Java library Log4j vulnerability (CVE-2021-44228)
Varian Medical Systems, Inc. is aware of the zero-day remote code execution (RCE) vulnerability in the Java library Log4j, identified as CVE-2021-44228. Our cybersecurity experts are analysing and addressing any potential impact to our products, infrastructure and services. View the Log4j vulnerabilities update and the impact on Varian Products and Services.
Our Commitment to Cybersecurity
Today, vast amounts of sensitive patient information and data are kept within the modern healthcare provider network. For Varian and its customers, cybersecurity is a top priority. Together, we have a shared responsibility to maintain robust end-to-end defences that keep systems secure.
Our products and services are developed with a focus on quality and patient safety. We continue to improve and extend the security measures for our current products. As threats and associated risks are evolving, not all statements on this page apply to all products and services. Contact your local Varian representative for further details.
We collaborate with vendors and healthcare providers to promote true end-to-end cybersecurity, helping to ensure that our products are safe and secure, with access restricted to authorised users. We take cybersecurity extremely seriously, and forge partnerships with others in the healthcare and technology industries to minimise data security breaches and protect patients.
Our information security office is staffed by employees with broad cybersecurity backgrounds, and we partner with our engineering and IT departments to build security into our systems from inception and by design, through operation, and ultimately to product retirement. The teams also collaborate with cybersecurity experts and IT stakeholders from customer sites to identify risks and plan security enhancements.
Secure Development Lifecycle
Thanks to the Secure Development Lifecycle (SDL), at the heart of the Varian approach to cybersecurity, our products are ready for today’s operational requirements:
- New hardware and software development follows defined state-of-the-art processes
- Product development adheres to Varian’s standardised requirements and industry best practices
- Processes and requirements are aligned across the Varian product portfolio
Built-in security controls
Products currently under development as well as a range of existing offerings have built-in security controls that are essential for modern IT environments:
- Secure configuration and hardening
- Authentication and authorisation
- Data encryption
- Trusted machine certificates
- Auditing and logging
We provide the information you need in advance, so there will be no surprises following deployment. Contact your local Sales representative or go to MyVarian for the following documents:
- Product release notes, manual, or whitepaper describing all available product security features
- SBOM (Software Bill of Materials)
- General cybersecurity guidance and consultation
- Secure environment configuration recommendation
- Manufacturer's Disclosure Statement for Medical Device Security (MDS2)
Vulnerability monitoring and assessment
In line with the U.S. FDA’s post-market guidance and industry best practices, we monitor and assess whether known vulnerabilities could be used to exploit our equipment and solutions. We also have a formal process in place for handling and disclosing reported security vulnerabilities related to our equipment and solutions.
Varian Product Security Computer Emergency Response Team (CERT) manages the processing, investigation, and reporting of security issues related to Varian products, solutions, or services. The team is the contact point for external stakeholders such as vendors, security researchers, and Information Sharing & Analysis Organisations (ISAOs) to report potential Varian product security vulnerabilities.
Report a Security Issue
Please use the contact information below to report potential security issues on Varian products. Please encrypt the message using the PGP Key.
State-of-the-art system software
Rapid advances in healthcare technology can make your medical equipment outdated before the end of its useful life. With our Varian Service PremierAssurance™ programs, we can help you keep your Varian equipment updated and cybersecure throughout its product lifespan. Choose from a range of service levels and entitlements to cover your regulatory and financial needs. For products that are not eligible for our PremierAssurance program, we offer other service contracts. For more information, please visit our Services page.
Protecting the privacy of your data is very important to us. We follow privacy principles and practices as part of “privacy by design” as we develop and release products and solutions. That means we implement various administrative, physical and technical measures in our products and solutions with the goal of enabling customers to comply with privacy laws (in particular HIPAA Privacy and Security rules in the United States and GDPR in the European Union and the European Economic Area) when customers process protected health information and other personal data while using our products and solutions.
Safeguarding Patient Information
Data analytics and cloud-based, mobile solutions offer huge promise for human-centred cancer care, unlocking useful tools for both doctors and patients. For example, our Noona® app allows patients to actively engage with their cancer care team and report outcomes, providing oncologists with the potential to analyse data and change research and treatment protocols in real time. Noona is certified to ISO 27001, the internationally recognised security certification, indicating the paramount importance we place on maintaining the integrity of information in our care.
We publish security advisories and bulletins on an ongoing basis to notify you about any validated security vulnerabilities pertaining to Varian products. Mitigation may involve applying an update, performing an upgrade, or other actions on your part. Please visit MyVarian for more information.