// Trust & Security Report
GE HealthCare
Caption AI – AI-powered guidance for cardiac ultrasound imaging. Includes Vscan Air SL with Caption AI (handheld device), Venue Family with Caption Guidance (point-of-care systems), and AutoEF (automatic ejection fraction calculation). FDA 510(k) cleared.
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on gehealthcare.com“GE HealthCare's Global Information Security Management System is globally certified according to ISO 27001... Certificate Number IS 725196... for Europe remote service delivery and technical support data storage, and remote connectivity provided from their GEHC Data Center in France.”
Verify on gehealthcare.com“GE HealthCare's Global Information Security Management System is globally certified according to ISO 27001, 27018 and 27701 standards.”
Verify on investor.gehealthcare.com“the company maintains ISO certification to the privacy standard ISO 27701:2019.”
Verify on gehealthcare.co.uk“GE HealthCare is certified with ISO 9001... covering the sales, delivery, installation, repairing, servicing, commissioning, and decommissioning of GE HealthCare medical devices and multivendor medical devices.”
Verify on gehealthcare.co.uk“GE HealthCare is certified with ISO 13485 covering the sales, delivery, installation, repairing, servicing, commissioning, and decommissioning of GE HealthCare medical devices and multivendor medical devices.”
Verify on gehealthcare.com“Caption AI technology is completely shielded and follows HIPAA privacy regulations. The AI software can be safely downloaded and is routinely refreshed to guarantee data security.”
Verify on landing1.gehealthcare.com“GE HealthCare has developed an efficient GDPR framework... Both GE HealthCare and customers must keep detailed records of processing activities... GE HealthCare adheres to applicable data protection laws, including guidance issued by the French Data Protection Authority (CNIL).”
Verify on gehealthcare.com“Caption AI (Caption Health, GE HealthCare) has received FDA clearance for AI-guided cardiac image acquisition... GE HealthCare signed an agreement to acquire Caption Health... and has demonstrated that individuals without formal echocardiography training can obtain diagnostically interpretable images using AI guidance.”
> Show 1 unconfirmed / not-held certifications
source: gehealthcare.comNo public evidence of GE HealthCare-wide SOC 2 Type 2 certification found. ReadySee (a GE HealthCare product) uses SOC 2-compliant data center infrastructure, but this is a hosting certification, not an organizational certification.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary data center in France (Europe). International transfers outside EU use GDPR-compliant standard contractual clauses (Article 46 GDPR). Transfers to countries with lower data protection levels (including US) permitted with contractual safeguards.
GE HealthCare collects and uses non-personal data for training, development, and continuous product improvement. For EU AI research, data is pseudonymized. GE HealthCare will not sell data or use it to identify customers without consent. Caption AI itself is HIPAA-compliant and shielded from customer healthcare data exposure.
// Security controls
Encryption in transit
Standard TLS/SSL encryption for remote service connectivity and data storage
gehealthcare.comEncryption at rest
Protected by ISO 27001 and 27002 security controls; France data center provides encryption for remote data storage
gehealthcare.comVulnerability disclosure program
Coordinated Vulnerability Disclosure (CVD) program; submit to Cvd@gehealthcare.com
gehealthcare.comEmployee security training
Mandatory annual cyber training program for all employees
gehealthcare.comSecurity framework alignment
Skeye cybersecurity solution aligns with NIST Cybersecurity Framework; 24/7 managed security for networked medical devices
gehealthcare.comMedical device cybersecurity
Product Security Portal providing security advisories, vulnerability notifications, and patch management
gehealthcare.com// Products & data scope
data: Real-time cardiac imaging guidance; patient ultrasound images (HIPAA protected); device sensor data for AI inference
FDA 510(k) cleared. Handheld device with AI-powered probe positioning guidance and AutoEF calculation. Can be used outside professional healthcare facilities (with environmental restrictions).
data: Cardiac imaging data; patient ultrasound images (HIPAA protected); real-time guidance data
Point-of-care ultrasound systems with AI-powered real-time guidance. Provides step-by-step prompts for probe positioning and quality assessment.
data: Cardiac imaging analysis; calculated ejection fraction metrics
Automatic calculation of left ventricular ejection fraction from ultrasound views. Integrated into both Vscan Air and Venue Family systems.
// What to watch
- SOC 2 Type 2 not publicly confirmed – while ISO 27001:2022 provides comparable controls, SOC 2 is not disclosed (may be in customers' private trust reports). Minor documentation gap given enterprise maturity.
- Vendor website pages (privacy, security, trust center) return 403 Forbidden due to anti-bot protection. Assessment supplemented with public press releases, investor relations, and third-party documentation (BSI certificate, DQS certifications database). Identity and core certifications verified through multiple sources.
- AI training note uses term 'non-personal data' without strict technical definition. GE HealthCare states: 'will not sell the data or use it to identify customers without consent', and Caption AI is 'HIPAA-compliant and shielded.' Consistent with privacy-by-design but could benefit from explicit pseudonymization/anonymization detail in customer-facing documentation.
// At a glance
Pricing model
Medical device (enterprise/hospital procurement); pricing not publicly disclosed
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on GE HealthCare's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
gehealthcare.com