Product Security

Product Security Bulletins

  • There are currently no Product Security Bulletins.

Request a Document

To request Outset’s document(s) listed below, reach out to 844-MYTABLO (844-698-2256), option 5, along with your business contact information (i.e., your name, role, company, e-mail address, and phone number) or contact your Outset sales or service representative.

Product Security Questions

Customers with specific questions about any Outset product can reach out to 844-MYTABLO (844-698-2256), option 5 or contact their Outset sales or service representative.

Global Privacy Policy

Outset has established a Privacy Policy to reflect the foregoing principles, which are a key part of Outset company culture and operations.

For further information visit https://www.outsetmedical.com/privacy-policy/

Coordinated Vulnerability Disclosure Process

We are committed to designing, manufacturing, and maintaining safe and secure medical devices and understand that cybersecurity threats and vulnerabilities change rapidly. Therefore, we are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process outlined below.

Scope

Outset created this coordinated disclosure process for security researchers to report potential vulnerabilities related to Outset’s commercially available products.

How to Submit

If you have discovered a potential vulnerability related to an Outset product, we ask you to submit your report through the following link:

MedISAO – Vulnerability Disclosure Form

Please include the following information:

  • Contact information so we can get in touch with you (contact email address).
  • Vulnerability CVE ID or CVSSv3 score.
  • When and where the vulnerability was discovered.
  • Technical description of the vulnerability and environment in which it was discovered.
  • Details of the affected product (including serial number, lot number, software version).
  • Specific impact and how you envision this vulnerability could be used in an attack.
  • Information about the tools and techniques you used to discover this vulnerability.
  • Any proof of concept or exploit code.
  • Prior or intended disclosure of vulnerability information to other parties (e.g. regulators, vulnerability coordinators, vendors).

Please do not include any personal information, such as sensitive/health information.

What Outset Will Do

  • We will acknowledge receipt of the report within 5 business days.
  • We will escalate the report to the appropriate team to verify the reported event. You may be contacted during this time to support our investigation efforts.
  • We will evaluate the reported event and conduct a risk analysis to determine appropriate action to take.
  • If Outset determines the issue warrants disclosure, we will publish a notification on this page, and/or we will report it to the appropriate external parties such as Information Sharing and Analysis Organizations (ISAOs) as applicable per Outset’s disclosure procedures.

Additional Information for Security Researchers

Please conduct testing only in secure environments, in compliance with the following:

  • Complying with all laws and regulations.
  • Avoiding any testing that could hurt patients, cause a privacy issue, or damage equipment.
  • Avoiding testing on devices in use or software that is in a production environment.
  • Avoiding actions taken to exploit any vulnerability.
  • Avoiding action that could make changes to a product or system after the test is completed.

Notice

By submitting information through this process, you agree that it will be considered non-proprietary and non-confidential, and that Outset is permitted to use the information in any manner, in whole or in part, without any restriction. You also agree that submitting such information does not create any rights for you or any obligations for Outset.

Cybersecurity Design

We have developed a cybersecurity framework to provide a consistent cybersecurity approach that addresses security concerns for medical device design and engineering, that is based on industry standards and best practices, and that addresses the demands of a rapidly evolving cybersecurity landscape.

Our framework helps us track, prioritize, and manage identified cybersecurity risks through a detailed definition, categorization, and a risk assignment based on potential safety impact and exploitability, which informs acceptance, mitigation, or remediation actions that should be undertaken.

We have operationalized processes to help us identify, assess, manage, and mitigate reasonably foreseeable risks from potential cybersecurity threats in areas including:

  • Privacy and security by design
  • Product and supplier risk assessment
  • Vulnerability and patch management
  • Secure coding practices and analysis
  • Information sharing through public and private organizations
  • Vulnerability scanning
  • Access controls
  • Incident response management
  • Clear paths for two-way communication between customers and Outset Medical

It is critical to ensure that any medical devices impacting patient health and safety are operated, deployed and managed in a safe, secure, and reliable manner. This framework ensures that our products are developed consistently with cybersecurity capabilities built into the medical device to meet our requirements.

Responsive & Transparent

We are committed to providing transparent information to our customers about product security. In an effort to share information, we provide a Manufacturer Disclosure Statement for Medical Device Security (MDS2) which contains important cybersecurity design features such as:

  • Audit Controls
  • Authorization
  • Data Backup and Disaster Recovery
  • Malware Detection/Protection
  • System and Application Hardening
  • Transmission Confidentiality and Integrity

In addition to the information provided in the MDS2, we provide cybersecurity information in our cybersecurity white paper, user manuals, and customer communications.

Partnerships

The healthcare ecosystem is complex. Ensuring patient safety and product security needs industry-wide collaboration. Strong partnerships are essential for better security and there are several organizations that we work with to gather and share cyber information, such as:

  • MedISAO
  • Cybersecurity and Infrastructure Security Agency (CISA)