PEPconnect

ACUSON Freestyle™ Security and MDS² Form - VA41

The reproduction, transmission or distribution of this training or its contents is not permitted without express written authority. Offenders will be liable for damages. 
 
All names and data of patients, parameters and configuration dependent designations are fictional and examples only. 
 
All rights, including rights created by patent grant or registration of a utility model or design, are reserved.
 
Please note that the learning material is for training purposes only! 
 
For the proper use of the software or hardware, please always use the Operator Manual or Instructions for Use (hereinafter collectively “Operator Manual”) issued by Siemens Healthineers. This material is to be used as training material only and shall by no means substitute the Operator Manual. Any material used in this training will not be updated on a regular basis and does not necessarily reflect the latest version of the software and hardware available at the time of the training. 
 
The Operator Manual shall be used as your main reference, in particular for relevant safety information like warnings and cautions.
 
Note: Some functions shown in this material are optional and might not be part of your system. The information in this material contains general technical descriptions of specifications and options as well as standard and optional features that do not always have to be present in individual cases.
 
Certain products, product related claims or functionalities described in the material (hereinafter collectively “Functionality”) may not (yet) be commercially available in your country. Due to regulatory requirements, the future availability of said Functionalities in any specific country is not guaranteed. Please contact your local Siemens Healthineers sales representative for the most current information.
 
ACUSON Freestyle is a trademark of Siemens Medical Solutions USA, Inc.  Copyright © Siemens Healthcare GmbH, 2020

White paper
ACUSON Freestyle ultrasound system, release VA41
Security and MDS2 Form
Facts about security and privacy requirements
siemens-healthineers.com/ultrasound
SIEMENS Healthineers

Product and security white paper · ACUSON Freestyle VA41

The Siemens Healthineers product and solution security program

At Siemens Healthineers, we are committed to working with you to address your cybersecurity and privacy requirements.

Our Product and Solution Security Office is responsible for our global program to ensure that cybersecurity is addressed throughout the lifecycle of our medical devices.

Our product and solution security program addresses state-of-the-art cybersecurity in our current and future products. We support you to protect the privacy of your data, at the same time providing measures that strengthen the resiliency of our products from external cybersecurity attackers.

To help you meet your IT security and privacy obligations, we comply with security and privacy regulations of the U.S. Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights (OCR).

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities.

Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our medical devices, no matter what the source.

Elements of our product and solution security program

• Providing information about the secure configuration and use of our medical devices in your IT environment.
• Formal threat and risk analysis for our medical devices.
• Secure architecture, design and coding methodologies in our software development process.
• Static code analysis of medical device software.
• Security testing of medical devices under development as well as medical devices already in the field.
• Patch management tailored to the medical device and your needs.
• Security vulnerability monitoring to track reported third party components issues in our medical devices.
• Working with our suppliers to ensure security is addressed throughout the supply chain.
• Employee training to ensure their knowledge is consistent with the requirements to contribute to protecting your data and device integrity.

Please contact us anytime to report product and solution security, cybersecurity or privacy incidents, by email to: [email protected]

For all other communications with Siemens Healthineers about product and solution security: [email protected]

Thank you for making Siemens Healthineers your partner of choice!

Yours sincerely,
Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers

siemens-healthineers.com/freestyle

Contents

Basic Information
Network Information
Security Controls
Software Bill of Materials
Manufacturer Disclosure Statement According to IEC 60601-1
Manufacturer Disclosure Statement for Medical Device Security – MDS2
Abbreviations
Disclaimer According to IEC 80001-1
International Electrotechnical Commission Glossary (extract)
Statement on FDA Cybersecurity Guidance

Basic Information

Why is cybersecurity important?
Keeping patient data safe and secure should typically be one of the top priorities of healthcare institutes. It is estimated that the cost associated in the recovery of each medical record in the United States can be as high as $380.[1] According to the Ponemon Institute research report,[2] 39% of medical devices were hacked, with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

The Siemens Healthineers product security program

Cybersecurity is essential for digitalizing healthcare. At Siemens Healthineers, we build secure products, keep them protected throughout their lifecycle, and continuously refine our cybersecurity safeguards for every product generation. We communicate proactively about the security controls of our equipment. We inform about vulnerabilities and how we have addressed them. We deliver solutions that help keep the equipment as secure as possible. We follow the FDA’s post-market guidance and are aligned with industry best practices to continuously monitor all security relevant components for newly identified vulnerabilities.

Our purpose is to help healthcare providers succeed

Siemens Healthineers designed ACUSON Freestyle Series Ultrasound Systems for those who want flexibility and accessibility to improve the entire ultrasound experience at the point-of-care. Unlike other ultrasound systems, the cable-free and portable ACUSON Freestyle Series Systems enable practitioners to improve workflow and improve the overall patient experience.

Operating system

Please refer to the Software Bill of Materials chapter.

User account information

• ACUSON Freestyle VA41 supports user accounts managed by administrators of the system.
• A break-glass mechanism ensures access to the system in emergency situations.
• The system supports password policies that can be configured by system administrators.

Domain integration

In case of domain integration, we recommend that you put the device in its own Organizational Unit (OU). No global policies are allowed.

Patching strategy

Software releases containing security patches will be provided after validation by Siemens Healthineers to maintain the clinical function of the medical device.

Cryptography usage

The ACUSON Freestyle VA41 software uses cyphers and protocols built into its operating system for encryption.

Handling of sensitive data

• This ultrasound system is designed for temporary data storage only. Siemens Healthineers recommends storing patient data in a long-term archive, e.g., on a PACS, and data must be deleted using a facility-defined procedure.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system, similar to DICOM data, raw data, and metadata for DICOM creation. Note: The time for which PHI is stored is determined by the facility.
• Personally identifiable information (PII) as part of the DICOM records is also temporarily stored on the ultrasound system, e.g., patient’s name, birth date or age, height and weight, personal identification number, and referring physician’s name. Additional sensitive information might be present in user-editable input fields or in the images acquired.
• Protected Health Information (PHI) is transmitted via unencrypted DICOM.

[1] https://healthitsecurity.com/news/how-much-do-healthcare-data-breaches-cost-organizations
[2] Ponemon Institute research report, Medical Device Security: An Industry Under Attack and Unprepared to Defend; https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf

Network Information

[Figure 1: System Deployment overview with regard to network boundaries. Diagram labels: PACS/RIS; Mobile Device running ACUSON Freestyle Mobile Link App; Ultrasound Machine; Clinical Network; IN, OUT: DICOM; IN, OUT: DICOM, Mobile Link; IN, OUT: Mobile Link.]

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g. VLAN).

To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall or using access control lists on the network switches to limit traffic to identified peers. At minimum the DICOM Port (see Table 1) must be visible to your DICOM network nodes (e.g. PACS, etc.).

Please contact the Siemens Healthineers service organization for further information.

The following ports are used by the system:

| Port number | Service/function | Direction | Protocol |
|---|---|---|---|
| 104 | DICOM Communication | In/outbound | TCP |
| 15104 | ACUSON Freestyle Mobile Link (if enabled) | In/outbound | TCP |

Table 1: Used port numbers

Security Controls

Controlled use of administrative privileges

• The system distinguishes between clinical and administrative roles. Clinical users do not require administrative privileges.
• Authorization as administrator is required for administrative tasks.

Authentication authorization controls

• The ACUSON Freestyle VA41 system supports the Health Insurance Portability and Accountability Act (HIPAA) regulation with role-based privilege assignment and access control.
• The user interface of the ACUSON Freestyle VA41 system provides a screen lock functionality that can be engaged manually or automatically after a certain inactivity time.

Continuous vulnerability assessment and remediation

• Continuous Vulnerability Assessment and Remediation is performed.

Network controls

• The system is designed to make limited use of network ports and protocols.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g., a separate network segmented or a VLAN.
• Connection to the Internet or private networks used by patients / guests is not recommended.
• In case of a denial-of-service (DoS) or malware attack, the system can be taken off the network and operated stand-alone.

Physical protection

• You are responsible for the physical protection of the ACUSON Freestyle VA41 system, e.g., by operating it in a room with access control. Please note that the system contains patient data and should be protected against tampering and theft.

Data protection controls

• The system is not intended to be an archive (data at rest).
• PHI is protected by the use of a secure storage device within the system.

Auditing/Logging

• The ACUSON Freestyle VA41 system provides auditing of operations on PHI, PII and user information (including creation of PHI, read access / modification / export of PHI, user login, failed user login attempts, user privilege modification).

Incident response and management

• The incident handling process is defined and executed on demand to deal with incidents as mandated by the US FDA Post-Market Guidance documents.

Software Bill of Materials

The following table lists the most relevant third-party technologies used (general drivers not included).
| Vendor name / URL | Component name | Component version | Description / use |
|---|---|---|---|
| Dejarnette Research Systems, Inc | DICOM AN/API Software Object Library | 3.2.8 | DICOM Library |
| Free Software Foundation | ZLib | 1.2.3 | Lossless compression and decompression of files |
| Green Hills Software | Integrity Realtime Operating System | 5.0.9 | Software Operating System |
| Lee Thomason / Sourceforge | Tiny XML Parser | 2.5.3 | XML Parser |
| Swell Software | PEG+ Software Library | 1.98c | Graphics software |
| Texas Instruments | TI eXpress DSP Digital Media Software: JPEG Codec (TMDJPEGE) | 2.0 | JPEG Compressor / Decompressor |
| Texas Instruments | TI DSP BIOS | 5.33.06 | DSP Basic input/output system for TI DSPs |
| Texas Instruments | TI VICP | 3.2 | Video Imaging Co-Processor |
| Texas Instruments | TI EDMA3 LLD | 1.10.0.01 | Enhanced DMA Version 3 Low Level Driver |
| Texas Instruments | TI Framework Components | 2.24 | API for TI eXpress components |

Manufacturer Disclosure Statement According to IEC 60601-1

Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1. Network properties required by the system and resulting risks

1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 100 Mb/s.
• If the network is down, the network services (see below) are not available which can lead to the risks stated below.
• If the network is unavailable, medical images cannot be transferred for remote consultation.
• If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below.
• If the recommended network performance (100 Mb/s) is not provided, the transfer of images is extended, and availability of images at destinations (e.g., for consulting) is delayed.
• Only the protocols shown in the table of used ports are needed for communication.
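The allowlist implied by Table 1 and by the recommendation to limit traffic to identified peers, as an added example that is not part of the white paper or of any Siemens Healthineers tooling: a Python check that flags flow records involving the ultrasound system when they fall outside the two listed TCP ports or involve a peer that has not been identified. Only ports 104 and 15104 come from the page; the IP addresses, peer sets, flow-record format and function names are assumptions constructed for illustration.

```python
"""Flag flows to or from the ultrasound system that fall outside Table 1."""
import csv
import io
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Ports from Table 1 of the white paper (both TCP, in/outbound).
DICOM_PORT = 104
MOBILE_LINK_PORT = 15104

# Site-specific values, all constructed for this example (assumptions).
DEVICE_IP = ip_address("10.20.30.40")            # the ultrasound system
CLINICAL_SEGMENT = ip_network("10.20.30.0/24")   # its dedicated VLAN
DICOM_PEERS = {ip_address("10.20.30.10"),        # PACS
               ip_address("10.20.30.11")}        # RIS
MOBILE_LINK_PEERS = {ip_address("10.20.30.77")}  # managed mobile device

# Constructed flow records, one connection per line:
# initiator_ip,initiator_port,responder_ip,responder_port,protocol
SAMPLE_FLOWS = """\
10.20.30.40,49152,10.20.30.10,104,tcp
10.20.30.11,50211,10.20.30.40,104,tcp
10.20.30.99,51000,10.20.30.40,104,tcp
10.20.30.77,52000,10.20.30.40,15104,tcp
10.20.30.40,49200,203.0.113.5,443,tcp
10.20.30.40,49300,10.20.30.10,445,tcp
10.20.30.12,40000,10.20.30.10,104,tcp
"""

Flow = namedtuple("Flow", "src sport dst dport proto")


def parse_flows(text):
    """Parse CSV flow lines into Flow records, skipping blank lines."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        src, sport, dst, dport, proto = (field.strip() for field in row)
        flows.append(Flow(ip_address(src), int(sport),
                          ip_address(dst), int(dport), proto.lower()))
    return flows


def classify(flow, mobile_link_enabled=False):
    """Return None for an expected flow, otherwise a short reason string."""
    if DEVICE_IP not in (flow.src, flow.dst):
        return None  # does not involve the device; out of scope here
    peer = flow.dst if flow.src == DEVICE_IP else flow.src
    if flow.proto != "tcp":
        return "non-TCP traffic (Table 1 lists TCP only)"
    if peer not in CLINICAL_SEGMENT:
        return "peer outside the dedicated segment"
    # Records are initiator -> responder, so the service port is dport
    # for both inbound and outbound connections.
    if flow.dport == DICOM_PORT:
        # DICOM here is unencrypted and has no node authentication, so the
        # peer allowlist is the only thing separating PACS/RIS from others.
        return None if peer in DICOM_PEERS else "DICOM with unidentified peer"
    if flow.dport == MOBILE_LINK_PORT:
        if not mobile_link_enabled:
            return "Mobile Link traffic while the feature is disabled"
        if peer not in MOBILE_LINK_PEERS:
            return "Mobile Link with unidentified peer"
        return None
    return "port not listed in Table 1"


def audit(text, mobile_link_enabled=False):
    """Return (initiator, responder, responder_port, reason) per finding."""
    findings = []
    for flow in parse_flows(text):
        reason = classify(flow, mobile_link_enabled)
        if reason is not None:
            findings.append((str(flow.src), str(flow.dst), flow.dport, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

The same peer sets can be used to derive the firewall or switch ACL entries, so that the enforcement rules and the monitoring check share one source of truth.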
1-2 PACS system for archiving images/results
• If the PACS is not available:
  – In case of a system hardware failure, all non-archived images can be lost.
  – Examinations may no longer be possible because the hard drive is full as non-archived images cannot be automatically removed.
  – In case of manual deletion of images, unarchived images can be lost.
  – Images are not available for remote consultation via PACS consoles.
  – Prior images are not available.
• If the recommended network performance (100 Mb/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system consecutive to the last transfer operations is prolonged.

1-3 RIS system
• If the RIS system is not available:
  – the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images when sent to the PACS until they are manually coerced with the RIS data in the PACS.
  – In case of a Worklist Query time-out due to poor network connectivity, there is a possibility that non-actual RIS data is used when registering a patient from the list of schedules on the system.

1-4 Common medical protocol properties
• Protocols used in medical environments are typically unsecure.

2. Instructions for the responsible organization

2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.
2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis.
2-3 Changes to the network include:
• changes in network configuration
• connection to additional items to the network
• disconnecting items from the network
• update of equipment connected to the network
• upgrade of equipment connected to the network
2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.
2-5 The RESPONSIBLE ORGANIZATION is fully responsible to ensure staff who have access to the device do not have the opportunity to provide any harm to the system.
2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.
2-7 Staff of the RESPONSIBLE ORGANIZATION has to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this.
2-8 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that only authorized medical/administrative staff shall have access to the device.
2-9 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that visitors/patients do not have unsupervised physical access to the system.
2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers.
2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system.
2-12 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet or the organization’s intranet to the device is possible.
2-13 The RESPONSIBLE ORGANIZATION is responsible to ensure physical security for the device.
2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.
2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.
2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.

3. Intended purpose of integrating the device into an IT network

3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network.
3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of images acquired to other DICOM-compatible review stations or PACS.
3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.

4. Network properties required by the system and resulting risks

4-1 Unsuccessful data transfer not recognized
Function: Archiving and Networking
Hazard: Wrong diagnosis / loss of acquisition data
Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted locally before it has been successfully transferred to another system.
Measure: Since not all PACS systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
Effect on: Patient

4-2 Incorrect or incomplete data transfer
Function: Data Exchange – Network
Hazard: Wrong diagnosis, loss of acquisition data, corrupted data
Cause: Data corrupted when written to / read from storage or transferred to network.
Measure: Verification by testing that corrupt data results in a failed export.
Effect on: Patient

4-3 Insecure or incorrectly configured clinical network
Function: Network Security
Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS
Caution: Unauthorized access may affect system performance and data security.
Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
• Lowered system performance and/or non-operational system
• Loss of data security including loss of all patient data
Measure:
• Enable your system administrator to ensure network security and the security of the operational infrastructure
• Consult manuals for secure setup
• Perform system updates as required
• Run your medical device only in protected network environments, and do not connect it directly to public networks
• Update and patch networked systems as required
• Enable ACUSON Freestyle Mobile Link access to the system only when needed. See manual for more details.
• Monitor for ACUSON Freestyle Mobile Link on-screen icon. Disable Mobile Link if this feature is not in use. See manual for more details.
Effect on: Patient, System

Manufacturer Disclosure Statement for Medical Device Security – MDS2

Device Description

Device Category: Diagnostic Ultrasound
Manufacturer: Siemens Healthineers
Document ID: 11291061-EPH-001
Document Release Date: July, 2020
Device Model: ACUSON Freestyle
Software Revision: VA41
Software Release Date: 04/2020

Manufacturer or Representative Contact Information
Company Name: Siemens Healthineers
Manufacturer Contact Information: Siemens Medical Solutions – Ultrasound, 22010 SE 51st St, Issaquah, WA 98029
Representative Name/Position: Global Product Manager, ACUSON Freestyle

Intended use of device in network-connected environment

The Siemens Healthineers ACUSON Freestyle Ultrasound System is a portable diagnostic ultrasound system. The ACUSON Freestyle is intended for ultrasound imaging in the point-of-care setting. The ACUSON Freestyle introduces the world’s first cableless ultrasound transducers. This innovative breakthrough advances the use of ultrasound in critical and intensive care, emergency, and intraoperative settings, because the advanced image quality, ease-of-use, and portability combine with the cable-free transducers to simplify and speed up the use of ultrasound guidance in sterile procedures. The ACUSON Freestyle wireless transducers use a proprietary, custom radio that provides high quality, fully secure links to the main system console. The ACUSON Freestyle utilizes a dedicated, non-mass market Realtime Operating System (RTOS) that is designed for mission-critical, highly secured applications. By avoiding standard mass market software operating systems such as those based on Microsoft Windows or similar commercial products, the ACUSON Freestyle achieves networking security without the need for constant patch updates.
As a portable system with DICOM networking storage capability, the ACUSON Freestyle is intended as a temporary storage of private data.

Management of Private Data

Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in this form.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| A | Can this device display, transmit, or maintain private data (including electronic Protected Health Information [ePHI])? | Yes | |
| B | Types of private data elements that can be maintained by the device: | | |
| B.1 | Demographic (e.g., name, address, location, unique identification number)? | Yes | – |
| B.2 | Medical record (e.g., medical record #, account #, test or treatment date, device identification number)? | Yes | – |
| B.3 | Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)? | Yes | – |
| B.4 | Open, unstructured text entered by device user/operator? | Yes | – |
| B.5 | Biometric data? | No | – |
| B.6 | Personal financial information? | No | – |
| C | Maintaining private data ‒ Can the device: | | |
| C.1 | Maintain private data temporarily in volatile memory (e.g., until cleared by power-off or reset)? | Yes | – |
| C.2 | Store private data permanently on local media? | Yes | – |
| C.3 | Import/export private data with other systems? | Yes | – |
| C.4 | Maintain private data during power service interruptions? | Yes | – |
| D | Mechanisms used for the transmitting, importing/exporting of private data – Can the device: | | |
| D.1 | Display private data (e.g., video display, etc.)? | Yes | – |
| D.2 | Generate hardcopy reports or images containing private data? | Yes | – |
| D.3 | Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)? | Yes | – |
| D.4 | Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)? | No | – |
| D.5 | Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)? | Yes | – |
| D.6 | Transmit/receive private data via an integrated wireless network connection (e.g., Wi-Fi, Bluetooth, infrared, etc.)? | Yes | – |
| D.7 | Import private data via scanning? | No | – |
| D.8 | Other? | No | – |

Management of private data notes:

Security capabilities

1 Automatic logoff (ALOF)
The device’s ability to prevent access and misuse by unauthorized users if the device is left idle for a period of time.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 1-1 | Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? | Yes | – |
| 1-1.1 | Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? (Indicate time [fixed or configurable range] in notes.) | Yes | – |
| 1-1.2 | Can auto-logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) by the user? | Yes | – |

ALOF notes: Automatic Logoff due to inactivity times: 5, 10, 15, 20, 30, 45, 60 minutes

2 Audit controls (AUDT)
The ability to reliably audit activity on the device.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 2-1 | Can the medical device create an audit trail? | Yes | – |
| 2-2 | Indicate which of the following events are recorded in the audit log: | | |
| 2-2.1 | Login/logout | Yes | – |
| 2-2.2 | Display/presentation of data | Yes | – |
| 2-2.3 | Creation/modification/deletion of data | Yes | – |
| 2-2.4 | Import/export of data from removable media | Yes | – |
| 2-2.5 | Receipt/transmission of data from/to external (e.g., network) connection | Yes | – |
| 2-2.5.1 | Remote service activity | N/A | – |
| 2-2.6 | Other events? (describe in the notes section) | Yes | – |
| 2-3 | Indicate what information is used to identify individual events recorded in the audit log: | | |
| 2-3.1 | User ID | Yes | – |
| 2-3.2 | Date/time | Yes | – |

AUDT notes: Additional audit events: user added / deleted, user policy change, password policy changed, password change, password change failure, userid lockout, failed logins, software update, date/time change, system log export, study export, modification of network settings, DICOM device setup / deletion

3 Authorization (AUTH)
The ability of the device to determine the authorization of users.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 3-1 | Can the device prevent access to unauthorized users through user login requirements or other mechanism? | Yes | – |
| 3-2 | Can users be assigned different privilege levels within an application based on ‘roles’ (e.g., guests, regular users, power users, administrators, etc.)? | Yes | – |
| 3-3 | Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via local root or admin account)? | No | – |

AUTH notes:

4 Configuration of security features (CNFS)
The ability to configure/re-configure device security capabilities to meet user’s needs.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 4-1 | Can the device owner/operator reconfigure product security capabilities? | Yes | 1 |

CNFS notes:
1. The ACUSON Freestyle provides the ability for the owner/operator/system administrators to configure the system security features and WiFi settings for different security types.

5 Cyber security product upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade device’s security patches.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 5-1 | Can relevant OS and device security patches be applied to the device as they become available? | See Note | 1, 2 |
| 5-1.1 | Can security patches or other software be installed remotely? | No | – |

CSUP notes:
1. The ACUSON Freestyle utilizes a dedicated realtime operating system designed for embedded, mission-critical applications. This operating system is non-PC and non-Microsoft Windows, and has been developed to provide a hardened and unique OS that is not vulnerable to security threats. See also # 15 below.
2. The ACUSON Freestyle supports installation/upgrading of its internal firmware only through manufacturer-supplied update code from USB media. This media includes an integrated OS and application code including all utilized security technologies.

6 Health data DE-identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 6-1 | Does the device provide an integral capability to de-identify private data? | See Note | 1 |

DIDT notes:
1. The ACUSON Freestyle allows the patient name and identification number to be hidden in captured images. However, this selection must be done prior to capturing the images. The system does not strip the private data from images after the capture is completed nor during image export. Also, the patient identification number embedded within the stored data files is never removed so as to maintain study integrity and authenticity.

7 Data backup and disaster recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, or software.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 7-1 | Does the device have an integral data backup capability (e.g., backup to remote storage or removable media such as tape, disk)? | Yes | 1 |

DTBK notes:
1. Patient data is uploaded to PACS after each exam. Patient data can be backed up to USB. System configuration can be backed up to USB.

8 Emergency access (EMRG)
The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 8-1 | Does the device incorporate an emergency access (“break-glass”) feature? | Yes | – |

EMRG notes:

9 Health data integrity and authenticity (IGAU)
How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is from the originator.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 9-1 | Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology? | See Note | 1, 2 |

IGAU notes:
1. Image data from the wireless transducer to the system console is formatted using proprietary methods that ensure the data received by the system console is not altered or destroyed in an unauthorized manner and is from the authorized originator.
2. The networking and archival of completed patient studies from the system include unique identifiers embedded within the data allowing determination of the originator. Additionally, while stored within the system these unique identifiers are required to reference image data sets to studies.
10 Malware detection/protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).

10-1 Does the device support the use of anti-malware software (or other anti-malware mechanism)? See Note 1
10-1.1 Can the user independently re-configure anti-malware settings? See Note 1
10-1.2 Does notification of malware detection occur in the device user interface? See Note 1
10-1.3 Can only manufacturer-authorized persons repair systems when malware has been detected? See Note 1
10-2 Can the device owner install or update anti-virus software? See Note 1, 2
10-3 Can the device owner/operator (technically/physically) update virus definitions on manufacturer-installed antivirus software? See Note 1, 2

MLDP notes:
1. The ACUSON Freestyle utilizes a dedicated realtime operating system designed for embedded, mission-critical applications. This operating system is non-PC and non-Microsoft Windows, and has been developed to provide a hardened and unique OS that is not vulnerable to security threats. As such, additional anti-malware, anti-virus software is not considered necessary. See also # 15 below.
2. The ACUSON Freestyle supports installation/upgrading of its internal firmware only through manufacturer-supplied update code from USB media. This media includes an integrated OS and application code including all utilized security technologies.

11 Node authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.
11-1 Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information? No

NAUT notes:

12 Person authentication (PAUT)
Ability of the device to authenticate users

12-1 Does the device support user/operator-specific username(s) and password(s) for at least one user? Yes
12-1.1 Does the device support unique user/operator-specific IDs and passwords for multiple users? Yes
12-2 Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)? No
12-3 Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts? Yes
12-4 Can default passwords be changed at/prior to installation? N/A
12-5 Are any shared user IDs used in this system? No
12-6 Can the device be configured to enforce creation of user account passwords that meet established complexity rules? Yes
12-7 Can the device be configured so that account passwords expire periodically? Yes

PAUT notes:

13 Physical locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media

13-1 Are all device components maintaining private data (other than removable media) physically secure (e.g., cannot remove without tools)? Yes

PLOK notes:

14 Roadmap for third-party components in the device life cycle (RDMP)
Manufacturer’s plans for security support of third-party components within the device life cycle.

14-1 In the notes section, list the provided or required (separately purchased and/or delivered) operating system(s) – including version number(s). See Note 1
14-2 Is a list available of other third-party applications provided by the manufacturer? See Note 2

RDMP notes:
1. The Operating System is Green Hills Integrity Realtime Operating System (5.0.9 or higher).
2. The ACUSON Freestyle does not allow other third party applications to run on the product.

15 System and application hardening (SAHD)
The device’s resistance to cyber attacks and malware.

15-1 Does the device employ any hardening measures? Please indicate in the notes the level of conformance to any industry-recognized hardening standards. See Note 1
15-2 Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update? Yes
15-3 Does the device have external communication capability (e.g., network, modem, etc.)? Yes
15-4 Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)? Yes
15-5 Are all accounts, which are not required for the intended use of the device, disabled or deleted for both users and applications? Yes
15-6 Are all shared resources (e.g., file shares), which are not required for the intended use of the device, disabled? Yes
15-7 Are all communication ports, which are not required for the intended use of the device, closed/disabled? Yes
15-8 Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which are not required for the intended use of the device, deleted/disabled? Yes
15-9 Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.), which are not required for the intended use of the device, deleted/disabled? Yes (Notes 2, 3)
15-10 Can the device boot from uncontrolled or removable media (e.g., a source other than an internal drive or memory component)? No
15-11 Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools? No

SAHD notes:
1. The Green Hills Integrity Operating System has been certified by the National Information Assurance Partnership (NIAP – a United States government initiative operated by the National Security Agency (NSA)) against the most rigorous standard for operating system security, the United States Separation Kernel Protection Profile (SKPP). The OS uses hardware memory protection to isolate and protect the embedded system software. Secure partitions guarantee each task the resources it needs to run correctly and fully protect the operating system and user tasks from errant and malicious code, including denial-of-service attacks, worms, and Trojan horses. The Integrity operating system technology has received the following certifications and accreditations that testify to its safety, security, and reliability:
   – FDA Class II and Class III medical device clearances and approvals;
   – IEC/EN 61508: Industrial safety SIL-3;
   – CENELEC: Railway EN 50128 SWSIL4.
2. The ACUSON Freestyle does not support installation of COTS applications and only required OS applications are integrated into the ACUSON Freestyle manufacturer-provided installation code.
3. The ACUSON Freestyle does not allow direct connections to the internet through applications such as MS Internet Explorer.
16 Security guidance (SGUD)
The availability of security guidance for the operator and administrator of the system and the manufacturer sales and service.

16-1 Are security-related features documented for the device user? Yes
16-2 Are instructions available for device/media sanitization (e.g., instructions for how to achieve the permanent deletion of personal or other sensitive data)? Yes (Note 1)

SGUD notes:
1. From the Service organization.

17 Health data storage confidentiality (STCF)
The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on the device or removable media.

17-1 Can the device encrypt data at rest? Yes

STCF notes:

18 Transmission confidentiality (TXCF)
The ability of the device to ensure the confidentiality of transmitted private data.

18-1 Can private data be transmitted only via a point-to-point dedicated cable? No
18-2 Is private data encrypted prior to transmission via a network or removable media? (If yes, indicate in the notes which encryption standard is implemented.) No (Note 1)
18-3 Is private data transmission restricted to a fixed list of network destinations? Yes

TXCF notes:
1. Encrypted DICOM not supported.

19 Transmission integrity (TXIG)
The ability of the device to ensure the integrity of transmitted private data.

19-1 Does the device support any mechanism intended to ensure data is not modified during transmission? (If yes, describe in the notes section how this is achieved.) No (Note 1)

TXIG notes:
1. Use of industry-standard data encryption (available with wireless networking) enables transmission integrity.

20 Other security considerations (OTHR)
Additional security considerations/notes regarding medical device security.

20-1 Can the device be serviced remotely? No
20-2 Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)? N/A
20-2.1 Can the device be configured to require the local user to accept or initiate remote access? N/A

OTHR notes:

Abbreviations

BIOS    Basic Input Output System
DSP     Digital Signal Processor
DICOM   Digital Imaging and Communications in Medicine
DoS     Denial of Service
EDMA3   Enhanced Direct Memory Access, Version 3
ePHI    Electronic Protected Health Information
FDA     Food and Drug Administration
FIPS    Federal Information Processing Standards
HHS     Health and Human Services
HIPAA   Health Insurance Portability and Accountability Act
HIMSS   Healthcare Information and Management Systems Society
HTTP    Hypertext Transfer Protocol
HTTPS   HTTP Secure
IEC     International Electrotechnical Commission
JPEG    Joint Photographic Experts Group
LLD     Low Level Driver
MDS2    Manufacturer Disclosure Statement for Medical Device Security
NEMA    National Electrical Manufacturers Association
OCR     Office for Civil Rights
OU      Organizational Unit
PACS    Picture Archiving and Communication System
PHI     Protected Health Information
PII     Personally Identifiable Information
RIS     Radiology Information System
SW      Software
TCP     Transmission Control Protocol
TI      Texas Instruments
VICP    Video Imaging Co-Processor
VPN     Virtual Private Network
XML     Extensible Markup Language

Disclaimer According to IEC 80001-1

1-1 The Device has the capability to be connected to a medical IT network, which is managed under full responsibility of the operating legal entity (hereafter called “RESPONSIBLE ORGANIZATION”). It is assumed that the RESPONSIBLE ORGANIZATION assigns a Medical IT Network Risk Manager to perform IT Risk Management (see IEC 80001-1:2010 / EN 80001-1:2011) for IT.
1-2 This statement describes Device-specific IT networking safety and security capabilities. It is NOT a RESPONSIBILITY AGREEMENT according to IEC 80001-1:2010 / EN 80001-1:2011.
1-3 Any modification of the platform, the software or the interfaces of the Device – unless authorized and approved by Siemens Healthcare GmbH – voids all warranties, liabilities, assertions and contracts.
1-4 The RESPONSIBLE ORGANIZATION acknowledges that the Device’s underlying standard computer with operating system is to some extent vulnerable to typical attacks such as malware or denial-of-service.
1-5 Unintended consequences (e.g., misuse/loss/corruption) of data not under control of the Device (e.g., after electronic communication from the Device to an IT network or to a storage media), are under the responsibility of the RESPONSIBLE ORGANIZATION.
1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT network. The RESPONSIBLE ORGANIZATION must ensure – through technical and/or organizational measures – that only authorized use of the external connections and storage media is permitted.

International Electrotechnical Commission Glossary (extract)

Responsible organization: Entity accountable for the use and maintenance of a medical IT network

ACUSON Freestyle is a trademark of Siemens Medical Solutions USA, Inc.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.

Statement on FDA Cybersecurity Guidance

Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate.
Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, healthcare facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats.

While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements.

The representations contained in this white paper are designed to describe Siemens Healthineers’ approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cyber-security efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

Siemens Healthineers Headquarters
Siemens Healthcare GmbH
Henkestr. 127
91052 Erlangen, Germany
Phone: +49 9131 84-0
siemens-healthineers.com

Legal Manufacturer
Siemens Medical Solutions USA, Inc.
Ultrasound
22010 S.E. 51st Street
Issaquah, WA 98029, USA
Phone: 1-888-826-9702
siemens-healthineers.com/ultrasound

Published by Siemens Medical Solutions USA, Inc. · 9205 0620 online · ©Siemens Medical Solutions USA, Inc., 2020
