PEPconnect

ACUSON Freestyle™ Security and MDS² Form - VA40

The reproduction, transmission or distribution of this training or its contents is not permitted without express written authority. Offenders will be liable for damages. 
 
All names and data of patients, parameters and configuration dependent designations are fictional and examples only. 
 
All rights, including rights created by patent grant or registration of a utility model or design, are reserved.
 
Please note that the learning material is for training purposes only! 
 
For the proper use of the software or hardware, please always use the Operator Manual or Instructions for Use (hereinafter collectively “Operator Manual”) issued by Siemens Healthineers. This material is to be used as training material only and shall by no means substitute the Operator Manual. Any material used in this training will not be updated on a regular basis and does not necessarily reflect the latest version of the software and hardware available at the time of the training. 
 
The Operator Manual shall be used as your main reference, in particular for relevant safety information like warnings and cautions.
 
Note: Some functions shown in this material are optional and might not be part of your system. The information in this material contains general technical descriptions of specifications and options as well as standard and optional features that do not always have to be present in individual cases.
 
Certain products, product related claims or functionalities described in the material (hereinafter collectively “Functionality”) may not (yet) be commercially available in your country. Due to regulatory requirements, the future availability of said Functionalities in any specific country is not guaranteed. Please contact your local Siemens Healthineers sales representative for the most current information.
 
ACUSON Freestyle is a trademark of Siemens Medical Solutions USA, Inc.  Copyright © Siemens Healthcare GmbH, 2020

ACUSON Freestyle VA40
Security White Paper and MDS2 Form
The facts about the security of our products and solutions
siemens-healthineers.com/freestyle

Product and Solution Security White Paper · ACUSON Freestyle VA40

The Siemens Healthineers product and solution security program

At Siemens Healthineers, we are committed to working with you to address your cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program to ensure that cybersecurity is addressed throughout the lifecycle of our medical devices.

Our program addresses state of the art cybersecurity in our current and future products. We support you to protect the privacy of your data at the same time providing measures that strengthen the resiliency of our products from external cybersecurity attackers.

We comply with security and privacy regulations from the US Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights (OCR), to help you meet your IT security and privacy obligations.

Elements of our product and solution security program:
• Providing information about the secure configuration and use of our medical devices in your IT environment
• Formal threat and risk analysis for our medical devices
• Secure architecture, design and coding methodologies in our software development process
• Static code analysis of medical device software
• Security testing of medical devices under development as well as medical devices already in the field
• Patch management tailored to the medical device and your needs
• Security vulnerability monitoring to track reported third party components issues in our medical devices
• Working with our suppliers to ensure security is addressed throughout the supply chain
• Employee training to ensure their knowledge is consistent with the requirements to contribute to protecting your data and device integrity.

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our medical devices, no matter what the source.

Contacting Siemens Healthineers about product and solution security

Siemens Healthineers requests that any cybersecurity or privacy incidents are reported by email to: [email protected]

For all other communication with Siemens Healthineers about product and solution security: [email protected]

Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers

Contents
Basic Information
Network Information
Security Controls
Software Bill of Materials
Manufacturer Disclosure Statement According to IEC60601-1
Manufacturer Disclosure Statement for Medical Device Security – MDS2
Abbreviations
Disclaimer According to IEC 80001-1
International Electrotechnical Commission Glossary (extract)

Basic Information

Why is cybersecurity important?

Keeping patient data safe and secure should typically be one of the top priorities of healthcare institutes. It is estimated that the cost associated in the recovery of each medical record in the United States can be as high as $380.[1] According to the Ponemon Institute research report,[2] 39% of medical devices were hacked, with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

Our purpose is to help healthcare providers succeed

Siemens Healthineers designed ACUSON Freestyle Series Ultrasound Systems for those who want flexibility and accessibility to improve the entire ultrasound experience at the point-of-care. Unlike other ultrasound systems, the cable-free and portable ACUSON Freestyle Series Systems enable practitioners to improve workflow and improve the overall patient experience.

Operating systems

Please refer to the Software Bill of Materials chapter.

User account information

ACUSON Freestyle VA40 does not support user accounts.

Domain integration

In case of domain integration, we recommend that you put the device in its own Organizational Unit (OU). No global policies are allowed.

Patching strategy

Software releases containing security patches will be provided after validation by Siemens Healthineers to maintain the clinical function of the medical device.

Cryptography usage

The ACUSON Freestyle VA40 software uses cyphers and protocols built into its operating system for encryption.

Handling of sensitive data

• This ultrasound system is designed for temporary data storage only. Siemens Healthineers recommends storing patient data in a long-term archive, e.g. on a PACS, and data must be deleted using a facility-defined procedure.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system, similar to DICOM data, raw data, and metadata for DICOM creation. Note: The time for which PHI is stored is determined by the facility.
• Personally identifiable information (PII) as part of the DICOM records is also temporarily stored on the ultrasound system, e.g. patient’s name, birthday or age, height and weight, personal identification number and physician’s name. Additional sensitive information might be present in user-editable input fields or in the images acquired.
• Protected Health Information (PHI) is transmitted via unencrypted DICOM.

[1] https://healthitsecurity.com/news/how-much-do-healthcare-data-breaches-cost-organizations
[2] Ponemon Institute research report, Medical Device Security: An Industry Under Attack and Unprepared to Defend; https://www.ajg.com/media/1699098/medical-device-cybersecurity-whitepaper.pdf

Network Information

Figure 1: Security boundaries for system deployment. (Diagram labels: PACS/RIS, IN/OUT: DICOM; ACUSON Freestyle System, IN/OUT: DICOM, Mobile Link; Mobile Device running ACUSON Freestyle Mobile Link App, IN/OUT: Mobile Link; Clinical Network.)

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g. VLAN).

To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall or using access control lists on the network switches to limit traffic to identified peers. At minimum the DICOM Port (see Table 1) must be visible to your DICOM network nodes (e.g. PACS, etc.).

Please contact the Siemens Healthineers service organization for further information.
The following ports are used by the system:

| Port number | Service/function | Direction | Protocol |
| --- | --- | --- | --- |
| 80 | Port opened by OS, but no software monitors / services this port | N/A | N/A |
| 81 | Port opened by OS, but no software monitors / services this port | N/A | N/A |
| 104 | DICOM communication (with DICOM option installed) | In/outbound | TCP |
| 8080 | Port opened by OS, but no software monitors / services this port | N/A | N/A |
| 15104 | ACUSON Freestyle Mobile Link (if enabled) | In/outbound | TCP |
| 21474 | Used by Green Hills debugger | In/outbound | TCP |
| 21484 | Used by Green Hills debugger | In/outbound | TCP |

Table 1: Used Port Numbers

Security Controls

Continuous vulnerability assessment and remediation

Continuous Vulnerability Assessment and Remediation is performed.

Network controls

• The system is designed to make limited use of network ports and protocols.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g. a separate network segment or a VLAN.
• Connection to the Internet or private networks for patients/guests is not recommended.
• In case of a denial of service (DoS) or malware attack, the system can be taken off the network and operated standalone.

Physical protection

Customer is responsible for the physical protection of the ACUSON Freestyle VA40, e.g. by installing in a room with access control. Please note that the system contains patient data and should be protected against tampering and theft.

Data protection controls

The system is not intended to be an archive (data at rest).

Incident response and management

Incident handling process is defined and executed on demand to deal with incidents as mandated by the US FDA Post-Market Guidance.
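One way to turn Table 1 and the recommendation to limit traffic to identified peers into a check over observed flow records, as an added example that is not part of the white paper and not Siemens Healthineers code. The port numbers and service names come from Table 1; the IP addresses, the flow record format and the names `Flow`, `SitePolicy`, `classify`, `audit` and `permit_rules` are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# TCP ports from Table 1: port -> (service/function, needed for clinical use)
TABLE_1 = {
    80: ("opened by OS, no software services it", False),
    81: ("opened by OS, no software services it", False),
    104: ("DICOM communication", True),
    8080: ("opened by OS, no software services it", False),
    15104: ("ACUSON Freestyle Mobile Link", True),
    21474: ("Green Hills debugger", False),
    21484: ("Green Hills debugger", False),
}
DICOM_PORT, MOBILE_LINK_PORT = 104, 15104


@dataclass(frozen=True)
class Flow:
    """One observed TCP connection (constructed record format, an assumption)."""
    src: str
    dst: str
    dst_port: int


class SitePolicy:
    """Identified peers for one device; all addresses are site-specific assumptions."""

    def __init__(self, device, dicom_peers, mobile_link_peers=()):
        self.device = ip_address(device)
        self.peers = {
            DICOM_PORT: frozenset(map(ip_address, dicom_peers)),
            # An empty set models a site where Mobile Link is disabled.
            MOBILE_LINK_PORT: frozenset(map(ip_address, mobile_link_peers)),
        }

    def all_peers(self):
        return self.peers[DICOM_PORT] | self.peers[MOBILE_LINK_PORT]


def classify(flow, policy):
    """Return (verdict, reason) with verdict in {'allow', 'alert', 'ignore'}."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst == policy.device:  # inbound to the ultrasound system
        if flow.dst_port not in TABLE_1:
            return "alert", f"port {flow.dst_port} is not listed in Table 1"
        service, clinical = TABLE_1[flow.dst_port]
        if not clinical:
            return "alert", f"port {flow.dst_port} ({service}) has no clinical use"
        if src in policy.peers[flow.dst_port]:
            return "allow", f"{service} from identified peer {src}"
        return "alert", f"{service} from unidentified host {src}"
    if src == policy.device:  # outbound from the ultrasound system
        if dst in policy.all_peers():
            return "allow", f"outbound to identified peer {dst}"
        return "alert", f"outbound to unidentified host {dst}"
    return "ignore", "flow does not involve the device"


def audit(flows, policy):
    """Return [(flow, reason)] for every flow that should raise an alert."""
    alerts = []
    for flow in flows:
        verdict, reason = classify(flow, policy)
        if verdict == "alert":
            alerts.append((flow, reason))
    return alerts


def permit_rules(policy):
    """Inbound allowlist as (peer, device, port) tuples; everything else is denied."""
    return sorted(
        (str(peer), str(policy.device), port)
        for port, peers in policy.peers.items()
        for peer in peers
    )


# Constructed sample data: device .50, PACS .10, Mobile Link tablet .60.
POLICY = SitePolicy("10.20.30.50", ["10.20.30.10"], ["10.20.30.60"])
SAMPLE_FLOWS = [
    Flow("10.20.30.10", "10.20.30.50", 104),    # PACS -> DICOM
    Flow("10.20.40.77", "10.20.30.50", 104),    # unknown workstation -> DICOM
    Flow("10.20.40.77", "10.20.30.50", 21474),  # debugger port reached
    Flow("10.20.30.60", "10.20.30.50", 15104),  # tablet -> Mobile Link
    Flow("10.20.40.77", "10.20.30.50", 8080),   # OS-opened port reached
    Flow("10.20.30.50", "10.20.30.10", 104),    # device -> PACS
    Flow("10.20.30.50", "203.0.113.9", 443),    # device -> outside host
    Flow("10.20.40.77", "10.20.30.10", 104),    # unrelated to the device
    Flow("10.20.30.10", "10.20.30.50", 22),     # port absent from Table 1
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS, POLICY):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dst_port}  {reason}")
```

Because the device offers no node authentication and sends PHI over unencrypted DICOM, the peer allowlist enforced on the network is the control this check verifies.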
Software Bill of Materials

The following table comprises the most relevant third party technologies used (general drivers not included).

| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Dejarnette Research Systems, Inc | DICOM AN/API Software Object Library | 3.2.8 | DICOM Library |
| Free Software Foundation | ZLib | 1.2.3 | Lossless compression and decompression of files |
| Greenhills Software | Integrity Realtime Operating System | 5.0.9 | Software Operating System |
| Lee Thomason / Sourceforge | Tiny XML Parser | 2.5.3 | XML Parser |
| Swell Software | PEG+ Software Library | 1.98c | Graphics software |
| Texas Instruments | TI eXpress DSP Digital Media Software: JPEG Codec (TMDJPEGE) | 2.0 | JPEG Compressor/Decompressor |
| Texas Instruments | TI DSP BIOS | 5.33.06 | DSP Basic input/output system for TI DSPs |
| Texas Instruments | TI VICP | 3.2 | Video Imaging Co-Processor |
| Texas Instruments | TI EDMA3 LLD | 1.10.0.01 | Enhanced DMA Version 3 Low Level Driver |
| Texas Instruments | TI Framework Components | 2.24 | API for TI eXpress components |

Manufacturer Disclosure Statement According to IEC 60601-1

Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1. Network properties required by the system and resulting risks

1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 100 Mb/s.
• If the network is down, the network services (see below) are not available which can lead to the risks stated below.
• If the network is unavailable, medical images cannot be transferred for remote consultation.
• If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below.
• If the recommended network performance (1Gbit/s) is not provided, the transfer of images is extended, and availability of images at destinations (e.g., for consulting) is delayed.
• Only the protocols shown in the table of used ports are needed for communication.

1-2 PACS system for archiving images/results
• If the PACS is not available:
  – images cannot be archived after the examination. In case of a system hardware failure, all non-archived images can be lost.
  – images cannot be archived after the examination. Examinations may no longer be possible because the hard drive is full as non-archived images cannot be automatically removed.
  – images cannot be archived after the examination. In case of manual deletion of images, unarchived images can be lost.
  – images are not available for remote consultation via PACS consoles.
  – prior images are not available.
• If the recommended network performance (100 Mb/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system consecutive to the last transfer operations is prolonged.

1-3 RIS system
• If the RIS system is not available:
  – the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images when sent to the PACS until they are manually coerced with the RIS data in the PACS.
  – In case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-actual RIS data is used when registering a patient from the list of schedules on the system.

1-4 Common medical protocol properties
• Protocols used in medical environments are typically unsecure.

2. Instructions for the responsible organization

2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.

2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis.

2-3 Changes to the network include:
• changes in network configuration
• connection of additional items to the network
• disconnecting items from the network
• update of equipment connected to the network
• upgrade of equipment connected to the network

2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.

2-5 The RESPONSIBLE ORGANIZATION is fully responsible to ensure staff who have access to the device do not have the opportunity to cause any harm to the system.

2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.

2-7 Staff of the RESPONSIBLE ORGANIZATION has to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this.

2-8 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that only authorized medical/administrative staff shall have access to the device, and the RESPONSIBLE ORGANIZATION has at least one staff member with administrative rights to access the system.

2-9 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that visitors/patients do not have unsupervised physical access to the system.

2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device service engineers.

2-11 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet nor from the organization’s intranet to the device is possible.

2-12 The RESPONSIBLE ORGANIZATION is responsible to ensure physical security for the device.

2-13 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.
2-14 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.

2-15 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.

3. Intended purpose of integrating the device into an IT network

3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network.

3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of images acquired to other DICOM-compatible review stations or PACS.

3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.

4. Network properties required by the system and resulting risks

4-1 Unsuccessful data transfer not recognized
Function: Archiving and Networking
Hazard: Wrong diagnosis / loss of acquisition data
Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted locally before it has been successfully transferred to another system.
Measure: Since not all PACS systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
Effect on: Patient

4-2 Incorrect or incomplete data transfer
Function: Data Exchange – Network
Hazard: Wrong diagnosis, loss of acquisition data, corrupted data
Cause: Data corrupted when written to / read from storage or transferred to network.
Measure: Verification by testing that corrupt data results in a failed export.
Effect on: Patient

4-3 Insecure or incorrectly configured clinical network
Function: Network Security
Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS
Caution: Unauthorized access may affect system performance and data security.
Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
• Lowered system performance and/or non-operational system
• Loss of data security including loss of all patient data
Measure:
• Enable your system administrator to ensure network security and the security of the operational infrastructure
• Consult manuals for secure setup
• Perform system updates as required
• Run your medical device only in protected network environments, and do not connect it directly to public networks
• Update and patch networked systems as required
• Enable ACUSON Freestyle Mobile Link access to the system only when needed. See manual for more details.
• Monitor for ACUSON Freestyle Mobile Link on-screen icon. Disable Mobile Link if this feature is not in use. See manual for more details.
Effect on: Patient, System

Manufacturer Disclosure Statement for Medical Device Security – MDS2

Device Description

Device Category: Diagnostic Ultrasound
Manufacturer: Siemens Medical Solutions USA, Inc.
Document ID: 11510327-EPH-001-01
Document Release Date: September, 2020
Device Model: ACUSON Freestyle
Software Revision: VA40, all versions
Software Release Date: 10/26/2016

Manufacturer or Representative Contact Information
Company Name: Siemens Medical Solutions USA, Inc.
Manufacturer Contact Information: 22010 S.E. 51st Street, Issaquah, WA 98029 USA
Representative Name/Position: Global Product Manager

Intended use of device in network-connected environment

The Siemens Healthineers ACUSON Freestyle Ultrasound System is a portable diagnostic ultrasound system. The ACUSON Freestyle is intended for ultrasound imaging in the point-of-care setting. The ACUSON Freestyle features the world’s first cableless ultrasound transducers. This innovative breakthrough advances the use of ultrasound in critical and intensive care, emergency, and intraoperative settings, because the advanced image quality, ease-of-use, and portability combine with the cable-free transducers to simplify and speed up the use of ultrasound guidance in sterile procedures. The ACUSON Freestyle wireless transducers use a proprietary, custom radio that provides high quality, fully secure links to the main system console. The ACUSON Freestyle utilizes a dedicated, non-mass market Realtime Operating System (RTOS) that is designed for mission-critical, highly secured applications. By avoiding standard mass market software operating systems such as those based on Microsoft Windows or similar commercial products, the ACUSON Freestyle achieves networking security without the need for constant patch updates. As a portable system with DICOM networking storage capability, the ACUSON Freestyle is intended as a temporary storage of private data.

Management of Private Data

Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in this form. Each item is answered Yes, No, N/A, or See Note, with a note number where applicable.

A Can this device display, transmit, or maintain private data (including electronic Protected Health Information [ePHI])? Answer: Yes

B Types of private data elements that can be maintained by the device:
B.1 Demographic (e.g., name, address, location, unique identification number)? Answer: Yes
B.2 Medical record (e.g., medical record #, account #, test or treatment date, device identification number)? Answer: Yes
B.3 Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)? Answer: Yes
B.4 Open, unstructured text entered by device user/operator? Answer: Yes
B.5 Biometric data? Answer: No
B.6 Personal financial information? Answer: No

C Maintaining private data ‒ Can the device:
C.1 Maintain private data temporarily in volatile memory (e.g., until cleared by power-off or reset)? Answer: Yes
C.2 Store private data permanently on local media? Answer: Yes
C.3 Import/export private data with other systems? Answer: Yes
C.4 Maintain private data during power service interruptions? Answer: Yes

D Mechanisms used for the transmitting, importing/exporting of private data – Can the device:
D.1 Display private data (e.g., video display, etc.)? Answer: Yes
D.2 Generate hardcopy reports or images containing private data? Answer: Yes
D.3 Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)? Answer: Yes
D.4 Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)? Answer: No
D.5 Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)? Answer: Yes
D.6 Transmit/receive private data via an integrated wireless network connection (e.g., Wi-Fi, Bluetooth, infrared, etc.)? Answer: Yes
D.7 Import private data via scanning? Answer: No
D.8 Other? Answer: No

Management of private data notes:

Security capabilities

Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in this form. Each item is answered Yes, No, N/A, or See Note, with a note number where applicable.

1 Automatic logoff (ALOF)
The device’s ability to prevent access and misuse by unauthorized users if the device is left idle for a period of time.
1-1 Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? Answer: No. Note #: 1
1-1.1 Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? (Indicate time [fixed or configurable range] in notes.) Answer: N/A
1-1.2 Can auto-logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) by the user? Answer: N/A
ALOF notes:
1. The ACUSON Freestyle does not incorporate logon features for routine operation.

2 Audit controls (AUDT)
The ability to reliably audit activity on the device.
2-1 Can the medical device create an audit trail? Answer: No
2-2 Indicate which of the following events are recorded in the audit log:
2-2.1 Login/logout Answer: N/A
2-2.2 Display/presentation of data Answer: N/A
2-2.3 Creation/modification/deletion of data Answer: N/A
2-2.4 Import/export of data from removable media Answer: N/A
2-2.5 Receipt/transmission of data from/to external (e.g., network) connection Answer: N/A
2-2.5.1 Remote service activity Answer: N/A
2-2.6 Other events? (describe in the notes section) Answer: N/A
2-3 Indicate what information is used to identify individual events recorded in the audit log:
2-3.1 User ID Answer: N/A
2-3.2 Date/time Answer: N/A
AUDT notes:

3 Authorization (AUTH)
The ability of the device to determine the authorization of users.
3-1 Can the device prevent access to unauthorized users through user login requirements or other mechanism? Answer: No
3-2 Can users be assigned different privilege levels within an application based on ‘roles’ (e.g., guests, regular users, power users, administrators, etc.)? Answer: No
3-3 Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via local root or admin account)? Answer: No
AUTH notes:

4 Configuration of security features (CNFS)
The ability to configure/re-configure device security capabilities to meet user’s needs.
4-1 Can the device owner/operator reconfigure product security capabilities? Answer: Yes. Note #: 1
CNFS notes:
1. The ACUSON Freestyle provides the ability for the owner/operator to configure the WiFi settings for different security types.

5 Cyber security product upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade device’s security patches.
5-1 Can relevant OS and device security patches be applied to the device as they become available? Answer: See Note. Note #: 1, 2
5-1.1 Can security patches or other software be installed remotely? Answer: No
CSUP notes:
1. The ACUSON Freestyle utilizes a dedicated realtime operating system designed for embedded, mission-critical applications. This operating system is non-PC and non-Microsoft Windows, and has been developed to provide a hardened and unique OS that is not vulnerable to security threats. See also # 15 below.
2. The ACUSON Freestyle supports installation/upgrading of its internal firmware only through manufacturer-supplied update code from USB media. This media includes an integrated OS and application code including all utilized security technologies.

6 Health data DE-identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.
6-1 Does the device provide an integral capability to de-identify private data? Answer: See Note. Note #: 1
DIDT notes:
1. The ACUSON Freestyle allows the patient name and identification number to be hidden in captured images. However, this selection must be done prior to capturing the images. The system does not strip the private data from images after the capture is completed nor during image export. Also, the patient identification number embedded within the stored data files is never removed so as to maintain study integrity and authenticity.

7 Data backup and disaster recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, or software.
7-1 Does the device have an integral data backup capability (e.g., backup to remote storage or removable media such as tape, disk)? Answer: Yes. Note #: 1
DTBK notes:
1. Patient data is uploaded to PACS after each exam. Patient data and system configuration can be backed up to USB media.

8 Emergency access (EMRG)
The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data.
8-1 Does the device incorporate an emergency access (“break-glass”) feature? Answer: See Note. Note #: 1
EMRG notes:
1. As a device intended for dedicated usage in emergency and critical care-type settings, immediate access is considered a basic design requirement.

9 Health data integrity and authenticity (IGAU)
How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is from the originator.
9-1 Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology? Answer: See Note. Note #: 1, 2
IGAU notes:
1. Image data from the wireless transducer to the system console is formatted using proprietary methods that ensure the data received by the system console is not altered or destroyed in an unauthorized manner and is from the authorized originator.
2. The networking and archival of completed patient studies from the system include unique identifiers embedded within the data allowing determination of the originator. Additionally, while stored within the system these unique identifiers are required to reference image data sets to studies.

10 Malware detection/protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).
10-1 Does the device support the use of anti-malware software (or other anti-malware mechanism)? Answer: See Note. Note #: 1
10-1.1 Can the user independently re-configure anti-malware settings? Answer: See Note. Note #: 1
10-1.2 Does notification of malware detection occur in the device user interface? Answer: See Note. Note #: 1
10-1.3 Can only manufacturer-authorized persons repair systems when malware has been detected? Answer: See Note. Note #: 1
10-2 Can the device owner install or update anti-virus software? Answer: See Note. Note #: 1, 2
10-3 Can the device owner/operator (technically/physically) update virus definitions on manufacturer-installed antivirus software? Answer: See Note. Note #: 1, 2
MLDP notes:
1. The ACUSON Freestyle utilizes a dedicated realtime operating system designed for embedded, mission-critical applications. This operating system is non-PC and non-Microsoft Windows, and has been developed to provide a hardened and unique OS that is not vulnerable to security threats. As such, additional anti-malware, anti-virus software is not considered necessary. See also # 15 below.
2. The ACUSON Freestyle supports installation/upgrading of its internal firmware only through manufacturer-supplied update code from USB media. This media includes an integrated OS and application code including all utilized security technologies.

11 Node authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.
11-1 Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information? Answer: No
NAUT notes:

12 Person authentication (PAUT)
Ability of the device to authenticate users
12-1 Does the device support user/operator-specific username(s) and password(s) for at least one user? Answer: No
12-1.1 Does the device support unique user/operator-specific IDs and passwords for multiple users? Answer: No
12-2 Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)? Answer: No
12-3 Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts? Answer: No
12-4 Can default passwords be changed at/prior to installation? Answer: N/A
12-5 Are any shared user IDs used in this system? Answer: No
12-6 Can the device be configured to enforce creation of user account passwords that meet established complexity rules? Answer: N/A
12-7 Can the device be configured so that account passwords expire periodically? Answer: No
PAUT notes:

13 Physical locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media
13-1 Are all device components maintaining private data (other than removable media) physically secure (e.g., cannot remove without tools)? Answer: Yes
PLOK notes:

14 Roadmap for third-party components in the device life cycle (RDMP)
Manufacturer’s plans for security support of third-party components within the device life cycle.
14-1 In the notes section, list the provided or required (separately purchased and/or delivered) operating system(s) – including version number(s). Answer: See Note. Note #: 1
14-2 Is a list available of other third-party applications provided by the manufacturer? Answer: See Note. Note #: 2
RDMP notes:
1. The Operating System is Greenhills Integrity Realtime Operating System (5.0.9 or higher).
2. The ACUSON Freestyle does not allow other third party applications to run on the product.

15 System and application hardening (SAHD)
The device’s resistance to cyber attacks and malware.
15-1 Does the device employ any hardening measures?
Please indicate in the notes the level of See Note 1 conformance to any industry-recognized hardening standards. 15-2 Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure Yes – the installed program/update is the manufacturer-authorized program or software update? 15-3 Does the device have external communication capability (e.g., network, modem, etc.)? Yes – 15-4 Does the file system allow the implementation of file-level access controls (e.g., New Technology Yes – File System (NTFS) for MS Windows platforms)? 15-5 Are all accounts, which are not required for the intended use of the device, disabled or deleted Yes – for both users and applications? 15-6 Are all shared resources (e.g., file shares), which are not required for the intended use of the device, disabled? Yes – 15-7 Are all communication ports, which are not required for the intended use of the device, closed/disabled? Yes – 15-8 Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which Yes – are not required for the intended use of the device, deleted/disabled? 15-9 Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, Yes 2, 3 etc.), which are not required for the intended use of the device, deleted/disabled? 15-10 Can the device boot from uncontrolled or removable media (e.g., a source other than an internal No – drive or memory component)? 15-11 Can software or hardware not authorized by the device manufacturer be installed on the device No – without the use of tools? SAHD notes: 1. The Greenhills Integrity Operating System has been certified by the National Information Assurance Partnership (NIAP – a United States government initiative operated by the National Security Agency (NSA)) against the most rigorous standard for operating system security, the United States Separation Kernal Protection Profile (SKPP). 
The OS uses hardware memory protection to isolate and protect the embedded system software. Secure partitions guarantee each task the resources it needs to run correctly and fully protect the operating system and user tasks from errant and malicious code, including denial-of-service attacks, worms, and Trojan horses. The Integrity operating system technology has received the following certifications and accreditations that testify to its safety, security, and reliability: - FDA Class II and Class III medical device clearances and approvals; - IEC/EN 61508: Industrial safety SIL-3; - CENELEC: Railway EN 50128 SWSIL4. 2. The ACUSON Freestyle does not support installation of COTS applications and only required OS applications are integrated into the ACUSON Freestyle manufacturer-provided installation code. 3. The ACUSON Freestyle does not allow direct connections to the Internet through applications such as MS Internet Explorer. 16 Security guidance (SGUD) The availability of security guidance for the operator and administrator of the system and the manufacturer sales and service. 16-1 Are security-related features documented for the device user? Yes – 16-2 Are instructions available for device/media sanitization (e.g., instructions for how to achieve Yes 1 the permanent deletion of personal or other sensitive data)? SGUD notes: 1. From the Service organization. 16 siemens-healthineers.com/freestyle ACUSON Freestyle VA40 · Product and Solution Security White Paper Device Category Manufacturer Document ID Document Diagnostic Ultrasound Siemens Medical Solutions 11510327-EPH-001-01 Release Date USA, Inc. September, 2020 Device Model Software Revision Software Release Date ACUSON Freestyle VA40, all versions 10/26/2016 Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in Yes, No, Note # this form. 
N/A, or See Note 17 Health data storage confidentiality (STCF) The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on the device or removable media. 17-1 Can the device encrypt data at rest? No – STCF notes: 18 Transmission confidentiality (TXCF) The ability of the device to ensure the confidentiality of transmitted private data. 18-1 Can private data be transmitted only via a point-to-point dedicated cable? No – 18-2 Is private data encrypted prior to transmission via a network or removable media? See Note 1 (If yes, indicate in the notes which encryption standard is implemented.) 18-3 Is private data transmission restricted to a fixed list of network destinations? Yes – TXCF notes: 1. Encryption via industry standards is available with wireless networking. 19 Transmission integrity (TXIG) The ability of the device to ensure the integrity of transmitted private data. 19-1 Does the device support any mechanism intended to ensure data is not modified during transmission? Yes 1 (If yes, describe in the notes section how this is achieved.) TXIG notes: 1. Use of industry-standard data encryption (available with wireless networking) enables transmission integrity. 20 Other security considerations (OTHR) Additional security considerations/notes regarding medical device security. 20-1 Can the device be serviced remotely? No – 20-2 Can the device restrict remote access to/from specified devices or users or network locations N/A – (e.g., specific IP addresses)? 20-2.1 Can the device be configured to require the local user to accept or initiate remote access? 
N/A – OTHR notes: siemens-healthineers.com/freestyle 17 Product and Solution Security White Paper · ACUSON Freestyle VA40 Abbreviations BIOS Basic Input Output System LLD Low Level Driver DSP Digital Signal Processor MDS2 Manufacturer Disclosure Statement for Medical Device Security DICOM Digital Imaging and Communications in Medicine NEMA National Electrical Manufacturers Association DoS Denial of Service OCR Enhanced Direct Memory Access, Office for Civil Rights EDMA3 Version 3 OU Organizational Unit ePHI Electronic Protected Health Information PACS Picture Archiving and Communication Food and Drug Administration System FDA PHI Protected Health Information FIPS Federal Information Processing Standards PII Personally Identifiable Information HHS Health and Human Services RIS Radiology Information System HIPAA Health Insurance Portability and SW Software Accountability Act TCP Transmission Control Protocol HIMSS Healthcare Information and Management Systems Society TI Texas Instruments HTTP Hypertext Transfer Protocol VICP Video Imaging Co-Processor HTTPS HTTP Secure VPN Virtual Private Network IEC International Electrotechnical XML Extensible Markup Language Commission JPEG Joint Photographic Experts Group 18 siemens-healthineers.com/freestyle ACUSON Freestyle VA40 · Product and Solution Security White Paper Disclaimer According to International Electrotechnical IEC 80001-1 Commission Glossary (extract) 1-1 The Device has the capability to be connected Responsible organization: to a medical IT network, which is managed under Entity accountable for the use and maintenance of a full responsibility of the operating legal entity medical IT network (hereafter called “RESPONSIBLE ORGANIZATION”). It is assumed that the RESPONSIBLE ORGANIZATION ACUSON Freestyle is a trademark of Siemens Medical assigns a Medical IT Network Risk Manager to Solutions USA, Inc. 
perform IT Risk Management Microsoft and Windows are registered trademarks of (see IEC 80001-1:2010 / EN 80001-1:2011) for IT. Microsoft Corporation in the United States and other countries. 1-2 This statement describes Device-specific IT networking safety and security capabilities. It is NOT a RESPONSIBILITY AGREEMENT according to IEC 80001-1:2010 / EN 80001-1:2011. 1-3 Any modification of the platform, the software or the interfaces of the Device - unless authorized and approved by Siemens Healthcare GmbH – voids all warranties, liabilities, assertions and contracts. 1-4 The RESPONSIBLE ORGANIZATION acknowledges that the Device’s underlying standard computer with operating system is to some extent vulnerable to typical attacks such as malware or denial-of- service. 1-5 Unintended consequences (e.g., misuse/loss/ corruption) of data not under control of the Device (e.g., after electronic communication from the Device to an IT network or to a storage media), are under the responsibility of the RESPONSIBLE ORGANIZATION. 1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT network. The RESPONSIBLE ORGANIZATION must ensure – through technical and/or organizational measures – that only authorized use of the external connections and storage media is permitted. siemens-healthineers.com/freestyle 19 Siemens Healthineers Headquarters Legal Manufacturer Siemens Healthcare GmbH Siemens Medical Solutions USA, Inc. Henkestr. 127 Ultrasound 91052 Erlangen, Germany 22010 S.E. 51st Street Phone: +49 9131 84-0 Issaquah, WA 98029, USA siemens-healthineers.com Phone: 1-888-826-9702 siemens-healthineers.com/ultrasound Published by Siemens Medical Solutions USA, Inc. · 9729 1020 online · ©Siemens Medical Solutions USA, Inc., 2020
