Cybersecurity at MED-EL

Our Commitment

At MED-EL, our mission is to overcome hearing loss as a barrier to communication and quality of life. We are passionate about helping people reconnect with the world through sound. Achieving this mission goes beyond developing advanced hearing technologies. It requires the continuous adoption of emerging technologies and an unwavering commitment to product security, privacy, and trust.

Product Security

Product security involves protecting our products and services against threats and vulnerabilities to ensure they remain safe and trustworthy for users. It encompasses various activities, including product security risk assessments, threat modeling, secure coding practices, Static Application Security Testing (SAST), software composition analysis, penetration testing, vulnerability management, incident response, and security updates.

Our independent Product Security unit works cross-functionally across the business and oversees the integration of security throughout the entire product life cycle. From initial design through deployment and post-market activities, we ensure that security is embedded by design.

Our security activities continue beyond market release. A dedicated Product Security Incident Response Team (PSIRT) continuously monitors emerging security threats and coordinates responses to potential security issues.

Our Vulnerability Handling and Disclosure Policy addresses potential security vulnerabilities affecting commercially available MED-EL products, including networked embedded devices, software, mobile applications, and services managed by MED-EL.

Data Protection and Privacy

We care about the protection of your personal data and your privacy. When you share personal data through our digital services, it is processed exclusively for clearly defined purposes and protected using robust Technical and Organizational Measures (TOMs).

Our data handling practices comply with all relevant regulations, including the GDPR in the European Union (EU) and the European Economic Area (EEA) and HIPAA in the USA.

Our established Data Protection Management System (DPMS) ensures regulatory compliance and continuous alignment with evolving privacy requirements.

For details on how we collect, use, and protect personal data, please refer to our Data Privacy Policy.

Trust and Certification

MED-EL maintains an independent certification for its Information Security Management System (ISMS) according to ISO/IEC 27001:2022. This internationally recognized certification demonstrates our commitment to delivering secure medical device software and cloud services that protect sensitive health data, ensuring safety, privacy, and trust for hearing implant recipients, parents and caregivers, and professionals in hospitals around the globe. Our ISMS encompasses key aspects of our operations, including employee security awareness, endpoint protection, business continuity planning, and proactive monitoring and response to cybersecurity threats.

MED-EL has been awarded the Cyber Trust Austria Label Gold certification. This Austrian label is based on the Cyber Risk Rating Scheme and includes compliance with 14 baseline security requirements as well as 11 additional requirements. The Gold certification is granted following a third-party audit conducted by an independent, qualified auditor.

MED-EL UK has successfully achieved the Cyber Essentials and the Cyber Essentials Plus certifications. Cyber Essentials Plus is a UK-specific scheme focused on the following five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection.

Memberships

We believe that active engagement in professional communities and collaboration with security researchers is essential to staying ahead of evolving cybersecurity threats. Through a collaborative approach, we aim to continuously strengthen the security and resilience of our products.

As a member of the European Hearing Instrument Manufacturers Association (EHIMA), we collaborate with leading companies in the hearing industry to exchange insights and drive industry-wide improvements. The EHIMA Cybersecurity Working Group has published a whitepaper outlining best practices for the secure fitting of hearing devices.

We also participate in Health-ISAC (Health Information Sharing and Analysis Center), a global, non-profit, member-driven organization that fosters collaboration among healthcare stakeholders, including medical device manufacturers and clinics, to share threat intelligence and strengthen collective defenses.

Security Research Contributions

We deeply value the contributions of the security research community and encourage responsible disclosure of vulnerabilities in accordance with our Vulnerability Handling and Disclosure Policy. Our policy provides clear guidelines for reporting potential security issues and outlines the structured process we follow to assess, prioritize, and remediate reported vulnerabilities.

FAQs

Our FAQs address common questions about product security, vulnerability reporting and coordinated disclosure, data protection and privacy, and information security.

Product security refers to the protection of medical devices and associated systems from cybersecurity threats and vulnerabilities that could impact patient safety, data confidentiality and integrity, or device functionality.

We integrate security throughout the entire product life cycle. This includes product security risk assessments, threat modeling, secure coding practices, monitoring of known vulnerabilities in third-party components incorporated into the product, penetration testing, security updates, etc.

To support healthcare delivery organizations in assessing the security of our products, MED-EL provides information through the Manufacturer Disclosure Statement for Medical Device Security (MDS²) form. In addition to the MDS², we include relevant security-related information in our user manuals and customer communications.

For any further questions or specific security inquiries, professionals responsible for medical device security risk assessment and management are encouraged to contact their local MED-EL representative.

If you identify a potential security issue, please report it to MED-EL PSIRT by following the steps outlined in our Vulnerability Handling and Disclosure Policy.

We are committed to working with the security community to investigate, address, and acknowledge valid reports in a timely manner.

If you believe you have found a cybersecurity issue on our website or within our infrastructure (not related to our products), we appreciate your responsible disclosure.

As outlined in our Vulnerability Handling and Disclosure Policy, please report such issues directly to it-security[at]medel[.]com.

The General Data Protection Regulation (GDPR) is a data protection law enacted by the European Union (EU) that came into effect on May 25, 2018. It applies to any organization that collects, stores, or processes the personal data of individuals in the European Union (EU) and the European Economic Area (EEA). GDPR sets strict rules on how data must be handled, including requirements for transparency, data minimization, user consent, and the right to access, correct, or delete personal information.

All employees are required to complete regular training on data protection. This training covers the fundamentals of data protection, explains what personal data is, and outlines when and how it may be processed. It also includes guidance on protecting data while working from home, instructions on how to respond to a data breach, and tips for safeguarding personal privacy online and on social media.

ISO/IEC 27001 is the world’s best-known standard for Information Security Management Systems (ISMS). It defines the requirements that an ISMS must meet, and it provides organizations of all sizes and industries with clear guidelines for establishing, implementing, maintaining, and continually improving their information security management systems.

All employees must complete the information security awareness training on a regular basis. This training covers several key topics such as recognizing social engineering and phishing attacks, using secure passwords, securing the workplace and home office environments, classifying and protecting sensitive data, etc. It also includes guidance on secure and responsible use of artificial intelligence.