Security Incident Handling Policy

Canon Medical Systems Corporation (hereinafter referred to as "our company") provides medical devices and medical systems, including medical applications, and in order to ensure the security of these products and protect customers from cyber-attacks, we will disclose information on how to handle security incidents through the following process.
  1. Contact of security incidents
  2. Responding to security incident contacts
  3. Cooperative vulnerability disclosure

1. Contact of security incidents
Security incidents include malfunctions and outages caused by malware infection, unauthorized access, and denial-of-service attacks. Reporting to the Pharmaceuticals and Medical Devices Agency (PMDA) may be required not only when a medical device is actually infected with malware but also when infection is merely suspected. We therefore treat a suspected infection as a possible security incident as well.

We have launched a website for reporting security incidents related to our products. To report a product security incident, please contact us using the Product Security Information Incident Report (form) on our website. The report form is protected by SSL/TLS encryption. After the initial contact through the report form, all further communication with the reporter takes place via e-mail. If an e-mail or attached file contains undisclosed sensitive information, please cooperate by encrypting the e-mail so that the information is not unintentionally disclosed to third parties.

For our products that have a maintenance contract for product security, please contact our branch, branch office, or service center in accordance with the maintenance contract.

2. Responding to security incident contacts
When we receive a report of a security incident, we process it as a complaint within our company. The complaint risk assessment is based on the events that actually occurred. During the risk assessment, we investigate the cause, evaluate the effects on product effectiveness and safety, and decide how to handle both products in manufacture and products already delivered (for example, providing information to medical institutions, collection or repair, and revising package inserts, instruction manuals, and similar documents).

If a health hazard occurs or there is a risk of a health hazard, or if a malfunction occurs in a medical device due to malware infection, we will report the malfunction to PMDA.

3. Cooperative vulnerability disclosure
As soon as countermeasures or risk reduction measures for the product are ready, we provide the information to our customers on our website, and also to the Information-technology Promotion Agency (IPA) or the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). If it becomes necessary to issue a CVE/CWE number, we issue it via JPCERT/CC and, after coordinating the publication date with the reporter and other related parties, publish the security advisory on our website.
Once a CVE/CWE number has been issued, the information is provided to CERTs in countries outside Japan via JPCERT/CC.

In addition, if it is confirmed that personal data held in our products has been lost or tampered with, we report this to the personal information protection authorities in each affected country.

If a customer requests a policy, we will provide this policy as a policy document.