Last updated 13/10/2022
Health IT Responsible Disclosure Policy
How we handle security vulnerabilities
As an IT provider working in the Healthcare sector, we recognise how important it is to help protect patient security and privacy. We understand that security is integral to the delivery of patient care, and we hold that as a core focus in everything we do.
This policy serves to outline how we handle security vulnerabilities.
Reporting security issues
If you believe you have discovered a vulnerability in any Health IT system or service, and wish to report it, please complete the form below. We will provide you with confirmation upon receipt of the disclosure.
Health IT’s vulnerability disclosure policy
We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers and other IT professionals, must act responsibly. This is why we adhere to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, and may share details with the appropriate people, be they Healthcare organisations or members of the Information Security community, after 90 days have passed, or sooner if the vendor releases a fix.
This deadline may vary in some circumstances, and we will always strive to be non-punitive in enforcing it. At all times we intend to act in good faith and will review each case to ensure that is the situation.
If we observe a vulnerability being actively exploited in the wild as a zero-day, we believe that more urgent action may be required. In those circumstances we reserve the right to disclose to those who may be affected by the vulnerability, to ensure they are able to take steps to prevent exploitation. We will provide the vendor with as much notice as possible before taking this action.
We call on all vendors to adopt disclosure deadlines in some form and give permission for this document to be reproduced verbatim if you find our reasoning compelling. Creating pressure towards more reasonably timed fixes will result in smaller windows of opportunity for malicious actors to abuse vulnerabilities, which serves to enhance patient care.