Product Privacy and Cybersecurity

Partnering with our customers to deliver secure products and services

At Werfen, we take product privacy and cybersecurity challenges very seriously and are committed to continuously transform our organization to address these. We strive to protect our clients against threats that could compromise our systems or patient data, and ultimately patient care.

Product Security Bulletins and Patches

Product Privacy and Security is a company-wide responsibility embedded within Werfen’s organization and processes. At Werfen, we have developed a Product Privacy and Cybersecurity Action Program based on four fundamental pillars.

ORGANIZATION

+

ORGANIZATION

We institutionalize the functions and culture related to privacy and cybersecurity.

+

POLICY & PROCESS

+

POLICY & PROCESS

We establish the standard policies and processes required in each functional area.

+

PRODUCT DESIGN

+

PRODUCT DESIGN

We implement  privacy and security by design and by default and deploy mitigations for on-market products adapting to changing landscapes.

+

CUSTOMER COMMUNICATION

+

CUSTOMER COMMUNICATION

We communicate our approach to privacy and security and share critical vulnerabilities and mitigation actions.

+

Our commitment to continuous adherence to this Action Program enables us to deliver products that support client efforts to protect patient data and hospitals from cyberthreats, to ensure that patient care is never interrupted or compromised — now and in the future.

Werfen’s Approach to Cybersecurity

Werfen’s Product Privacy and Security Program defines and enables the appropriate cybersecurity and privacy-by-design requirements and supports intended use throughout a product’s life cycle. The program’s objective is to enable the continued secure, safe and effective use of Werfen products.

The NIST Cybersecurity Framework is a guidance to help organizations understand and reduce their cybersecurity risks. By integrating industry standards and best practices, it supports internal and external stakeholders of an organization in cybersecurity management.

Formally recognized by the FDA, the AAMI TIR57 “Principles as a cybersecurity standard for medical devices,” provides methods to perform information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971.

Through the Intelligent Threat Response approach, we track newly discovered vulnerabilities and address threats, as they emerge, with security updates. In the event of a security breach, we  work with our customers to reduce further damage and restore secure system operation.

To better mitigate patient harm as a result of cybersecurity, in addition to post-market actives, we proactively address cybersecurity risks in the design stage.

User needs research

Privacy and security requirements are included in the user needs document.

Phase 1: Design inputs

Privacy and security design inputs are incorporated.

Phase 2: Design outputs

  • Design output is inclusive of privacy and security requirements.
  • Security testing starts as an ongoing activity in this phase.

Phase 3: Design verification

Security testing (including penetration and vulnerability testing) continues in this phase.

Phase 4: Design transfer

  • SW Anti-Malware scanning is performed at this stage.
  • Security Testing continues.

Phase 5: Design validation

  • Privacy and Security Risk Assessment is conducted with Beta Customers.
  • Privacy and Security Beta Labeling.
  • Security Testing within the product design life-cycle ends at this phase.

Phase 6: Product launch

Final Privacy and Security Labeling (Whitepaper, SBOM, Cybersecurity Guide, MSD2).

Post launch

* Product Lifecycle supported by continuous Medical Device Cybersecurity Risk Assessment and Threat Modeling.