Responsible disclosure policy

Preface

Have you found a vulnerability in our systems? Thank you for reporting it to us!

Our essential interests are the continued and secure delivery of healthcare services, healthcare training and healthcare research. We remain committed to securing our networks and information systems, and we have put in place multiple controls to assure a suitable level of security and privacy.

However, we acknowledge that vulnerabilities, weaknesses, faults and misconfigurations in our networks and information systems may occur. We are committed to working in good faith with any individual or entity that chooses to share vulnerabilities with us, to help us reduce the risk of loss of functionality, injury to our patients, unauthorized access to our systems, or the unlawful disclosure of electronic protected health information.

Scope and limitations

Helse Sør-Øst is a regional specialist health care provider, consisting of several separate health care trusts and hospitals in the south-eastern region of Norway. For a full list of health care trusts in the Helse Sør-Øst region, please see Appendix A.

The scope of the vulnerability disclosure policy covers all aspects of Helse Sør-Øst operations, but we kindly ask that you observe the following:

- Vulnerabilities believed to affect the functionality, design, performance or security of medical devices, or otherwise relating to such devices, should be reported directly to the manufacturer of the equipment. You may contact us directly if either

a) it is not possible to contact the manufacturer (e.g. the manufacturer has been dissolved, does not reply within a reasonable time, or no contact information can be found),

or

b) the manufacturer no longer supports the device and offers no updates that mitigate the vulnerability.

- Vulnerabilities in the web pages of the health care trusts are to be reported to the Norwegian Directorate of eHealth (NDE). For contact information, please see the "security.txt" file linked to in the chapter "Contact us".

- For matters relating to unauthorized access to, or public sharing of, health care data, please contact the Data Privacy Officer of the relevant health care trust(s). For contact information, please see the "security.txt" file linked to in the chapter "Contact us".

- All other technical vulnerabilities shall be reported to the regional ICT provider, Sykehuspartner HF. For contact information, please see the "security.txt" file linked to in the chapter "Contact us".

How to report vulnerabilities

We kindly ask that you:

- Report the vulnerability within a reasonable time frame,

- Verify the vulnerability without impacting our essential interests or causing harm to anyone,

- Do not disclose the vulnerability to third parties until we have had a reasonable time to correct it,

- Do not exploit the vulnerability, and do not use it to access more data than is strictly necessary to demonstrate that it exists, and

- Provide a description of how you discovered the vulnerability, together with step-by-step instructions for reproducing the exploit.

Legal posture

Neither Helse Sør-Øst, Sykehuspartner HF nor the health care trusts in the region intend to engage in legal actions against individuals or entities who in good faith follow the steps described above.

However, any action taken deliberately or against better judgement that impacts, or may impact, our essential interests such that our equipment or systems no longer render the services for which they were set up, whether temporarily or permanently, reversibly or not, constitutes an unlawful cyber attack and is not covered by this responsible disclosure policy.

Protection of health care services by international humanitarian law

International humanitarian law, in particular the Geneva Conventions, prohibits targeting hospitals, medical facilities and medical personnel; the Tallinn Manual 2.0, a non-binding expert study, sets out how these rules apply to cyber attacks. This protection also extends to data of a civilian nature, such as medical data and health care records.

Rewards and recognition

Sykehuspartner HF will reward individuals whose reported vulnerabilities follow the steps described above with a letter of recognition and acknowledgement. Helse Sør-Øst does not run a bug bounty programme and offers no monetary rewards for reporting vulnerabilities.

Contact us

We kindly ask that all communication be made by email. Please see the "security.txt" file located at /.well-known/security.txt on each trust's web site. A full list of the health care trusts in the Helse Sør-Øst region, with the URI of each trust's security.txt, is given in Appendix A.
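As an added example (not part of this policy, and not Sykehuspartner's code), the following Python script parses a security.txt file in the RFC 9116 format that the paragraph above refers to and checks the fields a reporter relies on before sending a report: that Contact and Expires are present, that Expires appears once and has not passed, and that Contact values are URIs. The sample file, its addresses and its dates are constructed placeholders, not the values published at the URIs in Appendix A.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example; the sample below is constructed for illustration and its
contact address, host name and dates are placeholders.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample; field values are placeholders, not a real trust's file.
SAMPLE = """\
# Constructed example, not a real security.txt
Contact: mailto:security@example.invalid
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, no
Canonical: https://www.example.invalid/.well-known/security.txt
Encryption: https://www.example.invalid/pgp-key.txt
"""

# RFC 9116: Contact and Expires are mandatory; Expires and
# Preferred-Languages must not appear more than once.
REQUIRED = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")


def parse_security_txt(text):
    """Return a dict mapping field name -> list of values (fields may repeat).

    Lines starting with '#' are comments; a field line is 'Name: value'.
    Field names are case-insensitive, so they are normalised to the
    capitalisation used in the RFC ("contact" -> "Contact").
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comments, blank lines and junk are skipped
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def parse_iso8601(value):
    """Parse an RFC 3339 / ISO 8601 timestamp; return None if malformed."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes.

    `now` may be a datetime or an ISO 8601 string; defaults to the current
    UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_iso8601(now)
    fields = parse_security_txt(text)
    problems = []

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear only once: {name}")

    for contact in fields.get("Contact", []):
        # RFC 9116 requires a URI here (mailto:, tel: or an https: web
        # address); a bare email address or http: link is flagged.
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact is not a mailto:, tel: or https: URI: {contact}")

    if len(fields.get("Expires", [])) == 1:
        expires = parse_iso8601(fields["Expires"][0])
        if expires is None:
            problems.append("Expires is not an ISO 8601 timestamp")
        elif expires <= now:
            problems.append("security.txt has expired")
        elif expires - now > timedelta(days=366):
            # RFC 9116 recommends an Expires value less than a year ahead.
            problems.append("Expires is more than a year away")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE) or ["no problems found"]:
        print(problem)
```

A file fetched from one of the URIs in Appendix A can be passed to `check_security_txt` as a string; an expired file or a missing Contact field means the published address should be confirmed by another route before a report is sent.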

Appendix A: List of health care trusts in Helse Sør-Øst

Health Care Trust                     Location of "security.txt"
Sykehuset Sørlandet HF                https://www.sshf.no/.well-known/security.txt
Sykehuset Telemark HF                 https://www.sthf.no/.well-known/security.txt
Sykehuset i Vestfold HF               https://www.siv.no/.well-known/security.txt
Sunnaas sykehus HF                    https://www.sunnaas.no/.well-known/security.txt
Vestre Viken HF                       https://vestreviken.no/.well-known/security.txt
Oslo Universitetssykehus HF           https://oslo-universitetssykehus.no/.well-known/security.txt
Akershus Universitetssykehus HF       https://www.ahus.no/.well-known/security.txt
Sykehuset Østfold HF                  https://sykehuset-ostfold.no/.well-known/security.txt
Sykehuset Innlandet HF                https://sykehuset-innlandet.no/.well-known/security.txt
Sykehuspartner HF                     https://sykehuspartner.no/.well-known/security.txt
Helse Sør-Øst HF                      https://sykehuspartner.no/.well-known/security.txt

Appendix B: Acknowledgements

We kindly thank the following organizations for ideas and inspiration for this Responsible Disclosure policy:

NTIA Coordinated Vulnerability Disclosure Template:
https://www.ntia.doc.gov/files/ntia/publications/ntia_vuln_disclosure_early_stage_template.pdf

Visma Responsible Disclosure Policy:
https://www.visma.com/trust-centre/smb/security-and-privacy/operational/responsible-disclosure/

Oslo Børs Responsible Disclosure Policy:
https://www.oslobors.no/ob_eng/Oslo-Boers/About-Oslo-Boers/Responsible-Disclosure

Siemens Vulnerability Handling and Disclosure Process:
https://new.siemens.com/global/en/products/services/cert/vulnerability-process.html
