We are committed to ensuring the safety, effectiveness and security of our products. Cybersecurity of our products and our customer’s infrastructure is an integral part of our focus.

Security researchers play a role in identifying cybersecurity vulnerabilities and concerns. Our goal is to partner effectively with the research community to understand their findings. We are introducing our initial Coordinated Vulnerability Disclosure Process to promote collaboration and reporting of medical device vulnerabilities as described below.

The scope of our vulnerability reporting programme includes Medical Devices, Software as a Medical Device, and Mobile Medical Applications. It is not intended to provide technical support information on our products or for reporting Adverse Events or Product Quality Complaints.

To report an adverse event or product quality Complaint, please contact us at  stryker.com/productexperience.

How to submit a vulnerability

If you have identified a potential security vulnerability with one of our Medical Devices, Software as a Medical Device, or Mobile Medical Applications, please submit a vulnerability report to Stryker’s Product Security Team by completing the following form and emailing the completed document to ProductSecurity@stryker.com.

Important information:
 

We will not engage in legal action against individuals who submit reports through our Vulnerability Reporting process and enter into a legal agreement with us. We agree to work with individuals who:    

• Engage in testing of systems/research without harming Stryker or its customers.    
• Perform tests on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.  
• Engage in vulnerability testing within the scope of our vulnerability disclosure programme in accordance with the terms and conditions of any agreements entered into between Stryker and individuals.
• Adhere to the laws of their location and the location of Stryker. For example, violating laws that would only result in a claim by Stryker (and not a criminal claim) may be acceptable as Stryker is authorising the activity (reverse engineering or circumventing protective measures) to improve its system.
• Refrain from disclosing vulnerability details before any mutually agreed-upon timeframe expires.
  

Preference, prioritisation and acceptance criteria
We will use the following criteria to prioritise and triage submissions.   

What we would like to see from you:

• Reports written in English.  
• Reports that include proof‐of‐concept code, which will better equip us to triage.   
• How you found the vulnerability, the impact and any potential remediation.   
• Any plans or intentions for public disclosure.   

Note: Reports that include only crash dumps or other automated tool output may receive lower priority.

What you can expect from us:   

• A timely response to your email (within 5 working days).
• We will direct the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.  
• We will, following investigation of a report, confirm the existence of the vulnerability and the potential impact.  If the identified vulnerability is determined to impact patient safety, we will work expeditiously to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed based upon the associated risk.
• An open dialogue to discuss issues.   
• Notification when the vulnerability analysis has completed each stage of our review.   
• Credit after the vulnerability has been validated and resolved, if desired.   
• We are committed to being as transparent as possible about the remediation timeline and issues or challenges that may be involved.  
• If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.   

All aspects of this process are subject to change without notice, as well as for case-by-case exceptions. No particular level of response is guaranteed.

Notice

In the event, you decide to share any information with Stryker, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Stryker is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Stryker.

As part of our commitment to product security and customer service, we supply our customers with information to help them assess and address the vulnerabilities and risks.

Specifically, we use the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide security information about our products.

The MDS² contains product specific security information related to the capabilities of the devices such as:    

• Maintaining, storing and transmitting ePHI 
• Data back-up and removable media capabilities
• Installing security patches and anti-virus software
• Remote service access
• Audit logs of ePHI access including: viewing; creating, modifying and deleting records; importing/exporting

The MDS², a universal reporting form which allows us to supply our customers with model-specific information, is endorsed by the American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA) and the Healthcare Information and Management Systems Society (HIMSS).

The form also contains security practice recommendations and explanatory notes from the manufacturer.