Product IT security
In vitro diagnostics devices have become more connected and reliant on information technology than ever before, improving measurement, response and treatment times. However, this also makes medical devices more vulnerable to emerging cybersecurity vulnerabilities and malicious hackers, which can jeopardise the security and safety of patients and operators or lead to the loss or disclosure of sensitive health data.
As a partner in your operation, we are committed to providing you optimal support for safeguards across your facilities. We endorse manufacturer disclosure statements for medical device security (MDS²) to provide our customers with the information they need.
At Sysmex Europe, we value the confidentiality, integrity and accessibility of all protected health and personally identifiable information (e.g., PHI, PII). With the established Sysmex Global Information Security Regulation, we ensure all information we handle, including customer information, is protected from cybersecurity threats, disasters, and accidents. The Sysmex Organisation is also compliant with all applicable federal and state privacy and security laws, including the GDPR.
Cybersecurity readiness is important in Sysmex company culture. We actively participate and supports national and international initiatives and associations to improve the security of medical devices and create new standards. We also implement administrative, technical, and physical safeguards at an early stage, i.e., during the design process, to further improve our medical device resiliency and prevent possible security incidents or privacy breaches.
With a Digital Transformation Strategy in mind, Sysmex established a global Product Security Policy in 2019 and created a dedicated security management framework under the supervision and management of a Senior Executive Officer and Senior Managing Director acting as Information Security Officer. Our global and regional Product Security Incident Response (PSIR) team supports product design and manufacturing, post-marketing vulnerability identification, analysis, and local incident response activities.
Coordinated Vulnerability Disclosure
Sysmex is alert to the evolving threat of cyberattacks on medical devices. We strive to incorporate security in our products as early as possible and continuously evaluate security and safety during all phases of the product lifecycle. Your collaboration and partnership are crucial for identifying new vulnerabilities that may be present in our products through the coordinated vulnerability disclosure (CVD) program. This allows us to continually improve our product security and help you maintain secure operations.
Sysmex Europe encourages everyone to report security vulnerabilities in our products or services. Regardless of whether you have a business relationship with us, you can contact us using this form. If desired, this can also be done anonymously.
We urge you to address the vulnerability through CVD process to avoid a zero-day situation caused by immediate disclosure that puts our customer systems, hospitals and patients at unnecessary risk.
Sysmex does not intend to engage in legal action against individuals who:
- test or research our products without causing harm or damage
- obtain customer consent before conducting vulnerability tests on their equipment/software, etc.
- adhere to CVD and do not disclose vulnerability details before the end of a mutually agreed timeframe
- avoid compromising the security or privacy of individuals or, in particular, patients
For additional communication via email, please use our public PGP key for encryption. You can also contact us at psirt@sysmex-europe.com and our public PGP key (Fingerprint: DADD76C08E4D5A88896A0CF13DEE9B98827A0846) for encryption. Provide us with the same information as requested in the form.
Spring Framework vulnerabilities
Sysmex is aware of the critical vulnerabilities that have been discovered in the Spring Framework. Our investigations have not identified any affected product so far. We will keep you informed if the situation changes.
Apache Log4j vulnerability (CVE-2021-44228)
Sysmex Europe is aware of Apache Log4j vulnerability (CVE-2021-44228). We are currently investigating and taking action for Sysmex products and services that may be potentially impacted.
Update on 19 January 2022:
The following products and services are confirmed that they are not affected:
Haematology: | XN-Series, XN-L Series, pocH-100i/80i, XS-Series, XP-300, RU-20, KX-21N |
Urinalysis: | UF-Series, UN-Series, U-WAM, UX-2000, UC-3500, UC-1000, UD-10, TH-11 |
Haemostasis: | CA-Series, CS-Series, CN-Series |
Flow cytometry: | CyFlow, CyFlow Space, CyFlow Cube 6, CyFlow Cube 8, CyFox, CyScope, PS-10 |
Life Science: | RD-100i OSNA, RD-210 OSNA |
Automation: | CT-90, TS-10, TS-500, TS-2000, SP-10, SP-50, CF-60 |
Software products: | Extended IPU, Support Manager, Routing Engine |
CellaVision: | According to the manufacturer no action is needed for these systems or software products: CellaVision DM1200, CellaVision DM9600, CellaVision DC-1, Automated Digital Cell Morphology Analyzer DI-60, CellaVision Remote Review Software, DI Remote Review Software, CellaVision Server Software, CellaVision DM96 |
Tosoh: | All instruments are not affected according to the manufacturer. |
RR Mechatronics: | All instruments are not affected according to the manufacturer. |
Sentinel Diagnostics: | SENTiFOB Analyser and SENTiFIT 270 Analyser are not affected according to the manufacturer. |
3DHISTECH: | All applications are not affected according to the manufacturer. |
We will continually publish information to help our customers identify, investigate and, if necessary, mitigate security vulnerabilities to their Sysmex products and services.