Category Archives: Responsible Disclosure

Philips Healthcare “Responsible Disclosure” Policy To Help Internet of Things (IOT) Security Researchers

At 2014′s DEFCON security convention healthcare security researchers Scott Erven and Shawn Merdinger lauded Philips Healthcare’s new “Responsible Disclosure” policy initiative as a model of cooperation for the Internet of Things (IOT) security research community.  (“Just What the Doctor Ordered?” by Scott Erven and Shawn Merdinger, August 8, 2014 – DEFCON 22)

A draft of the new Philips Healthcare policy plan read as follows and can be adapted by other IOT device manufacturers and start-ups.  (All IOT device makers should draft a vulnerability reporting policy as a matter of best practice; the same practice is already quite common in the software industry.)

“Philips Healthcare and Responsible Disclosure Positioning”
(from Philips Healthcare “Product Security and Services Office” – August 2014 – original)

Philips Healthcare recognizes the need for clear a Responsible Disclosure Policy and protocols as part of its Product Security function.

The company is developing a Responsible Disclosure Policy according to current industry best
practices.

  • The policy will be publicly accessible, with clear communications channels for customers,researchers and other security community stakeholders.
  • The policy will be based on principles of transparency, accountability and responsiveness.
  • The policy will outline defined protocols for reporting and response, managed by the Philips Product Security Team.

The policy protocols will encompass:

  • Monitoring and response of inbound communications
  • Managing confirmation receipt and follow-up communication with senders
  • Evaluation of vulnerability notifications and status tracking
  • Alignment with incident response, stakeholder notification, remediation and prevention protocols as required

Philips has actively sought out researcher and analyst input to help guide policy design and
projected implementation.

  • The company has increasingly engaged with the security research community over the past year.
  • Philips is committed to ongoing dialogue with the security community and to productive partnerships.

Philips Healthcare Product Security Policy Statement

In August 2011 Philips issued another positive security statement about medical IOT devices.  Their “Product Security Policy Statement” was more of a whitepaper than a policy statement, but is also a good example of how responsible IOT device makers can use security to market and sell their products (rather than just treat it as a burden).  Some key excerpts from this document are listed below.

  • At the medical device industry level, Philips works on the HIMSS Medical Device Security Workgroup…
  • In light of the increased focus on medical device security and compliance…(we support) a standard “Manufacturer Disclosure Statement for Medical Device Security” (MDS2)
  • Any connection of a device to a hospital network should be done with appropriate risk management for safety, effectiveness, and data and systems security
  • The Philips Product Security Policy requires Security Designed In objectives as part of all new product creation efforts.