The Biohacking Village: Device Lab seeks to preserve human life, patient safety, and trustworthiness of medical devices, by building a high-trust, high-collaboration environment among willing allies across healthcare. We welcome medical device makers, security researchers, caregivers, and others who will act in good faith, in the best interest of patients, when discovering, disclosing, and addressing security issues.
Vulnerability discovery, disclosure, and remediation in public safety contexts must be handled with both due haste and due care. Urgency in addressing vulnerabilities can preserve safety, life, and trust, yet acting prematurely puts patients’ lives at risk. At the same time, rigorous testing avoids unintended consequences at the cost of time to deploy fixes. Protecting patient safety is like a relay race: practice and collaboration among teammates is the only way to win.
Saving lives through security research. The manufacturer’s public coordinated disclosure policy lays out the expected rules of engagement, and disclosing through their existing policy is often the best way to get the quickest, highest quality response. Contacting third-party coordinators, such as the FDA, DHS, and CERT/CC, all of whom will be on hand at the Village, gives a safe escalation path. Outreach to friends and colleagues, in a way that avoids disclosing the issue, can also identify reporting and escalation options.
Building teammates and allies. Manufacturers collaborating with the Biohacking Village Device Lab, putting medical devices in the hands of security researchers do so in good faith. We hope that collaboration here in the Lab make discovering and reporting issues much easier and safer, and we also hope to foster more research and reporting through their normal disclosure channels. We hope this relationship between you, medical device makers, and healthcare community continues in future research and ask that you reference the help received in the Biohacking Village in future disclosure publications.
As one who is concerned with public safety and human life I will take sufficient care to avoid inadvertently putting life and safety at risk. I am committed to acting in the best interest of patients, and to disclosing potential vulnerabilities to the manufacturer in good faith.