CyberSecurity and Privacy

Healthcare IT professionals should take the time to review Carestream Health's product security documentation, these documents provide a high-level overview of the security configurations related to the operating systems for our products. Additional documentation assists customers in their purchasing decision related to the requirements and product capability specified by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Many International security regulations require healthcare providers and payers to protect patient information from improper access, modification, and catastrophe loss. Carestream Health is committed to providing industry leading security capabilities in our products and service delivery

Product Security

Healthcare IT professionals should take the time to review Carestream Health's product security documentation, these documents provide a high-level overview of the security configurations related to the operating systems for our products. Additional documentation assists customers in their purchasing decision related to the requirements and product capability specified by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Many International security regulations require healthcare providers and payers to protect patient information from improper access, modification, and catastrophe loss. Carestream Health is committed to providing industry leading security capabilities in our products and service delivery.

Manufacturers Disclosure Statement for Medical Device Security (MDS²)
The Manufacturers Disclosure Statement for Medical Device Security provides customers with HIPAA-related security information about their products and services. The MDS ² is endorsed by the American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA).

Carestream Health is an active member of the Medical Device Security Workgroup and supports the use of the MDS ². For greater details, go to Manufacturer Disclosure Statement for Medical Device Security. The following links contain product security information outlined in the MDS ².

Our current-generation digital medical products carry the CARESTREAM brand, except in a few instances where we will continue to license the KODAK brand. for use on selected products. While we no longer market previous-generation products carrying the KODAK brand, we will continue to provide technical/support information -- like that contained below -- to customers who previously purchased these products.

Digital Capture Systems 

• Carestream MDS² DRX Revolution ImageView (PDF)
• Carestream MDS² DR SW V5.7 (PDF)
• Carestream MDS² DR SW V5.6 (PDF)
• CARESTREAM ImageSuite 4.0 MDS² (PDF)
• Digital Capture Systems Carestream MDS² for DR SW V5.3 (PDF)
• Carestream MDS ²  for CR SW V5.7 (PDF)
• Carestream MDS ²  for CR SW V5.2 (PDF)
• Carestream MDS ² for Classic, Elite, 975, 950, 850, 825 CR SW V5.1 (PDF)
• Point-of-Care CR 120/140/260 System (PDF)
• Point-of-Care CR ITX560 System (PDF)
• Carestream MDS ² for DRX-Evolution (PDF)
• Carestream MDS² for DRX-1 Detector System (PDF)
• Carestream MDS ² for DRX-1 Mobile Retrofit Kit (PDF)
• Carestream MDS ² for all DR-DRX - Software Version 5.5 (PDF)
• Carestream MDS ² form for DRX-Excel V1.13 (PDF)
• Carestream MDS ² for DRX-Excel, DRX-Excel Plus V1.09 (PDF)

Legacy Digital Capture System Statements

• Carestream MDS² for CR Software V4.6 (PDF)
• MDS ² Form for CR 500-975 and ROP SW v4.5 (PDF)
• MDS ² Form for 500-850-950 and ROP SW v4.3 (PDF)
• Point-of-Care CR 360-260-140-120 System SW v3.0 (PDF)
• MSD² for DR9500 SW v4.5 (PDF)
• MSD² for DR7500 SW v4.0 (PDF)
• MDS² for DR 3000, DR 3500 SW 3.0.x, 3.5.x (PDF)
• MDS² Form for DR 5000-9000 SW v2.0 (PDF)

Ultrasound

• MDS² for Touch Prime and Touch Prime XE Form (PDF) 

Cone Beam CT (CBCT)

• OnSight 3D Extremity ImageView V1.1 (PDF)
• OnSight 3D Extremity ImageView V1 (PDF)

Digital Output Systems

• HG MDS ² Form for DRYVIEW 6950(PDF)
• HG MDS ² Form for DRYVIEW 5700 (PDF)
• HG MDS ² Form for DRYVIEW 5950 (PDF)
• HG MDS² Form for DRYVIEW 5850 (PDF)
• HG MDS ² Form for 5800 (PDF)
• HG MDS ² Form for 6800 (PDF)
• HG MDS ² Form for DRYVIEW 6850 (PDF)
• HG MDS ² 8300 8610 (PDF)
• HG MDS ² Form for 8100 8200 (PDF)
• HG MDS ² Form for 8150 (PDF)
• HG MDS ² Form for 8500 8700 (PDF)
• HG MDS ² Form for 8800 (PDF)
• HG MDS ² Form for 8900 (PDF)
• HG MDS ² Form for PACS Link 25 Print Server r3 (PDF)
• HG MDS ² Form for PACS Link MIM 100 r3 (PDF)
• HG MDS ² Form for PACS Link MIM 200 r3 (PDF)
• HG MDS ² Form for CMI1000 (PDF)

Healthcare Information Solutions

• CARESTREAM PACS V11.0 MDS ²

To our customers, Carestream Health provides documentation below of our product security assessments.

Digital Capture Systems

• Capture Link Server V1.00 (PDF)
• CR V4.31 (PDF)
• DR V2.0 (PDF)
• CR Systems with Software V4.1 (PDF) 
• DIRECTVIEW CR System Software Version 5.1 (PDF)
• CR Systems, Software V3.x.x, V2.2.1 and DR Systems, Software V1.x.x (PDF)

Digital Output Systems (PDF)

• Medical Image Manager (MIM) V6.1.1 (PDF)
• DRYVIEW 8150 Imager (PDF)
• DRYVIEW 8900 Imager (PDF)
• Color Medical Imager 1000 software v1.1 (PDF)

General Data Protection Regulation "GDPR"

There is a new European Privacy initiative--the General Data Protection Regulation "GDPR". This initiative takes effect on May 25, 2018. Please read closely the Annex which is incorporated into the agreement your company may have with Carestream.

• Carestream GDPR Annex Compliance with the EU General Data Protection Regulation

HIPAA Overview

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law August 21, 1996. This legislation affects nearly everyone involved in healthcare from providers to healthcare information systems vendors. HIPAA contains provisions for:

• Portability of insurance coverage as employees move from one employer to another.
• Protection of patient-identifiable data from inappropriate disclosure and the type of information that must be protected and the circumstances.
• Defined policies, analyses, practices, and mechanisms that must be conducted to ensure the privacy of “protected health information” (PHI) is maintained.
• Government-mandated standards for electronic transactions, code sets and identifiers.

Related Resources:

• Carestream HIPAA Overview (PDF)
• Carestream Dental HIPAA Compliance Information

Carestream HIPAA Business Associate Agreements

Carestream business associates must comply with HIPAA regulations. Please contact your local sales representative or contract manager for information about the provisions and terms in their agreement.

Correspondence should be mailed to:

Carestream Health, Inc.
Attn: US&C Contract Management
150 Verona Street
Rochester, NY 14608

Related Documents: 

• Carestream HIPAA Compliance Business Associates Agreement (PDF) 

Carestream Product Security Policy 

Carestream Health is committed to providing secure products and services to our customers and patients. We strive to maintain and improve the security of our medical devices and systems throughout the product lifecycle, including the use of the following practices as applicable:

• Security by design
• Security risk management
• Secure coding practices
• Security scanning and testing practices
• Vulnerability intake and handling practices
• Third party software vulnerability monitoring
• Patch management
• Information sharing with industry-appropriate organizations such as H-ISAC
• Event and Incident response practices

Carestream Health recognizes the need to share security-relevant information to better understand threats and protect our customers, patients and the overall healthcare infrastructure. We also are dedicated to ensuring our customers receive information related to vulnerabilities and any appropriate actions that need to be taken to assure the confidentiality, integrity and availability of our products and services. In order to fulfill these commitments, Carestream Health is engaged in efforts to foster global programs for communication, event handling and information sharing.

Coordinated Vulnerability Disclosure

Independent cybersecurity researchers are a valuable source of information on the security posture of many manufactured products. It is Carestream’s goal to cooperate and coordinate with these researchers regarding vulnerabilities they discover within our products. The information below describes the Coordinated Vulnerability Disclosure process by which independent cybersecurity researches may collaborate with us on reporting of medical device vulnerabilities.

Scope

The scope of Carestream’s Coordinated Vulnerability Disclosure process includes the following product families:

• Diagnostic Imaging Systems
• Healthcare Information Systems (PACS/RIS)
• Digital Printers

We ask that all security researchers submit vulnerability reports only for all Carestream products.

This reporting process is not to be used to report Product Quality Complaints or to request Technical Support. Please visit the following site for those types of engagements: https://www.carestream.com/en/us/services-and-support. Please also visit this site for security questions or comments about other Carestream products.

Important Legal Information

Carestream Health will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting Form and abide by the agreements outlined as part of this form submission process. We openly accept reports for all Carestream products. We agree not to pursue legal action against individuals who:

• Engage in testing of systems/research without harming Carestream or its customers.
• Perform tests on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
• Engage in vulnerability testing within the scope of our vulnerability disclosure program in accordance with the terms and conditions of any agreements entered into between Carestream and individuals.
• Adhere to the laws of their location and the jurisdictions in which Carestream operates. For example, violating laws that would only result in a non-criminal claim by Carestream may be acceptable, as Carestream is authorizing the activity (reverse engineering or circumventing protective measures) to improve its systems.
• Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Procedure to Submit a Vulnerability

• To submit a vulnerability report to Carestream’s Product Security Team, please submit this form with a brief description of your discovery. Carestream will send a timely response to your submission (typically within five business days).
• Independent cybersecurity researchers who discover and submit a vulnerability report to us may choose to receive credit after the submission has been accepted and validated by our product security team.

Preference, Prioritization and Acceptance Criteria

Carestream will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

• Well-written reports in English will have a higher chance of resolution.
• Reports that include proof‐of‐concept code equip us to better triage issues.
• Reports that include only crash dumps or other automated tool output may receive lower priority.
• Please include how you discovered the vulnerability, the impact and any potential remediation.
• Please include any plans or intentions for public disclosure.

What you can expect from us:

• A timely response to your email (typically within five business days)
• After triage, we will send an expedited projected timeline and commit to being as transparent as possible about the remediation timeline, as well as on issues or challenges that may extend it.
• An open dialog to discuss issues.
• Notification when the vulnerability analysis has completed each stage of our review.
• Credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.

This webpage was reviewed and/or updated on 1/18//2019