Product Security

Zimmer Biomet is committed to protecting the security of our patients and customers.

Our mission is to alleviate pain and improve the quality of life for people around the world. One of our guiding principles is our commitment to the highest standards of patient safety, quality and integrity in our products and services.

Commitment to Product Security

Leadership

Our top leadership continuously demonstrates commitment to product security.  This includes ensuring that our strategies align with industry standard product security policies, objectives, and requirements at the forefront of initiatives and throughout.  ZB leaders foster a culture of proactive security and continuous improvement throughout everything we do, including separation of duties, role-based access control, the least-privilege principle, and always applying a risk-based approach to prioritization.  Zimmer Biomet has a dedicated CISO to oversee its Global Information Security Program and a Global Product Security Officer to oversee its Global Product Security Program.

Team Members

Our team members are committed to continuously improving security in our portfolio of digital health technologies.  This includes annual training and awareness across the ZB enterprise as well as specialized role-based training. Our team members uphold the highest standards of patient safety and quality in our digital health products and services.  Our product teams are required to perform product security risk assessments that bi-directionally triage with safety risk assessments in accordance with industry standards.

Policy & Governance

Zimmer Biomet maintains a set of information security programs, policies, and procedures, approved by management, published, and communicated to stakeholders. Policies are reviewed at planned intervals and as necessary to ensure their continuing suitability, adequacy, and effectiveness. Zimmer Biomet’s Information Security program has adopted the ISO 27001 standard for information security governance.

Zimmer Biomet maintains a comprehensive industry standard Global Product Security Program that includes secure total product lifecycle and secure product development framework (SECURE-TPLC/SPDF) for our portfolio of digital health technologies.  Our Secure-TPLC/SPDF includes security-by-design, risk management & threat modeling, secure coding, vulnerability & patch management, application security testing, software composition analysis, penetration testing, quality assurance, formal change management, continuous monitoring & post-market surveillance, MDS2s, et al.

Zimmer Biomet maintains ISO27001 certification for our Surgery Planning Ecosystem (IS 734358); while not all our products and services are within this certification scope today, it does reflect our commitment to security as a company and provides our customers an added level of assurance.  Zimmer Biomet is compliant with applicable regulatory requirements around the world.

Digital health product teams are required to complete new team member training and annual general and role-based specialized digital product security training thereafter. Security Awareness training is conducted annually and as appropriate (e.g., hiring, material changes to policies).  Training is scheduled, conducted, and tracked through a Learning Management System (LMS).

Network solutions at Zimmer Biomet are hardened in accordance with industry standards.  Penetration testing is performed by independent third parties annually. Zimmer Biomet personnel typically do not need remote access to our customers’ networks. In the event remote support is necessary, typically a fully escorted web conference session can be used.  Industry standard anti-malware protections are integrated with our digital health technologies. Detection, prevention, and recovery controls are also maintained within our corporate computing environment to protect against malware, combined with appropriate user awareness. Critical patches are applied on an as-needed basis and may be applied as soon as day of discovery depending on the solution; non-critical patches are typically included in new feature releases. Customers are logically segmented in multi-tenant environments using industry standard unique Customer Site IDs.

Zimmer Biomet maintains a comprehensive industry standard cyber security incident response plan.  The Incident Response Team includes representation from IT Security, Legal, Privacy, and Corporate Communications as required to appropriately communicate breaches to our clients.  Annual incident response exercises are performed. 

Please direct any/all communications associated with our Digital Health Product Security to product.security@zimmerbiomet.com;
including any Coordinated Vulnerability Disclosure (CVD).