Security is a foundational and fundamental aspect of our technology programs at Stryker and is led by our Chief Information Officer and Chief Information Security Officer, Alan Douville as established in Corporate Policy 11 Global Privacy and Data Protection. Alan meets with our Board of Directors annually, and the Corporate Compliance Committee multiple times a year. Alan also leads the Corporate Security Sub-committee.
We have a thorough global security program encompassing both corporate and product security that is committed to attaining and retaining external certifications including Global ISO 27001 and the SOC 2 certification of Stryker’s health cloud.
Our cybersecurity program leverages a defense-in-depth strategy that is supported by a highly experienced team of cybersecurity experts. Our team follows leading industry cybersecurity practices and methodologies and leverages Artificial Intelligence and Machine Learning to provide state-of-the-art global cybersecurity protection.
We have strong relationships with government partners, cybersecurity industry partners and security researchers to enhance our cybersecurity profile across our highly regulated and controlled infrastructure for facilities, data and assets. Some of our key memberships include:
Cybersecurity at Stryker is a multi-faceted program. Our program includes a Tier 1 and Tier 2 Security Operations and Cyber Fusion Center that monitors and detects threat activity 24/7 to proactively gather, analyze and act upon relevant intelligence to defend Stryker, including risk management, compliance assurance, regulatory and audit. The program also includes teams dedicated to digital product security and traditional product security and a global incident response plan.
Our program conducts security-related exercises quarterly to improve our ability to provide coverage for our digital products and corporate infrastructure, the safeguarding of data and incident response. In addition, our Quality Management Program includes internal and external security reviews of products and systems, and security and privacy by design.
Our security team holds approx. 120 security security, risk and compliance certifications including:
We have implemented annual mandatory security education to help employees understand security risks and comply with our policies. Additionally, we provide frequent communications around pertinent security topics and policies to all employees. These include formal and awareness training such as newsletter articles, direct email, posters, digital signage, town halls and presentations. We provide additional security and data protection training and awareness of specific topics consistent with employee roles.
We conduct cybersecurity and privacy assessments on all third parties who integrate with Stryker’s data, network, systems and products. We use a combination of our Security Operations Center and external tools to help ensure that these third parties meet security requirements. We leverage standard industry threat model and privacy impact assessment concepts to help ensure data minimization and adequate data protections are in place.
We perform supplemental reviews commensurate with the risk associated with each vendor.
Product security is dedicated to the safety and security of our global products. Product security is an integral part of our holistic global security program.
We utilize a continuous improvement approach focused on enhancements to the software development lifecycle and new technical capabilities that reinforce the effectiveness of defense-in-depth security controls used to protect our products.