COMMITMENT TO SECURITY

Mevion is dedicated to ensuring the safety, security, and effectiveness of our products so that our customers can confidentially deliver proton therapy treatments to their patients. We employ a multi-layered security approach to develop our products in a Total Product Lifecycle (TPLC) approach, encompassing design and development, manufacturing, shipping and handling, installation and commissioning, device operation, servicing, and decommissioning.

The company incorporates security risk management as an integrated part of the Quality Management System (QMS) and employs a Secure Product Development Framework (SPDF) including Security Architecture, Security Risk Management, and Security Testing to prevent threats from manifesting patient harm and other potential risks such as exposure of sensitive patient information and data.

Mevion understands that the threat landscape is constantly evolving. The company continues to improve and extend security measures for our products and collaborates with vendors and healthcare providers to establish true end-to-end security, ensuring that our products are safe and secure.

MEVION PRODUCT SECURITY STATEMENT
Our Product Security Team is made up of internal security subject matter experts (SMEs) and is embedded within the Engineering Team. The Product Security Team partners with Mevion IT Department, site implementation, service, as well as outside security SMEs. The Team collaborates with security experts and IT stakeholders of the customer sites to identify and mitigate risks.

Integrated Quality Management System (QMS)
Requirements from cybersecurity regulations, standards, guidelines, and common industry practices are integrated into Mevion’s QMS, enabling Security by Design and Security by Default in parallel with Safety by Design. Mevion has developed product security policy (i.e., this policy), procedures, work instructions, and templates for conducting security risk management work.

The following security controls are employed in the Mevion products:

Secure Product Development
Mevion has implemented secure product development, which includes security requirements and architecture, threat modeling, security risk assessment, secure coding guidelines, Software Bill of Materials (SBOM), vulnerability assessment and remediation, security testing, and security risk management review.

Security Controls
The following security controls are employed in the Mevion products:

• Authentication and authorization for using the Mevion treatment delivery system
• Support for end-to-end Transport Layer Security (TLS) through complete encryption of the communication channels
• Ensuring code, data, and execution integrity
• Ensuring confidentiality of data through multi-layers of security and secure communication
• Event logging and detection before, during, and after treatment delivery
• System resilience and recovery to protect critical function and data, and to recover after security breach
• Firmware and software update per the nature of the vulnerabilities being addressed

Security Transparency
Product Security Guide and Customer Release Notes (which includes a list of known vulnerabilities) are delivered to customers, and the Software Bill of Materials (SBOM) is made available per Mevion process.

MEVION COORDINATED VULNERABILITY DISCLOSURE PROCESS

Mevion has developed a vulnerability handling and Coordinated Vulnerability Disclosure (CVD) process to ensure that the residual risks of our products are maintained at an acceptable level throughout the postmarket phase.

The diagram below shows a schematic of Mevion’s CVD process: 

COORDINATED VULNERABILITY DISCLOSURE POLICY
Mevion’s Coordinated Vulnerability Disclosure (CVD) program will investigate vulnerability reports from researchers, industry partners and groups, CERT organizations, and other sources. Mevion is committed to helping ensure the safety and security of our customers’ systems and will responsibly handle any vulnerability that is verified to be related to Mevion’s products and services. Mevion urges reporting parties to utilize the coordinated disclosure opportunity instead of immediate public disclosure to minimize the risks to our customers and the patients that they serve. Mevion recommends that the reporting party never perform tests on devices that are in active clinical use in a hospital networked environment.

VULNERABILITY REPORTING
Please feel free to contact us with any security-related questions or potential security issues with any product in the Mevion portfolio. Only emails in English or Chinese can be considered, and encrypted communication is preferred. The company will respond within five business days.

PGP Public Key Fingerprint: 3770 CB2D DAA0 0E36 582E B98B 07D9 F6D8 4E0A AEA8

Email: productsecurity@mevion.com

Please include the following information in the report:

• Technical description of the potential vulnerability:
  • When, where, and how the vulnerability was discovered
  • Description of the vulnerability, including proof-of-concept exploit code or network traces (if available) and scenario to reproduce the vulnerability
  • Product information, including product model, product serial number, software/firmware versions (if available), configuration details (if available)
  • Whether any protected health information (PHI) or other personally-identifiable information (PII) were able to be accessed about any user or patient. Please do not include any PHI or PII about others in the email submission.
  • Any additional information that is helpful, including details on the environment and tools for conducting the exploitation.
• Publicity of the potential vulnerability, whether anyone else has been notified about the potential vulnerability, such as regulatory agencies, vulnerability coordinators, Mevion customers, etc.
• Contact information:
  • Name(s), organization(s), phone number(s), email address(es), and PGP key

Everyone is encouraged to report a discovered vulnerability, regardless of service contracts or product lifecycle status. Mevion does not require a nondisclosure agreement for reporting vulnerability and respects the interests of the reporting party (anonymous reports are accepted, as requested). Contact information will only be used to communicate on the submission. Mevion will not share contact information.

VULNERABILITY HANDLING AND DISCLOSURE PROCESS
The Mevion coordinated vulnerability handling and disclosure process consists of the following five steps: 

1. Report Collection

Once Mevion receives a vulnerability report, it acknowledges the receipt of the report and performs an initial analysis to assess a vulnerability’s presence and compares it with existing reports to identify any duplicates. Mevion then catalogs the report, including all relevant information.

2. Investigation and Analysis

Mevion’s Product Security Team will conduct an investigation and analysis to understand the vulnerability by examining the technical issue and the potential risk associated with the vulnerability and will request more information from the reporter if needed to reproduce the security issue.

If the vulnerability is not verified, the reporter will be informed of the result. If the vulnerability is confirmed, the rest of the Vulnerability Handling process applies.

3. Vulnerability Handling

Vulnerability handling takes the following steps:

• Mitigation:

Mevion’s Product Security Team will work to develop a mitigation for the confirmed vulnerability.

• Software Patch and Update:

Mevion’s Engineering team will develop and release a software patch or update to affected customers prior to public disclosure, using existing customer notification process to manage the release of patches or updates.

• Communication

Mevion will maintain regular communication with the reporting party to inform about the current status and Mevion’s position on the reported vulnerability, and may notify US-CERT about a security issue. If available, pre-releases of software fixes may be provided to the reporting party for verification.

4. Vulnerability Disclosure

Mevion will release a security advisory to the reporting party, the customers, and US-CERT. The advisory will contain the following information:

• Description of the vulnerability with CVE reference and CVSS score
• Known affected products and software/firmware versions
• Mitigations and compensating measures as applicable

Acknowledgement and credit to the reporting party for reporting and collaboration will be provided per the reporting party’s consent.

DISCLOSURE TIMELINE
Various factors may affect the time frame for mitigation development and scheduling of disclosure, such as active exploitation of vulnerability by threat actors as well as threats of an especially serious nature. Other factors include but not limited to:

• Whether the vulnerability has been publicly disclosed
• Potential impact on public health and safety
• The availability of effective mitigations and feasibility of developing an update or patch
• The estimated time required for the customers to apply the patch

Mevion will advise the vulnerability reporter of significant changes in the status of the vulnerability reported. Mevion also reserves the right to change any aspect of our coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.