Engineering Impact: Data Privacy and Security
Excerpts from the 2021 Medtronic Integrated Performance Report
By investing in information security, product security, and data privacy, we comply with regulations, build investor confidence, retain customer trust, and respect patients.
We are in a time of rapid adoption of connected data devices and powerful data analysis that is contributing to innovative products, therapies, and delivery modalities, as well as faster research. In parallel, we have seen an unprecedented volume and scale of ransomware attacks and vulnerability announcements across many sectors within the past 12 months. Therefore, it is essential that we safeguard information, assets, and systems in the ever-evolving data and cybersecurity landscape. Our programs are designed to protect data and systems, comply with global regulations, and maintain the safety and privacy of the people who use our products.
Privacy and security approach
Our Global Cybersecurity program operates under strong governance, risk, and compliance processes that are aligned with the National Institute of Standards and Technology Cybersecurity Framework (NIST), the ISO/IEC 27001 standard, and other relevant international security standards. The Audit Committee of the Medtronic board of directors has oversight of cybersecurity risk within our organization, and our companywide security policies, standards, and procedures ensure consistency across our organization. We continuously scan our operational environment for cyber risks and vulnerabilities, and we also assess the risks of third-party partners, projects, and initiatives. We secure information, including intellectual property and personal data, with a suite of physical, technical, and administrative controls.
To advance data security practices, we collaborate with third-party organizations such as the Health Information Center (H-ISAC), AdvaMed, and the European Union Agency for Cybersecurity. We also contribute to global product security and cybersecurity standards in collaboration with the U.S. FDA and other regulatory advocacy groups.
Our data privacy policies, standards, and procedures define our principles and approach for stewardship of personal data. They are aligned to common and evolving privacy principles derived from privacy laws such as HIPAA and the E.U. General Data Protection Regulation (GDPR). This approach provides a high level of data protection for our patients, participants in clinical trials, customers, employees, vendors, and partners. We also meet local data privacy requirements where those are stricter than our Medtronic-wide standards.
As with any company, Medtronic employees and contingent workers play a crucial role in safeguarding data. We train all employees and contingent workers on security and privacy so that they understand how to identify, protect, and preserve sensitive data and prevent cyber intrusions. In FY21, we expanded and improved our global training programs to raise employee awareness of privacy and security obligations. Our annual training includes:
- Privacy and security training for global employees and contingent workers
- U.S. privacy law training for U.S. employees, including supplemental California Consumer Privacy Act training, beginning in FY21
- Privacy by Design training for employees in key global functions, such as Legal and IT, as well as the vast majority of E.U. employees
- General Data Protection Regulation training for select global corporate employees, as well as noncorporate E.U. employees
Additionally, we expect our vendors to adhere to our data privacy and security standards, and we evaluate these risks as part of our vendor assessment process. When we acquire a company, we conduct privacy and security due diligence and implement an integration plan that includes training as well as policy and procedure standardization. Medtronic adheres to state, federal, and, where applicable, international data breach notification requirements. As an example, in accordance with HIPAA-related data breach requirements, Medtronic self-reports incidents involving loss of, or inappropriate access to, patient information to the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS).
Looking ahead, we are focused on reducing risks related to data security, product security, and privacy by raising the ‘data and security intelligence’ of employees and continuously improving:
- Processes and technology for threat detection and response
- Processes and technology for privacy risk assessments and data subject request execution
- Guidelines and training on data security, product security, and privacy