Code of Ethics
1. Preamble
Cybersecurity in healthcare is not an abstract discipline. The systems we test, the data we touch, and the decisions our clients make based on our advice ultimately affect patient care and patient lives. That weight shapes how we work.
This Code is not a marketing document. It exists to set out, in writing, the standards we hold ourselves to so that clients, candidates, and the public can hold us accountable.
2. Client Trust
The trust a client places in us when they hand over network access, source code, and audit findings is earned through every interaction. We honor that trust by:
- Confidentiality: Client information, vulnerabilities, and engagement findings are never shared outside the engagement team without written authorization.
- Discretion: We do not name clients in marketing or sales without explicit, written permission.
- Data minimization: We collect only the data we need to do the work, and we destroy it when the engagement ends per our retention schedule.
3. Patient Data
When our work involves environments containing protected health information (PHI) or electronic protected health information (ePHI), we treat that data as the property of the patient — not the client and not us.
- We sign a Business Associate Agreement (BAA) before any engagement that may expose PHI.
- We do not exfiltrate or download patient records during testing unless contractually required to demonstrate impact, and only with explicit written authorization.
- Any inadvertently collected PHI is reported to the client immediately and securely destroyed.
4. Honesty in Findings
A security report is only useful if it is true. We will never:
- Inflate findings to justify scope or follow-on engagements.
- Suppress findings to avoid difficult conversations with executives or auditors.
- Misrepresent severity, exploitability, or impact in any deliverable.
If a finding is wrong, we correct it on the record. If a client disagrees with our characterization, we document the disagreement rather than rewrite the truth.
5. Independence
We do not sell, resell, or accept commissions on third-party security products. Our recommendations are based on what is right for the client's environment, not what generates a kickback. If we suggest a product or vendor, it is on its merits, and we state in writing that we have no other relationship with that vendor.
6. Conflicts of Interest
We disclose to clients, in writing, any of the following before an engagement begins:
- Personal or financial relationships with the client's vendors, competitors, or counterparties.
- Prior engagements with parties who could be affected by our findings.
- Ownership stakes or board seats at any organization in the engagement scope.
If a conflict cannot be resolved, we decline the engagement.
7. Authorization & Scope
We do not test what we are not authorized to test. Every penetration test, red-team exercise, or active assessment is governed by a written, signed statement of work that defines:
- The systems, networks, and applications in scope.
- The dates and times during which testing may occur.
- The named individuals authorized to approve the engagement.
- The conditions under which testing must stop.
If during an engagement we discover that the authorized scope conflicts with what we are seeing in the environment (for example, third-party or shared systems that fall inside the authorized ranges but were not disclosed to us), we stop and confirm with the named approvers before continuing.
8. Vulnerability Disclosure
When we identify a previously unknown vulnerability in a third-party product during the course of a client engagement, we follow coordinated disclosure:
- We notify the affected vendor through a responsible-disclosure channel.
- We allow a reasonable remediation window (typically 90 days) before publication.
- We never publicly disclose details of a client's environment.
9. Staff Conduct
Every Cyberency staff member commits to:
- Continuing professional education in their specialty.
- Honesty about the boundaries of their expertise — including saying "I don't know" to clients when warranted.
- Treating client staff, vendors, and auditors with respect, even under pressure.
- Reporting any actual or perceived ethical concern to leadership without fear of reprisal.
10. Enforcement
Violations of this Code are grounds for disciplinary action up to and including termination. Violations that involve client data, patient data, or unauthorized testing are reported to the affected client and, where required, to law enforcement.
Clients who believe a Cyberency staff member has violated this Code are encouraged to contact us directly. Reports are reviewed by the firm's principals and acted on promptly.
11. Contact
Questions about this Code, or reports of suspected violations, may be sent to: