Security | Resmed

Resmed Information Security

Mission: Resmed, a world leader in medical software and connected health solutions, seeks to protect the security of information of our customers and their patients, our commercial partners, and our global team.

Our security

Resmed, a global leader in digital health, is dedicated to proactively solving the complex challenges of information security, strengthening our defenses against threats and mitigating risks. We’ve built our processes and protocols from best practices in order to maintain confidentiality and data integrity for the business, our employees, our partners and our patients. Below is a sample of the controls we use across Resmed and subsidiary companies:

Layer                  | Threats                                                        | Defenses
Physical               | Physical intrusion, social engineering                         | Badged access, data center controls, training, assessments
Cloud                  | Data loss, misconfiguration                                    | Data loss prevention (DLP), configuration monitoring, security information and event management (SIEM), web application firewall
Network                | Hacking, denial of service (DoS)                               | IDS/IPS, firewalls, strict ACLs, virtual private network (VPN), app security, SIEM
Platform               | Phishing, malware, hacking                                     | Employee training, phishing campaigns, URL filtering, security operations center, email security
PCs and mobile devices | Malware, ransomware, hacking, device loss                      | Traditional and next-generation anti-virus, device encryption, asset management
Application            | SQL injection, man-in-the-middle, software vulnerability, hacking | Penetration testing, coding standards, patching, secure software development life cycle (SDLC)
Data                   | Unauthorized access                                            | Encryption, IDS/IPS, firewalls, backup/recovery, VPN, multi-factor authentication (MFA)
Response               | Security event, breach, data corruption or loss, system loss   | SIEM, incident response, dedicated security team, third-party support

Security news

Okta Breach

Resmed is aware of the LAPSUS$ attack on Okta and is assured that none of our customers’ information has been impacted. This has been confirmed both by our internal teams and by Okta.

Log4j (Log4Shell) Vulnerability

Read about how Resmed is dealing with this threat here: Log4j Security Bulletin

AirBreak

Resmed Statement on the Role of CPAP in Mitigating the Effects of COVID-19

Ripple20 Security Vulnerabilities

On June 16, 2020, a set of vulnerabilities in the Treck TCP/IP stack was made public. If exploited, these vulnerabilities could interfere with the function of medical devices.

We have examined our devices and have confirmed that some products use the affected components: Resmed Connectivity Module Hospital (RCMH), Astral, and TxLink. The Ethernet port is disabled at the time of shipping for RCMH and Astral, which prevents access to the TCP/IP stack. The TxLink device is intended for use within private networks under supervised conditions and is considered low risk with respect to Ripple20.

URGENT/11 Security Vulnerabilities

On July 29, 2019, the URGENT/11 set of vulnerabilities in real-time operating systems was made public. If exploited, these vulnerabilities could interfere with the function of medical devices, particularly within hospital networks.

We have examined our devices and can confirm that the vulnerable operating systems are not in use within our medical devices and that we are not exposed to this set of vulnerabilities.

Recruitment Fraud Alert

It has come to our attention that various individuals and organizations are offering false employment opportunities on behalf of Resmed. Such fraudulent communications may come from various sources, including fake websites and/or unsolicited emails. These communications seek to obtain personal data and payment from victims by offering jobs at Resmed that do not exist.

Please be advised that Resmed will never ask for payment to progress a job application. When in doubt, please check whether the position is posted on our website, careers.resmed.com, before applying.

Additionally, please report any suspicious recruiting activity to complaint.ic3.gov.

Resmed Responsible Disclosure Program

Response targets

Resmed will make a best effort to meet the following SLAs for hackers participating in our program:

Type of response   | SLA in business days
First response     | 5 days
Time to triage     | 10 days
Time to resolution | depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Disclosure policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne’s disclosure guidelines.

Program rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Physical attacks are prohibited.
  • Disclosing any client or patient information is prohibited.
  • Disclosing the vulnerability publicly in any way before Resmed provides permission is prohibited.
  • Testing on third party vendors is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out-of-scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Highly speculative/theoretical vulnerabilities or previously known vulnerable libraries without a working proof of concept
  • Best practice suggestions that are not vulnerabilities (e.g. missing HttpOnly or Secure cookie flags, SSL/TLS configuration, etc.)
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Credential re-use from public dumps
  • Automated scan reports or search engine results (e.g. Shodan, SSL Labs, etc.) without a valid proof of concept
  • Vulnerabilities only affecting users of outdated or unpatched browsers [fewer than two stable versions behind the latest released stable version]
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user’s device
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Software version disclosure/banner identification issues, and descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Tabnabbing
  • Open redirect – unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Resmed and our users safe!

As of August 2022, Resmed uses HackerOne for its responsible disclosure program; all hall of fame members who submitted via email can be found here.

Submit Vulnerability Report