Cybersecurity

We endeavor to bring the latest technology to our products in a safe and secure manner. In doing so, we strive to integrate both privacy and information security into our products and services. LivaNova is subject to various local and international laws that protect the privacy and confidentiality of certain patient health information, including patient medical records, and that restricts the use and disclosure of patient health information. We work to comply with various privacy standards and to adapt our business processes to ensure that the safety of our products and patients’ information remain at the core of what we do.

We have dedicated resources and processes to help prevent, detect, and respond to cyber threats. Our information security team, led by the Chief Information Security Officer (CISO), manages our Information Security Management System (ISMS) with the objective of strengthening our cyber resiliency. Our ISMS strengthening plans consider leading industry standards, such as the NIST cybersecurity framework, ISO 27001, COSO, and other security controls to apply across our business.

On a quarterly basis, the CISO presents key security metrics to various governing bodies internal to LivaNova, including but not limited to the Audit and Compliance Committee and Company management. We maintain a structured cyber incident response program and strive to continually improve our cyber resiliency strategy, including performing periodic simulation exercises for our security responders. We routinely engage third-party experts to assess our IT infrastructure and the strength of our security program to identify and remediate potential vulnerabilities, in addition to deploying security tools with 24/7 monitoring.

We publish our security and acceptable use policies on our company intranet and require annual certification alongside our Code of Conduct. We conduct frequent security awareness initiatives to keep our employees and contract workers abreast of the evolving security challenges, and we provide communication avenues for all our employees and contract workers to report security incidents through our global IT help desk.

LivaNova believes in strong partnership between different stakeholders in the healthcare industry to improve privacy and security of healthcare solutions. Our security and privacy teams work closely with healthcare industry organizations to ensure patient information is protected and our products are safe and secure. To achieve greater security, we partner with several organizations to gather and share cyber information, including, but not limited to:

	Advanced Medical Technology Association (AdvaMed) AdvaMed advocates for patient access to safe, effective, and innovative medical technologies that save and improve lives.
	Health Information Sharing and Analysis Center (H-ISAC) H-ISAC is a global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating, and sharing vital physical and cyber threat intelligence and best practices with each other.
	Health Sector Coordinating Council (HSCC) HSCC serves as a public-private partnership focused on improving the resilience and security of the healthcare and public health sector.

We take our responsibility to protect patient data and ensure the safety and security of our products very seriously. We are continually improving security controls of our products and services. Customers should refer to the latest product specific documents for individual product capabilities. If you have any questions or concerns about our security practices, please do not hesitate to contact our Trust Center.

At LivaNova, we prioritize supporting our customers’ security diligence. To facilitate this, we have established our Trust Center dedicated to addressing security-related inquiries. Customers are encouraged to contact us at trustcenter@livanova.com as needed.

LivaNova Coordinated Vulnerability Disclosure (CVD) Statement

Last updated: Oct 9, 2023
 
LivaNova values and encourages responsible reporting of potential vulnerabilities identified by security researchers and customers. If you have identified a potential security vulnerability, you can submit a report of your findings according to the process outlined in this CVD Statement.

Scope of the CVD Program

LivaNova’s vulnerability disclosure program covers our medical devices, supporting software, web services and mobile applications. This program is not for product technical support or quality complaints; instead, please contact LivaNova Customer Quality or Clinical Technical Services. This program also does not cover LivaNova websites and other enterprise assets.

How to submit a vulnerability report

Please prepare a vulnerability report with the following information:

Note that all information submitted to LivaNova must be encrypted with our PGP key. Please provide the report in English whenever possible.

1.    A technical description of the vulnerability, including:

• The suspected vulnerability.
• The potentially affected product(s), service(s) or application(s), including name and version number, the technical infrastructure used, including operating system and version, and other related information such as network configuration details.
•  For web-based services, the date and time of testing, URLs, browser type and version, and the input provided to the application.
• Reproducible steps regarding the suspected vulnerability, to facilitate analysis or investigation of the report.

2.    Any additional information that may be relevant, including: 

• The tools used to conduct the testing and the test configurations. If you used specific proof-of-concept or exploit code, please provide a copy.
• Whether you identified specific vulnerability threats, assessed the risk, or have seen the vulnerability being exploited.

3.    Whether you notified any vulnerability coordinators (such as ICS-CERT, CERT/CC), including the agency and any tracking number.
4.    Your contact information, including your name, organization and email address.

Email the vulnerability report to LivaNova at productsecurity@LivaNova.com using our PGP public key to encrypt your message. Our public key can be found on PGP public key server (keys.openpgp.org) using the fingerprint 6F4ACC4871FE987AC58D5427D928D3B2EA1C7B40.

Submit only one vulnerability per report, unless you need to connect vulnerabilities to demonstrate their impact.

What you can expect from us

1.    LivaNova will acknowledge receipt of your report within 5-7 business days.
2.    We will take steps to review and investigate the report, as appropriate, and contact you if additional information is required.
3.    If the vulnerability is in a third-party component, we will refer your report to the third party and advise you of that notification. You should work directly with the third party regarding any further status or actions related to your report. We cannot and do not authorize security research involving other entities.
4.    We will provide you with a summary of our findings related to your report.
5.    If the report results in a public disclosure by LivaNova, we can publicly acknowledge the researcher(s) who made the relevant vulnerability report, if you would like to be acknowledged. LivaNova will determine, in its sole discretion, whether public recognition for resolved vulnerabilities will be provided.  In so doing, we will take into consideration, among other factors, whether you complied with this Statement and the contribution to product security.

What we expect from you

When conducting vulnerability testing and reporting potential security vulnerabilities to LivaNova, we request that you:
1.    Comply with all laws, regulations, our Terms of Use and industry standards. 
2.    Do not engage in testing which may impact customers’ or patients’ privacy or safety or patient care.
3.    Do not include sensitive information, personally identifiable information or protected health information in your report or supporting documentation.
4.    Cooperate with LivaNova regarding the release of information, to comply with regulatory requirements and minimize risks to patient safety and privacy.

In particular, please adhere to the following guidelines when performing vulnerability testing:
1.    Do not perform any testing on products actively used in patient care.
2.    Do not attempt to gain physical access to any of our facilities. 
3.    For web-based products, use demo/test environments.
4.    Do not take advantage of the potential vulnerability or utilize a vulnerability or repeatedly access the system beyond what is necessary to identify the potential vulnerabilities. For example, do not download more data than is necessary to demonstrate the vulnerability or delete or modify data. 
5.    Do not damage or alter product or system functionality, make any changes to the system, or build a backdoor in the system in order to demonstrate the vulnerability.
6.    Do not use brute force attacks or social engineering to gain access to the system, or share your access with third parties.

Important:

If you share any information with LivaNova, you agree that LivaNova is allowed to use such information in any manner, in whole or in part, without any restriction, and the information will be considered as non-confidential and non-proprietary to you. You also agree that submitting information does not create any rights for you or any obligation for LivaNova.

LivaNova reserves the right to change or modify this statement at any time and in our sole discretion. By contacting us, you agree that all communications will be governed by this statement, the Privacy Notice and Terms of Use.