Product & Solutions Security at Koh Young Technology


PSSO Message

Cybersecurity is one of the most important concerns affecting our business. At Koh Young Technology, we remain dedicated to security through design, development, use, and cooperation. We work hard to ensure that our products, systems, and customer environments uphold security standards so that our customers can concentrate on what really matters: patient care.

While we continue to follow established security measures, we are aware that new security risks appear every day, ranging from concerted attempts to breach healthcare data to coordinated attempts to interfere with clinical or manufacturing workflows. We understand that what our customers don’t know about cannot be protected. Because of this, we consider cooperation and transparency crucial. We are enhancing cybersecurity and resilience across the sector by building a solid community of practice and cooperating closely with our customers, industry regulators, and security researchers.

Our Top Concerns

Design & Development Security
Koh Young products and solutions are developed against industry-leading cybersecurity standards in order to ensure their security.

Use Security
Koh Young Technology products and solutions are protected and kept up to date across all platforms and locations for the duration of their intended life cycles.

Cooperation Security
To develop industry best practices, Koh Young Technology upholds a culture of openness and cooperation with customers, industry stakeholders, and reputable third parties. Contact productsecurity@kohyoung.com. In line with FDA guidance on coordinated vulnerability disclosure for medical devices, Koh Young Technology maintains an ISAO membership; disclosures can be submitted at https://members.medisao.com/vulnerability_disclosure/.

Our Framework

Koh Young Product & Solution Security Framework

Koh Young Technology integrates cybersecurity into product design, development, manufacturing, customer support, and enterprise systems processes. 

For industrial products, cybersecurity integration is based on ISA/IEC 62443, the standard series intended for Industrial Automation and Control Systems (IACS). These standards are designed to help organizations secure their industrial operational technology and control systems from cyber threats.

For medical products, cybersecurity integration is based on a variety of industry work products, including the FDA’s premarket and postmarket guidance, the Healthcare & Public Health Sector Coordinating Council’s (HSCC) Medical Device and Health IT Joint Security Plan (JSP), the Medical Device Innovation Consortium (MDIC) threat modeling playbook, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the International Organization for Standardization (ISO) 27001, 62443, and 80001 standards.

Koh Young Product & Solution Security Procedures

The Product Security Risk Assessment includes a Threat Risk Assessment (TRA), which encompasses identifying potential threats, defining and prioritizing their potential impacts, and determining countermeasures that reduce the risk to an acceptable level.

Design Input Requirements for Security are derived from TRA countermeasures as well as the regulations applicable to the respective business. For Koh Young Technology products:

  • System Requirements and System Hardening Standards are addressed by STIG or CIS benchmarks, assessed with commercial or open-source scanning tools.
  • Vulnerability Scanning is addressed through the Incident and Vulnerability Management Plan and the Test Plan, which rely on commercial or open-source scanning partners.
  • Secure Coding Standards and Code Analysis are internally referred to as static application security testing, performed through manual team code reviews and automatically with commercial code analysis tools.
  • Customer Security Requirements are also referred to as requests for information from Industrial Automation customers and Healthcare Delivery Organization (HDO) customers, who define product security entrance requirements.
  • Patch Management Requirements are addressed through the security disclosure statements of the respective business (e.g., MDS2, IDS2).

Verification, Validation, Security Testing, and Penetration Testing are internally referred to as the internal and external third-party plans that execute the PSS Test Plan.

Customer Complaints, Vulnerability Management, Incident Response, and End of Life are internally covered by the Incident and Vulnerability Management Plan.

Customer Security Documentation is also referred to internally as the Product Security Operations Documentation.