Our product security commitment
We are committed to ensuring the safety, effectiveness and security of our products. Cybersecurity of our products and our customers' infrastructure is an integral part of our focus.
Latest security advisories
None identified to date.
Affected products information
XX will reach the end of standard support on Month, Date, Year (XXX, XX, XXXX). We are providing you with a XX-month notice, so you have sufficient time to upgrade your operating system.
We recommend that you upgrade your operating system to the latest version of XXX (currently XX X.X) or higher, at your earliest convenience before Month, Date, Year (XXX, XX, XXXX). Upgrades may be performed by navigating to the settings in your operating system and determining whether an upgrade is required. You may also need to upgrade your hardware, depending on whether the OS (Operating System) continues to support it. The amount of downtime your system will experience depends on the upgrade technique chosen.
We will send you updates and reminders throughout the year prior to the end of the standard support deadline. You can find additional information needed to plan your upgrade in our 'User Guide for Frontier X Plus'.
Should you have any questions or concerns, contact firstname.lastname@example.org.
Product vulnerability disclosure reporting
Security researchers play a role in identifying cybersecurity vulnerabilities and concerns. Our goal is to effectively partner with the research community to understand their findings. We are introducing our initial Coordinated Vulnerability Disclosure Process to promote collaboration and reporting of medical device vulnerabilities as described below.
The scope of our vulnerability reporting program includes Medical Devices and associated accessories. It is not intended to provide technical support information on our products or for reporting Adverse Events or Product Quality Complaints.
To report an Adverse Event or Product Quality Complaint, please contact us at email@example.com
How to submit a vulnerability
If you have identified a potential security vulnerability with one of our Medical Devices or associated accessories, please submit a vulnerability report to Fourth Frontier’s Product Security Team by completing the following form and emailing the completed document to firstname.lastname@example.org
We will not engage in legal action against individuals who submit reports through our Vulnerability Reporting process and enter into a legal agreement with us. We agree to work with individuals who:
- Engage in testing of systems/research without harming Fourth Frontier or its customers.
- Perform tests on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program in accordance with the terms and conditions of any agreements entered into between Fourth Frontier and individuals.
- Adhere to the laws of their location and the location of Fourth Frontier. For example, violating laws that would only result in a claim by Fourth Frontier (and not a criminal claim) may be acceptable as Fourth Frontier is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details before any mutually agreed-upon timeframe expires.
Preference, prioritization, and acceptance criteria: We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Reports written in English.
- Reports that include proof‐of‐concept code, which will better equip us to triage.
- How you found the vulnerability, the impact, and any potential remediation.
- Any plans or intentions for public disclosure.
Note: Reports that include only crash dumps or other automated tool output may receive lower priority.
What you can expect from us:
- A timely response to your email (within 7 business days).
- We will direct the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.
- We will, following investigation of a report, confirm the existence of the vulnerability and the potential impact. If the identified vulnerability is determined to impact patient safety, we will work expeditiously to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed based upon the associated risk.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Credit after the vulnerability has been validated and resolved, if desired.
- We are committed to being as transparent as possible about the remediation timeline and issues or challenges that may be involved.
- If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.
All aspects of this process are subject to change without notice and to case-by-case exceptions. No particular level of response is guaranteed.
In the event you decide to share any information with Fourth Frontier, you agree that the information you submit will be considered non-proprietary and non-confidential and that Fourth Frontier is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Fourth Frontier.
Manufacturer Disclosure Statement for Medical Device Security
As part of our commitment to product security and customer service, we supply our customers with information to help them assess and address the vulnerabilities and risks.
Specifically, we use the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide security information about our products.
The MDS² contains product-specific security information related to the capabilities of the devices, such as:
- Maintaining, storing, and transmitting ePHI
- Data back-up and removable media capabilities
- Installing security patches and anti-virus software
- Remote service access
- Audit logs of ePHI access including: viewing; creating, modifying, and deleting records; importing/exporting
The MDS², a universal reporting form which allows us to supply our customers with model-specific information, is endorsed by the American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA), and the Healthcare Information and Management Systems Society (HIMSS).
The form also contains security practice recommendations and explanatory notes from the manufacturer.