medtronic App Market
• User may download and install Apps
• Market Apps based on Group Profile

4. Mobile Content Management
• User receives Content only after first three steps
• User access can be revoked via directory
• Device can be remotely managed and erased if required
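As an added illustration (not Medtronic's code or architecture), the four gates on this slide can be written as one fail-closed policy check: directory, then device management, then app entitlement, and only then content release, with revocation applied at the directory so it cuts off everything downstream. The classes, function names and the sample user, device and app below are all assumptions.

```python
# Added example, not Medtronic code: the four gates of the "Data Protection
# Controls" slide (Directory -> MDM -> App Market -> Content) modelled as a
# fail-closed policy decision. All names below (User, Device, App,
# decide_content_access, revoke_user, remote_wipe) are assumptions.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    in_directory: bool          # gate 1: enrolled in the Medtronic directory
    authenticated: bool         # gate 1: has authenticated this session
    groups: frozenset           # group profile used by the App Market
    revoked: bool = False       # directory-level revocation switch


@dataclass
class Device:
    device_id: str
    enrolled_in_mdm: bool       # gate 2: enrolled in Mobile Device Management
    policy_compliant: bool      # gate 2: currently managed by MDM policy
    erased: bool = False        # set by a remote wipe


@dataclass(frozen=True)
class App:
    name: str
    allowed_groups: frozenset   # gate 3: group profiles entitled to this app


def decide_content_access(user: User, device: Device, app: App):
    """Return (allowed, reason). Gates run in slide order and the first
    failing gate short-circuits, so content is released only when all
    three earlier steps hold (the slide's "only after first three steps")."""
    # Gate 1: Medtronic Directory
    if not user.in_directory:
        return False, "directory: user not enrolled"
    if user.revoked:
        return False, "directory: access revoked"
    if not user.authenticated:
        return False, "directory: user not authenticated"
    # Gate 2: Mobile Device Management
    if device.erased:
        return False, "mdm: device has been remotely erased"
    if not (device.enrolled_in_mdm and device.policy_compliant):
        return False, "mdm: device not enrolled or not policy-compliant"
    # Gate 3: App Market entitlement by group profile
    if not (user.groups & app.allowed_groups):
        return False, f"app market: {app.name} not offered to user's group profile"
    # Gate 4: Mobile Content Management releases content
    return True, f"content: {app.name} content delivered to {device.device_id}"


def revoke_user(user: User) -> None:
    """Revocation happens at the directory, the first gate, so it cuts off
    every later step without touching the device or app layers."""
    user.revoked = True


def remote_wipe(device: Device) -> None:
    """MDM remote erase: the device drops out of gate 2 from now on."""
    device.erased = True


if __name__ == "__main__":
    # Constructed sample data (assumption, not from the slide)
    rep = User("rep", True, True, frozenset({"sales-crdm"}))
    ipad = Device("ipad-001", True, True)
    crdm_app = App("CRDM LaunchPad", frozenset({"sales-crdm"}))
    print(decide_content_access(rep, ipad, crdm_app))
    revoke_user(rep)
    print(decide_content_access(rep, ipad, crdm_app))
```

The ordering matters: because the directory is checked first, a single revocation there denies content on every device the user holds, which is what makes "access can be revoked via directory" a complete control rather than one that has to be repeated per device or per app.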

(11)

Privacy Statement

Provides notice to users

• Covers collection, use, access, disclosure, storage, retention

• Make it readable

• Provide opportunity for questions

Terms of Use

Secure agreement from user, as needed

• Type/volume of data can define spectrum, from notifying user to obtaining affirmative consent

Transparency

Make it available – we want users to know our privacy practices

• Put Privacy Statement and Terms of Use on website, rather than relying on mobile phone screen

• Consider special notices for sensitive information

(12)

Security Standards – Building in Security

Understand your Data

• Know your data & obligations

• Different requirements and enforcement for different data classifications

• Know your data lifecycle

• Creation, Read, Update and Deletion (CRUD)

• Know your data flows

• Where it goes, where it rests, where it can leak

Identify threats to the data (Top Four)

• Insecure Storage

• Insecure Network Communication

• Improper Session Handling

• Weak Server Side Controls

Recommended Links

• Build Security in Maturity Model – BSIMM 4
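The slide's advice (classify the data, follow it to where it rests and where it can leak, then check it against the top four threats) can be turned into a small review routine. The following is an added example, not Medtronic's code or a BSIMM artefact: the node and flow classes, the classification threshold and the sample environment are all constructed assumptions, and the checks are a deliberately simple mapping of each threat to one missing control.

```python
# Added example, not Medtronic code: a small data-flow review that applies the
# "Understand your Data" and "Top Four" threats of this slide. It classifies
# each flow, follows the data to where it rests and flags the four threat
# classes. Every name (Node, Flow, review_flows, leak_surface) and the sample
# flows are constructed assumptions.
from dataclasses import dataclass
from typing import List, Tuple

CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "sensitive": 3}
PROTECT_FROM = "confidential"   # assumed threshold: these classes need controls


@dataclass(frozen=True)
class Node:
    name: str
    kind: str                        # "device" or "server"
    encrypted_at_rest: bool          # e.g. platform or database encryption
    server_side_authz: bool = True   # server enforces access checks itself


@dataclass(frozen=True)
class Flow:
    data: str                    # what is flowing, e.g. "training record"
    classification: str
    source: Node
    sink: Node
    tls: bool                    # transport encrypted in flight
    session_validated: bool      # sink validates an expiring session token


def needs_protection(flow: Flow) -> bool:
    return CLASSIFICATION_RANK[flow.classification] >= CLASSIFICATION_RANK[PROTECT_FROM]


def review_flows(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (data, threat, detail) findings for flows that carry data at or
    above PROTECT_FROM. Lower classifications pass without findings, which is
    the slide's "different requirements for different data classifications"."""
    findings = []
    for f in flows:
        if not needs_protection(f):
            continue
        if not f.sink.encrypted_at_rest:
            findings.append((f.data, "Insecure Storage",
                             f"{f.sink.name} stores {f.classification} data unencrypted"))
        if not f.tls:
            findings.append((f.data, "Insecure Network Communication",
                             f"{f.source.name} -> {f.sink.name} without TLS"))
        if f.sink.kind == "server" and not f.session_validated:
            findings.append((f.data, "Improper Session Handling",
                             f"{f.sink.name} accepts requests without session validation"))
        if f.sink.kind == "server" and not f.sink.server_side_authz:
            findings.append((f.data, "Weak Server Side Controls",
                             f"{f.sink.name} relies on the client to enforce access"))
    return findings


def leak_surface(flows: List[Flow]) -> List[str]:
    """Every node that ever holds protected data: where it rests, where it can leak."""
    nodes = set()
    for f in flows:
        if needs_protection(f):
            nodes.update({f.source.name, f.sink.name})
    return sorted(nodes)


# Constructed sample environment (assumption, not from the slide)
IPAD = Node("field iPad", "device", encrypted_at_rest=True)
OLD_TABLET = Node("unmanaged tablet", "device", encrypted_at_rest=False)
CONTENT_API = Node("content API", "server", encrypted_at_rest=True)
LEGACY_API = Node("legacy sync API", "server", encrypted_at_rest=False, server_side_authz=False)

SAMPLE_FLOWS = [
    Flow("marketing brochure", "public", CONTENT_API, OLD_TABLET, tls=False, session_validated=False),
    Flow("physician contact list", "confidential", CONTENT_API, IPAD, tls=True, session_validated=True),
    Flow("physician contact list", "confidential", IPAD, LEGACY_API, tls=False, session_validated=False),
    Flow("training record", "sensitive", CONTENT_API, OLD_TABLET, tls=True, session_validated=True),
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
    print("leak surface:", leak_surface(SAMPLE_FLOWS))
```

Run against the sample environment, the public brochure produces no findings at all, the well-controlled confidential flow to the managed iPad is clean, the legacy sync path trips all four threat classes, and the leak surface lists every node that protected data ever touches, including the unmanaged tablet that is otherwise easy to forget.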

(13)

Security & Compliance

Authentication

• Leverage single sign-on

• Session management

• Device certificates

Authorization

• Existing Lightweight Directory Access Protocol (LDAP) system queried by Active Directory groups

Encryption

• SSL for data transmission

• iOS native encryption for data at rest

• Application/database encryption for highly sensitive data (e.g. mSTAR)

App Security Controls

• Metadata, API & Xcode control document access on the iPad

• Includes options such as: internal & external, online only or downloadable, expired or revoked

• Use of content in-app via Omniture API & WebCenter version control tracking

• Urban Airship used to track app install retention and length of time an app is open

(14)

Medtronic App Market, iTunes & Google Play

Externally Facing Apps

• 38 apps in iTunes globally

• 2 apps in Google Play globally (Android)

Medtronic App Market (Internal):

App Type             Corp  CRDM  CV  Diabetes  Neuro  Spinal  ST  Total
iPad Apps               6    25  32        24     45      18  19    168
iPhone Apps             0     3   1         2      0       0   0      6
Webclips                6     3   3         7      4       3   5     31
iTunes Market Links     5     0   0         4      1       1   1     12
Total                  16    31  36        37     50      22  25    217

(15)

iTunes App Statistics

Chart: downloads of externally facing applications per year (in thousands, axis 0 to 40) for 2011, 2012 and 2013.

January & February = 9,564

(16)

mCMS (mobile Content Management System)

Overview

• Provide the most current electronic marketing, sales materials, training materials, graphic elements to Medtronic personnel globally via the iPad platform.

Benefits

• Innovate interaction with physicians & patients

• Improve impact of content presentation / delivery

• Understand use of content (who, how, when, where, sharing)

• Offline access to content via engaging mobile device

• Eliminate laptop boot times / bland file system storage

• Remove cost of developing multiple solutions across BUs / regions

• Reduce spend on content print, delivery and administration

(17)

Diagram (21 September 2012): mCMS content flow. Content sources shown: Diabetes Education Continuum, Catalyst (In Progress), AF Solutions, Cryo, CRDM LaunchPad, Coronary 3.0, Endo Global, RDN INT, SH LaunchPad, ITB Therapy, PainStim, InterStim, TIPS; central mCMS Content DB; delivery via the Content App Market and iTunes (Endo Newsletter).

(18)
(19)

Focus Today -- App Developers

Starting Point: Same questions as for any other system

• What Data?

– Medtronic Personal Confidential? Sensitive data?

– Minimum Necessary: Do we need the data? Does the user need the data?

• Data Access/Use/Sharing?

– MDT?

– Third parties?

• Where will the data reside?

• How long will we need the data?

(20)
(21)
(22)

Challenges

• Technology

– Complexity of Environment

– How we secure information on our devices

– Ability to identify and wipe only Business Data

• Policy & User Agreement

– Laws differ State-to-State

– Varying position by country

– Affirmative “consent” must be revalidated at least annually

(23)

Challenges

• FDA Mobile Medical Application (MMA) Guidelines:

– Due to publish around September 2013

– Guidance will explain FDA’s intentions to apply its regulatory requirements to a subset of mobile applications

– Enterprise Mobility is working on defining the process to validate these Mobile Medical Applications

• Keeping up with business demand (sales/marketing)

– Changing requirements
