Franklin Lakes, N.J.-based BD (Becton, Dickinson and Company) has become the first medical technology company authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority by the CVE Program, demonstrating the company’s dedication to healthcare cybersecurity.
As a CVE Numbering Authority (CNA), BD is authorized to assign CVE identification numbers to newly discovered vulnerabilities in its software-enabled products. This includes using the Common Weakness Enumeration (CWE) system to classify vulnerability types and applying the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity. The purpose of the CVE Program is to bolster international cybersecurity defense by cataloguing publicly disclosed cybersecurity vulnerabilities. The CVE Program is sponsored by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and operated by MITRE Corp.
“The CVE Program is the de facto international standard for vulnerability identification and naming,” says CVE Board Member Chris Levendis. “Being authorized as a CVE Numbering Authority demonstrates mature vulnerability management practices and a strong commitment to cybersecurity. By making accurate and timely vulnerability information available, CNAs like BD help their customers streamline early-stage vulnerability management.”
BD was among the first medical technology companies to develop a mature coordinated vulnerability disclosure program, enabling customers to manage cybersecurity risks through awareness and guidance. In 2020, the company launched the BD Cybersecurity Trust Center, increasing transparency and collaboration with its customers, and issued its inaugural cybersecurity annual report. In becoming a CNA, BD further demonstrates its commitment to cybersecurity in medical devices, making it easier for customers to manage vulnerabilities affecting BD products.
“Being named a CVE Numbering Authority shows trust and confidence in BD cybersecurity practices and our ability to manage reported vulnerabilities,” says Rob Suárez, chief information security officer of BD. “This designation aligns with our commitment to cybersecurity maturity and making timely information about vulnerabilities in BD products available to customers worldwide.”