Product security

Edwards Lifesciences Support of Vulnerability Disclosure

As software and technology continue to become more integrated in products, Edwards recognizes cybersecurity to be a critical element in reducing risk across the total product lifecycle. Cybersecurity threats are evolving, and they have the potential to not only impact the confidentiality, integrity, and availability of a product, but also its clinical effectiveness.

Edwards maintains a dedicated Product Security team to help evaluate and implement security controls, manage cybersecurity risk across our various product lines, and execute our cybersecurity post-market product surveillance and support program.

We recognize the value provided by patients, customers, and security researchers in helping manage cybersecurity risk and are willing to collaborate with those who work in good faith with Edwards.

Scope of Disclosure Program

The scope of the Edwards Coordinated Vulnerability Disclosure Program includes on-market Medical Device and Software as a Medical Device categories (including mobile and web medical applications).  Non-medical devices including websites, mobile apps, infrastructure components, etc., are not in scope.  Additionally, the submission of adverse events or product quality complaints is not in scope.  Please follow the appropriate processes laid out by the individual product lines for reporting these.

As a part of our vulnerability disclosure program, Edwards will be using this page to post cybersecurity bulletins related to vulnerabilities and their impact to Edwards products. For any additional questions or comments related to product security at Edwards, please contact your service representative and/or the product security team directly.

How to Contact Edwards Product Security

Upon identifying a potential vulnerability in an Edwards product, please contact us via email as soon as possible utilizing PGP as outlined below:

In the email, please provide all relevant technical information regarding the vulnerability, including, but not limited to, steps which would need to be taken to replicate the potential issue, plans on public disclosure, and any awareness of active exploitation.  Do not include any personally identifiable information (PII) or individually identifiable health information (IIHI) in the message.

Expectations of Researchers

For any research being conducted on Edwards products, we ask researchers to:

  • Perform testing in a safe environment and manner
  • Not test or alter a production device in any way
  • Not use devices in production that have been altered
  • Not weaponize the research, nor create an active exploit
  • Not publicly disclose without prior engagement with Edwards

Expectations of Edwards

After submission of a potential vulnerability, Edwards will:

  • Review all submitted information and acknowledge receipt within 10 business days
  • Request additional information, if required, in order to enable a full review of the submission
  • Initiate our internal Vulnerability Management & Incident Response processes, which may include:
    • Internal replication of potential vulnerabilities
    • Risk evaluation activities
    • Mitigation/remediation planning and execution
    • External communications efforts
  • Work diligently in providing updates to the submitter, as necessary

Notice

In the case you decide to share any information with Edwards, you agree that the information you submit will be considered as non-proprietary and non-confidential, and that Edwards is allowed to use such information in any manner, in whole or in part, without any restriction.

Bulletins

6/26/2020

"Ripple20" Cybersecurity Bulletin

Multiple security vulnerabilities in the Treck TCP/IP Stack, implemented across various systems, were recently disclosed publicly by security researchers at JSOF. These vulnerabilities, referred to as “Ripple20”, can be utilized for remote code execution and allow an attacker to potentially compromise an entire system without user interaction.  Common Vulnerability Scoring System (CVSS) v3 scores ranging from 4.3 to 10 out of 10 were assigned to the Ripple20 family of vulnerabilities.

At this time, Edwards' devices on market are not impacted by the Ripple20 vulnerabilities.  Edwards will continue to monitor the situation and provide customers with updates, as appropriate.  Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://www.us-cert.gov/ics/advisories/icsa-20-168-01.

For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.



4/7/2020

Windows CryptoAPI Cybersecurity Bulletin

A spoofing vulnerability has been discovered and disclosed by the National Security Agency (NSA) in versions of the Windows 10 and Windows Server 2016/2019 operating systems.  This vulnerability resides in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates, and it can allow an attacker to appear as a legitimately trusted entity and can enable remote code execution.  A Common Vulnerability Scoring System (CVSS) v3 score of 8.1 out of 10 has been assigned to this vulnerability.

At this time, Edwards' devices on market are not impacted by the Windows CryptoAPI vulnerability.  Edwards will continue to monitor the situation and provide customers with updates, as appropriate.  Additional details on the vulnerability can be found on the Microsoft security advisory page for this vulnerability – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601.

For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.



3/9/2020

“SweynTooth” Cybersecurity Bulletin

Multiple security vulnerabilities in Bluetooth Low Energy (BLE) discovered across software development kits (SDK) of seven major system-on-chip (SoC) vendors were recently disclosed by a research group from Singapore University of Technology and Design (Matheus E. Garbelini, Sudipta Chattopadhyay, Chundong Wang). These vulnerabilities, referred to as "SweynTooth", expose flaws in specific BLE SoC implementations that allow an attacker in radio range to trigger deadlocks, crashes, buffer overflows, or the complete bypass of security.  Common Vulnerability Scoring System (CVSS) v3 scores ranging from 5.7 to 8.8 out of 10 were assigned to the SweynTooth family of vulnerabilities.

At this time, Edwards' devices on market are not impacted by the SweynTooth family of vulnerabilities.  Edwards will continue to monitor the situation and provide customers with updates, as appropriate.  Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://www.us-cert.gov/ics/alerts/ics-alert-20-063-01.

For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.



9/18/2019

“Urgent/11” Cybersecurity Bulletin

Multiple security vulnerabilities in the IPnet TCP/IP Stack, implemented across various operating systems, were recently disclosed publicly by security researchers at Armis. These vulnerabilities, referred to as “Urgent/11”, can be utilized for remote code execution and allow an attacker to potentially compromise an entire system without user interaction. A Common Vulnerability Scoring System (CVSS) v3 score of 9.8 out of 10 has been assigned to Urgent/11.

At this time, Edwards' devices on market are not impacted by the Urgent/11 vulnerabilities. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://www.us-cert.gov/ics/advisories/icsma-19-274-01.

For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message.
