Cybersecurity for digital healthcare

Trusted security for digital healthcare

Roche safeguards data and healthcare infrastructure with a combination of administrative, technical and physical organizational measures. The company actively monitors threats and responds to vulnerabilities in a timely manner. Its ISO/IEC 27001-certified information security management system supports compliance with laws and industry standards.

Data confidentiality, integrity and availability

Our people, processes and technology work together to uphold the confidentiality, integrity and availability (CIA) of data and compliance with relevant laws and standards.

Product security

Roche believes in building trust through transparency. The product security page is your central hub for important cybersecurity and data privacy information about our solutions.

Technical cybersecurity measures

As part of Roche's defense-in-depth strategy, product teams classify data, analyze risk and conduct threat modeling during development and commercialization. This effort helps identify technical control requirements to support compliance with laws and regulations, standards and Roche policies.

Advanced firewall security

navify-hosted solutions are protected by a cloud firewall on the Roche-maintained navify Platform. If a navify solution is deployed on-premises, the customer is responsible for security controls.

Effective May 1, 2019, Roche mandates a dedicated, Roche-managed hardware firewall for certain laboratory-based instruments. This establishes a micro-segmented Roche Laboratory Network (RLN) essential for regulatory compliance and patient safety, offering the following value:

  • Provides primary defense and enables Roche to monitor cyber threats

  • Establishes a secure, isolated zone for operations enhancing system resilience

  • Allows for remote system access, software updates and responding to potential cybersecurity incidents

Data protection standards

Security features may vary depending on the solution. Please consult your Roche representative for product-specific details.

Device hardening

navify products employ various security measures and policies that are designed to minimize vulnerabilities and attack threats.

Data encryption

Roche secures data at rest and in transit with industry-standard encryption. When used, encryption reduces the risk of data compromise.

Access and authorization

Roche uses a defense-in-depth strategy to secure access. This includes password protocols, multi-factor authentication and role-based access controls (RBAC).

Cloud security

Roche partners with companies like AWS to host and secure digital solutions. We require all service partners to use anonymization, pseudonymization or equivalent privacy measures.

Secure data storage

Roche provides flexible hosting options (on-premises or cloud) for navify solutions to meet diverse regional needs, prioritizing patient safety and local compliance.

For cloud hosting, Roche partners with leading cloud hosting providers, ensuring data is securely managed across its lifecycle, adhering to global protection laws and giving customers control.

As a trusted partner, Roche:

  • Uses contracts to outline data handling

  • Transparently discloses data flows and access purposes

  • Gains customer consent for Roche employee access

  • Follows applicable laws and regulations

On premises

For Roche solutions that are required to be hosted at a customer's location, there are a few key points to be aware of:

  • It is mandatory to use the Roche validated firewall to protect Roche instrumentation*

  • For all hosting environments that may need to remain outside of the Roche firewall, the customer is responsible for all security measures for all hardware and software that Roche does not provide

  • Roche contracts will clearly outline mutual obligations to maintain compliance for both Roche and customers

*Roche point of care and navify cloud software solutions are exempt from this physical firewall mandate.

Cloud hosting

Many Roche customers are taking advantage of the benefits that cloud technologies offer and elect to host navify solutions on the navify Platform. Roche cloud solutions:

  • Provide industry-standard security measures in an effort to protect the confidentiality, integrity and availability of data

  • Are configured and maintained using tools and services in accordance with laws, regulations and industry standards

  • Are continuously monitored with technical and automated solutions with the aim of detecting and preventing cybersecurity incidents

Process and procedures

The security and compliance of navify solutions throughout their full lifecycle are managed through a quality management system, which is significantly informed by the Roche ISO/IEC 27001-certified information security management system (ISMS). This ISMS establishes the mandatory minimum security baseline, ensuring compliance with relevant laws, regulations and industry standards.

Disclaimer
  • Not every digital product is available in all markets. The use of any third-party app is subject to a separate license agreement with the respective third-party app developer. Roche gives no warranties (express or implied) with regard to any third-party app. Third-party apps might not be available in your country. This website and its content may be accessible worldwide; Roche assumes no liability with regard to the access to the information, which may not be compatible with legislation or regulations in force in your country.
  • MC--19866