Carestream Product Security Policy
Carestream Health is committed to providing secure products and services to our customers and patients. We strive to maintain and improve the security of our medical devices and systems throughout the product lifecycle, including the use of the following practices as applicable:
Carestream Health recognizes the need to share security-relevant information to better understand threats and protect our customers, patients and the overall healthcare infrastructure. We also are dedicated to ensuring our customers receive information related to vulnerabilities and any appropriate actions that need to be taken to assure the confidentiality, integrity and availability of our products and services. In order to fulfill these commitments, Carestream Health is engaged in efforts to foster global programs for communication, event handling and information sharing.
Coordinated Vulnerability Disclosure
Independent cybersecurity researchers are a valuable source of information on the security posture of many manufactured products. It is Carestream’s goal to cooperate and coordinate with these researchers regarding vulnerabilities they discover within our products. The information below describes the Coordinated Vulnerability Disclosure process by which independent cybersecurity researchers may collaborate with us on reporting of medical device vulnerabilities.
Scope
The scope of Carestream’s Coordinated Vulnerability Disclosure process includes the following product families:
We ask that all security researchers submit vulnerability reports only for Carestream products.
This reporting process is not to be used to report Product Quality Complaints or to request Technical Support. Please visit the following site for those types of engagements: https://www.carestream.com/en/us/services-and-support. Please also visit this site for security questions or comments about other Carestream products.
Important Legal Information
Carestream Health will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting Form and abide by the agreements outlined as part of this form submission process. We openly accept reports for all Carestream products. We agree not to pursue legal action against individuals who:
Procedure to Submit a Vulnerability
Preference, Prioritization and Acceptance Criteria
Carestream will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
What you can expect from us:
If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.
This webpage was reviewed and/or updated on 1/18/2019.