
Product Security and Privacy Statement

A Note from the CISO

Cybersecurity is one of the most critical issues impacting the healthcare industry. At BD, we maintain an unwavering commitment to security by design, in use and through partnership. We strive to ensure our products, systems and customer environments maintain high security standards so our customers can focus on what matters most: caring for patients.

While we maintain robust security protocols, we also recognize that new security threats emerge daily, from attempts to compromise healthcare data to coordinated efforts to disrupt clinical workflows or manufacturing. We recognize that our customers cannot protect what they don’t know. That’s why we believe transparency and collaboration are essential. As we build a strong community of practice, working closely with our customers, industry regulators, and security researchers, we’re improving cybersecurity and resilience across the industry.

– Rob Suárez, Vice President and Chief Information Security Officer

Our Priorities
Security by design
BD products and systems are designed to be secure and are developed using industry-leading cybersecurity standards, including those from ISO and NIST.
Security in use
BD products and systems are secured and maintained throughout their intended life cycle, across all technologies and sites.
Security through partnership
BD maintains a culture of transparency and collaboration with customers and industry stakeholders to establish industry best practices.
Our Framework

BD Cybersecurity Framework

BD utilizes a framework to incorporate cybersecurity into our processes for product design, manufacturing, customer support and enterprise systems. Our framework has been aligned to various industry work products including the HSCC Joint Security Plan, NIST Cybersecurity Framework, ISO 27001, UL 2900 and ISA 62443.

Certifications and Attestations

Access BD cybersecurity resources

BD recognizes the value to our customers of independent cybersecurity attestation. Each year a range of third-party audits is performed on BD products and internal cybersecurity controls. To demonstrate our commitment to product security and the protection of customer data, BD makes these industry-recognized certifications and attestation reports available to customers.

BD maintains a SOC2+ program for multiple BD products that collect and process patient health information in accordance with the HIPAA security rule. These annual audits address the Trust Principles for Security and, for our cloud-based products, Availability. These reports are prepared by an independent third party and provide assurance regarding the operational effectiveness of BD internal controls and the security of BD products.

UL CAP, which stands for Underwriters Laboratories Cybersecurity Assurance Program, is an independently audited certification that demonstrates the cybersecurity of medical device products through a rigorous program of analysis. UL CAP cybersecurity testing is extensive and challenges BD products against known cybersecurity vulnerabilities, malware, malformed input (fuzz testing), structured penetration, static source code analysis, static binary and bytecode analysis, and verification of security controls (access control, user authentication and authorization, remote communication, cryptography and software updates).

BD maintains Product Security White Papers for its software-enabled products. The purpose of these documents is to provide details on how BD security and privacy practices have been applied and what our customers should know about maintaining security throughout the entire product lifecycle. Each white paper includes a Manufacturer Disclosure Statement for Medical Device Security (MDS2 attestation).

Download and Request Information

SOC2+ reports and Product Security White Papers are restricted to existing BD customers and can be requested below. UL CAP certificates display the scope (product and version), validity period, and certifying UL Manager and can be downloaded below. Prospective customers that wish to obtain copies of SOC2+ reports or Product Security White Papers can request these from their sales representative following approval of a Confidential Disclosure Agreement (CDA). Select the documents you would like to access and use the icons at the bottom of the page to trigger the download or request.

Process Overview

Coordinated Vulnerability Disclosure

BD has established a routine practice of seeking, communicating, and addressing cybersecurity issues in a timely fashion. Vulnerability disclosure is an essential component of our approach to transparency, enabling customers to manage risk properly through awareness and guidance.

Report
Analyze
Coordinate
Disclose

BD welcomes vulnerability reports from security researchers, customers, third-party component vendors and other external groups that wish to report a vulnerability in a BD software-enabled device.  

Cybersecurity Annual Report

Find out how BD is advancing the world of health™ by driving collaboration across the industry, supporting our customers, and addressing the most pervasive cybersecurity challenges impacting the infrastructure of healthcare around the world.

News and Media

Report a potential product-related security issue, such as an incident..