Cybersecurity at Siemens Healthineers

Cybersecurity
Protecting healthcare institutions against cyberthreats


If you suspect or have detected a cybersecurity-relevant incident, please reach out to us by clicking the button below!

Overview


At Siemens Healthineers, the importance of cybersecurity cannot be overstated. Our customers and patients place their trust in the cybersecurity of our products and our expertise as a company. They put their trust in us to pioneer breakthroughs in healthcare. For everyone. Everywhere. Let us unite in our efforts to maintain the highest standards of cybersecurity and continue to repay their trust.

Elisabeth Staudinger
Member of the Managing Board



Global Trends

 


Generative AI 

As AI rapidly increases in sophistication, we will see more advanced AI-powered attacks, including deepfake social engineering and adaptive malware. Simultaneously, AI will detect, evade, or neutralize threats through real-time anomaly detection, smart authentication, and automated incident response. In the current cyber-attack and defense landscape, AI is like the queen in chess, offering powerful strategic advantages to those who use it effectively.


Cybersecurity and Cyber Resilience

Two terms often used interchangeably are Cybersecurity and Cyber Resilience, but their distinction is important. Cybersecurity focuses on preventing attacks, while resilience measures ensure continuity of operations even in the event of a successful breach. Developing the capability to recover quickly while minimizing data loss and downtime will be essential in the future.


Shortage of Cybersecurity Professionals

A shortage of professionals with the skills to protect organizations from cyber-attacks remains relevant. The increasing digitization of patient records and medical devices has made the healthcare industry a significant target for cyberattacks. Employing cybersecurity professionals within a healthcare organization offers a substantial advantage by enhancing threat defense capabilities, expediting incident response, and ensuring continuous vulnerability monitoring. 


For our customers

Our commitment


  • The digital transformation is in full swing, and cybersecurity paves the way for your institution to participate. We are committed to helping you stay on track, no matter what challenges and threats you face. We constantly improve our newly developed systems and processes, and train our teams in cybersecurity matters, so that high cyberthreat awareness stays top of mind.
  • Cybersecurity in healthcare is not merely a duty or an obligation; it is an act of responsibility. When patients and families entrust their lives to the health system and its professionals, their complete commitment to excellence in delivery is a basic expectation.
  • The vast amount of critical digital information held by health services (e.g. within patient monitoring systems and electronic health records), coupled with remaining opportunities for improvement in security, such as enhancing staff awareness and resources and strengthening technical safeguards, makes them a prime target for cyber-criminals.

A collage featuring logos of Biohacking Village, Health-ISAC, and AdvaMed, along with an illustration of professionals discussing cybersecurity in healthcare.

We work hard to contribute to and learn from the medical device, healthcare provider and cybersecurity community. Our collaboration extends to customers, government agencies, cybersecurity working groups, security researchers and fellow medical device manufacturers to advance and innovate in cybersecurity for healthcare with the goal of increasing patient safety.


Products


To maintain a cybersecure lifecycle, Cybersecurity at Siemens Healthineers covers a wide range of products and services. Our products are designed with cybersecurity in mind: they support safe network integration and secure operations around the clock.

Cybersecurity Management Service

  • CSMS – the product security inventory with an efficient architecture-aware vulnerability evaluation workflow. It connects product security information with threat intelligence information, which allows Siemens Healthineers to react in a timely manner to evaluate the impact of a vulnerability on the medical device.
  • CSMS is connected to the Fleet Management solution (teamplay Fleet), which gives customers direct access to security information of their fleet (Security Whitepapers, Software Bill of Materials (SBOM), and vulnerability assessments). 
  • As of today, the inventory contains over 1,000 product versions and over 21,000 actively monitored software components which represent more than 700,000 installed systems in the field.

Secure Development Lifecycle

  • Leveraging the Secure Development Lifecycle (SDL), which is at the heart of the Siemens Healthineers approach to cybersecurity, our newly developed products are ready for today’s operational requirements. 
  • All products currently under development, as well as a range of existing offerings, have followed the Secure Development Lifecycle - addressing cybersecurity in the pre-market and post-market phases, and have built-in security controls that are essential for modern IT environments. 
  • We provide the necessary cybersecurity information you need to integrate Siemens Healthineers products within your IT environment.

Compliance and Certification 


Siemens Healthineers AG maintains an independent certification for its global Cybersecurity Management System according to ISO/IEC 27001:2022, extended by ISO/IEC 27701:2019, which showcases our commitment to safeguarding data privacy and cybersecurity, for our sustainable business and all key stakeholders of the company - particularly customers. As a partner in your operations and in the treatment journeys of our customers’ patients, we aim to provide compelling reasons for you to place your trust in Siemens Healthineers AG.

Cybersecurity Policy

The Siemens Healthineers global Cybersecurity Management System includes the Information Security and the Privacy Information Management System for the company. It covers Governance and Assurance by the central groups for Cybersecurity and Data Protection from its Erlangen locations.

FAQ

Cybersecurity incidents can lead to hospitals operating on emergency services, the theft of sensitive patient data, and vulnerabilities in medical devices, potentially causing severe or fatal consequences. This is why Siemens Healthineers takes Cybersecurity in healthcare very seriously and constantly drives improvement in our processes.

Cybersecurity is critical to ensuring the safe and reliable operation of medical devices. Vulnerabilities in the operating environment can lead to data breaches, device failures, or unauthorized manipulation, directly endangering patient lives. 

We implement a comprehensive range of cybersecurity measures, including stringent policies, firewalls, encryption protocols, regular security audits, and employee training programs. Siemens Healthineers is committed to protecting sensitive data.

All employees must undergo regular Cybersecurity training. This covers topics such as recognizing phishing attacks, using secure passwords, as well as classifying and protecting sensitive data.

Siemens Healthineers' global Cybersecurity Management System is ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certified. We maintain compliance with legal requirements and privacy regulations to be a reliable partner for business partners and patients.

Incident management - Reporting Cybersecurity Incidents

Experiencing a cybersecurity incident with your equipment?


We are committed to offering fast support when our customers are experiencing a cybersecurity incident in their infrastructure. We treat these reported events as potential safety issues. Our response aims to limit any potential damage:

  • We perform technical evaluations of the incident and its impact, prioritize containment, and share relevant information in an effective manner.
  • We offer support with forensic analyses to identify the root cause and help minimize reoccurrence of future incidents.
  • We offer support with restoring equipment to a fully functional state.


You can request support via teamplay Fleet or call your local Customer Care Center.

Reporting a cybersecurity incident in Siemens Healthineers infrastructure?


Please report any cybersecurity events or incidents affecting our infrastructure or digital solutions to our Cybersecurity Incident Response Team (CSIRT) via PGP encrypted email:


If you are a supplier or business partner of Siemens Healthineers and a cybersecurity incident is affecting us, please notify our Cybersecurity Incident Response Team via PGP encrypted email as detailed above.


Vulnerability management

We take our commitment to competent vulnerability management very seriously. Valuing the trust of our customers and stakeholders, we want to state our readiness to address potential vulnerabilities swiftly and effectively, minimizing any potential impact.


Coordinated Vulnerability Disclosure

  • Siemens Healthineers encourages everyone to report vulnerabilities, regardless of service contracts or product lifecycle status.
  • We welcome vulnerability reports from researchers, industry groups, CERTs, partners, and any other source.
  • Siemens Healthineers respects the interests of the reporting party (also anonymous reports if requested) and agrees to address any vulnerability that is reasonably believed to be related to Siemens Healthineers products or components.
  • Siemens Healthineers advises coordinated disclosure to prevent ‘0-day’ events that endanger customer systems and hospitals.
  • Siemens Healthineers urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts our customer systems and client hospitals at unnecessary risk.


The reporting process at Siemens Healthineers currently follows the Siemens AG process for Coordinated Vulnerability Disclosure. This process begins by emailing one of the email addresses below. For a more detailed description of the process please visit the Siemens Vulnerability Handling and Disclosure website.



Our Vulnerability Management Two-Pager

Third-party components in our products are monitored for vulnerabilities and evaluated for impact. This process takes into account FDA post-market guidance and industry best practices and consists of several phases. This two-pager describes the process.

Publications

This section provides the company’s statements regarding cybersecurity emergency topics. Additionally, we publish security advisories and bulletins on an ongoing basis to notify you about any validated security vulnerabilities pertaining to Siemens Healthineers products. Mitigation may involve applying an update, performing an upgrade, or other actions on your part. Please visit the Siemens Healthineers teamplay Fleet customer online portal for more information.