Product Privacy and Cybersecurity
Partnering with our customers to deliver secure products and services
At Werfen, we take product privacy and cybersecurity challenges very seriously and are committed to continuously transforming our organization to address them. We strive to protect our clients against threats that could compromise our systems or patient data, and ultimately patient care.
Product Privacy and Security is a company-wide responsibility embedded within Werfen’s organization and processes. At Werfen, we have developed a Product Privacy and Cybersecurity Action Program based on four fundamental pillars.
Our commitment to continuous adherence to this Action Program enables us to deliver products that support client efforts to protect patient data and hospitals from cyberthreats, to ensure that patient care is never interrupted or compromised — now and in the future.
Werfen’s Approach to Cybersecurity
Werfen’s Product Privacy and Security Program defines and enables the appropriate cybersecurity and privacy-by-design requirements and supports intended use throughout a product’s life cycle. The program’s objective is to enable the continued secure, safe and effective use of Werfen products.
The NIST Cybersecurity Framework is guidance that helps organizations understand and reduce their cybersecurity risks. By integrating industry standards and best practices, it supports an organization's internal and external stakeholders in cybersecurity management.
Formally recognized by the FDA, the AAMI TIR57 “Principles as a cybersecurity standard for medical devices” provides methods to perform information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971.
Through the Intelligent Threat Response approach, we track newly discovered vulnerabilities and address threats, as they emerge, with security updates. In the event of a security breach, we work with our customers to reduce further damage and restore secure system operation.
To better mitigate patient harm resulting from cybersecurity risks, we address those risks proactively in the design stage, in addition to post-market activities.
User needs research
Privacy and security requirements are included in the user needs document.
Phase 1: Design inputs
Privacy and security design inputs are incorporated.
Phase 2: Design outputs
- Design output is inclusive of privacy and security requirements.
- Security testing starts as an ongoing activity in this phase.
Phase 3: Design verification
Security testing (including penetration and vulnerability testing) continues in this phase.
Phase 4: Design transfer
- SW Anti-Malware scanning is performed at this stage.
- Security Testing continues.
Phase 5: Design validation
- Privacy and Security Risk Assessment is conducted with Beta Customers.
- Privacy and Security Beta Labeling.
- Security Testing within the product design life-cycle ends at this phase.
Phase 6: Product launch
Final Privacy and Security Labeling (Whitepaper, SBOM, Cybersecurity Guide, MDS2).
Post launch
Product Lifecycle supported by continuous Medical Device Cybersecurity Risk Assessment and Threat Modeling.