Elekta’s Commitment to Cybersecurity

In today’s interconnected digital healthcare ecosystem, high cybersecurity standards are critical for patient safety and data protection. Elekta is committed to advancing cybersecurity in medical devices and to protecting patient, personal and business data. To support this goal, we have developed the Elekta Product Cybersecurity Framework (EPCF), which incorporates industry best practices and regulatory guidance to integrate security into every phase of our products’ lifecycle. Elekta is an active member of several medical device cybersecurity and privacy working groups, as well as cybersecurity information sharing organizations. We work with our peers and regulators to monitor the ongoing security of our products and to handle security vulnerabilities responsibly.

Before deploying and using our products, customers should review the security documentation of Elekta’s products to ensure appropriate implementation of cybersecurity controls.

A Dedicated Digital Product Security Team

Our team of digital product security professionals is dedicated to ensuring our products are safe and secure for their intended use. We maintain a dual focus on developing safe and secure products while also anticipating and responding to emerging cybersecurity threats. Our team prioritizes transparency and responsiveness with our customers about cybersecurity and provides support and protection throughout the product lifecycle. With deep knowledge and expertise in digital product security, our team helps you maintain secure operations continuously.

Data Privacy

Elekta is committed to protecting the privacy of customer data. We align our processes with the principle of privacy and security by design to help you comply with HIPAA in the U.S., GDPR in Europe and other privacy laws. As we plan, design and release products, services and solutions that process personal data, we strive to incorporate data protection measures. Our commitment to data privacy extends throughout the lifecycle of our products. This is done by setting internal processes for privacy impact assessments, reviewing the frameworks and policies adhered to by potential suppliers and other third parties, and ensuring our employees are regularly trained on data privacy requirements. Data privacy is part of our code of conduct and an important part of our corporate policy framework.

Cloud security

Our cloud-based solutions are hosted on Elekta Axis, a fully managed cloud services environment. These solutions are protected by Microsoft Azure security controls to help defend against breaches and cyberattacks. Your information is encrypted both in transit from your site and at rest in Elekta’s cloud infrastructure.

Rather than focusing on individual components, Elekta Axis takes a holistic approach to information security, implementing a multilayered defense following network, operating system, database and software security best practices. Together with strong internal controls, governance and oversight, Elekta is continually working to strengthen and improve those security controls and practices.

Product Security Statements

To support our customers’ cybersecurity risk management needs, Elekta provides information to help assess and address the cybersecurity risks associated with medical devices.

Elekta publishes product security statements as part of each product release. These documents contain information about the security configuration related to the software, hardware and any operating systems of the product. The security statement also provides guidance on how to securely implement and operate the product.

In addition to the security statement, Elekta uses the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide security information about its products. The MDS² is an industry-endorsed reporting form published by the Medical Imaging and Technology Alliance (MITA). The form allows manufacturers to provide product security information to customers in a standardized format. The MDS² form contains product-specific security information related to:

  • Managing personally identifiable information
  • Audit
  • Authorization
  • Data backup
  • Security updates
  • Malware controls
  • Secure connectivity
  • Hardening
  • Data integrity

The form also contains notes from the manufacturer as well as mapping to different security frameworks. Find more details about the MDS² form here. Customers can contact Elekta customer support or sales to receive a copy of the MDS² form for any supported product.

Product Security Advisories

Elekta publishes security advisories and bulletins on an ongoing basis to notify customers about any potential or validated security vulnerabilities pertaining to our products and services with guidance on remediation steps.

These security advisories are available in our customer portal. Please visit Elekta Care™ Community portal for more information or contact customer support.

Cybersecurity Incident Response

Elekta Care Support takes cybersecurity seriously and will provide all reasonable assistance to help customers quickly recover from any incidents affecting supported Elekta products. Following established processes, Elekta Care Support will document and manage the incident with the customer through to a resolution and suggest future protection improvements where appropriate.

Coordinated Vulnerability Disclosure

Elekta is committed to ensuring the safety and security of the products we develop and provide for cancer care. Elekta welcomes the invaluable contributions offered by security researchers and by our customers. The Coordinated Vulnerability Disclosure (CVD) policy is designed to ensure a responsible and streamlined process for reporting and handling product security vulnerabilities. As part of this program, Elekta openly accepts vulnerability reports for currently supported Elekta products and solutions. Find the program details here.

Partnerships

Elekta believes in strong partnership between the different stakeholders in the healthcare industry to improve the privacy and security of healthcare solutions. Our product security and privacy teams work closely with healthcare industry organizations to ensure patient information is protected and our products are safe and secure. To achieve greater security, we partner with several organizations to gather and share cybersecurity information, including:

  • European Coordination Committee of the Radiological Electromedical and Healthcare IT Industry (COCIR)
  • Advanced Medical Technology Association (AdvaMed)
  • Health Information Sharing and Analysis Center (H-ISAC)
  • Health Sector Coordinating Council (HSCC)

Note: We continue to enhance the security posture of our current products. Cybersecurity threats are evolving, and not all statements on this page apply to all products and services. Contact your customer support or sales team for product-specific details.