CardioVis

Our Approach to Security

CardioVis takes the cybersecurity of our products and services seriously. We recognize that our AI-powered surgical support technology operates in safety-critical healthcare environments, and we are committed to building, maintaining, and improving security throughout the product lifecycle.

Our approach is guided by industry standards and best practices for medical device cybersecurity, including frameworks outlined by the U.S. Food and Drug Administration (FDA), the National Institute of Standards and Technology (NIST), and applicable international standards such as IEC 62443 and ISO 27001.

Security by Design

Security is integrated into every stage of our product development and deployment process:

Threat modeling: We identify and assess potential security threats during the design phase to proactively address risks before they reach production.
Secure development practices: Our engineering teams follow secure coding standards, conduct code reviews, and employ static and dynamic analysis tools.
Data protection: Patient and clinical data processed by our systems is encrypted in transit and at rest using industry-standard cryptographic protocols.
Access controls: Our products implement role-based access controls and authentication mechanisms appropriate for clinical environments.
Supply chain security: We evaluate and monitor the security posture of third-party components, libraries, and services integrated into our products.

Vulnerability Management

We maintain an active vulnerability management program that includes:

Continuous monitoring of known vulnerability databases (e.g., CVE, NVD) for issues affecting our products and their components.
Regular security assessments, including penetration testing, of our systems and infrastructure.
A structured process for evaluating, prioritizing, and remediating identified vulnerabilities based on clinical risk and exploitability.
Timely communication of relevant security updates and patches to customers and stakeholders.

Coordinated Vulnerability Disclosure

We support and encourage responsible security research. If you believe you have identified a potential security vulnerability in a CardioVis product, service, or website, we ask that you report it to us through our coordinated disclosure process.

When submitting a report, please include:

A description of the vulnerability and its potential impact.
Steps to reproduce the issue, if possible.
The affected product, service, or system component.
Your contact information (optional, but helpful for follow-up).

Please submit vulnerability reports to: [email protected]

We will acknowledge receipt of your report promptly and work with you to understand and address the issue. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it.

Incident Response

CardioVis maintains an incident response plan to detect, contain, and remediate cybersecurity events. In the event of a security incident that may affect the safety or privacy of patients or clinical operations, we will:

Promptly investigate the scope and impact of the incident.
Notify affected customers and relevant regulatory authorities as required by applicable law and regulation.
Provide guidance on any recommended mitigation actions.
Conduct a post-incident review to improve our security posture.

Customer Responsibilities

Maintaining the security of medical technology is a shared responsibility. We recommend that our customers and partners:

Apply software updates and security patches in a timely manner.
Follow institutional cybersecurity policies and network segmentation best practices.
Restrict physical and network access to CardioVis products to authorized personnel.
Report any suspected security issues promptly to our security team.

Contact

For security inquiries, vulnerability reports, or general questions about our product security practices:

CardioVis, Inc.
Email: [email protected]