CYBERSECURITY AND PRIVACY
CyberSecurity and Privacy
Carestream's commitment to product security
The rapid adoption of electronic medical records and demand for greater access to patient services requires the highest data protection standards. Ensuring patient privacy and trust is critical. Carestream delivers product security that helps you achieve compliance with HIPAA, PIPEDA, EU Directive or additional regulations in your country. Together we can increase patient safety and meet clinical and business needs for confidentiality, integrity, availability and accountability in radiology workflow.
Product Security
Healthcare IT professionals should take the time to review Carestream Health's product security documentation, these documents provide a high-level overview of the security configurations related to the operating systems for our products. Additional documentation assists customers in their purchasing decision related to the requirements and product capability specified by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Many International security regulations require healthcare providers and payers to protect patient information from improper access, modification, and catastrophe loss. Carestream Health is committed to providing industry leading security capabilities in our products and service delivery.
Additional Product Security Information
Additional information may be found on our service portal located at: https://my.carestream.com/en/us/signin
This information is restricted to Carestream customers. For access, please contact Carestream and request Cyber Security End User Group Access to the Service Portal.
From the service portal, you may:
- Subscribe for E-Mail notification for new security advisories
- Download the latest security updates for your medical device
- Find product security information such as network maps, software inventory / SBOM, firewall settings, and group policy configuration
Vulnerability Assessments
Digital Medical Solutions
Carestream Health remains committed to ensuring our products are safe, reliable, and secure. The cybersecurity threat environment continuously evolves requiring constant diligence and information sharing in order to mitigate potential risk and to keep equipment protected. Security advisories and relevant security patch information for Carestream products will be provided below.
| Product Security Advisories | Last Update |
|---|---|
| Print Nightmare | 08/12/2021 |
| CVE-2021-31166 - HTTP RCE | 06/29/2021 |
| Embedded TCP/IP Network Vulnerabilities URGENT/11, Ripple20, Amnesia:33, NUMBER:JACK, NAME:WRECK |
04/15/2021 |
| Heap Overflow vulnerability in Google Chrome / Microsoft Edge | 03/02/2021 |
| Bad Neighbor Vulnerability | 01/12/2021 |
| Windows Embedded Standard 7 SP1 End of Service Life | 10/06/2020 |
| Bluetooth Low Energy Vulnerability | 03/05/2020 |
| CryptoAPI (Curveball) Vulnerability | 02/04/2020 |
| Remote Desktop Protocol Vulnerability (Bluekeep - Part 2) | 06/07/2021 |
| Meltdown and Spectre Vulnerabilities | 01/18/2018 |
| Wi-Fi Protected Access Key Reinstallation Attack (KRACK) |
12/28/2017 |
General Data Protection Regulation "GDPR"
General Data Protection Regulation "GDPR"
There is a new European Privacy initiative--the General Data Protection Regulation "GDPR". This initiative takes effect on May 25, 2018. Please read closely the Annex which is incorporated into the agreement your company may have with Carestream.
HIPAA Overview
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law August 21, 1996. This legislation affects nearly everyone involved in healthcare from providers to healthcare information systems vendors. HIPAA contains provisions for:
- Portability of insurance coverage as employees move from one employer to another.
- Protection of patient-identifiable data from inappropriate disclosure and the type of information that must be protected and the circumstances.
- Defined policies, analyses, practices, and mechanisms that must be conducted to ensure the privacy of “protected health information” (PHI) is maintained.
- Government-mandated standards for electronic transactions, code sets and identifiers.
Related Resources:
Carestream HIPAA Business Associate Agreements
Carestream business associates must comply with HIPAA regulations. Please contact your local sales representative or contract manager for information about the provisions and terms in their agreement.
Correspondence should be mailed to:
Carestream Health, Inc.
Attn: US&C Contract Management
150 Verona Street
Rochester, NY 14608
Related Documents: