Global Product Security Policy
Olympus Product Security Policy
Stakeholders within the healthcare industry share responsibility for the security of medical devices and the software they contain. Recognizing this, Olympus consistently strives to enhance the security of its products. This policy describes Olympus's approach to product security for the products and services developed by Olympus. The approach follows globally recognized standards and regulations and divides product security into two categories: Pre-Market Product Security Activities and Post-Market Product Security Activities. Olympus complies with the relevant product security laws and regulations in each country and region.
Pre-Market Product Security Activities
Cyber Security Risk Management
Olympus follows a risk-based approach to proactively identify, analyze, evaluate, control, and monitor cybersecurity threats pertaining to the confidentiality, integrity, and/or availability of the Olympus products.
Secure Development and Coding
Olympus has defined security development and coding standard(s) consistent with current best practices related to design and implementation of secure software systems.
Threat Modeling
Olympus performs threat modeling to inform and support cybersecurity risk management activities, for the purpose of identifying and assessing any cybersecurity threats and their appropriate control mechanisms within the total product life cycle (TPLC).
Security Testing
Olympus performs various forms of cybersecurity testing to identify technical risks, threats, and vulnerabilities within Olympus products. These findings are then integrated into the cybersecurity risk management process to be assessed and controlled as determined necessary.
Customer Security Documentation
Olympus creates and distributes relevant security documentation (including the Product Security White Paper, SBoM, and MDS2) that accurately communicates the relevant cybersecurity information to customers, relevant stakeholders, and regulatory bodies, enabling the ongoing safe and effective use of the product in the presence of cybersecurity risks.
Post-Market Product Security Activities
Education and Training
Olympus provides education and training to its personnel on cybersecurity knowledge, techniques, and skills related to their specific function and/or role.
Monitoring
- Threat and Vulnerability Intelligence
Olympus identifies, assesses, and reports emerging threats, vulnerabilities, and related risks to Olympus products in a proactive, traceable, and repeatable manner.
PSIRT
Olympus has established a global PSIRT (Product Security Incident Response Team) that coordinates the following:
- Information Sharing
Proactively ensures that consistent, current, and accurate cybersecurity information is provided to Olympus customers and other relevant stakeholders.
- Vulnerability and Patch Management
Handles and tracks vulnerabilities and related risks throughout the vulnerability lifecycle and provides timely cybersecurity patches intended to minimize exploitation and mitigate the vulnerability/risk to an acceptable level.
- Incident Response
Addresses cybersecurity incidents to minimize loss, restore operations, report to relevant internal stakeholders, and provide timely notifications and disclosures as required by contractual commitments and/or regulatory bodies.
- Coordinated Vulnerability Disclosure
Coordinates the disclosure of any confirmed vulnerabilities contained within an Olympus product, including the mitigation/remediation plan for the vulnerability, to affected customers and other relevant stakeholders.