Diagnostics Product Cyber Security Statement

for products and services in the UK and Ireland

Statement Principles


We strongly agree with the International Medical Device Regulators Forum (IMDRF) that information security in the use of In Vitro Diagnostic (IVD) products and services is a shared responsibility between all members of the digital healthcare ecosystem.

With that in mind, we partner with you (our customers) together with

●     Industry bodies (including NHS Digital, the National Cyber Security Centre (NCSC), the Health and Safety Executive (HSE), eHealth, NWIS, etc.)

●     Regulators (MHRA, HPRA)

●     Standards organizations (BSI)

●     Vendors

●     Institutions, academicians, security researchers and other stakeholders

to stay ahead of information security threats and risks, and to implement appropriate mitigations.

We incorporate industry-standard security principles in the design and development of our products and services from day 1 (Privacy by Design). In doing so, we take a risk-based approach that recognizes the intended use, user environment, and other important factors which impact the type and level of security controls required.

After a product launch, we continuously monitor trusted sources of information about security threats, vulnerabilities and security incidents to identify security risks throughout the product lifecycle. Through the timely development of security updates or compensating controls, we then work with you to reduce any impact on the intended use, safety and effectiveness of our products and services, or on the confidentiality, availability or integrity of the associated data.

It is our policy to hold our partners and suppliers to the same standards to which we hold ourselves.

We encourage you, as our partners, together with security researchers and others who become aware of potential vulnerabilities or incidents associated with any of our products, to contact us at RCSC by telephone on 0808-100-1920 (option 1 Technical Services, then option 4 Workflow & IT, then option 1 IT) or by email to burgesshill.ict@roche.com, so that we can register your concern, analyse the risk and advise on mitigation actions.

The security of your information is one of our top priorities, and we work to provide you with independent assurance of this via the NHS Digital Data Security and Protection Toolkit, together with our certifications to ISO 27001:2013 and Cyber Essentials Plus.

Further details are available in our Product Cyber Security and Information Security brochures.