Philips: Philips among the first health technology companies granted critical vulnerability classification authority by global cybersecurity standards organization
A critical part of health technology cybersecurity is the ability to classify potential vulnerabilities by specific categories and threat levels according to recognized international standards. As part of the growth and maturity of Philips’ robust Global Security Policy program, the company has been granted the status of Common Vulnerabilities and Exposures (CVE®) Numbering Authority (CNA) by MITRE Corporation’s CVE Program – a global cybersecurity standards organization. The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS).
Philips joins a worldwide network of companies authorized to publish vulnerability records to provide industry-recognized vulnerability descriptions. As noted by the CVE Program, “Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.”
As a CNA, Philips is authorized to:
Assign CVE ID numbers to all Philips solutions
Categorize vulnerabilities under current Common Weakness Enumeration (CWE) identifiers
Assign a Common Vulnerability Scoring System scale number (CVSS3) to indicate vulnerability severity
According to the CVE Program, the organization’s mission is “to identify, define and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.”
As a health technology company, we recognize that the security of our solutions and services is business critical for our customers. We are dedicated to helping our customers maintain the confidentiality, integrity, and availability of personal data, business data and the Philips products and solutions that create and manage this data.
Philips operates under a Global Security Policy governing design-for-security in product and services creation, as well as risk assessment and incident response activities for vulnerabilities identified in existing products.
In a medical devices industry first, Philips has established a Security Center of Excellence (SCoE) to develop products which are cyber-resilient. In 2014, Philips was among the first medical device companies to launch a robust Coordinated Vulnerability Disclosure (CVD) program, which has been singled out for recognition by industry associations, regulatory and other government agencies, the security research community, and customers.