A. Roche Diagnostics recognizes that an effective cyber security program must address the entire product lifecycle, including the design, development, production, distribution, deployment, maintenance, and disposal of a product and any associated data.
B. To that end, Roche’s cyber security approach is founded on five core principles:
1. Security is one of our priorities. Roche Diagnostics endeavors to incorporate security principles in its products. As we develop new products, we will continue to evaluate security by design in our product development. In doing so, Roche takes a risk-based approach that recognizes that the intended use, user environment, and other important factors impact the type and level of cyber security required.
2. Life-cycle approach. Roche Diagnostics monitors information about vulnerabilities, incidents and other cyber security threats to identify and mitigate security risks throughout the product lifecycle. In doing so, we endeavor to implement timely security updates to our products in a manner that reduces any impact to the intended use, safety, and effectiveness of our products, or availability and integrity of the associated data.
3. Shared responsibility. Roche recognizes that cyber security is a shared responsibility among all members of the healthcare ecosystem. With that in mind, we work closely with industry and standards organizations, customers, institutions, academicians, security researchers, vendors, regulators, and other stakeholders to stay informed about the latest standards, trends, risks, and technologies.
4. Partner controls. Roche holds its partners and vendors to the same standards to which we hold ourselves.
5. Open communications and disclosure. We encourage security researchers and others who become aware of potential vulnerabilities or incidents associated with any of our products to contact us as described in our Vulnerability and Incident Handling Disclosure statement. Where applicable, we inform customers and other impacted stakeholders of Vulnerabilities and Incidents that could impact the safety and security of our products.