Coordinated Vulnerability Reporting Process
Canon Medical Informatics, Inc. (“CMI”) is committed to protecting its products, customers, and their patients against potential vulnerabilities that could affect the integrity and security of our products and systems or the privacy of our patients and customers.
We recognize the importance of incorporating cybersecurity considerations throughout our product and corporate development cycles, and as our products and tools are deployed at in the cloud and at customer sites to deliver the unmatched results our customers expect. We strive to maintain and improve the security of our medical devices and supporting systems throughout the product lifecycle, including by following industry best practices.
The threat of cyberattacks to medical devices and other systems is constantly evolving and it is particularly relevant in the medical-device-as-software space. In response, CMI has proactively established a coordinated vulnerability reporting process that is focused on reducing and mitigating the cybersecurity risks from new and emerging threats, enabling us to continuously improve and evolve the security of our products, website, and communication tools.
Important Legal Information
- Engage in testing of systems/research without harming CMI or its customers or who accidentally discover a potential vulnerability and choose to report it to CMI.
- Perform tests on products, our company website, and tools without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the laws of their location and the jurisdictions in which CMI operates.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
What We Ask of You
Please conduct testing in safe environments, adhering to the following guidelines.
- Never perform security testing on devices actively in use or on those systems that will be utilized for patient care delivery after your investigation.
- Never perform security testing on a device that is actively being utilized for patient care delivery, diagnostics or monitoring.
- Be aware that security testing may have side effects on the product that are not immediately apparent. When in doubt, decommission the device and contact CMI.
- Do not:
- Use denial-of-service, social engineering or any other interruption of our services;
- Copy, change or delete our data;
- Make changes to a system;
- Install or transmit malware;
- Use “brute force” techniques.
- If you have identified a vulnerability, use it only as needed to demonstrate the vulnerability.
What You Can Expect From Us
- A timely response to your email (typically within five business days, or sooner depending on the severity of the issue)
- We will triage, evaluate, and validate the reported findings, working with the appropriate product teams for review and verification. At this stage, CMI may contact you to provide additional information.
- If the vulnerability is in an underlying 3rd party component which is part of our product or tools, we will refer the report to that 3rd party and advise you of that notification.
- If the vulnerability is confirmed, CMI will evaluate the potential impact. We will identify and take appropriate action, and keep you informed.
- CMI will use existing customer notification processes to manage the release of patches or security fixes, which may include direct customer notification or public release of an advisory notification on our website.
- Credit after the vulnerability has been validated and fixed, if requested.
If you decide to share any information with CMI, CMI will handle your report and any associated personal data confidentially and will not share that information with third parties without your permission, except as required by law or if the disclosure of the information is compelled by a competent authority.
Last updated: February 2023
If you have identified a potential security vulnerability or privacy issue with our products or tools, fill out the reporting form below. Please do not include any personal health information (PHI) or images including PHI. If PHI needs to be transmitted, CMI will work with you to perform this in a secure and compliant manner.