Vulnerabilities in systems of healthcare institutions, medical networks and medical equipment discovered by third parties can be reported to [email protected] (preferably encrypted with our PGP key).
Z-CERT can coordinate so-called Responsible Disclosure reports for participants and advise them on the handling. Z-CERT assumes the role of 'man-in-the-middle'. In short, this means that Z-CERT mediates between the reporter and the participant about how the report is handled.
What is Responsible Disclosure?
Responsible Disclosure is the handling, in a responsible manner and in accordance with the policy of the participant or Z-CERT, of third-party reports about data leaks, whether discovered accidentally or not, that come to the attention of the participant or Z-CERT.
For example: a participant receives a report from a patient that, in addition to his own patient data, he can also view the data of another patient online.
Reports can be legitimate, but that is not always the case. The interests of the reporter may also vary: one person acts in good faith, another is interested in attention, goods, financial gain or a job. Reports can also be a form of acquisition for ICT security companies. In exceptional cases, extortion occurs.
The deliberate search for leaks in security, or even just adjusting a URL, can be punishable in accordance with Dutch laws and regulations.
Responsible Disclosure reports must in principle be made to the participant. The participant can then call in Z-CERT. First, Z-CERT performs a triage: a (technical) analysis is carried out to determine whether the vulnerability indicated by the reporter is indeed present, how it can be abused and what the impact can be. In addition, it is checked who the reporter is and whether this person has submitted reports before. Finally, Z-CERT can provide the participant with legal advice. Optionally, Z-CERT can invite the reporter and the participant to deal with the report together.