For Philips, a global leader in health technology with a purpose to improve the lives of 2.5 billion people a year by 2030 through innovation, transparency is fundamental to everything it does. It is why it publishes Environmental, Social and Corporate Governance (ESG) targets on issues such as sustainability, taxation, and access to care, together with transparent plans and metrics to gauge success, and why it is equally transparent in the way it deals with any potential security vulnerabilities in its products and services. Philips’ Coordinated Vulnerability Disclosure (CVD) program is the company’s formal process to proactively assess, mitigate, and remediate such vulnerabilities. It is a voluntary and publicly accessible program for collaborating with customers, security researchers, regulators and government agencies to help identify, address, and disclose potential security vulnerabilities in a safe and effective manner. The program is fully aligned with the U.S. Food and Drug Administration (FDA) Post-Market Guidance requirements for the awareness and remediation of potential system security vulnerabilities, and is widely recognized as best practice by industry associations, regulatory and other government agencies, the security research community, and Philips customers.
Philips’ Coordinated Vulnerability Disclosure (CVD) program includes defined procedures, including encryption capabilities, for the safe and efficient submission of vulnerability reports by external parties and their ongoing support. In response to product security vulnerability reports, the company commits to taking the following actions:

Transparency
Remediation
After analyzing a potential vulnerability, Philips publishes its Coordinated Vulnerability Disclosure findings on the Philips Product Security web page, also sharing them with the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), which posts product security disclosures on its own website.

In every country it operates in, Philips meets or exceeds all regulatory requirements on disclosure, as well as actively contributing to the development of international standards for healthcare data security. For example, it is a charter member of the U.S. Department of Health and Human Services (HHS) Cybersecurity Taskforce and is actively involved in standards-setting organizations such as the ISO and IEC. Philips also openly encourages vulnerability testing by security researchers and customers, building an environment of reciprocal trust through responsible reporting mechanisms.

There is a widespread consensus in the healthcare industry that the digitalization of health is key to delivering the quadruple aim of improved patient outcomes, enhanced patient and staff experiences, and lower cost of care. In the pursuit of those recognized benefits, Philips is committed to maintaining the highest standards of safety, security, quality and performance in its products and services.

For more information about Philips’ cybersecurity efforts, visit the Philips Product Security web page and read our Product Security Statement and Philips Cybersecurity White Papers.

* Philips will use existing customer notification processes to manage the release of patches or security fixes, which may include direct customer notification or public release of an advisory notification on the Philips website.