Coordinated Vulnerability Disclosure
BD has established a routine practice of seeking, communicating and addressing cybersecurity issues in a timely fashion. Vulnerability disclosure is an essential component of our approach to transparency: it enables customers to manage risk properly through awareness and guidance.
Process
Report
BD welcomes vulnerability reports from security researchers, customers, third-party component vendors and other external groups that wish to report a vulnerability in a BD software-enabled device.
Analyze
BD partners with the issue reporter to investigate the vulnerability. If confirmed, our incident response team collaborates with various functional teams including Research and Development (which includes Product Security), as well as Quality and Privacy to respond to the issue.
Communicate
BD follows FDA guidance to properly communicate confirmed BD product vulnerabilities in coordination with a Computer Emergency Readiness Team (CERT). We work with the Cybersecurity & Infrastructure Security Agency (CISA) to prepare coordinated vulnerability disclosures for our respective websites, and we also voluntarily report vulnerabilities unique to BD products to the FDA.
Disclose
Bulletins are published on the BD Cybersecurity Trust Center and the CISA website in a coordinated fashion. For maximum awareness, we also share BD vulnerability disclosures with Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the Health Information Sharing and Analysis Center (H-ISAC). H-ISAC sends hundreds of targeted alerts to its members each year from their Threat Operations Center. This practice helps healthcare delivery organizations of all sizes stay current with vulnerability disclosures across the industry.
Report a Potential Product-Related Security Issue
Transparency and close coordination with our customers and industry stakeholders are key elements of the BD Cybersecurity program. Please complete the cybersecurity issue report form to report a potential product-related privacy or security issue (incident, data breach or vulnerability).
BD Cybersecurity Requirements for Suppliers
General Security: The Supplier (hereafter, "Provider") shall utilize at least industry standard security efforts to prevent loss, destruction or leakage of BD Data. These may include, but are not limited to, ISO/IEC 27001 certification and alignment with ISO/IEC 27002, 27017 and 27018, SOC 2 Type II attestation, the NIST Cybersecurity Framework (CSF), CIS Benchmarks and/or the OWASP Top 10. The choice of standards is situational and shall depend on the type of BD Data the Provider utilizes and the nature and purpose of the processing.
Notwithstanding the above, Provider shall at all times maintain at least the following minimum security standards when processing BD Data, without limitation:
Testing
- Provider shall perform, on an annual basis, vulnerability assessment and penetration testing in line with industry recognized standards, at Provider's sole cost and expense.
- When requested, Provider shall provide reasonably detailed results of the testing relating solely to BD clients and BD Data.
Prevention of Loss or Damage
- Provider shall use any and all commercially reasonable efforts to prevent the unintended or malicious loss, destruction, or alteration of BD Data.
Detection
- Provider shall continuously monitor its system(s) for security breaches and suspicious activity.
- Provider shall review and maintain its internal procedures so that they reflect current best practices and minimize potential security threats and security breaches.
- Provider shall monitor and report to BD any reasonable threat to the processing, storage, or integrity of BD Data or the timely delivery of contracted goods. This shall include, but not be limited to the actual, attempted, or threat of, unauthorized access, possession, use, transmission, or knowledge of BD Data.
Response
- Provider shall notify BD promptly (and no later than 24 hours after discovery) of any actual or suspected security breach, including, without limitation, service attacks (e.g., denial of service attacks) that cause material performance or manufacturing issues, and unauthorized access to BD Data, information or products.
- Notification shall be made through the BD Cybersecurity Trust Center by selecting "Report an Issue."
- Provider shall take all steps necessary to promptly contain and remediate the Security Breach including, without limitation:
- Provider shall determine if BD Data was involved during the security breach or if shipment of goods per contractual terms will be impacted.
- Provider shall ensure the breach response is conducted by a reputable third party.
- Provider shall update BD daily, or as otherwise agreed between the parties, during any investigation or remediation of a cybersecurity incident that may have affected BD's use of the Service, delivery of goods, and/or BD Data.
- Upon request, the Provider will share with BD the scope, methodology, and reasonably detailed results relating to BD Data.
Third Party
- Provider shall ensure its third-party service providers with access to BD Data have processes and procedures in place to protect such BD Data, and those processes and procedures shall be no less stringent than those herein.
- Provider retains responsibility and liability for any Services performed by third-party service providers as though Provider performed them itself.
Servers
- BD Data shall be stored and processed on secure servers only, with access restrictions in line with current industry practices.
Written Information Security Protocol
- Provider shall have a Written Information Security Protocol ("WISP"). The Provider's WISP shall include, but shall not be limited to, the following:
- Name of Provider's information security liaison, who shall be available to BD to discuss any Provider policies, standards, and practices.
- Methods for how Provider identifies and assesses reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of its systems.
- Methods for evaluating and improving the effectiveness of current safeguards, including without limitation, (i) ongoing Provider training of its personnel, and (ii) means for detecting and preventing security system failures.
- Security policies that prevent Provider from storing, accessing, or transporting records containing BD Data outside of business premises.
- A review of the scope of the WISP at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing BD Data.
Passwords
- For Software/Software Services, unless otherwise agreed by BD in writing: all BD logins shall use single sign-on (SSO), and the login flow shall not transmit any Personally Identifiable Information.
Access Control
- BD Data access shall be restricted to Provider personnel having a need to process BD Data to perform the Services.
- Provider shall maintain a password-protected system that requires a unique identifier, a password and multi-factor authentication for each member of Provider's personnel who needs access.
Encryption
- Provider, to the extent technically feasible, shall encrypt all BD Data while in transit and while being stored or processed. Provider shall alert BD to any technical constraint that prevents this.