Our Commitment to Cybersecurity
Today, vast amounts of sensitive patient information and data are kept within the modern healthcare provider network. For Varian and its customers, cybersecurity is a top priority. Together, we have a shared responsibility to maintain robust end-to-end defenses that keep systems secure.
Our products and services are developed with a focus on quality and patient safety. We continue to improve and extend the security measures for our current products. As threats and associated risks are evolving, not all statements on this page apply to all products and services. Contact your local Varian representative for further details.
We collaborate with vendors and healthcare providers to promote true end-to-end cybersecurity, helping to ensure that our products are safe and secure, with access restricted to authorized users. We take cybersecurity extremely seriously, and forge partnerships with others in the healthcare and technology industries to minimize data security breaches and protect patients.
Our information security office is staffed by employees with broad cybersecurity backgrounds, and we partner with our engineering and IT departments to build security into our systems from inception and by design, through operation, and ultimately to product retirement. The teams also collaborate with cybersecurity experts and IT stakeholders from customer sites to identify risks and plan security enhancements.
Secure Development Lifecycle
The Secure Development Lifecycle (SDL) is at the heart of the Varian approach to cybersecurity and keeps our products ready for today’s operational requirements:
- New hardware and software development follows defined state-of-the-art processes
- Product development adheres to Varian’s standardized requirements and industry best practices
- Processes and requirements are aligned across the Varian product portfolio
Built-in security controls
Products currently under development as well as a range of existing offerings have built-in security controls that are essential for modern IT environments:
- Secure configuration and hardening
- Authentication and authorization
- Data encryption
- Trusted machine certificates
- Auditing and logging
We provide the information you need in advance, so there will be no surprises following deployment. Contact your local Sales representative or go to MyVarian for the following documents:
- Product release notes, manual, or whitepaper describing all available product security features
- SBOM (Software Bill of Materials)
- General cybersecurity guidance and consultation
- Secure environment configuration recommendations
- Manufacturer Disclosure Statement for Medical Device Security (MDS2)
Vulnerability monitoring and assessment
In line with the U.S. FDA’s post-market guidance and industry best practices, we monitor and assess whether known vulnerabilities could be exploited against our equipment and solutions. We also have a formal process in place for handling and disclosing reported security vulnerabilities related to our equipment and solutions.
The Varian Product Security Computer Emergency Response Team (CERT) manages the processing, investigation, and reporting of security issues related to Varian products, solutions, or services. The team is the contact point for external stakeholders such as vendors, security researchers, and Information Sharing & Analysis Organizations (ISAOs) to report potential Varian product security vulnerabilities.
Report a Security Issue
Please use the contact information below to report potential security issues in Varian products, and encrypt your message using the PGP key.
State-of-the-art system software
Rapid advances in healthcare technology can make your medical equipment outdated before the end of its useful life. With our Varian Service PremierAssurance™ programs, we can help you keep your Varian equipment updated and cybersecure throughout its product lifespan. Choose from a range of service levels and entitlements to cover your regulatory and financial needs. For products that are not eligible for our PremierAssurance program, we offer other service contracts. For more information, please visit our Services page.
Protecting the privacy of your data is very important to us. We follow privacy principles and practices as part of “privacy by design” as we develop and release products and solutions. That means we implement various administrative, physical, and technical measures in our products and solutions with the goal of enabling customers to comply with privacy laws (in particular the HIPAA Privacy and Security Rules in the United States, and the GDPR in the European Union and the European Economic Area) when they process protected health information and other personal data while using our products and solutions.
Safeguarding Patient Information
Data analytics and cloud-based, mobile solutions offer huge promise for human-centered cancer care, unlocking useful tools for both physicians and patients. For example, our Noona® app allows patients to actively engage with their cancer care team and report outcomes, giving oncologists the potential to analyze data and change research and treatment protocols in real time. Noona is certified to ISO 27001, the internationally recognized security standard, reflecting the paramount importance we place on maintaining the integrity of information in our care.
We publish security advisories and bulletins on an ongoing basis to notify you about any validated security vulnerabilities pertaining to Varian products. Mitigation may involve applying an update, performing an upgrade, or other actions on your part. Please visit MyVarian for more information.
PTC vulnerabilities (CVE-2022-25246 through CVE-2022-25252)
Varian Medical Systems, Inc. is aware of the PTC vulnerabilities identified as CVE-2022-25246, CVE-2022-25247, CVE-2022-25248, CVE-2022-25249, CVE-2022-25250, CVE-2022-25251, and CVE-2022-25252, publicly announced on March 7, 2022. Varian uses PTC, a third-party solution, to support our SmartConnect® tool for remote support, installations, and other services.
Our cybersecurity experts continue to analyze and address the potential impact on our products. Where appropriate, Varian provides updates to fix the vulnerabilities, or specific countermeasures for products where fixes are not yet available. Details can be found in the following Knowledge Articles posted on the MyVarian customer portal: 000039516 - SmartConnect Vulnerability Disclosure, and 000039517 - Customer alert regarding the SmartConnect vulnerability [PTC vulnerability].
Java library Log4j vulnerability (CVE-2021-44228)
Varian Medical Systems, Inc. is aware of the zero-day remote code execution (RCE) vulnerability in the Java library Log4j, identified as CVE-2021-44228. Our cybersecurity experts are analyzing and addressing any potential impact on our products, infrastructure, and services. View the Log4j vulnerabilities update and its impact on Varian products and services.