Product security

Edwards Lifesciences Support of Vulnerability Disclosure

As software and technology continue to become more integrated in products, Edwards recognizes cybersecurity to be a critical element in reducing risk across the total product lifecycle. Cybersecurity threats are evolving, and they have the potential to not only impact the confidentiality, integrity, and availability of a product, but also its clinical effectiveness.

Edwards maintains a dedicated Product Security team to help evaluate and implement security controls, manage cybersecurity risk across our various product lines, and execute our cybersecurity post-market product surveillance and support program.

We recognize the value provided by patients, customers, and security researchers in helping manage cybersecurity risk and are willing to collaborate with those who work in good faith with Edwards.

Scope of Disclosure Program

The scope of the Edwards Coordinated Vulnerability Disclosure Program includes on-market Medical Device and Software as a Medical Device categories (including mobile and web medical applications). Non-medical devices including websites, mobile apps, infrastructure components, etc., are not in scope. Additionally, the submission of adverse events or product quality complaints is not in scope. Please follow the appropriate processes laid out by the individual product lines for reporting these.

As a part of our vulnerability disclosure program, Edwards will be using this page to post cybersecurity bulletins related to vulnerabilities and their impact to Edwards products. For any additional questions or comments related to product security at Edwards, please contact your service representative and/or the product security team directly.

How to Contact Edwards Product Security

Upon identifying a potential vulnerability in an Edwards product, please contact us via email as soon as possible utilizing PGP as outlined below:

Key ID: 0x49F9C9DB
PGP Location: https://keyserver.pgp.com
Email: product_security@edwards.com

In the email, please provide all relevant technical information regarding the vulnerability, including, but not limited to, steps which would need to be taken to replicate the potential issue, plans on public disclosure, and any awareness of active exploitation. Do not include any personally identifiable information (PII) or individually identifiable health information (IIHI) in the message.

Expectations of Researchers

For any research being conducted on Edwards products, we ask researchers to:

Perform testing in a safe environment and manner
Not test or alter a production device in any way
Not use devices in production that have been altered
Not weaponize the research, nor create an active exploit
Not publicly disclose without prior engagement with Edwards

Expectations of Edwards

After submission of a potential vulnerability, Edwards will:

Review all submitted information and acknowledge receipt within 10 business days
Request additional information, if required, in order to enable a full review of the submission
Initiate our internal Vulnerability Management & Incident Response processes, which may include:
- Internal replication of potential vulnerabilities
- Risk evaluation activities
- Mitigation/remediation planning and execution
- External communications efforts
Work diligently in providing updates to the submitter, as necessary

Notice

In the case you decide to share any information with Edwards, you agree that the information you submit will be considered as non-proprietary and non-confidential, and that Edwards is allowed to use such information in any manner, in whole or in part, without any restriction.

Bulletins

4/26/2021

“NAME: WRECK” Cybersecurity Bulletin

Multiple security vulnerabilities found in four common TCP/IP stacks—FreeBSD, IPnet, NetX, and Nucleus NET, implemented across various Operating Systems, were recently disclosed publicly, by security researchers from Forescout and JSOF. These vulnerabilities, referred to as “NAME: WRECK”, can be utilized for causing denial of service or remote code execution and allow an attacker to potentially compromise an entire system without user interaction. A Common Vulnerability Scoring System (CVSS) v3 score has been assigned within range 5.3 - 9.8 to set of nine WRECK vulnerabilities.

At this time, Edwards' devices on market are not impacted by the NAME: WRECK vulnerabilities. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://us-cert.cisa.gov/ics/advisories/icsa-21-103-04.

For additional clarification and concerns, please contact a service representative and/or product security team directly at product_security@edwards.com, utilizing PGP to encrypt your message..

12/15/2020

“AMNESIA:33” Cybersecurity Bulletin

Multiple security vulnerabilities in several open-source TCP/IP stacks, implemented across various systems, were recently disclosed publicly by security researchers at Forescout Research Labs. These vulnerabilities, referred to as “AMNESIA:33”, can allow an attacker to remotely execute code and take full control of an affected device. Common Vulnerability Scoring System (CVSS) v3 scores ranging from 4.0 to 9.8 out of 10 were assigned to the AMNESIA:33 family of vulnerabilities.

At this time, Edwards' devices on market are not impacted by the AMNESIA:33 vulnerabilities. Edwards will continue to monitor the situation and provide customers with updates, as appropriate. Additional details on the vulnerability can be found on the US Department of Homeland Security Cyber Infrastructure website – https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01.