Performance with integrity

Data security, cybersecurity and privacy

Protecting our systems, products and personal data

We embed resilient cybersecurity and privacy practices across our enterprise and product portfolio to protect our business, the healthcare providers we serve and the millions of patients who rely on our devices.

Our governance framework helps to ensure proactive oversight, continuous improvement and alignment with global standards.

Personal data and privacy

We maintain robust privacy protections aligned with global regulations, including HIPAA and GDPR.

  • Our global and local data privacy policies align with the applicable privacy regulations, enabling personal data to be collected, processed and stored responsibly.
  • We conduct privacy impact assessments across products and processes that handle personal data, supporting transparency, accountability and secure data handling.
  • These efforts are underpinned by our Responsible AI policy, which establishes governance principles and helps safeguard the appropriate use of sensitive data.

Governance and oversight

Cybersecurity is embedded into enterprise risk management and Board oversight.

  • Regular updates to our Board of Directors on emerging threats and risk trends.
  • Executive security briefings for senior leadership.
  • Enterprise-level escalation processes for cybersecurity risks.
  • Chief Information Security Officer (CISO) oversight of our Global Cybersecurity Program.

Enterprise cybersecurity framework

Our cybersecurity strategy is aligned to leading global standards and frameworks, including:

  • NIST Cybersecurity Framework (NIST CSF)
  • NIST 800-53
  • ISO 27001

We establish and maintain controls that apply to employees, contractors, consultants, suppliers and third parties with access to company systems.


Our cybersecurity principles focus on:

  • Protecting confidentiality, integrity and availability of information.
  • Ensuring accountability for information assets.
  • Supporting legal and regulatory compliance.
  • Reducing enterprise cyber risk.
  • Aligning security practices with our core values.

Measuring and strengthening performance

We monitor a comprehensive set of metrics across:

  • Threat detection and incident response.
  • Vulnerability management.
  • Endpoint, email and network security.
  • Privacy impact assessments and data governance requests.

Recent progress includes:

  • Strengthened NIST-aligned controls.
  • Achieved a ‘Defined’ maturity level and progressed toward ‘Managed’ in an external cybersecurity assessment using the Capability Maturity Model Integration (CMMI) framework, with processes documented, standardized and implemented across the organization.
  • Progressed global rollout of Data Loss Prevention (DLP).
  • Implemented a company-wide data governance framework.
  • Enhanced IT General Controls maturity using data-driven insights.

Zero-trust security model

Our zero-trust model enhances resilience across network, identity, endpoint and data controls.

Key elements include:

  • Defense-in-depth architecture (EDR, IDS, email and web filtering).
  • AI- and ML-driven threat detection and monitoring.
  • Least-privilege access and segmentation.
  • Adversary emulation and annual penetration testing.
  • Threat hunting and real-time response capabilities.

Product security: secure by design

Our global product security program works with divisional teams to standardize comprehensive secure development lifecycle practices.

  • Multi-year quality management project aligning to global regulatory guidance (ISO/IEC 81001-5-1 and FDA cybersecurity guidance).
  • Comprehensive security risk assessments in design that incorporate threat modeling and privacy impacts.
  • Secure code development practices, including static code analysis and software composition analysis.
  • Security testing, including penetration testing, that is applied in both pre- and post-market stages.
  • Vulnerability monitoring as part of post-market surveillance.

We actively participate in H-ISAC, AAMI, AdvaMed, MDIC and ISO committees to strengthen cybersecurity across global healthcare.


Training and education

Key elements include:

  • Mandatory annual cybersecurity training.
  • Phishing awareness campaigns.
  • Third-party risk assessment and vendor incident response programs.
  • GenAI usage training including data privacy safeguards.
  • Data protection and sensitive information handling education.