Cybersecurity

Wassenburg Medical customers expect that our products will be secured against vulnerabilities that could affect the performance of the product and the security, integrity and privacy of the electronic information and data used by the product.  Note:  Wassenburg Medical products do not currently connect to a network, directly (cable) or indirectly (WIFI, Bluetooth, other). 

Wassenburg Medical encourages and supports security researchers and customers to responsibly report to Wassenburg Medical any potential security and privacy vulnerabilities identified in Wassenburg Medical products.

Wassenburg Medical maintains this product Cybersecurity page in order to provide contact details and information concerning the procedures to follow to report vulnerabilities.  If you encounter any issues with a Wassenburg Medical product which implicate security or privacy vulnerabilities, or if you encounter any other issue which might affect patient, user, or operator safety, please contact Wassenburg Medical.

Scope

Wassenburg Medical's cybersecurity Coordinated Vulnerability Disclosure program includes medical devices that employ software to control, in whole or in part, the functioning of a Wassenburg Medical device.

Note: Product and quality submissions for complaint / adverse events are not in scope and should be reported by contacting Wassenburg Medical directly at (215) 364-1477.

Reporting Cyber Vulnerability Issues

When reporting cyber vulnerability issues, please provide:

  • Contact Information: (Note: Wassenburg Medical will never share contact information with third parties without explicit consent.)
    • Name
    • Email Address
    • Phone Number
  • Device Information:
    • Product
    • Model
    • Software Version
  • Technical description of the security vulnerability, including:
    • What is the vulnerability?
    • How and when was it discovered?
    • Steps to reproduce the condition
    • Additional information that may aid in the investigation (e.g., screenshots, logs, proof-of-concept code).
  • Please notify Wassenburg Medical if you have publicly disclosed the vulnerability or intend to do so before Wassenburg Medical has an opportunity to investigate and provide a response.
  • Please do not provide any personally identifiable information or sensitive information (e.g., patient information, protected health information, etc.) to Wassenburg Medical.

How to report a potential security vulnerability

  • If you have identified a potential security vulnerability with a Wassenburg Medical device, please complete the form below:

Submit Report  (See 8.P1-W01-F02 – Incident Report Form – Web based form)

Upon submission of a vulnerability, Wassenburg Medical will:

  • Assign a unique reference number for the report.
  • Acknowledge receiving the incident report as soon as possible (typically within five (5) business days).
  • Direct the report to the product security team to evaluate and confirm the vulnerability.
    • Wassenburg Medical may contact the Cyber Vulnerability Submitter at this stage if additional information is needed to fully understand the issue.
  • Notify the Cyber Vulnerability Submitter about verification results.
  • If the vulnerability is confirmed:
    • Evaluate the potential impact.
    • Identify and take appropriate action.
    • Assess whether the vulnerability is related to a third-party software component and, if so, Wassenburg Medical may provide it to the third-party manufacturer.
    • If the issue is specific to Wassenburg Medical, the Wassenburg Medical product security team will work on a resolution/mitigation.
    • Perform validation testing of the resolution.
    • Wassenburg Medical will use the customer notification process to manage safety/security communication, release of patches, vulnerability fixes or instructions for compensating controls.  This may include direct customer notification or public release of an advisory notification.

Important Notes

  • It is recommended that the submitter:
    • Comply with all applicable federal, state, and local laws and regulations while conducting security research.
    • Avoid any actions that could harm patients, users, or products, such as exploiting a vulnerability in a product actively in use.
    • Avoid conducting security research activities without obtaining permission/consent from the Wassenburg Medical customer prior to taking any action.
  • By submitting this information to Wassenburg Medical through this process, the submitter is agreeing that submission of the information does not create any rights for the submitter, that such information will be non-confidential and non-proprietary to the submitter, and that Wassenburg Medical will be entitled to such information in whole or in part for any use or purpose whatsoever, without restriction and without compensating the submitter or in any other way obligating Wassenburg Medical.
  • As part of the coordinated vulnerability disclosure, Wassenburg Medical requests all security researchers to inform Wassenburg Medical of planned public release dates of potential vulnerabilities prior to release dates.
  • Wassenburg Medical will not knowingly collect Personally Identifiable Information (PII) when receiving potential vulnerability reports without explicit consent.
  • Wassenburg Medical does not provide financial compensation for disclosing vulnerabilities nor engage in a bug bounty program.
  • Wassenburg Medical reserves the right, in its sole discretion, to determine whether to acknowledge security researchers and reporters.
  • Wassenburg Medical reserves the right to make exceptions to this policy on a case-by-case basis.

Wassenburg Medical greatly appreciates the efforts of security researchers and discoverers who share information on security issues with Wassenburg Medical, giving Wassenburg Medical a chance to improve our products, and better protect our customers.  Thank you for working with Wassenburg Medical through the above process.  

Safe Harbor

Wassenburg Medical considers activities conducted consistent with the Coordinated Vulnerability Disclosure Program to constitute authorized access under applicable anti-hacking laws.  To the extent the cyber vulnerabilities disclosure activities, as specified herein, are inconsistent with certain restrictions in Wassenburg Medical’s Terms Of Use, Wassenburg Medical waives those restrictions for the limited purpose of permitting security research as specified in the Coordinated Vulnerability Disclosure Program.  Wassenburg Medical supports security research into Wassenburg Medical products and wants to encourage this type of research.  Provided the cyber vulnerability submitter's actions are consistent with the provisions herein, Wassenburg Medical will not bring a claim against the cyber vulnerability submitter for circumventing the technological measures Wassenburg Medical has used to protect the applications in scope.  If legal action is initiated by a third party against the cyber vulnerability submitter in connection with the security vulnerability research, as described herein, and the cyber vulnerability submitter has complied with the terms of this program, Wassenburg Medical will take commercially reasonable steps to make it known to such third party that the cyber vulnerability submitter's actions were conducted in compliance with this program.  Wassenburg Medical will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of the terms of this Coordinated Vulnerability Disclosure Program that are otherwise in compliance with all applicable Federal, State, and local laws.

Manufacturer Disclosure Statement for Medical Device Security

The Manufacturer Disclosure Statement for Medical Device Security has been completed for the System 83 Revolve containing important security-related information.  This document is a voluntary standard used by medical device manufacturers to communicate crucial security-related information to healthcare delivery organizations.  The document can be obtained by contacting Wassenburg Medical at (215) 364-1477 or by contacting us at ProductSecurityTeam@wassenburgmedical.com.

Product Security Advisories

Wassenburg Medical will investigate reports of security vulnerabilities affecting Wassenburg Medical products and release these documents as part of the ongoing effort to help Wassenburg Medical customers manage security risks.  To access the most recent product security updates from Wassenburg Medical, select: www.wasseburgmedicalinc.com/Cybersecurity/product-security-advisories