Security is at the core of what we do.

Product security isn't just a feature, it is a key focus in safeguarding our solutions.

Product security

At Stryker, we care deeply about the security and safety of our products because we know how important they are. Our dedicated Product Security team works tirelessly to implement robust security measures and collaborates with industry partners to continuously improve our security practices. We take a proactive security approach to stay ahead of emerging threats and take appropriate action to address vulnerabilities. Your trust is our top priority, and we're committed to safeguarding the products and data you depend on.

Our commitment

We conduct thorough security assessments of our products throughout their lifecycle to identify and mitigate potential vulnerabilities. Security is integrated into every stage of our product development process, from design to deployment, ensuring it is a foundational element in everything we do.

Our focus

Device design and development

  • During the design and development phases of new medical devices, we implement security measures that include threat modeling, risk assessments, and embedding security controls into the product architecture.
  • Collaboration between engineering, cybersecurity, privacy, and regulatory teams informs a holistic approach to implement security best practices in product innovation.
  • We ensure security is considered from the initial design stages to mitigate potential vulnerabilities and threats that could impact patient safety or compromise sensitive data.

Supply chain

  • Supply chain security focuses on mitigating risks associated with the procurement, manufacturing, distribution, and maintenance of medical devices.
  • We collaborate closely with suppliers and partners to establish security requirements, perform thorough assessments, and safeguard the integrity of components and software integrated into their products.
  • Measures such as secure coding practices, firmware validation, and secure distribution channels help prevent tampering, counterfeiting, or unauthorized modifications throughout the supply chain.

Incident response and vulnerability management

  • Stryker has robust incident response and vulnerability management processes in place to promptly detect, assess, and mitigate security issues. This includes establishing communication protocols, coordinating response efforts with customers and regulators, issuing timely patches or updates, and conducting post-incident reviews.
  • Despite proactive security measures, vulnerabilities and incidents may still occur during the lifecycle of medical devices.

Healthcare partnerships

  • Our subject-matter experts participate in industry groups to advance cybersecurity principles and industry best practices.
  • We foster a culture of transparency and collaboration with customers, industry stakeholders, and suppliers to strengthen security.
  • We assist in the development of industry frameworks, technical papers, and proactive engagements with regulators to help make healthcare better.

Latest security advisories

Stryker responds to KRACK vulnerability for iBed Wireless-enabled Secure II, S3 MedSurg and InTouch ICU beds

Stryker Vocera Report Server and Voice Server Vulnerabilities

Microsoft Print Spooler Vulnerabilities (CVE-2021-34527 and CVE-2021-36958)

Apache “Log4j” Open Source Logging Library

Product coordinated vulnerability disclosure (CVD)

Security researchers play a role in identifying cybersecurity vulnerabilities and concerns. Stryker has a Coordinated Vulnerability Disclosure (CVD) process to foster collaboration and effective reporting of Stryker's medical device vulnerabilities.

Important information about our CVD process

We work in good faith with researchers and parties that test our products and will not engage in legal action against individuals who submit reports through our CVD process. Your use of this process is considered a legal agreement with Stryker.

We agree to work with individuals who:

  • Engage in testing of systems/research without harming Stryker or its customers.
  • Perform tests on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software.
  • Engage in vulnerability testing within the scope of our CVD program in accordance with the terms and conditions of any agreements entered into between Stryker and individuals.
  • Adhere to the laws of their location and the location of Stryker.
  • Refrain from disclosing vulnerability details before any mutually agreed-upon timeframe expires.

In the event you decide to share any information with Stryker, you agree that the information you submit will be considered non-proprietary and non-confidential and Stryker is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Stryker.

What you can expect from us

  • We will provide a timely response to your email (within 10 business days).
  • We will direct the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.
  • We will, following the investigation of a report, confirm the existence of the vulnerability and the potential impact. If the identified vulnerability is determined to impact patient safety, we will work expeditiously to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed based upon the associated risk.
  • We will discuss issues in an open dialog.
  • We will provide notification when the vulnerability analysis has completed each stage of our review.
  • If desired, we will provide recognition after the vulnerability has been validated and resolved.

We are committed to being as transparent as possible about the remediation timeline and issues or challenges that may be involved.

If we are unable to resolve communication issues or other problems, we may engage a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.

All aspects of Stryker's CVD process are subject to change without notice, at Stryker's sole discretion. No particular level of response is guaranteed.

Vulnerability management process

Our Coordinated Vulnerability Disclosure (CVD) process covers regulated medical device and health software products, including medical devices, software as a medical device (SaMD), and mobile medical applications. It is not intended for technical support on our products, for reporting adverse events, or for submitting product quality complaints.

How to report non-product vulnerabilities

To report non-product vulnerabilities in Stryker’s enterprise infrastructure, please contact us using the Stryker Enterprise IT Vulnerability Disclosure Program at bugcrowd.com/stryker-vdp.

How to submit a vulnerability

If you have identified a potential vulnerability with one of our medical devices, software as a medical device (SaMD), or mobile medical applications, please use the form below to submit a vulnerability report to Stryker's Product Security team.

To report an adverse event or product quality complaint related to a Stryker product, please visit stryker.com/productexperience.

Vulnerability submission form

What we would like to see from you in your submission

  • Reports written in English.
  • Reports that include proof-of-concept code, which will better equip us to triage.
  • How you found the vulnerability, the impact, and any potential remediation.
  • Any plans or intentions for public disclosure.
  • Note: Reports that include only crash dumps or other automated tool output may receive lower priority.