07-20 / 9316884 002/GB/C / Document and/or pictures not legally binding. Modifications by bioMérieux can be made without prior notice.
BIOMÉRIEUX, the BIOMÉRIEUX logo, BACT/ALERT, D-COUNT, GENE-UP, LABGUARD, MYLA, TEMPO, VIDAS, VILINK, VIRTUO and VITEK are used, pending and/or registered trademarks belonging to bioMérieux, or one of its subsidiaries, or one of its companies. Any other name or trademark is the property of its respective owner. The MYLA character is a used, pending and/or registered design belonging to bioMérieux or one of its subsidiaries or one of its companies.
bioMérieux S.A. RCS Lyon 673 620 399 / Printed in France / théra / RCS Lyon B 398 160 242
www.biomerieux.com • www.biomerieux-diagnostics.com
bioMérieux S.A. • 69280 Marcy l'Étoile • France • Tel.: +33 (0)4 78 87 20 00 • Fax: +33 (0)4 78 87 20 90
VILINK® INTELLIGENT INSTRUMENT MANAGEMENT SYSTEM
Security, data protection and privacy protocols for VILINK®

Safe & Sound
Contents
Safe & Sound
System Architecture
Highly Secure
Data Privacy & Organizational Security

Safe & Sound

VILINK® is a highly secured modular solution that is firewall-configurable and compatible with your organization's security systems. VILINK® provides a direct connection between bioMérieux's technical support representative and your systems, offering traceability, logging and data security via user-approved access and TLS-encrypted communication.

VILINK® enables our service support teams to offer real-time troubleshooting and operator training at your request, reducing downtime and improving efficiency in your laboratory by providing:
• Remote technical support
• Remote software/firmware updates
• Flexible installation options for connecting instrument computers in your laboratory local area network.

bioMérieux's security principles:
• We protect the integrity of your patient data
• We trace activities and all accesses
• We provide flexibility and control to enforce your business policies
System Architecture

VILINK® software is powered by PTC (Axeda Solution), which provides an advanced cloud-based service and software for managing connected products and machines. PTC has gained industry leadership by incorporating rigorous security principles and standards into the design and operation of services such as VILINK®. For US requirements, a VILINK® server located in the US serves some customers; another VILINK® server located in Europe serves other customers. VILINK® agents can also be configured with FIPS mode enabled, which restricts the agent to FIPS-approved cryptography (often required in government settings).

[Diagram: VILINK® Server, Internet, client firewall, customer LAN/VLAN containing VITEK® 2, MYLA® server, VITEK® MS prep station and acquisition station, and BACT/ALERT® VIRTUO®, with an optional second firewall in front of the instruments. The VILINK® agent loaded onto bioMérieux computers uses TCP port 443 outbound to establish a TLS tunnel with the VILINK® server once a user initiates the connection. Other compatible systems include GENE-UP®, D-COUNT®, LABGUARD®, TEMPO® and VIDAS® PC; for the full list of VILINK®-compatible systems, please contact your local bioMérieux representative.]

In either configuration, you will need to allow outbound connections on TCP port 443 through your firewall. For the list of URLs and IP addresses, please contact your local bioMérieux representative.

Outbound information
The combination of VILINK® functionality and our remote technical support capabilities creates a full service support offering. VILINK® is installed locally on the system computers and only sends device-relevant service data, so you will never have to accept incoming connections.

Firewall-friendly
VILINK®'s patented Firewall-friendly™ technology provides two-way communication over connections that the agent always initiates outbound, based on Web Service standards including Hypertext Transfer Protocol (HTTP), WASP®, Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML). All outbound communications are initiated using the HTTPS protocol exclusively on port TCP 443.

Remote access
When remote access is required, the VILINK® support user connects to the VILINK® Server with their credentials and selects the system they want to access, creating a secure tunnel (based on HTTPS) between the help desk and your bioMérieux commercial system.

The remote user uses validated tools (UVNC (UltraVNC), Teamviewer, SSH, RDP) to request remote access, which you can choose to accept or reject. All communication and transferred data go through the VILINK® secure tunnel.

To optimize the remote support experience, we use the Global Access Server (GAS) on TCP port 443. The VILINK® server uses the commercial system's nearest GAS server, and if that does not work it uses the next nearest server. Your firewall and proxy must allow access to the GAS servers on the HTTPS (TCP/443) port; for the full list of GAS servers, please contact your bioMérieux representative.

[Diagram: remote access path. bioMérieux side: user directory, assistance workstation with multi-factor authentication (MFA), secured disk space (US hosting shown); VILINK® Server and GAS; Internet; customer network. HTTPS connection from the instrument computer, Remote Desktop Connection from the help desk. GAS: Global Access Server.]
Automatic monitoring
Depending on which bioMérieux commercial system VILINK® has been installed on, it is possible to automatically monitor the system's computer and devices (instrument, network or signalling device). Monitoring focuses on technical information such as RAM size, disk-filling ratios, log files and instrument sensor values, allowing bioMérieux to detect or anticipate variations that may have an impact on the bioMérieux commercial system or its behaviour. Only technical information that enables system support is uploaded to the VILINK® Server (never information related to patients or to biological results), with access restricted to bioMérieux.

Options
You can choose to:
• Have the remote intervention report on remote accesses to your systems mailed to you
• Authorize our service support teams to perform file transfers, or not
• Enable automatic monitoring of your bioMérieux commercial systems, or not

[Diagram: bioMérieux side: user directory, assistance workstation, secured disk space (dedicated upload interface for personal data, purged periodically, AES 256-bit encryption), access control driven from the bioMérieux user directory, specific VILINK® training, firewall-friendly VILINK® Server; GAS; Internet; customer network. HTTPS connection and Remote Desktop Connection. GAS: Global Access Server.]

Teamviewer® Remote Access
Teamviewer® software can be used in order to improve the speed of the remote access without any compromise on security.
• Usage of Teamviewer® is limited to valid VILINK® sessions
• By default, the Teamviewer® account is inactive and is activated only during a valid VILINK® session
• Teamviewer® is certified SOC 2 and ISO 9001 and helps you to be HIPAA compliant

You can use Teamviewer® within a VILINK® TLS tunnel, or use Teamviewer® Direct Mode to the Teamviewer® infrastructure. To enable Direct Mode you will have to allow traffic on TCP port 443 or TCP port 5938 to the domain *.teamviewer.com, or to a specific list of IP addresses provided on request. Note that in Direct Mode the session traffic goes to the Teamviewer® infrastructure rather than through the VILINK® tunnel, so these firewall exceptions apply in addition to the VILINK® TCP/443 rule.

In the Teamviewer® Direct Mode configuration, the security features are the following:
• Whitelist restricting access to commercial systems to bioMérieux accounts and trusted devices only
• RSA public/private key exchange and AES 256-bit session encryption
• Specific login and password for establishing the Teamviewer® session
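As an added example (not bioMérieux's or PTC's code), the following Python script audits an exported firewall connection log against the egress profile described above: from the instrument VLAN, outbound TCP/443 only, to the VILINK®/GAS endpoints; additionally TCP/443 or TCP/5938 to *.teamviewer.com when Direct Mode is in use; and no inbound connections to the instrument hosts at all. The log format, the VLAN, the host names and the addresses are constructed placeholders; the real endpoint list comes from your bioMérieux representative, and `SITE_EXCEPTIONS` stands for destinations you sanction yourself.

```python
"""Egress audit for an instrument VLAN connected through VILINK.

Expected profile (from the brochure): the agent only initiates outbound
TCP/443 to the VILINK server / GAS servers, so no inbound rule is needed;
Teamviewer Direct Mode additionally needs outbound TCP/443 or TCP/5938 to
*.teamviewer.com. Everything else crossing the perimeter is reported.

Added example, not vendor code. Log format, VLAN, names and addresses below
are constructed placeholders.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed: VLAN holding the instrument computers that run the VILINK agent.
INSTRUMENT_VLAN = ipaddress.ip_network("10.20.30.0/24")

# Constructed placeholders for the VILINK/GAS endpoints your representative
# provides; replace with the real list (the brochure does not publish it).
VILINK_DESTINATIONS = {"vilink.example.invalid", "gas.example.invalid"}
TEAMVIEWER_SUFFIX = ".teamviewer.com"  # wildcard *.teamviewer.com from the brochure

# Constructed: site-specific (proto, port, host) exceptions you sanction yourself.
SITE_EXCEPTIONS = {("UDP", 123, "ntp.example.net")}

# Constructed log format:
#   <ts> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport> [host=<fqdn>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)"
    r"(?:\s+host=(?P<host>\S+))?\s*$"
)


def in_vlan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSTRUMENT_VLAN


def classify(line: str, teamviewer_direct: bool = False) -> Optional[str]:
    """Return a reason if the line violates the expected VILINK profile,
    or None if it is consistent with it (or does not touch the VLAN)."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed log line"
    src_in, dst_in = in_vlan(m["src"]), in_vlan(m["dst"])
    if not src_in and not dst_in:
        return None  # perimeter traffic unrelated to the instrument VLAN
    proto, dport = m["proto"], int(m["dport"])
    host = (m["host"] or "").lower()

    if dst_in and not src_in:
        # VILINK needs no inbound connection: an ALLOWed one is a policy gap.
        return ("inbound connection to instrument host permitted"
                if m["action"] == "ALLOW" else None)

    # From here on an instrument host is the source.
    if m["action"] == "DENY":
        # The firewall held, but an HTTPS-only agent should not be trying this.
        return f"instrument host attempted blocked egress {proto}/{dport} to {host or m['dst']}"
    if proto == "TCP" and dport == 443 and host in VILINK_DESTINATIONS:
        return None
    if (teamviewer_direct and proto == "TCP" and dport in (443, 5938)
            and host.endswith(TEAMVIEWER_SUFFIX)):  # suffix match, not substring
        return None
    if (proto, dport, host) in SITE_EXCEPTIONS:
        return None
    return f"unexpected egress {proto}/{dport} to {host or m['dst']}"


def audit(lines: Iterable[str], teamviewer_direct: bool = False) -> List[Tuple[str, str]]:
    """Run classify() over a log export and return (reason, line) pairs."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reason = classify(line, teamviewer_direct)
        if reason:
            findings.append((reason, line))
    return findings


# Constructed sample export, not a real capture.
SAMPLE_LOG = """\
# ts action proto src -> dst [host=fqdn]
2024-03-01T08:00:01Z ALLOW TCP 10.20.30.11:50123 -> 198.51.100.10:443 host=vilink.example.invalid
2024-03-01T08:00:02Z ALLOW TCP 10.20.30.11:50124 -> 198.51.100.20:443 host=gas.example.invalid
2024-03-01T08:00:03Z ALLOW TCP 10.20.30.12:50200 -> 203.0.113.5:5938 host=router1.teamviewer.com
2024-03-01T08:00:04Z ALLOW TCP 10.20.30.12:50201 -> 203.0.113.9:443 host=updates.example.net
2024-03-01T08:00:05Z ALLOW TCP 192.0.2.77:40000 -> 10.20.30.11:3389
2024-03-01T08:00:06Z DENY TCP 10.20.30.13:50300 -> 203.0.113.44:22
2024-03-01T08:00:07Z ALLOW UDP 10.20.30.13:50400 -> 203.0.113.45:123 host=ntp.example.net
2024-03-01T08:00:08Z ALLOW TCP 10.40.0.5:51000 -> 93.184.216.34:443 host=www.example.org
"""

if __name__ == "__main__":
    for reason, line in audit(SAMPLE_LOG.splitlines(), teamviewer_direct=True):
        print(f"{reason}\n    {line}")
```

Run it against a real export by feeding your firewall's lines to `audit()` and populating `VILINK_DESTINATIONS` with the list your representative provides. With Direct Mode off, the `router1.teamviewer.com` line becomes a finding as well, which is the check to make before widening the egress rule for Teamviewer®.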
Highly Secure

bioMérieux VILINK® is a highly secured solution using communication encrypted with AES 256-bit. An acknowledgement on the customer side is required to approve the remote access. Only trained users can use the VILINK® solution.

[Diagram: bioMérieux side: user directory, assistance workstation with multi-factor authentication (MFA), secured disk space to store sensitive data, access control driven from the bioMérieux user directory, remote access audit logs, video audit trail at the customer's disposal during investigation, security and awareness trainings, specific VILINK® training; firewall-friendly VILINK® Server with high availability and encrypted data (AES 128/256, FIPS), hosted in Europe for EU and ASPAC customers and in the US for Americas customers; Internet; customer network with user access control, traceability of operations, security configuration and end-user acknowledgement. HTTPS connection and Remote Desktop Connection.]

About the VILINK® Server
• The VILINK® Server is hosted in a highly controlled, protected area, and is continuously controlled and policed in order to meet both our own high security standards and the requirements of the most rigorous regulations.
• All server accounts for bioMérieux users are managed by a robust security policy, with encrypted communications established through HTTPS using a certificate with a 2048-bit RSA key. The only protocol allowed through HTTPS at this level is TLS.
• Audit logs record all VILINK® users' activities (remote sessions, file transfers, etc.) and are retained on the VILINK® Server for one year.
• The VILINK® Server is maintained at a continuously high security and availability level, using the most appropriate and up-to-date security tools (e.g. security scanners) to follow best practice in monitoring and penetration testing.

Connections to the VILINK® Server
All commercial systems connected to bioMérieux VILINK® communicate with the VILINK® Server through a TLS tunnel (AES 128/256-bit encryption). Every remote session and file transfer goes through this TLS tunnel, protecting every exchange against unauthorised access.

Security configuration
bioMérieux strongly recommends that the customer install anti-virus software (supporting Microsoft Windows) on all bioMérieux commercial systems and apply regular operating system security updates. Please see the documentation provided with your bioMérieux commercial system relating to the use of anti-virus software and operating system security updates.
Data Privacy & Organizational Security

bioMérieux has implemented a rigorous data privacy and security program to ensure compliance with all relevant privacy laws during the operation of our software. This program includes, but is not limited to:
1. Assessing and implementing the regulations and standards applicable to the healthcare domain.
2. Gaining your formal agreement before implementing remote access to your network and instrumentation.
3. Implementing a procedure to guard against any data breach in the event of systems being refurbished or swapped over, by systematically removing hard drives containing patient data.
4. Limiting users' access to information and information systems in line with their role in the organization, as part of a comprehensive security management system.
5. Screening (when authorised by local regulation) of the personnel accessing patient information.
6. Training all personnel who have access to patient data on internal policies and procedures, to help them understand their responsibility to maintain the confidentiality of such information and to comply with regulations in force.
7. Implementing physical security measures to ensure that unauthorised users cannot enter bioMérieux premises. These measures include restricting physical access to data servers and data-hosting environments.
8. Complying with password security standards to ensure that authentication cannot easily be compromised.
9. Encrypting access to patient data on laptops used by bioMérieux personnel.
10. Protecting connected systems on the bioMérieux network from external security vulnerabilities through a combination of hardware firewalls, antivirus software, intrusion prevention systems and regular Microsoft security updates.
11. Monitoring events at the remote service in order to provide sound and other recordings for use in case of investigation.

To follow these security principles, bioMérieux, acting with the support of security experts, regularly performs penetration tests, security assessments and regulatory audits (e.g. HIPAA, GDPR).

Local data privacy and security regulations
The protection of personal data and respect for privacy are fundamental rights derived from the Universal Declaration of Human Rights of 1948. bioMérieux is committed to protecting the confidentiality of the personal data of its employees and partners. Many countries have tightened regulations restricting the use and disclosure of personal data (e.g. the US HIPAA federal law, the EU GDPR). These laws require companies to take steps to ensure the confidentiality, integrity and availability of this kind of data. In 2018, bioMérieux deployed a compliance program regarding Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable since 25 May 2018 (GDPR), as well as national French laws. bioMérieux has officially designated a Data Protection Officer (DPO) to the French Data Protection Authority (CNIL) to control and ensure compliance of the Company with this regulation.