Ensuring cybersecurity

With patients and providers increasingly benefiting from our connected devices, cybersecurity is critical. The Risk Committee of our Board of Directors oversees cybersecurity and business resiliency, and all senior leaders receive regular updates on the state of our security and any potential concerns.

The Boston Scientific Global Cybersecurity team takes a centralized data privacy approach to safeguarding all systems, notification applications, connected medical devices and clinician interfaces. Our cybersecurity strategy builds on the National Institute of Standards and Technology principles of identify, protect, detect, respond and recover. We are implementing a zero-trust cybersecurity model focused on users, assets and resources to strengthen our resilience against cyber threats.

"Cybersecurity is a constantly evolving landscape, so we are continuously pushing ourselves and collaborating with industry experts, customers and outside partners to evaluate and protect against new risks."
Drew Bomett, vice president and chief information security officer

Product cybersecurity

Our product cybersecurity focus begins with our design protocols and is supported by quality testing, provider education, and packaging and distribution standards. In 2022, we expanded product security to include multiple risk analysis requirements for every piece of hardware and software in our devices. We use penetration testing to simulate cyberattacks and better understand our exploitable weaknesses, and we monitor threat intelligence feeds and use scanning tools to detect and assess vulnerabilities that could affect our products.

Health care providers remotely monitor Boston Scientific implantable cardiac medical devices via systems certified by the International Organization for Standardization (ISO/IEC 27001:2013 and ISO/IEC 27018:2014), and we conduct business in compliance with applicable international laws and regulations governing product and data security.

Outside of the company, we do our part to contribute to stronger data protocols throughout our industry. As a member of the Health Information Sharing and Analysis Center (H-ISAC) community of private and public health organizations, we share security best practices and threat intelligence with peers and partners in the private and public health sectors.

For transparency, our product security website updates providers, patients and caregivers on security findings and processes.

Protecting personal data and data privacy

Health care and data security are increasingly interconnected, and patients should be able to use smarter medical solutions with peace of mind. We updated our website privacy and internal personal data use policies in 2022 to reflect current data regulations and realities. We periodically assess our policies to ensure they remain up to date.

The company conducts outreach with employees, customers and outside partners about data privacy and cybersecurity best practices. Mandatory employee education programs reinforce zero-trust principles and include simulations to promote security awareness. Employees who interact with customers are required to complete annual training about the data they may encounter and their responsibility to protect information and report privacy concerns. We also require all employees to submit impact assessments for products, processes and initiatives that collect, use, manage or process personal data. In 2022, our global privacy team reviewed over 650 privacy impact assessments.

Learn more about Boston Scientific product security on our website.

55 | 2022 Performance Report | Advancing Science for Life | Boston Scientific