
Nov 30, 2021

Philips and cybersecurity - going above and beyond to identify, assess and remediate risk

Philips’ Coordinated Vulnerability Disclosure (CVD) program ensures the highest levels of transparency in dealing with potential security vulnerabilities in the company’s products and services

For Philips, a global leader in health technology with a purpose to improve the lives of 2.5 billion people a year by 2030 through innovation, transparency is fundamental to everything it does. It is why it publishes Environmental, Social and Corporate Governance (ESG) targets on issues such as sustainability, taxation, and access to care, together with transparent plans and metrics to gauge success, and why it is equally transparent in the way it deals with any potential security vulnerabilities in its products and services.

 

Philips’ Coordinated Vulnerability Disclosure (CVD) program is the company’s formal process to proactively assess, mitigate, and remediate such vulnerabilities. It is a voluntary and publicly accessible program for collaborating with customers, security researchers, regulators and government agencies to help identify, address, and disclose potential security vulnerabilities in a safe and effective manner. The program is fully aligned with the U.S. Food and Drug Administration (FDA) Post-Market Guidance requirements for the awareness and remediation of potential system security vulnerabilities, and is widely recognized as best practice by industry associations, regulatory and other government agencies, the security research community, and Philips customers.

Defined vulnerability disclosure processes and commitments

Philips’ Coordinated Vulnerability Disclosure (CVD) program includes defined procedures, including encryption capabilities, for the safe and efficient submission of vulnerability reports by external parties and their ongoing support. In response to product security vulnerability reports, the company commits to taking the following actions:

 

Transparency

  • Acknowledge receipt of a report within two business days
  • Provide the submitter with a unique tracking number for their report
  • Assign a Philips contact person to the case
  • Notify the appropriate Philips product/service teams
  • Keep report submitters informed on the status of their report
  • If the vulnerability is in a third-party component that forms part of a Philips product/service, refer the report to the relevant third-party and advise of that notification


Remediation

  • Verify the reported vulnerability
  • Work on a resolution
  • Perform QA/validation testing on the resolution
  • Release the resolution*
  • Share lessons learned with relevant development teams

After analyzing a potential vulnerability, Philips publishes its Coordinated Vulnerability Disclosure findings on the Philips Product Security web page, also sharing them with the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), which posts product security disclosures on its own website. In every country it operates in, Philips meets or exceeds all regulatory requirements on disclosure, as well as actively contributing to the development of international standards for healthcare data security. For example, it is a charter member of the U.S. Department of Health and Human Services (HHS) Cybersecurity Taskforce and is actively involved in standards-setting organizations such as the ISO and IEC. Philips also openly encourages vulnerability testing by security researchers and customers, building an environment of reciprocal trust through responsible reporting mechanisms.  

 

There is a widespread consensus in the healthcare industry that the digitalization of health is key to delivering the quadruple aim of improved patient outcomes, enhanced patient and staff experiences, and lower cost of care. In the pursuit of those recognized benefits, Philips is committed to maintaining the highest standards of safety, security, quality and performance in its products and services.    

For more information about Philips’ cybersecurity efforts, visit the Philips Product Security web page and read our Product Security Statement and Philips Cybersecurity White Papers.

 

* Philips will use existing customer notification processes to manage the release of patches or security fixes, which may include direct customer notification or public release of an advisory notification on the Philips website.


Contact

Mario Fante

Philips Global Press Office

Tel: +1 603 560 9226

Martijn van der Starre

Philips Global Press Office

Tel: +31 6 2847 4617
