Product security

Our commitment to product security

We are committed to ensuring the safety and effectiveness of our products. The cybersecurity of our products and of our customers' infrastructure is an integral part of our approach.

Latest security advisories

Security advisory on the WannaCry vulnerability

Security advisory notification on the Meltdown and Spectre vulnerabilities

Product vulnerability disclosure reporting

Security researchers play a role in identifying cybersecurity vulnerabilities and concerns. Our goal is to partner effectively with the research community to understand their findings. We present our first coordinated vulnerability disclosure process to encourage collaboration and the reporting of medical device vulnerabilities, as described below.

Scope

The scope of our vulnerability reporting program includes Medical Devices, Software as a Medical Device, and Mobile Medical Applications.  It is not intended to provide technical support information on our products or for reporting Adverse Events or Product Quality Complaints.

To report an adverse event or product quality complaint, please contact us at stryker.com/productexperience.

How to submit a vulnerability

If you have identified a potential security vulnerability with one of our Medical Devices, Software as a Medical Device, or Mobile Medical Applications, please submit a vulnerability report to Stryker’s Product Security Team by completing the following form and emailing the completed document to ProductSecurity@stryker.com.

 
Important information:

We will not engage in legal action against individuals who submit reports through our Vulnerability Reporting process and enter into a legal agreement with us. We agree to work with individuals who:

  • Engage in testing of systems/research without harming Stryker or its customers.    
  • Perform tests on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.  
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program in accordance with the terms and conditions of any agreements entered into between Stryker and individuals.
  • Adhere to the laws of their location and the location of Stryker. For example, violating laws that would only result in a claim by Stryker (and not a criminal claim) may be acceptable as Stryker is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
  • Refrain from disclosing vulnerability details before any mutually agreed-upon timeframe expires.

Preference, prioritization, and acceptance criteria

We will use the following criteria to prioritize and triage submissions.

What we would like to see from you:

  • Reports written in English.  
  • Reports that include proof-of-concept code, which will better equip us to triage.
  • How you found the vulnerability, the impact, and any potential remediation.   
  • Any plans or intentions for public disclosure.   

Note: Reports that include only crash dumps or other automated tool output may receive lower priority.

What you can expect from us:

  • A timely response to your email (within 5 business days).
  • We will direct the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.  
  • We will, following investigation of a report, confirm the existence of the vulnerability and the potential impact. If the identified vulnerability is determined to impact patient safety, we will work expeditiously to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed based upon the associated risk.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.   
  • Credit after the vulnerability has been validated and resolved, if desired.   
  • We are committed to being as transparent as possible about the remediation timeline and issues or challenges that may be involved.  
  • If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.   

All aspects of this process are subject to change without notice and to case-by-case exceptions. No particular level of response is guaranteed.

Notice

In the event you decide to share any information with Stryker, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Stryker is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Stryker.

Manufacturer Disclosure Statement for Medical Device Security

As part of our commitment to product security and customer service, we provide information to our customers to help them assess and address vulnerabilities and risks.

Specifically, we use the Manufacturer Disclosure Statement for Medical Device Security (MDS²) to provide information about the security of our products.

The MDS² contains product-specific security information related to device capabilities, for example:

  • Maintenance, storage and transmission of electronic protected health information (ePHI).
  • Data backup and removable media capabilities.
  • Installation of security patches and antivirus software.
  • Remote service access.
  • Audit logs of access to ePHI, including: viewing, creating, modifying and deleting files; import/export.

The MDS², a universal communication form that lets us provide model-specific information to our customers, is endorsed by the American College of Clinical Engineering (ACCE), ECRI (formerly the Emergency Care Research Institute), the National Electrical Manufacturers Association (NEMA) and the Healthcare Information and Management Systems Society (HIMSS).

The form also contains recommendations on security practices and explanatory notes from the manufacturer.