Digital Product Security

Elekta's Commitment to Cybersecurity

In today's interconnected digital healthcare ecosystem, the highest cybersecurity standards are critical for patient safety and data protection. Elekta is committed to advancing cybersecurity in medical devices and maintaining the protection of patient, personal and business data. To support this goal, we have developed the Elekta Product Cybersecurity Framework (EPCF), incorporating industry best practices and regulatory guidance to help integrate security into every phase of our products' lifecycle. Elekta is an active member of several medical device cybersecurity and privacy working groups, as well as cybersecurity information sharing organizations. We work with our customers and regulators to monitor the ongoing security of our products and responsibly handle security vulnerabilities.

Before deploying and using our products, customers should review the current security documentation of Elekta's products to ensure appropriate implementation of cybersecurity controls.

Plan and design, release, post market surveillance

A Dedicated Digital Product Security Team

Our team of digital product security professionals is dedicated to ensuring our products are safe and secure for their intended use. We maintain a dual focus on developing safe and secure products while also anticipating and responding to emerging cybersecurity threats. Our team prioritizes transparency and responsiveness with our customers about cybersecurity and provides support and protection throughout the product lifecycle. With deep knowledge and expertise in product security, our team helps you maintain secure operations continuously.

Data Privacy

Elekta is committed to protecting the privacy of customer data. We align our processes with the principle of privacy and security by design to help you comply with HIPAA in the U.S., GDPR in Europe and other privacy laws. As we plan, design and release products, services and solutions that process personal data, we strive to incorporate data protection measures. Our commitment to data privacy extends throughout the lifecycle of our products. This is done by setting internal processes for privacy impact assessments, reviewing the frameworks and policies adhered to by potential suppliers and other third parties as well as by ensuring our employees are regularly trained on data privacy requirements. Data privacy is part of our code of conduct and an important part of our corporate policy framework.

Cloud security

Our cloud-based solutions are hosted on Elekta Axis, a fully managed cloud environment. These cloud-based solutions are built on Microsoft Azure, which means your data is protected by robust data security features, including multi-layer threat protection and automated security detection and response. It also means you have the assurance of built-in system compliance features to ensure conformance with data privacy and regulatory requirements. All of your information is encrypted, including data in transit from your site and data at rest in Elekta's cloud infrastructure.

Combined with multiple layers of security within our software solutions, such as password protection and two-factor authentication, you can be sure that safeguarding your clinical data is our highest priority. Together with strong internal controls, governance and oversight, Elekta is continually working to strengthen and improve those security controls and practices. Customers should refer to the respective cloud product security documents for the product-specific security controls used.

Product Security Statements

To support our customers' cybersecurity risk management needs, Elekta provides information to help assess and address the cybersecurity risks associated with our products.

Elekta publishes product security statements as part of each product release. These documents contain information about the security configurations related to the software, hardware and any operating systems that are part of the product. The security statement also provides guidance on how to securely implement and operate the product.

In addition to the security statement, Elekta uses the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide security information about its medical device products. The MDS² is an industry-endorsed reporting form published by the Medical Imaging and Technology Alliance (MITA). The form allows manufacturers to provide product security information to customers in a standardized format. The MDS² form contains product-specific security information related to:

  • Managing personally identifiable information
  • Audit
  • Authorization
  • Data backup
  • Security updates
  • Malware controls
  • Secure connectivity
  • Hardening
  • Data integrity

The form also contains notes from the manufacturer as well as mapping to different security frameworks. Find more details about the MDS² form here. Customers can contact Elekta customer support or sales to receive a copy of the MDS² form for any supported product.

Product Security Advisories

Elekta publishes security advisories and bulletins on an ongoing basis to notify customers about any potential or validated security vulnerabilities pertaining to our products and services with guidance on remediation steps.

These security advisories are available in our customer portal. Please visit the Elekta Care™ Community portal for more information or contact customer support.

Cybersecurity Incident Response

Elekta Care Support takes cybersecurity seriously and will provide all reasonable assistance to help customers quickly recover from any incidents affecting supported Elekta products. Following established processes, Elekta Care Support will document and manage the incident with the customer through to a resolution and suggest future protection improvements where appropriate.

Coordinated Vulnerability Disclosure

Elekta is committed to ensuring the safety and security of the products we develop and provide for cancer care. Elekta welcomes the invaluable contributions offered by security researchers and by our customers. The Coordinated Vulnerability Disclosure (CVD) policy is designed to ensure a responsible and streamlined process for reporting and handling product security vulnerabilities. As part of this program, Elekta openly accepts vulnerability reports for currently supported Elekta products and solutions. Find the program details here.

Partnerships

Elekta believes in strong partnership between different stakeholders in the healthcare industry to improve the privacy and security of healthcare solutions. Our product security and privacy teams work closely with healthcare industry organizations to ensure patient information is protected and our products are safe and secure. To achieve greater security, we partner with several organizations to gather and share cyber information, including, but not limited to:

  • European Coordination Committee of the Radiological Electromedical and Healthcare IT Industry (COCIR)
  • Advanced Medical Technology Association (AdvaMed)
  • Health Information Sharing and Analysis Center (H-ISAC)
  • Health Sector Coordinating Council (HSCC)