“Seatbelts don’t work unless they’re used.”

At Becton Dickinson, CISO Damian McDonald’s cybersecurity team makes it easy to adopt critical solutions that keep the medical-tech company safe

Advanced cyberthreats are creeping into the world of health care, and industry players face ever-increasing challenges in keeping them at bay. Today’s hackers don’t just cause mischief; they levy targeted thefts against intellectual property or personal information, and health care is a prime target. “There’s a big need for medical technology in many countries, and hackers are also realizing the value of a patient’s health record,” says Damian McDonald of Becton, Dickinson and Company (BD). With just one medical record, thieves can steal an identity, conduct health-care or insurance fraud, or engage in extortion. Health-care organizations lack robust fraud detection capabilities like those built over time by big credit card companies, which is why security executives like McDonald are building security infrastructures for health care from the ground up.

A global Fortune 500 company, BD develops, produces, and sells medical devices, laboratory equipment, and diagnostic products in more than fifty countries worldwide, serving clinics, labs, health-care institutions, and the general public. With trade secrets, intellectual property, and patient privacy on the line, a well-armed tech team must navigate acute security needs and attacks in the complex and nuanced health-care environment.

“Security can’t come at the end. We’re now embedded into the operational processes. Corrections after the fact are expensive and can shatter customer expectations, so security has to be more than an afterthought.”

As BD’s vice president of global information security—the organization’s CISO role—McDonald has readied a team of proactive IT diplomats who stand on the front lines, putting a face to the department and confronting digital threats. After working in infrastructure, networking, and systems engineering, McDonald came to BD in 2004, when the role was still brand new. “The threat landscape was changing, and I saw the potential of taking security to the next level,” he says. “Previous teams had built a foundation focused on policy, and I wanted to move into strategy and technology while educating the organization on IT security and direction.”

Damian McDonald’s Guiding Principles

Ensure everyone understands their role in security.
All members of a team should know that they are responsible for information security. At BD, McDonald created a security awareness program called “I Am Information Security.” It starts with the CEO and applies to all levels. Everybody has a role in protecting information.

Make security personal.
All employees must grasp and internalize the risks. Security needs to become second nature at home and work. BD accomplishes this through constant communication and education that has value in and out of the office.

Understand the customer impact.
It’s easy to put security controls in place and dictate their use, but that will only get you so far; protections must be usable. “I’d rather have a less effective control that’s widely adopted than a complex control that nobody uses,” McDonald says.

Keep people engaged.
Promote continuous learning to keep the conversation going. “We have excellent leadership engagement and are now focusing on stepping up engagement with middle management and people at all levels,” McDonald says. “Advocates at any level can give you an important entry point to get your message across.”

Since both health care and technology move quickly, responsive teams are critical. McDonald has built his team accordingly. “BD is a learning company, and we underscore the importance of leaders as teachers,” he explains. Since his arrival, BD’s tech team has grown in scope and number to go beyond basic policy and compliance and become more active. The team has implemented security awareness, developed training programs, and crafted an overall strategy for the company that emphasizes everyone’s responsibility for information security.

The key, McDonald says, is taking issues out of the theoretical and grounding them in reality. He’s led the unification of widely distributed security management and operational security processes. He’s also built security analytics and security-operations teams from the ground up. The move has shifted security professionals from the sidelines to the playing field. “Security can’t come at the end,” McDonald says. “We’re now embedded into the operational processes. Corrections after the fact are expensive and can shatter customer expectations, so security has to be more than an afterthought.”

As threats increase, hacking is inevitable. “There are just too many ways for hackers to get in,” says McDonald. “We work with a premise that we will be hacked, and focus on how quickly we can detect hacks to prevent the bad guys from achieving their objective.”  Although perimeter security remains important, BD’s tech pros augment those measures with security analytics and threat modeling. Knowing what bad actors might do with medical information—like creating bio-specific drugs or weapons to target specific individuals—changes McDonald’s approach.

In many cases, security is a business enabler, and part of a CISO’s role is to put the protections in place that will limit losses and enable his or her company to operate safely and effectively. A CISO is also responsible for forecasting trends. “We all saw mobility coming but didn’t respond quickly enough,” McDonald says. “As an industry, we saw some wireless networks melt down from the influx of mobile devices.” At BD, McDonald works to stay in front of developments and lead conversations with business leaders, customers, and vendors. When he selects a vendor, he partners with the company, digs deep on security and privacy issues, and returns to educate customers and business leaders. With the stakes higher, security is involved at the RFP level, and each potential vendor receives clear security expectations up front. McDonald has standardized practices and requirements for data encryption and other security controls.

The upshot of neutralizing constant threats is that it keeps McDonald and BD’s associates on their toes. “Walk into a hospital today and see just how connected everything is,” he says. “Our products are a huge part of that. It’s a different world.” The only way a team like his can protect its company and its customers is to start at the very beginning and work fast. “Our security measures have to make sense, and they have to be easy to adopt. We have to partner with IT to put the right technology in place to drive the right behavior,” McDonald says. “Seatbelts don’t work unless they’re used.”