
Policies and Governance

Updated over 2 years ago

Policies, Standards and Procedures

Do your information security and privacy policies and standards align with international and industry standards (ISO-27001/2, COBIT, NIST SP 800-36/37/53, etc.)?

Yes. Medtronic operates in a heavily regulated medical device industry. We align our oversight and management of cybersecurity with the International Organization for Standardization/International Electrotechnical Commission 27001 series (ISO/IEC 27001) and with the NIST (National Institute of Standards and Technology) Cybersecurity Framework. The devices, systems, and services we sell meet the applicable medical device regulatory requirements.

Governance, Risk & Compliance

Does an external firm perform external audits of your company’s and partners’ information security practices and controls?

A-LIGN is Medtronic Digital Surgery’s contracted third-party assessor (TPA) for the annual HIPAA, SOC 2, and SOC 3 audits of Touch Surgery™ Enterprise. Amazon Web Services has its own TPAs to assess the cloud hosting infrastructure.

Identity and Access Control

How does your team access your cloud environment?

A Touch Surgery™ Enterprise administrator or privileged user who accesses the Touch Surgery™ Enterprise AWS cloud platform cannot connect directly to any AWS cloud component (e.g. a server or database). Such a user must first authenticate with their authorized AWS Identity & Access Management (IAM) account credentials (ID, password, and MFA code), and then log in to the Teleport Enterprise AWS web console with their Teleport account credentials (ID, password, and MFA code) before connecting to any component and performing system administration.

Certain authorized Medtronic Digital Surgery staff members can log in to the Django Admin internal web portal. This gives the user granular access to specific RDS Postgres database tables required for their job role.

Does Amazon have access to the data stored on AWS?

No. Touch Surgery™ Enterprise servers run as EC2 instances on AWS, which uses Nitro technology. Nitro prevents Amazon employees from accessing information on the servers, limiting the possibility of human error and tampering. Amazon employees therefore cannot access information from these servers.

Can videos be retrieved if I decide to stop using Touch Surgery™ Enterprise?

Yes. In the event of a contract termination, Medtronic Digital Surgery provides a period of 30 days for you to download videos and data to other devices before access to our cloud storage is removed. As a second option, institution administrators can request a file containing the direct download links.

Incident Response

What is the documented process, and timeframe, for notifying customers of security incidents involving or impacting their data?

All suspected security incidents are required to be reported to Medtronic’s Global Security Office (GSO) within 24 hours. The GSO conducts a thorough investigation of every incident to determine the impact.

The contract with your institution outlines the applicable terms, including breach notification rules. HIPAA breach notification rules do not apply, as no PHI is collected by Touch Surgery™ Enterprise.

Legal/Privacy

How does Touch Surgery™ Enterprise comply with data protection laws?

Medtronic Digital Surgery proactively performs privacy impact assessments to identify, assess and address privacy risks, and designs new products and applicable services in accordance with “Security by design” principles. You can read further information on Data and Privacy here for the EU version and here for the US version. Additionally, Medtronic Digital Surgery uses standard templates and processes developed by the Privacy Program to ensure the appropriate privacy provisions are incorporated into third party contracts.

Do you collect or create metadata about customer data usage using inspection technologies (search engines, etc.)?

Yes. Medtronic Digital Surgery collects metadata about customer usage to meet our legal obligations, manage our operations, improve our organization and deliver our Services to you or your institution. We also use cookies to track and analyze how users interact with the platform and to improve our product.

Security Tools/Utilities

Do you use cloud-native tools to secure your environment?

Yes. The following cloud-native tools are used to secure Touch Surgery™ Enterprise:

  1. AWS Identity and Access Management (IAM) - used to control access to Touch Surgery™ Enterprise AWS resources.

  2. AWS CloudTrail - tracks all activity in AWS environments. It records every action a Touch Surgery™ Enterprise user executes in the AWS console, and every API call, as an event.

  3. AWS GuardDuty - a threat detection service that uses machine learning to look for malicious activity in AWS environments. It combines CloudTrail event logs, VPC Flow Logs, and S3 event logs to continuously monitor and analyze Touch Surgery™ Enterprise activity.

  4. AWS CloudWatch - logs, monitors and alerts on the performance of Touch Surgery™ Enterprise AWS resources and applications.

  5. AWS Shield - a fully managed distributed denial-of-service (DDoS) protection service for Network (Layer 3) and Application (Layer 4, Transport) type attacks.

  6. AWS Secrets Manager - supports automatic key rotation for the AWS Relational Database Service (RDS) used by Touch Surgery™ Enterprise.
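The access model described under "Identity and Access Control" requires an MFA code at every console sign-in, and the CloudTrail entry above states that each console action is recorded as an event. The script below, added here as an illustration and not code from Medtronic or Touch Surgery Enterprise, shows how a customer or auditor would verify the first claim using the second: it reads CloudTrail-style ConsoleLogin records and flags successful sign-ins that lack MFA, plus any root-account sign-in. The log records are constructed samples; the field names (eventName, additionalEventData.MFAUsed, responseElements.ConsoleLogin, userIdentity.type) follow the published CloudTrail ConsoleLogin schema, and the "MFA on every login, never root" policy is an assumption of this example.

```python
"""Check CloudTrail ConsoleLogin events against an MFA-always policy.

Assumption (not from the page): the input is a CloudTrail log file as
delivered to S3, i.e. a JSON document with a top-level "Records" list.
"""
import json

# Constructed sample log (not real Touch Surgery Enterprise data): five records,
# of which four are console sign-ins and one is an unrelated API call.
SAMPLE_LOG = json.dumps({
    "Records": [
        {   # compliant: IAM user, MFA used, successful
            "eventVersion": "1.08", "eventTime": "2023-05-01T08:00:00Z",
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "sourceIPAddress": "198.51.100.10",
            "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "Yes"},
        },
        {   # violation: successful sign-in without MFA
            "eventVersion": "1.08", "eventTime": "2023-05-01T08:05:00Z",
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "sourceIPAddress": "203.0.113.7",
            "userIdentity": {"type": "IAMUser", "userName": "contractor"},
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "No"},
        },
        {   # violation: root account used, even though MFA was present
            "eventVersion": "1.08", "eventTime": "2023-05-01T08:10:00Z",
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "sourceIPAddress": "198.51.100.10",
            "userIdentity": {"type": "Root", "accountId": "123456789012"},
            "responseElements": {"ConsoleLogin": "Success"},
            "additionalEventData": {"MFAUsed": "Yes"},
        },
        {   # failed sign-in: no session was created, so not a policy violation
            "eventVersion": "1.08", "eventTime": "2023-05-01T08:12:00Z",
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "sourceIPAddress": "203.0.113.9",
            "userIdentity": {"type": "IAMUser", "userName": "contractor"},
            "responseElements": {"ConsoleLogin": "Failure"},
            "additionalEventData": {"MFAUsed": "No"},
        },
        {   # unrelated API event, ignored by the login filter
            "eventVersion": "1.08", "eventTime": "2023-05-01T08:15:00Z",
            "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
            "sourceIPAddress": "198.51.100.10",
            "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
        },
    ]
})


def load_records(log_text):
    """Parse a CloudTrail log document and return its Records list."""
    return json.loads(log_text).get("Records", [])


def console_logins(records):
    """Yield a normalized view of each ConsoleLogin event, skipping everything else."""
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        ident = rec.get("userIdentity", {})
        yield {
            "time": rec.get("eventTime"),
            "principal_type": ident.get("type"),
            # Root sign-ins carry no userName, so fall back to the principal type.
            "user": ident.get("userName", ident.get("type")),
            "source_ip": rec.get("sourceIPAddress"),
            "success": rec.get("responseElements", {}).get("ConsoleLogin") == "Success",
            "mfa": rec.get("additionalEventData", {}).get("MFAUsed") == "Yes",
        }


def find_policy_violations(records):
    """Return successful console sign-ins that break the MFA-always policy.

    A violation is any successful sign-in without MFA, and any successful
    root-account sign-in regardless of MFA (a hypothetical policy choice).
    """
    findings = []
    for login in console_logins(records):
        if not login["success"]:
            continue
        reasons = []
        if not login["mfa"]:
            reasons.append("no MFA")
        if login["principal_type"] == "Root":
            reasons.append("root account used")
        if reasons:
            findings.append({**login, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_policy_violations(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['user']} from {f['source_ip']}: {', '.join(f['reasons'])}")
```

Failed sign-ins are deliberately excluded from the findings because no session resulted; in practice they are still worth counting separately as a brute-force signal. Run against a real trail, the same two rules would also surface any path that bypasses the IAM-then-Teleport sequence the page describes, since a console session without MFA could not have passed the first step.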

Third Party Risk Management

Is access to the organization’s information and systems by external parties permitted?

Yes. Medtronic’s Third Party Security Standard requires security and privacy reviews of all new and existing vendors and their solutions prior to sharing non-public data or granting access to its information systems/assets.

Does the organization obtain satisfactory assurances that reasonable information security exists across its information supply chain?

Third Party Risk (TPR) security and privacy assessments are performed before procurement, and periodically thereafter.
