Our Commitment to Cybersecurity
Today, vast amounts of sensitive patient information and data are kept within the modern healthcare provider network. For Varian and its customers, cybersecurity is a top priority. Together, we have a shared responsibility to maintain robust end-to-end defenses that keep systems secure.
Our products and services are developed with a focus on quality and patient safety. We continue to improve and extend the security measures for our current products. As threats and associated risks are evolving, not all statements on this page apply to all products and services. Contact your local Varian representative for further details.
We collaborate with vendors and healthcare providers to promote true end-to-end cybersecurity, helping to ensure that our products are safe and secure, with access restricted to authorized users. We take cybersecurity extremely seriously, and collaborate with others in the healthcare and technology industries to minimize data security breaches and protect patients.
Trust and Certification
Siemens Healthineers has received independent certification according to ISO/IEC 27001:2022, extended by ISO/IEC 27701:2019, which demonstrates our commitment to safeguarding data privacy and cybersecurity for our sustainable business and all key stakeholders of the company, particularly customers.
As a partner in your operations and on the treatment journeys of our customers’ patients, we want to provide a valid reason to put your trust in Siemens Healthineers.
The Siemens Healthineers global Cybersecurity Management System includes Information Security and Privacy Information Management for the company, including Varian. It covers Governance and Assurance by the central groups for Cybersecurity and Data Protection from its Erlangen headquarters locations.
Product Security
Our information security office is staffed by employees with broad cybersecurity backgrounds, and we partner with our engineering and IT departments to build security into our systems from inception and by design, through operation, and ultimately to product retirement. The teams also collaborate with cybersecurity experts and IT stakeholders from customer sites to identify risks and plan security enhancements.
Secure Development Lifecycle
Thanks to the Secure Development Lifecycle (SDL), at the heart of the Varian approach to cybersecurity, our products are ready for today’s operational requirements:
- New hardware and software development follows defined state-of-the-art processes
- Product development adheres to Varian’s standardized requirements and industry best practices
- Processes and requirements are aligned across the Varian product portfolio
Built-in security controls
Products currently under development as well as a range of existing offerings have built-in security controls that are essential for modern IT environments:
- Secure configuration and hardening
- Authentication and authorization
- Whitelisting
- Data encryption
- Trusted machine certificates
- Auditing and logging
Data encryption
Secure data in transit using state-of-the-art encryption features.
Logging and auditing
Automatically log user actions using audit trails and store this information securely.
Authentication and authorization
Customer configurable roles, computer profiles, and passwords.
Transparency
We provide the information you need in advance, so there will be no surprises following deployment. Contact your local Sales representative or go to MyVarian for the following documents:
- Product release notes, manuals, or white papers describing all available product security features
- SBOM (Software Bill of Materials)
- General cybersecurity guidance and consultation
- Secure environment configuration recommendation
- Manufacturer Disclosure Statement for Medical Device Security (MDS2)
Coordinated Vulnerability Disclosure
Varian encourages everyone to report vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports from researchers, industry groups, CERTs, partners, and any other source. Varian respects the interests of the reporting party (including anonymous reports, if requested) and agrees to handle any vulnerability that is reasonably believed to be related to Varian products or components. Varian urges reporting parties to perform a coordinated disclosure, as immediate public disclosure creates a ‘0-day situation’ that puts our customer systems and client hospitals at unnecessary risk.
Reporting Process
Varian currently follows the Siemens AG process for Coordinated Vulnerability Disclosure. For a more detailed description of the process, please visit the Siemens Vulnerability Handling and Disclosure Process website.
PGP Public Key and Fingerprint: 1F2C 7F9B 23F0 8C7F 6307 DB43 966E E04C 49B2 BA34
Email productcert@siemens.com.
State-of-the-art system software
Rapid advances in healthcare technology can make your medical equipment outdated before the end of its useful life. With our Varian Service PremierAssurance service agreements, we can help you keep your Varian equipment updated and cybersecure throughout its product lifespan. Choose from a range of service levels and entitlements to cover your regulatory and financial needs. For products that are not eligible for our PremierAssurance program, we offer other service contracts. For more information, please visit our Services page.
Data Privacy
Protecting the privacy of your data is very important to us. We follow privacy principles and practices as part of “privacy by design” as we develop and release products and solutions. That means we implement various administrative, physical and technical measures in our products and solutions with the goal of enabling customers to comply with privacy laws (in particular HIPAA Privacy and Security rules in the United States and GDPR in the European Union and the European Economic Area) when customers process protected health information and other personal data while using our products and solutions.
Safeguarding Patient Information
Data analytics and cloud-based, mobile solutions offer huge promise for human-centered cancer care, unlocking useful tools for both physicians and patients. For example, our noona® app allows patients to actively engage with their cancer care team and report outcomes, providing oncologists with the potential to analyze data and change research and treatment protocols in real-time. noona is certified to ISO/IEC 27001:2013, the internationally recognized security certification, indicating the paramount importance we place on maintaining the integrity of information in our care.
Publications
We publish security advisories and bulletins on an ongoing basis to notify you about any validated security vulnerabilities pertaining to Varian products. Mitigation may involve applying an update, performing an upgrade, or other actions on your part. Please visit MyVarian for more information.
Microsoft services outage
Siemens Healthineers has resolved all the issues relating to our internal systems and customers. After a careful monitoring period, we have determined that system stability has been completely restored. If necessary, updates will continue to be posted in the Publications section of the Siemens Healthineers cybersecurity website.
LockBit Ransomware
Data allegedly related to the Varian business segment of Siemens Healthineers was published on ransomware group LockBit’s website on August 15, 17, and 19 and was available for a short period. We have no evidence that Varian corporate systems and processes have been compromised or that data was extracted from them. Our investigations determined that the published data was related to a single customer site. We have officially closed our investigation into this incident.
The security and privacy of our customers and their patients is of utmost importance to us, and we continually strive to improve cybersecurity and data privacy. Additional information can be found through Knowledge Article 000043464 posted on the MyVarian customer portal.
PTC Vulnerabilities
Varian Medical Systems, Inc. is aware of the PTC vulnerabilities identified as CVE-2022-25246, CVE-2022-25247, CVE-2022-25248, CVE-2022-25249, CVE-2022-25250, CVE-2022-25251, and CVE-2022-25252, publicly announced on March 7, 2022. Varian uses PTC, a third-party solution, to support our SmartConnect® tool for remote support, installations, and other services.
Our cybersecurity experts continue to analyze and address the potential impact on our products. When appropriate, Varian provides updates to fix the vulnerability, or specific countermeasures for products where fixes are not yet available. The details can be found through Knowledge Articles 000039516 – SmartConnect Vulnerability Disclosure, and 000039517 – Customer alert regarding the SmartConnect vulnerability [PTC vulnerability], posted on the MyVarian customer portal.
Java library Log4j vulnerability (CVE-2021-44228)
Varian Medical Systems, Inc. is aware of the zero-day remote code execution (RCE) vulnerability in the Java library Log4j, identified as CVE-2021-44228. Our cybersecurity experts are analyzing and addressing any potential impact on our products, infrastructure and services. View the Log4j vulnerabilities update and the impact on Varian Products and Services.
Cybersecurity Checklist
Cyberattacks can enter the network and invade treatment delivery systems, resulting in compromised system performance, data loss, interruption to treatment, and misadministration problems.