The GE HealthCare Third-Party Cyber Security Requirements document outlines the cyber security requirements applicable to GEHC Third Parties, including suppliers and joint ventures. The security requirements outlined herein, are applicable to Third Parties that process, access, interact with, or store GEHC sensitive Information (classified internally as GEHC Confidential or GEHC High Confidential), PII or Sensitive PII, have access to a GEHC Information System, or provide certain services/products, to include OT/Manufacturing services, as described below. The security requirements are designed to vary based on the level of risk the Third-Party presents to GEHC, specifically guided by the type of GEHC information the Third-Party Processes, network connection, and products and services provided by the Third-Party, as well as data availability and resiliency requirements.
GEHC reserves the right to update this document from time to time.
Applicability: The minimum security requirements are applicable to third-parties that process, access, or stores (logically) GEHC Confidential Information or Personal Data, GEHC Highly Confidential Information or Sensitive Personal Data, Controlled Data, or if the Third-Party has a direct network connection to the GEHC managed network.