ResMed Information Security | ResMed


Mission: ResMed, a world leader in medical software and connected health solutions, seeks to protect the security of information of our customers and their patients, our commercial partners, and our global team.


Vulnerability disclosure

In order to produce secure systems, ResMed recognises the need to engage with the broader security community.

Our security

Because the cybersecurity landscape is ever-evolving, ResMed strives to keep our customers and commercial partners updated on efforts to protect their information.

TLS 1.0 deprecation

To keep our systems up to date with security best practices, we will be disabling support for TLS 1.0 across our systems on May 31st.

ResMed vulnerability disclosure

  1. Send an email to Security Reports
  2. Provide as much information as possible, including steps to reproduce the issue and any logs or scripts used (e.g. text, screenshots)
  3. If you would like a follow-up, please use a valid email address

What to expect after you report:

  • ResMed will contact you with an incident number, and may request additional information
  • ResMed will verify the vulnerability and, if verified, will coordinate internally to plan for remediation
  • ResMed will coordinate a disclosure timeline with you
  • ResMed will notify you when the issue has been resolved
  • ResMed will make an effort to respond to status inquiries within 10 business days

Please do not engage in the following when researching or reporting:

  • Social engineering and phishing
  • Physical attacks against ResMed-owned systems or sites
  • Actions that may disrupt service (e.g. denial of service, brute force)
  • Sending identifiable customer, patient, employee or user data
  • Premature public disclosure of a cybersecurity vulnerability
  • Testing of non-ResMed systems, such as 3rd-party suppliers

ResMed information security

ResMed’s analysis continues for the ‘Log4Shell’ remote code execution vulnerability related to Apache Log4j disclosed on December 9th, 2021 (CVE-2021-44228). ResMed has confirmed that its core applications, myAir and AirView, have not been impacted, and currently we are not aware of any other products or services threatened by this vulnerability.

As part of our continued vigilance, we are monitoring our systems and our security teams are taking steps to mitigate any increased risk from this threat. There are no indicators of compromise currently detected on ResMed systems, and if this situation changes we will notify the affected party.

We invite you to refer to the CVEs (CVE-2021-44228 and CVE-2021-4506) and the security advisory published by Apache for further information on this vulnerability and how it can be mitigated.

For further information regarding any of the topics below, please contact ResMed Web Security

ResMed strives to protect information in accordance with all applicable laws and regulations. In order to achieve a suitable level of cybersecurity, ResMed focuses on the following activities where appropriate:

  • Security by Design
  • Secure Systems Development
  • System Risk Assessment
  • Vulnerability Management
  • Incident Response

On July 29, 2019, the URGENT/11 set of vulnerabilities in real-time operating systems was made public. If exploited, these vulnerabilities could interfere with the function of medical devices, particularly within hospital networks.

We have examined our devices and can confirm that the vulnerable operating systems are not in use within our medical devices and that we are not exposed to this set of vulnerabilities.

ResMed disabling TLS 1.0

On May 31st, 2019, ResMed plans to disable the use of TLS 1.0 across websites and services. This change will ensure we maintain secure communications with our partners, customers, and patients, and keeps us aligned with best practices in a changing cybersecurity landscape. ResMed will focus on supporting TLS 1.1 and 1.2.

TLS 1.0 is an older protocol with known weaknesses in its security, and attacks against it have been developed. Some of these attacks take advantage of outdated cryptographic practices, while others use today's more powerful computers to break old cryptographic protocols that held up well against slower machines. For these reasons, ResMed will stop supporting TLS 1.0 as a protocol.

For the most part, this change will not affect you. Most modern internet browsers already use TLS 1.2, the current standard.

To check whether your browser supports TLS 1.1 or 1.2, you can use one of the following website tools:

Option 1

https://www.howsmyssl.com/

If the website shows your browser is “Bad,” then you will need to upgrade to a newer browser version. If you see “Probably Okay” or “Improvable” then you will still be able to access ResMed websites and services.

Option 2

https://www.ssllabs.com/ssltest/viewMyClient.html

Under the Protocol Features section, if TLS 1.1 or TLS 1.2 is marked ‘Yes’ as supported, then you will be able to connect successfully. It is not a problem if your browser also supports TLS 1.0.

This section shows which browsers support more modern versions of TLS. While some older browsers will still work after TLS 1.0 is deprecated by ResMed, the most up-to-date version of a browser should be used to avoid other security vulnerabilities.

The following list is compiled from various resources. Not all ResMed sites support the browsers below, but we list them to be complete.

  • Microsoft Internet Explorer for Desktop and Laptop: minimum version IE 8, recommended IE 11
  • Microsoft Edge for Desktop and Laptop: no minimum version, recommended 18
  • Mozilla Firefox for Desktop and Laptop: minimum version 27, recommended 65
  • Google Chrome for all devices: minimum version 30, recommended 72
  • Apple Safari for Desktop and Laptop: minimum version 7, recommended 12
  • Opera for all devices: minimum version 17, recommended 58
  • Samsung Internet for mobile: minimum version 4, recommended 9
  • Safari for iOS mobile: minimum version 5, recommended 12
  • Microsoft Edge for mobile: minimum version 1, recommended 1

If you connect to ResMed services through technologies other than a web browser, you will need to ensure that TLS 1.1 or TLS 1.2 is supported, which may require updating the environment your system is running in. We cannot provide an exhaustive list of options for these other technologies and programs, but you can test your system against ResMed websites and services today, as our systems already support TLS 1.1 and TLS 1.2. If you do not check connectivity prior to the date mentioned above, your programs may not be able to connect to ResMed services.

Our current APIs already support TLS 1.1 and 1.2, so you can test now whether your system will function correctly after May 31st. If you have issues connecting to ResMed websites and services, contact integration-support@resmed.com and the team can route you to the appropriate ResMed resource. Below are versions of common tools and whether they support TLS 1.1 and 1.2.

Java (product name inferred from the listed versions; not stated on the page):

  • Version 6: TLS 1.1 = disabled – TLS 1.2 = no – notes: TLS 1.1 available with update 111
  • Version 7: TLS 1.1 = disabled – TLS 1.2 = disabled
  • Version 8: TLS 1.1 = yes – TLS 1.2 = yes – notes: current version

.NET Framework (product name inferred from the listed versions; not stated on the page):

  • Version 3.5 and older: TLS 1.1 = no – TLS 1.2 = no
  • Version 4.0: TLS 1.1 = no – TLS 1.2 = no (upgrade to 4.5)
  • Versions 4.5–4.5.2: TLS 1.1 = disabled – TLS 1.2 = disabled (can be enabled by default in the registry or in code)
  • Versions 4.6+: TLS 1.1 = yes – TLS 1.2 = yes

Python compatibility varies depending on operating system support for Python; documentation for this can be found on the official Python site. Python 3.6 and 2.7.9 are compatible with TLS 1.2.
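As an added example (not ResMed's code), the following Python script checks from the client's side which TLS versions a server will actually negotiate with your environment, which is the connectivity test the paragraphs above ask for; it goes slightly beyond the notice by also reporting TLS 1.3, and the host you pass to probe_all is an assumption, so point it at the service you need to test.

```python
# Added example (not ResMed code): probe which TLS versions a server will
# negotiate with this client, using only the Python 3.7+ standard library.
import socket
import ssl
import threading

# Tried one at a time; TLS 1.3 is included beyond the versions the notice names.
CANDIDATES = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, timeout=5.0):
    """True if a handshake pinned to exactly `version` completes. False covers the
    server refusing it, this client's OpenSSL not offering it, or a failed cert check."""
    try:
        ctx = ssl.create_default_context()  # hostname and cert checks stay on
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):  # ssl.SSLError and timeouts are OSError
        return False


def probe_all(host, port=443, timeout=5.0):
    """Map each candidate version name to whether it could be negotiated."""
    return {n: probe_version(host, port, v, timeout) for n, v in CANDIDATES.items()}


def works_after_tls10_cutoff(results):
    """Once TLS 1.0 is disabled, the client needs TLS 1.1 or newer."""
    return any(results.get(n, False) for n in ("TLS 1.1", "TLS 1.2", "TLS 1.3"))


def self_check():
    """Offline check: a constructed listener that accepts and closes at once
    never finishes a handshake, so every version must report False."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():  # daemon thread, ends with the process
        while True:
            srv.accept()[0].close()
    threading.Thread(target=serve, daemon=True).start()
    return probe_all("127.0.0.1", srv.getsockname()[1], timeout=2.0)
```

A False for TLS 1.0 on a current Python build is expected, since modern OpenSSL refuses to offer it; what matters for the cutoff is that TLS 1.1 or newer comes back True.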

Computers use TLS (Transport Layer Security) to check each other’s identity and to ensure they can talk privately. The technology allows you to communicate with ResMed while both protecting the transmitted data and verifying that the other side is trusted. Support for TLS, in various forms, has been added to many browsers and systems without intruding on a normal user’s experience. These security measures mean that passwords or credit card numbers can be sent over the internet without fear of someone else obtaining that information “in transit.”

In more detail, TLS checks certificates as a form of digital identification. Every TLS-enabled server has a corresponding certificate that is automatically exchanged and verified during the initial connection. A trusted party digitally “signs” the certificate, vouching for the system. Most operating systems and web browsers have a preconfigured list of trusted parties to compare against. After checking the certificate, your web browser and the server automatically agree on how to protect the data using encryption.

For further information or any questions regarding TLS 1.0 deprecation, please contact ResMed Web Security