
Security and MDS² Form - VB10

Keeping patient data safe and secure typically should be one of the top priorities of healthcare institutions. At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our medical devices.

White paper
ACUSON Juniper ultrasound system, release VB10
Security and MDS2 Form
Facts about security and privacy requirements
siemens-healthineers.com/juniper
SIEMENS Healthineers

Product and Solution Security White Paper · ACUSON Juniper VB10

The Siemens Healthineers product and solution security program

At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our products.

Our program targets incorporating state of the art cybersecurity into our current and future products. We seek to protect the security of your data while, at the same time, providing measures to strengthen the resiliency of our products from cyber threats.

We comply with applicable security and privacy regulations from the US Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights (OCR), to help you meet your IT security and privacy obligations.

Elements of our product and solution security program:
• Providing information to facilitate secure configuration and use of our medical devices in your IT environment
• Conducting formal threat and risk analysis for our products
• Incorporating secure architecture, design and coding methodologies in our software development process
• Performing static code analysis of our products
• Conducting security testing of products under development as well as products already in the field
• Tailoring patch management to the medical device and depth of coverage chosen by you
• Monitoring security vulnerabilities to track reported third party component issues in our products
• Working with suppliers to address security throughout the supply chain
• Training of employees to provide knowledge consistent with their level of responsibilities regarding your data and device integrity.

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our products, no matter what the source.

Contacting Siemens Healthineers about product and solution security

Siemens Healthineers requests that any cybersecurity or privacy incidents are reported by email to: [email protected]

Yours sincerely,
Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers

Contents
Foreword 2
Basic Information 4
Data Flow Diagram 6
Network Information 7
Security Controls 31
Software Bill of Materials 32
Manufacturer Disclosure Statement (MDS2) 40
Manufacturer Disclosure Statement (IEC 60601-1) 62
Abbreviations 66
Disclaimer according to IEC 80001-1 67
Statement on FDA Cybersecurity Guidance 68

Basic Information

Why is cybersecurity important?

Keeping patient data safe and secure should typically be one of the top priorities of healthcare institutes. It is estimated that the cost associated with the recovery of each medical record in the United States can be as high as $380 [1]. According to the Ponemon Institute research report [2], 39% of medical devices were hacked, with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

Our purpose is to make healthcare providers succeed

The new ACUSON Juniper ultrasound system is the result of more than three decades of experience in ultrasound engineering. A general imaging ultrasound system, it was developed in response to one of the most prevalent challenges in ultrasound imaging today: As the demand for the transducers as TEE, Cardiac strain and Contrast Agent imaging, the ACUSON Juniper VB10 system also supports 5VT as new TEE, VVI 4.0 and LVO. Also, the ACUSON Juniper system has been improved with high-level system performance and Auto Doppler statistics. With its powerful architecture and innovative features, the ACUSON Juniper system expands precision medicine by enabling high-resolution imaging that adapts to patients' size and personal characteristics, contributing to more confident diagnosis.

Operating systems

Please refer to the Software Bill of Material chapter.

User account information
• ACUSON Juniper system VB10 software user accounts can be local Windows accounts, managed by the administrator of the system. A break-glass mechanism ensures access to the system in emergency scenarios.
• The system provides preconfigured Password Policies that can be customized by administrators.

Patching strategy
• Security patches will be provided on a regular basis after validation by Siemens Healthineers to maintain the clinical function of the medical device.
• If connected to Smart Remote Services (SRS), formerly Siemens Remote Service, updates will be pushed to the system automatically. They need to be confirmed/executed by the actual user.
• Alternatively, you can manually install updates by using the Siemens Healthineers ASU service provided in the LifeNet platform.
• Technologies and software components are actively monitored for vulnerabilities and availability of security updates.

Cryptography usage

The ACUSON Juniper system VB10 software uses ciphers and protocols built into Windows 10 for encryption and data protection. If needed, hardening measures limit usage to those that are at least FIPS 140-2-compliant.

Handling of sensitive data
• This ultrasound system is designed for temporary data storage only. Siemens Healthineers recommends storing patient data in a long-term archive, e.g., on a PACS, and data must be deleted using a facility-defined procedure.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system, similar to DICOM data, raw data, and metadata for DICOM creation. Note: The time for which PHI is stored is determined by the facility.

[1] https://healthitsecurity.com/news/how-much-do-healthcare-databreaches-cost-organizations
[2] https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf

Data Flow Diagram

[Figure: data flow diagram. Entities shown: Service Engineer, Healthcare Professional (Sonographer), Scheduler System (HIS), SRS System, Manufacturing System, Siemens Healthineers VPN Concentrator, IBC Gateway (restricted IPs), Local Network (wired or wireless), ACUSON Juniper, PACS, External Media and Transducers OEMs (USB, Blu-ray, printers, etc.), Image Data. Flows shown: DICOM (port 104), worklist, patches, save config., status/logs/performed procedures, get utilization data, DICOM images, data I/O. Legend: X calls Y (call-return), data stream (complex connector), ACUSON Juniper HW/SW component, external entity, user, system boundary.]

Network Information

[Figure 1: Security boundaries for system deployment. ACUSON Juniper Ultrasound Machine on the Clinical Network; PACS/RIS (IN, OUT: DICOM); Network Share (OUT: TCP); Smart Remote Services reached through the SRS Router and Remote Service Access Server on the Internet (IN, OUT: VPN TCP).]

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN). To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall and/or using access control lists on the network switches to limit traffic to identified peers. At minimum, the DICOM port (see Table 1) needs to be visible for customer DICOM network nodes (e.g., PACS, syngo®.via, etc.). Please contact the Siemens Healthineers Service organization for further information.
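The segmentation recommendation above (dedicated VLAN, firewall or switch ACLs limiting traffic to identified peers, DICOM port reachable by the customer's DICOM nodes) can be expressed as a default-deny allowlist over the ports in Table 1. The following is an added example written for this page, not code from Siemens Healthineers or from the device: it models such an allowlist and evaluates connection attempts against it. All IP addresses, the peer roles assigned to them, and the assumption that Remote Assist (eSieLink) is reached through the same SRS gateway are constructed for the example; only the port numbers and their functions come from Table 1.

```python
"""Default-deny allowlist model for the recommended ACUSON Juniper deployment.
Hypothetical example: addresses and peer roles are constructed, ports are from Table 1."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Ports and functions from Table 1 of the white paper (direction seen from the device).
TABLE_1: Dict[int, Tuple[str, str]] = {
    104:   ("DICOM Communication (unencrypted)", "in/out"),
    80:    ("Administration Portal - Remote Service", "in"),
    443:   ("Administration Portal - Remote Service (encrypted)", "in"),
    8226:  ("Managed Node Package MNP", "in"),
    8227:  ("Managed Node Package MNP", "in"),
    8228:  ("Managed Node Package MNP", "in"),
    12061: ("Managed Node Package MNP", "in"),
    13001: ("Managed Node Package MNP", "in"),
    11080: ("Remote Assist (eSieLink)", "in"),
}

# Constructed addresses for this example (assumptions, not from the white paper).
ULTRASOUND = ip_address("10.10.40.10")                                  # device in its own VLAN
DICOM_NODES = (ip_network("10.10.20.5/32"), ip_network("10.10.20.6/32"))  # PACS, syngo.via
SRS_GATEWAY = (ip_network("10.10.30.2/32"),)                            # SRS router / remote service
REMOTE_ASSIST = SRS_GATEWAY                                             # assumed: eSieLink via same gateway


@dataclass(frozen=True)
class Rule:
    direction: str   # "in": peer -> device, "out": device -> peer
    peers: Tuple     # networks allowed on the far end of the connection
    port: int        # TCP port on the device ("in") or on the peer ("out")


def build_rules() -> List[Rule]:
    """Allow only the Table 1 ports, and only toward/from the identified peers."""
    rules = [Rule("in", DICOM_NODES, 104), Rule("out", DICOM_NODES, 104)]
    for port, (_, direction) in TABLE_1.items():
        if direction == "in" and port != 11080:
            rules.append(Rule("in", SRS_GATEWAY, port))      # portal + MNP ports: remote service only
    rules.append(Rule("in", REMOTE_ASSIST, 11080))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a TCP connection attempt src -> dst:port."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if dst_ip == ULTRASOUND:
        direction, peer = "in", src_ip
    elif src_ip == ULTRASOUND:
        direction, peer = "out", dst_ip
    else:
        return "deny"  # not the device's traffic; nothing in this policy covers it
    for r in rules:
        if r.direction == direction and r.port == port and any(peer in n for n in r.peers):
            return "allow"
    return "deny"      # default deny: unlisted port, unknown peer, or wrong direction


def audit(rules: List[Rule], flows: List[Tuple[str, str, int]]) -> Dict[Tuple[str, str, int], str]:
    """Evaluate a batch of observed flows; denied entries are the ones worth investigating."""
    return {flow: evaluate(rules, *flow) for flow in flows}


if __name__ == "__main__":
    policy = build_rules()
    # Constructed sample flows: legitimate DICOM/remote-service traffic plus two stray attempts.
    sample = [
        ("10.10.20.5", "10.10.40.10", 104),    # PACS -> device, DICOM
        ("10.10.40.10", "10.10.20.6", 104),    # device -> syngo.via, DICOM
        ("10.10.30.2", "10.10.40.10", 443),    # SRS gateway -> device, admin portal
        ("10.10.50.7", "10.10.40.10", 11080),  # workstation -> device, remote assist: not a peer
        ("10.10.20.5", "10.10.40.10", 445),    # PACS -> device, port not in Table 1
    ]
    for flow, verdict in audit(policy, sample).items():
        print(f"{flow[0]:>12} -> {flow[1]}:{flow[2]:<6} {verdict}")
```

Ports are keyed off Table 1 so that adding a peer means adding an address, not a port; anything not in the table stays denied, which is the property the firewall or switch ACL in front of the device should preserve.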
The following ports are used by the system:

Port number | Service/function | Direction (in/out) | Protocol
104 | DICOM Communication (unencrypted) | In/outbound | TCP
80 | Administration Portal – Remote Service | Inbound | TCP
443 | Administration Portal – Remote Service (encrypted) | Inbound | TCP
8226 | Managed Node Package MNP | Inbound | TCP
8227 | Managed Node Package MNP | Inbound | TCP
8228 | Managed Node Package MNP | Inbound | TCP
12061 | Managed Node Package MNP | Inbound | TCP
13001 | Managed Node Package MNP | Inbound | TCP
11080 | Remote Assist (eSieLink) | Inbound | TCP

Table 1: Used Port Numbers

Allowed services accessible through network running on the device:

Service | Description | Startup type | Log on as
ActiveX Installer (AxInstSV) | Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control installation based on Group Policy settings. This service is started on demand and if disabled the installation of ActiveX controls will behave according to default browser settings. | Manual | Local System
Adobe Flash Player Update Service | This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. | Manual | Local System
AllJoyn Router Service | Routes AllJoyn messages for the local AllJoyn clients. If this service is stopped the AllJoyn clients that do not have their own bundled routers will be unable to run. | Manual | Local Service
App Readiness | Gets apps ready for use the first time a user signs in to this PC and when adding new apps. | Manual | Local System
Application Identity | Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. | Auto | Local Service
Application Information | Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks. | Manual | Local System
Application Management | Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System
AppX Deployment Service (AppXSVC) | Provides infrastructure support for deploying Store applications. This service is started on demand and if disabled Store applications will not be deployed to the system, and may not function properly. | Manual | Local System
ASP.NET State Service | Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Network Service
Autoreport | Autoreport service | Auto | Local System
Background Tasks Infrastructure Service | Windows infrastructure service that controls which background tasks can run on the system. | Auto | Local System
Base Filtering Engine | The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications. | Auto | Local Service
BitLocker Drive Encryption Service | BDESVC hosts the BitLocker Drive Encryption service. BitLocker Drive Encryption provides secure startup for the operating system, as well as full volume encryption for OS, fixed or removable volumes. This service allows BitLocker to prompt users for various actions related to their volumes when mounted, and unlocks volumes automatically without user interaction. Additionally, it stores recovery information to Active Directory, if available, and, if necessary, ensures the most recent recovery certificates are used. Stopping or disabling the service would prevent users from leveraging this functionality. | Manual | Local System
Block Level Backup Engine Service | The WBENGINE service is used by Windows Backup to perform backup and recovery operations. If this service is stopped by a user, it may cause the currently running backup or recovery operation to fail. Disabling this service may disable backup and recovery operations using Windows Backup on this computer. | Manual | Local System
Bluetooth Handsfree Service | Enables wireless Bluetooth headsets to run on this computer. If this service is stopped or disabled, then Bluetooth headsets will not function properly with this machine. | Manual | Local Service
Bluetooth Support Service | The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated. | Manual | Local Service
BranchCache | This service caches network content from peers on the local subnet. | Manual | Network Service
BuReService | Burning Removable Media Service | Manual | Local System
CDPUserSvc_111157 | N/A | Auto | Local System
Certificate Propagation | Copies user certificates and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and, if needed, installs the smart card Plug and Play minidriver. | Manual | Local System
Client License Service (ClipSVC) | Provides infrastructure support for the Microsoft Store. This service is started on demand and if disabled applications bought using Windows Store will not behave correctly. | Manual | Local System
CNG Key Isolation | The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements. | Manual | Local System
COM+ Event System | Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. | Auto | Local Service
COM+ System Application | Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System
Connected Devices Platform Service | This service is used for Connected Devices and Universal Glass scenarios | Auto | Local Service
Connected User Experiences and Telemetry | The Connected User Experiences and Telemetry service enables features that support in-application and connected user experiences. Additionally, this service manages the event driven collection and transmission of diagnostic and usage information (used to improve the experience and quality of the Windows Platform) when the diagnostics and usage privacy option settings are enabled under Feedback and Diagnostics. | Auto | Local System
Contact Data_111157 | Indexes contact data for fast contact searching. If you stop or disable this service, contacts might be missing from your search results. | Manual | Local System
CoreMessaging | Manages communication between system components. | Auto | Local Service
Credential Manager | Provides secure storage and retrieval of credentials to users, applications and security service packages. | Manual | Local System
cRSP-Teamviewer-Moderator-Gateway | cRSP Teamviewer Moderator Gateway working as proxy for RTC's | Auto | Local System
Cryptographic Services | Provides three management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enables scenarios such as SSL. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Auto | Network Service
CsaCompMgrInit | N/A | Auto | Local System
CsaKeyboardFilter | N/A | Auto | Local System
Data Sharing Service | Provides data brokering between applications. | Manual | Local System
DataCollectionPublishingService | The DCP (Data Collection and Publishing) service supports first party apps to upload data to cloud. | Manual | Local System
DCOM Server Process Launcher | The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running. | Auto | Local System
Delivery Optimization | Performs content delivery optimization tasks | Auto | Local System
Device Association Service | Enables pairing between the system and wired or wireless devices. | Manual | Local System
Device Install Service | Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. | Manual | Local System
Device Management Enrollment Service | Performs Device Enrollment Activities for Device Management | Manual | Local System
Device Setup Manager | Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated software, and may not work correctly. | Manual | Local System
DevQuery Background Discovery Broker | Enables apps to discover devices with a background task | Manual | Local System
DHCP Client | Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start. | Auto | Local Service
Diagnostic Policy Service | The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function. | Auto | Local Service
Diagnostic Service Host | The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function. | Auto | Local Service
Diagnostic System Host | The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function. | Manual | Local System
Distributed Link Tracking Client | Maintains links between NTFS files within a computer or across computers in a network. | Auto | Local System
Distributed Transaction Coordinator | Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Network Service
dmwappushsvc | WAP Push Message Routing Service | Manual | Local System
DNS Client | The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start. | Auto | Network Service
Embedded Mode | The Embedded Mode service enables scenarios related to Background Applications. Disabling this service will prevent Background Applications from being activated. | Manual | Local System
Encrypting File System (EFS) | Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications will be unable to access encrypted files. | Manual | Local System
Enterprise App Management Service | Enables enterprise application management. | Manual | Local System
Extensible Authentication Protocol | The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP). EAP also provides application programming interfaces (APIs) that are used by network access clients, including wireless and VPN clients, during the authentication process. If you disable this service, this computer is prevented from accessing networks that require EAP authentication. | Manual | Local System
Fax | Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network. | Manual | Network Service
File History Service | Protects user files from accidental loss by copying them to a backup location | Manual | Local System
Function Discovery Provider Host | The FDPHOST service hosts the Function Discovery (FD) network discovery providers. These FD providers supply network discovery services for the Simple Services Discovery Protocol (SSDP) and Web Services-Discovery (WS-D) protocol. Stopping or disabling the FDPHOST service will disable network discovery for these protocols when using FD. When this service is unavailable, network services using FD and relying on these discovery protocols will be unable to find network devices or resources. | Manual | Local Service
Function Discovery Resource Publication | Publishes this computer and resources attached to this computer so they can be discovered over the network. If this service is stopped, network resources will no longer be published and they will not be discovered by other computers on the network. | Manual | Local Service
Geolocation Service | This service monitors the current location of the system and manages geofences (a geographical location with associated events). If you turn off this service, applications will be unable to use or receive notifications for geolocation or geofences. | Manual | Local System
Group Policy Client | The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is disabled, the settings will not be applied and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is disabled. | Auto | Local System
HomeGroup Listener | Makes local computer changes associated with configuration and maintenance of the homegroup-joined computer. If this service is stopped or disabled, your computer will not work properly in a homegroup and your homegroup might not work properly. It is recommended that you keep this service running. | Manual | Local System
HomeGroup Provider | Performs networking tasks associated with configuration and maintenance of homegroups. If this service is stopped or disabled, your computer will be unable to detect other homegroups and your homegroup might not work properly. It is recommended that you keep this service running. | Manual | Local Service
HV Host Service | Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system. | Manual | Local System
Hyper-V Data Exchange Service | Provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer. | Manual | Local System
Hyper-V Guest Service Interface | Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine. | Manual | Local System
Hyper-V Guest Shutdown Service | Provides a mechanism to shut down the operating system of this virtual machine from the management interfaces on the physical computer. | Manual | Local System
Hyper-V Heartbeat Service | Monitors the state of this virtual machine by reporting a heartbeat at regular intervals. This service helps you identify running virtual machines that have stopped responding. | Manual | Local System
Hyper-V PowerShell Direct Service | Provides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network. | Manual | Local System
Hyper-V Remote Desktop Virtualization Service | Provides a platform for communication between the virtual machine and the operating system running on the physical computer. | Manual | Local System
Hyper-V Time Synchronization Service | Synchronizes the system time of this virtual machine with the system time of the physical computer. | Manual | Local Service
Hyper-V Volume Shadow Copy Requestor | Coordinates the communications that are required to use Volume Shadow Copy Service to back up applications and data on this virtual machine from the operating system on the physical computer. | Manual | Local System
IIS Admin Service | Enables this server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. If this service is stopped, the server will be unable to configure SMTP or FTP. If this service is disabled, any services that explicitly depend on it will fail to start. | Auto | Local System
IKE and AuthIP IPsec Keying Modules | The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keying modules are used for authentication and key exchange in Internet Protocol security (IPsec). Stopping or disabling the IKEEXT service will disable IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service might result in an IPsec failure and might compromise the security of the system. It is strongly recommended that you have the IKEEXT service running. | Auto | Local System
Infrared monitor service | Detects other Infrared devices that are in range and launches the file transfer application. Stopping the service will prevent file transfer from working. | Manual | Local System
Interactive Services Detection | Enables user notification of user input for interactive services, which enables access to dialogs created by interactive services when they appear. If this service is stopped, notifications of new interactive service dialogs will no longer function and there might not be access to interactive service dialogs. If this service is disabled, both notifications of and access to new interactive service dialogs will no longer function. | Manual | Local System
Internet Connection Sharing (ICS) | Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. | Manual | Local System
IPsec Policy Agent | Internet Protocol security (IPsec) supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. This service enforces IPsec policies created through the IP Security Policies snap-in or the command-line tool "netsh ipsec". If you stop this service, you may experience network connectivity issues if your policy requires that connections use IPsec. Also, remote management of Windows Firewall is not available when this service is stopped. | Manual | Network Service
KtmRm for Distributed Transaction Coordinator | Coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM). If it is not needed, it is recommended that this service remain stopped. If it is needed, both MSDTC and KTM will start this service automatically. If this service is disabled, any MSDTC transaction interacting with a Kernel Resource Manager will fail and any services that explicitly depend on it will fail to start. | Manual | Network Service
Link-Layer Topology Discovery Mapper | Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. If this service is disabled, the Network Map will not function properly. | Manual | Local Service
Local Session Manager | Core Windows Service that manages local user sessions. Stopping or disabling this service will result in system instability. | Auto | Local System
McAfee Firewall Core Service | Provides firewall services to McAfee products | Manual | Local System
McAfee Service Controller | Manages McAfee Services | Auto | Local System
McAfee Solidifier | McAfee Solidifier Service | Auto | Local System
McAfee Validation Trust Protection Service | Provides validation trust protection services | Manual | Local System
Messaging Service_111157 | Service supporting text messaging and related functionality. | Manual | Local System
Microsoft (R) Diagnostics Hub Standard Collector Service | Diagnostics Hub Standard Collector Service. When running, this service collects real time ETW events and processes them. | Manual | Local System
Microsoft Account Sign-in Assistant | Enables user sign-in through Microsoft account identity services. If this service is stopped, users will not be able to logon to the computer with their Microsoft account. | Manual | Local System
Microsoft iSCSI Initiator Service | Manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices. If this service is stopped, this computer will not be able to login or access iSCSI targets. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System
Microsoft Passport | Provides process isolation for cryptographic keys used to authenticate to a user's associated identity providers. If this service is disabled, all uses and management of these keys will not be available, which includes machine logon and single-sign on for apps and websites. This service starts and stops automatically. It is recommended that you do not reconfigure this service. | Manual | Local System
Microsoft Passport Container | Manages local user identity keys used to authenticate user to identity providers as well as TPM virtual smart cards. If this service is disabled, local user identity keys and TPM virtual smart cards will not be accessible. It is recommended that you do not reconfigure this service. | Manual | Local Service
Microsoft Software Shadow Copy Provider | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System
Microsoft Storage Spaces SMP | Host service for the Microsoft Storage Spaces management provider. If this service is stopped or disabled, Storage Spaces cannot be managed. | Manual | Network Service
Microsoft Windows SMS Router Service. | Routes messages based on rules to appropriate clients. | Manual | Local System
Net.Tcp Port Sharing Service | Provides ability to share TCP ports over the net.tcp protocol. | Auto | Local Service
Netlogon | Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services and the domain controller cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System
Network Connected Devices Auto-Setup | Network Connected Devices Auto-Setup service monitors and installs qualified devices that connect to a qualified network. Stopping or disabling this service will prevent Windows from discovering and installing qualified network connected devices automatically. Users can still manually add network connected devices to a PC through the user interface. | Manual | Local Service
Network Connection Broker | Brokers connections that allow Windows Store Apps to receive notifications from the internet. | Manual | Local System
Network Connections | Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. | Manual | Local System
Network Connectivity Assistant | Provides DirectAccess status notification for UI components | Manual | Local System
Network List Service | Identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change. | Auto | Local Service
Network Location Awareness | Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Auto | Network Service
Network Setup Service | The Network Setup Service manages the installation of network drivers and permits the configuration of low-level network settings. If this service is stopped, any driver installations that are in-progress may be cancelled. | Manual | Local System
Network Store Interface Service | This service delivers network notifications (e.g., interface addition/deleting, etc.) to user mode clients. Stopping this service will cause loss of network connectivity. If this service is disabled, any other services that explicitly depend on this service will fail to start. | Auto | Local Service
Office Source Engine | Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports. | Manual | Local System
Peer Name Resolution Protocol | Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). | |
If disabled, some peer-to-peer and Manual Local Service collaborative applications, such as Remote Assistance, may not function. Peer Networking Enables multi-party communication using Peer-to-Peer Grouping Grouping. If disabled, some applications, such as Manual Local Service HomeGroup, may not function. siemens-healthineers.com/juniper 19 Product and Solution Security White Paper · ACUSON Juniper VB10 Network Information Allowed services accessible through network running on the device: Service Description Startup type Log on as Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. If Peer Networking disabled, the Peer Name Resolution Protocol (PNRP) Identity Manager and Peer-to-Peer Grouping services may not function, Manual Local Service and some applications, such as HomeGroup and Remote Assistance, may not function correctly. Enables remote users and 64-bit processes to query Performance Counter performance counters provided by 32-bit DLLs. If this service is stopped, only local users and 32-bit Manual Local Service DLL Host processes will be able to query performance counters provided by 32-bit DLLs. Performance Logs and Alerts Collects performance data from local or remote computers based on Performance Logs & preconfigured schedule parameters, then writes Alerts the data to a log or triggers an alert. If this service Manual Local Service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start. Phone Service Manages the telephony state on the device Manual Local Service Enables a computer to recognize and adapt to Plug and Play hardware changes with little or no user input. Stopping or disabling this service will result in system Manual Local System instability. PNRP Machine Name This service publishes a machine name using the Peer Publication Service Name Resolution Protocol. 
Configuration is managed Manual Local Service via the netsh context ‘p2p pnrp peer’ Manages power policy and power policy notification Power delivery. Auto Local System This service spools print jobs and handles interaction Print Spooler with the printer. If you turn off this service, you won’t Auto Local System be able to print or see your printers. This service opens custom printer dialog boxes and Printer Extensions handles notifications from a remote print server or a and Notifications printer. If you turn off this service, you won’t be able Manual Local System to see printer extensions or notifications. Problem Reports and This service provides support for viewing, sending Solutions Control and deletion of system-level problem reports for the Manual Local System Panel Support Problem Reports and Solutions control panel. 20 siemens-healthineers.com/juniper ACUSON Juniper VB10 · Product and Solution Security White Paper Service Description Startup type Log on as This service provides support for the Program Program Compatibility Compatibility Assistant (PCA). PCA monitors programs Assistant Service installed and run by the user and detects known Auto Local System compatibility problems. If this service is stopped, PCA will not function properly. Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming Quality Windows applications on IP home networks. qWave enhances Audio Video AV streaming performance and reliability by ensuring Experience network quality-of-service (QoS) for AV applications. It Manual Local Service provides mechanisms for admission control, run time monitoring and enforcement, application feedback, and traffic prioritization. Radio Management Service Radio Management and Airplane Mode Service Manual Local Service Manages dial-up and virtual private network (VPN) Remote Access connections from this computer to the Internet or Connection Manager other remote networks. 
If this service is disabled, any Manual Local System services that explicitly depend on it will fail to start. Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop Services and Remote Desktop Remote Desktop related configuration and session Configuration maintenance activities that require SYSTEM context. Manual Local System These include per-session temporary folders, RD themes, and RD certificates. Remote Desktop Services UserMode Allows the redirection of Printers/Drives/Ports for RDP connections Manual Local System Port Redirector The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activations requests, object exporter resolutions and distributed Remote Procedure garbage collection for COM and DCOM servers. If this Network Call (RPC) service is stopped or disabled, programs using COM Auto Service or DCOM will not function properly. It is strongly recommended that you have the RPCSS service running. In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages Remote Procedure the RPC name service database. In Windows Vista and later versions of Windows, this service does not Manual Network Call (RPC) Locator Service provide any functionality and is present for application compatibility. siemens-healthineers.com/juniper 21 Product and Solution Security White Paper · ACUSON Juniper VB10 Network Information Allowed services accessible through network running on the device: Service Description Startup type Log on as Retail Demo Service The Retail Demo service controls device activity while the device is in retail demo mode. Manual Local System Resolves RPC interfaces identifiers to transport RPC Endpoint Mapper endpoints. If this service is stopped or disabled, Network programs using Remote Procedure Call (RPC) services Auto Service will not function properly. 
SAM SAM service Auto Local System SD_SERVER N/A Auto Local System Enables starting processes under alternate credentials. Secondary Logon If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services Manual Local System that explicitly depend on it will fail to start. Secure Socket Provides support for the Secure Socket Tunneling Tunneling Protocol Protocol (SSTP) to connect to remote computers using VPN. If this service is disabled, users will not be able to Manual Local Service Service use SSTP to access remote servers. The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to Security Accounts accept requests. Disabling this service will prevent Manager other services in the system from being notified when Auto Local System the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled. Sensor Data Service Delivers data from a variety of sensors Manual Local System Monitors various sensors in order to expose data and Sensor Monitoring adapt to system and user state. If this service is Service stopped or disabled, the display brightness will not Manual Local Service adapt to lighting conditions. Stopping this service may affect other system functionality and features as well. A service for sensors that manages different sensors' functionality. Manages Simple Device Orientation (SDO) and History for sensors. Loads the SDO sensor Sensor Service that reports device orientation changes. If this service Manual Local System is stopped or disabled, the SDO sensor will not be loaded and so auto-rotation will not occur. History collection from Sensors will also be stopped. Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, Server these functions will be unavailable. 
If this service is Auto Local System disabled, any services that explicitly depend on it will fail to start. 22 siemens-healthineers.com/juniper ACUSON Juniper VB10 · Product and Solution Security White Paper Service Description Startup type Log on as Shell Hardware Detection Provides notifications for AutoPlay hardware events. Auto Local System Creates software device nodes for all smart card Smart Card Device readers accessible to a given session. If this service is Enumeration Service disabled, WinRT APIs will not be able to enumerate Manual Local System smart card readers. Smart Card Removal Allows the system to be configured to lock the user Policy desktop upon smart card removal. Manual Local System Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents and forwards the messages to SNMP management SNMP Trap programs running on this computer. If this service is stopped, SNMP-based programs on this computer will Manual Local Service not receive SNMP trap messages. If this service is disabled, any services that explicitly depend on it will fail to start. Enables the download, installation and enforcement of digital licenses for Windows and Windows applications. Software Protection If the service is disabled, the operating system and Network licensed applications may run in a notification mode. Auto Service It is strongly recommended that you not disable the Software Protection service. Spot Verifier Verifies potential file system corruptions. Manual Local System SQL Server Provides storage, processing and controlled access of Network (PIMS_DATABASE) data, and rapid transaction processing. Auto Service SQL Server VSS Writer Provides the interface to backup/restore Microsoft SQL server through the Windows VSS infrastructure. Auto Local System State Repository Provides required infrastructure support for the Service application model. 
Manual Local System Still Image Acquisition Launches applications associated with still image acquisition events. Manual Local System Events Storage Service Provides enabling services for storage settings and external storage expansion Manual Local System Storage Tiers Optimizes the placement of data in storage tiers on all Management tiered storage spaces in the system. Manual Local System This service synchronizes mail, contacts, calendar and Sync Host_111157 various other user data. Mail and other applications dependent on this functionality will not work properly Auto Local System when this service is not running. siemens-healthineers.com/juniper 23 Product and Solution Security White Paper · ACUSON Juniper VB10 Network Information Allowed services accessible through network running on the device: Service Description Startup type Log on as SysMgmt.WcfService N/A Auto Local System System Event Monitors system events and notifies subscribers to Notification Service COM+ Event System of these events. Auto Local System Coordinates execution of background work for WinRT System Events Broker application. If this service is stopped or disabled, then Auto Local System background work might not be triggered. Enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Task Scheduler Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their Auto Local System scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, TCP/IP NetBIOS Helper and log on to the network. If this service is stopped, Manual Local Service these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. 
Provides Telephony API (TAPI) support for programs Telephony that control telephony devices on the local computer and, through the LAN, on servers that are also running Manual Network Service the service. Tile Data model Tile Server for tile updates. Auto Local System server Coordinates execution of background work for WinRT Time Broker application. If this service is stopped or disabled, then Manual Local Service background work might not be triggered. Touch Keyboard and Handwriting Panel Enables Touch Keyboard and Handwriting Panel pen Service and ink functionality Auto Local System TRANSFERMGR TransferMgr service Auto Local System Ultrasound SSW Manager N/A Manual Local System Update Orchestrator Service for Windows UsoSvc Manual Local System Update 24 siemens-healthineers.com/juniper ACUSON Juniper VB10 · Product and Solution Security White Paper Service Description Startup type Log on as Provides apps access to structured user data, including User Data contact info, calendars, messages, and other content. Access_111157 If you stop or disable this service, apps that use this Manual Local System data might not work correctly. Handles storage of structured user data, including User Data contact info, calendars, messages, and other content. Storage_111157 If you stop or disable this service, apps that use this Manual Local System data might not work correctly. User Manager provides the runtime components User Manager required for multi-user interaction. If this service is Auto Local System stopped, some applications may not operate correctly. This service is responsible for loading and unloading user profiles. If this service is stopped or disabled, User Profile Service users will no longer be able to successfully sign in or sign out, apps might have problems getting to users' Auto Local System data, and components registered to receive profile event notifications won't receive them. 
VERSANTD N/A Auto Local System Virtual Disk Provides management services for disks, volumes, file systems, and storage arrays. Manual Local System Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is Volume Shadow Copy stopped, shadow copies will be unavailable for backup Manual Local System and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start. Provides W3C logging for Internet Information Services W3C Logging Service (IIS). If this service is stopped, W3C logging configured Manual Local System by IIS will not work. WalletService Hosts objects used by clients of the wallet Manual Local System The Web Management Service enables remote and Web Management delegated management capabilities for administrators Service to manage for the Web server, sites and applications Manual Local Service present on this machine. Enables Windows-based programs to create, access, and modify Internet-based files. If this service is WebClient stopped, these functions will not be available. If this Manual Local Service service is disabled, any services that explicitly depend on it will fail to start. siemens-healthineers.com/juniper 25 Product and Solution Security White Paper · ACUSON Juniper VB10 Network Information Allowed services accessible through network running on the device: Service Description Startup type Log on as Manages audio for Windows-based programs. If this Windows Audio service is stopped, audio devices and effects will not function properly. If this service is disabled, any Auto Local Service services that explicitly depend on it will fail to start. Manages audio devices for the Windows Audio service. Windows Audio If this service is stopped, audio devices and effects will Endpoint Builder not function properly. If this service is disabled, any Auto Local System services that explicitly depend on it will fail to start. 
Windows Backup Provides Windows Backup and Restore capabilities. Manual Local System The Windows biometric service gives client Windows Biometric applications the ability to capture, compare, Service manipulate, and store biometric data without gaining Auto Local System direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process. Windows Camera Enables multiple clients to access video frames from Frame Server camera devices. Manual Local Service WCNCSVC hosts the Windows Connect Now Windows Connect Configuration which is Microsoft's Implementation of Now – Config Wireless Protected Setup (WPS) protocol. This is used Registrar to configure Wireless LAN settings for an Access Point Manual Local Service (AP) or a Wireless Device. The service is started programmatically as needed. Makes automatic connect/disconnect decisions based Windows Connection on the network connectivity options currently available Manager to the PC and enables management of network Auto Local Service connectivity based on Group Policy settings. Windows Defender Windows Defender Advanced Threat Protection service Advanced Threat helps protect against advanced threats by monitoring Manual Local System Protection Service and reporting security events that happen on the computer. Windows Defender Helps guard against intrusion attempts targeting Network Inspection known and newly discovered vulnerabilities in network Manual Local Service Service protocols. Windows Defender Helps protect users from malware and other potentially Service unwanted software. Manual Local System Windows Driver Foundation – Creates and manages user-mode driver processes. User-mode Driver This service cannot be stopped. 
Manual Local System Framework 26 siemens-healthineers.com/juniper ACUSON Juniper VB10 · Product and Solution Security White Paper Service Description Startup type Log on as Windows Encryption Provider Host Service brokers encryption related functionalities from 3rd Party Windows Encryption Encryption Providers to processes that need to Provider Host Service evaluate and apply EAS policies. Stopping this will Manual Local Service compromise EAS compliancy checks that have been established by the connected Mail Accounts. Allows errors to be reported when programs stop working or responding and allows existing solutions Windows Error to be delivered. Also allows logs to be generated Reporting Service for diagnostic and repair services. If this service is Manual Local System stopped, error reporting might not work correctly and results of diagnostic services and repairs might not be displayed. This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Windows Event Vista event logs, hardware and IPMI-enabled event Network Collector sources. The service stores forwarded events in a local Auto Service Event Log. If this service is stopped or disabled event subscriptions cannot be created and forwarded events cannot be accepted. This service manages events and event logs. It supports logging events, querying events, subscribing Windows Event Log to events, archiving event logs, and managing event metadata. It can display events in both XML and plain Auto Local Service text format. Stopping this service may compromise security and reliability of the system. Windows Firewall helps protect your computer by Windows Firewall preventing unauthorized users from gaining access to Auto Local Service your computer through the Internet or a network. Optimizes performance of applications by caching Windows Font Cache commonly used font data. 
Applications will start this Service service if it is not already running. It can be disabled, Auto Local Service though doing so will degrade application performance. Windows Image Provides image acquisition services for scanners and Acquisition (WIA) Manual Local Service cameras. Windows Insider Service wisvc Manual Local System Adds, modifies, and removes applications provided as Windows Installer a Windows Installer (*.msi, * .msp) package. If this service is disabled, any services that explicitly depend Manual Local System on it will fail to start. siemens-healthineers.com/juniper 27 Product and Solution Security White Paper · ACUSON Juniper VB10 Network Information Allowed services accessible through network running on the device: Service Description Startup type Log on as Provides infrastructure support for the Windows Store. Windows License This service is started on demand and if disabled then Manager Service content acquired through the Windows Store will not Manual Local Service function properly. Provides a common interface and object model to Windows access management information about operating Management system, devices, applications and services. If this service is stopped, most Windows-based software will Auto Local System Instrumentation not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Enables installation, modification, and removal of Windows Modules Windows updates and optional components. If this Installer service is disabled, install or uninstall of Windows Manual Local System updates might fail for this computer. Optimizes performance of Windows Presentation Windows Presentation Foundation (WPF) applications by caching commonly Foundation Font used font data. WPF applications will start this service Cache 3.0.0.0 if it is not already running. It can be disabled, though Manual Local Service doing so will degrade the performance of WPF applications. 
The Windows Process Activation Service (WAS) Windows Process provides process activation, resource management and Activation Service health management services for message-activated Manual Local System applications. Windows Push This service runs in session 0 and hosts the notification Notifications System platform and connection provider which handles the Auto Local System Service connection between the device and WNS server. Windows Push This service hosts Windows notification platform Notifications User which provides support for local and push Service_111157 notifications. Supported notifications are tile, Manual Local System toast and raw. 28 siemens-healthineers.com/juniper ACUSON Juniper VB10 · Product and Solution Security White Paper Service Description Startup type Log on as Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command Windows Remote line tool or through Group Policy in order for it to listen Management over the network. The WinRM service provides access Network Auto (WS-Management) to WMI data and enables event collection. Event Service collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix. Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, Windows Time date and time synchronization will be unavailable. 
If Auto Local Service this service is disabled, any services that explicitly depend on it will fail to start. WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM WinHTTP Web Proxy Automation component for sending HTTP requests and Auto-Discovery receiving responses. In addition, WinHTTP provides Manual Local Service Service support for auto-discovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (WPAD) protocol. The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces. If your current wired network deployment enforces 802.1X authentication, the Wired AutoConfig DOT3SVC service should be configured to run for Auto Local System establishing Layer 2 connectivity and/or providing access to network resources. Wired networks that do not enforce 802.1X authentication are unaffected by the DOT3SVC service. siemens-healthineers.com/juniper 29 Product and Solution Security White Paper · ACUSON Juniper VB10 Network Information Allowed services accessible through network running on the device: Service Description Startup type Log on as The WLANSVC service provides the logic required to configure, discover, connect to, and disconnect from a wireless local area network (WLAN) as defined by IEEE 802.11 standards. It also contains the logic to turn your computer into a software access point so that WLAN AutoConfig other devices or computers can connect to your computer wirelessly using a WLAN adapter that can Auto Local System support this. Stopping or disabling the WLANSVC service will make all WLAN adapters on your computer inaccessible from the Windows networking UI. It is strongly recommended that you have the WLANSVC service running if your computer has a WLAN adapter. Creates and maintains client network connections to remote servers using the SMB protocol. If this service Workstation is stopped, these connections will be unavailable. 
| Service | Description | Startup type | Log on as |
|---|---|---|---|
| Network … Service (name truncated in source) | If this service is disabled, any services that explicitly depend on it will fail to start. | Auto | |
| World Wide Web Publishing Service | Provides Web connectivity and administration through the Internet Information Services Manager. | Auto | Local System |
| WWAN AutoConfig | This service manages mobile broadband (GSM & CDMA) data card/embedded module adapters and connections by auto-configuring the networks. It is strongly recommended that this service be kept running for best user experience of mobile broadband devices. | Manual | Local Service |

Security Controls

Malware protection
• Whitelisting (McAfee® Application Control)

Controlled use of administrative privileges
• The system distinguishes between clinical and administrative roles. Clinical users do not require administrative privileges.
• Authorization as administrator is required for administrative tasks.

Authentication
• The ACUSON Juniper system VB10 software supports the Health Insurance Portability and Accountability Act (HIPAA) regulation with role-based privilege assignment and access control.
• The user interface of the ACUSON Juniper system VB10 software provides a screen lock functionality that can be engaged manually or automatically after a certain inactivity time. For details, please refer to the User Manual.

Auditing/logging
• The system provides HIPAA-compliant auditing of operations on PHI, PII and user information (i.e., login, read access to PHI, modification of PHI).

Hardening
• ACUSON Juniper system VB10 software hardening is implemented based on the Security Technical Implementation Guidelines developed by the Defense Information Systems Agency (DISA).

Network controls
• The system is designed to make limited use of network ports and protocols. Microsoft Windows firewall is configured to block unwanted inbound network traffic except for the ports listed in Table 1.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g., a separate network segment or VLAN.
• Connection to the Internet or private networks for patients/guests is not recommended.
• In case of a denial of service (DoS) or malware attack, the system can be taken off the network and operated in a stand-alone state.

Physical Safeguards
• You are responsible for the physical protection of the ACUSON Juniper system VB10 software, e.g., by operating it in a room with access control. Please note that the system contains patient data and should be protected against tampering and theft.
• It is possible to change the BIOS password. Please contact Siemens Healthineers Service for support.

Data protection controls
• The system is not intended to be an archive (data at rest).
• PHI is protected by both role-based access control as well as hard drive encryption (optional).
• Hard drive encryption is an optional feature that is implemented through Microsoft BitLocker technology and use of the TPM (Trusted Platform Module) chip on the system's motherboard.
• The system provides auditing of PHI access control.

Security Scanning and Vulnerability Assessment
• Regular scanning with Tenable Nessus and monthly assessment of identified vulnerabilities, as per the FDA Post-Market Cybersecurity Guidance.

Remote connectivity
• SRS is optionally used for proactive maintenance. The connection is created using a secured channel (VPN- or IBC-based connection). It is used, for example, to download security patches and updates.
• Alternatively, you can use the Siemens Healthineers LifeNet platform to download available hotfixes and install them on offline machines that are not connected to the SRS network.

Incident response and management
• The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents.

Software Bill of Materials

The following table comprises the most relevant third-party technologies used (general drivers not included):

| Vendor name /URL | Component name | Component version | Description / use |
|---|---|---|---|
| Merge Healthcare Incorporated | DICOM Toolkit | 3.8.0 | A comprehensive API that conforms to the latest DICOM standards. |
| AMD | Specialized Tools AMD Suite | 16.07.01.0685 | Graphic driver |
| Microsoft Corporation | .NET Framework 2.0 Service Pack 2 | 2.0.50727.4927 | The .NET Framework 2.0 Service Pack 2 provides cumulative roll-up updates for customer reported issues found after the release of the .NET Framework 2.0. In addition, this release provides performance improvements, and prerequisite feature support for the .NET Framework 3.5 Service Pack 1. |
| Microsoft Corporation | .NET Framework 3.0 Service Pack 1 | 3.0.30729.4926 | Microsoft .NET Framework 3.0 Service Pack 1 provides cumulative roll-up updates for customer reported issues found after the release of Microsoft .NET Framework 3.0. In addition, this release provides security improvements, and prerequisite feature support for Microsoft .NET Framework 3.5. |
| Microsoft Corporation | .NET Framework 3.5 Service Pack 1 | 3.5.30729.4926 | Microsoft .NET Framework 3.5 Service Pack 1 is a full cumulative update that contains many new features building incrementally upon .NET Framework 2.0, 3.0, 3.5, and includes cumulative servicing updates to the .NET Framework 2.0 and .NET Framework 3.0 subcomponents. |
| Microsoft Corporation | .NET Framework 4.6 | 4.6.01586 | The Microsoft .NET Framework 4.6 Server Core installer package downloads the .NET Framework 4.6 components required to run on Windows Server 2008 R2 SP1 and higher for Server Core role installation. |
| Vendor name /URL | Component name | Component version | Description / use |
|---|---|---|---|
| Microsoft Corporation | Windows 10 Enterprise 2016 LTSB | 1607 | Operating System |
| AMD | AMD Driver | 18.50.33.01.190522a-342824C-AES | Graphic driver |
| Open Source (http://libjpeg-turbo.virtualgl.org) | libjpeg-turbo | 1.4.0 | Jpeg image codec used by RendererVOB and PIMS to encode/decode image data. |
| Microsoft Corporation | Microsoft SQL Server | 12.0.4100.1 | PIMS Database Engine. |
| Trillium Technology, Inc. | ShowCase Onboard Viewer | 5.4.0.0 | A DICOM viewer. ShowCase viewer is for displaying full color, still and cineloop ultrasound studies. |
| Robert Simpson – NuGet Package (http://system.data.sqlite.org/) | System.Data.SQLite | 1.0.99.0 | Lightweight database engine for managing i18n strings |
| Open Source (Apache Software Foundation) | Log4net | 1.2.13.0 | Logging library |
| Yann OLLIVIER | Mathematical expression parser | 2.0 | A formula parser for measurement. |
| Open Source (empira Software GmbH) (http://www.pdfsharp.com) | PdfSharp-WPF.dll | 1.32.2608.0 | PDF Sharp is the Open Source Library that easily creates PDF documents from any .NET language, for WPF |
| Open Source (empira Software GmbH) (http://www.pdfsharp.com) | PdfSharp.Xps.dll | 1.0.0.0 | PDF Sharp is the Open Source Library that easily creates PDF documents from any .NET language, for report for XPS |
| Intel | Intel® Integrated Performance Primitives | 2018.3.210 | An extensive library of performance profiler tools and software functions for multimedia processing and data processing applications |
| OpenSource (https://code.google.com/p/crashrpt/) | CrashRpt | 1.4.2 | CrashRpt is a free open-source library designed for intercepting exceptions in your C++ program, collecting technical information about the crash and sending error reports over the Internet to the software vendor. |
| ftdchip | FTDI drivers (VCP and D3XX) | 2.12.28 | FTDI chip driver to communicate with CPM (Core Physio Module) |
| Microsoft Corporation | MSXML Parser and SDK 6 | 6.00.0366 | Microsoft XML Parser. |
| Nvidia | CUDA (Toolkit and SDK) | 4.2 | Library used for GPU programming in CUDA RTIE and CUDA VIE, also SSC. CUDA RTIE and VIE filters. CUDA SDK for compilation and runtime. |
| Microsoft Corporation | DirectX Audio | 11 | Microsoft DirectX is a group of technologies designed to make Windows-based computers an ideal platform for running and displaying applications rich in multimedia elements such as full-color graphics, video, 3D animation, and rich audio. |
| OpenSource (http://glew.sourceforge.net/) | GLEW | 1.7.0 | Library for setting OpenGL Extension Pointers. |
| OpenSource (www.ijg.org) | Jpeg.lib | 8.0 | Library used by the UDV for clip decompression from jpeg to rgb in the Review application. |
| Open Source (http://luajit.org/luajit.html) | LuaJIT | 2.0.2 | Library used in RendererVOB for interpreting and executing Lua scripts (.lua). Source code is imported and built by SCR. |
| khronos.org | OpenCL | 2.0 | Parallel programming of heterogeneous systems |
| Open Source (http://sourceforge.net/projects/tinyxml/) | tinyXML.lib | 2.5.3 | Library used in RendererVOB for parsing XML files and loading the scene graph (xsg scenegraph parsing). Source code is imported and built with msbuild by USD. |
| Open Source (https://bitbucket.org/Coin3D/coin/wiki/Home) | Coin3D | 4.0 | Library for Open Inventor implementation. This library is used as a framework for creating Open Inventor objects and running Open Inventor graphs, which aid rendering and organizing the Renderer application. Comes with Singapore. |
| OpenSource (https://snappy4net.codeplex.com/) | Snappy | 1.1.1.7 | Used to compress the overlay image when transferring from Orchid to the UBE renderer. Snappy is designed to do both fast compression and decompression. |
| Vendor name /URL | Component name | Component version | Description / use |
|---|---|---|---|
| Microsoft | Microsoft Visual C++ 2015 Redistributable | 2015 | The Microsoft Visual C++ 2012 Redistributable |
| OpenSource (https://www.nuget.org/packages/moq/) | Moq | 4.0 | Moq is the most popular and friendly mocking framework for .NET |
| OpenSource (https://www.nuget.org/packages/moq/) | Moq | 4.2 | Moq is the most popular and friendly mocking framework for .NET |
| OpenSource | Log4cxx | 0.10.0.1 | Apache log4cxx is a logging framework for C++ patterned after Apache log4j, which uses Apache Portable Runtime for most platform-specific code and should be usable on any platform supported by APR. Apache log4cxx is licensed under the Apache License, an open source license certified by the Open Source Initiative. |
| Microsoft Corporation | Prism framework | 4.0 | Application framework for building rich internet applications. Provides frameworks implemented using proven software design and development best practices. Used as common presentation layer framework to build vertical applications in US SW. |
| Siemens AG Healthcare Sector | MNP | VI43B | Providing remote software installation and support. |
| Open source | Nunit | 2.6.2 | Unit-testing framework |
| Riverbed Technology, Inc. | WinPcap | 4.1.3 | WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture. |
| Teamviewer | Teamviewer | 10.0.44426.0 | Remote service tool |
| Silicon Laboratories Inc. | Windows Driver Package – Silicon Laboratories Inc. (silabser) Ports | 03/26/2019, 10.1.7.2399 | This package contains a Virtual COM Port Universal driver for Microsoft Windows 10 for use with Silicon Labs VCP USB Serial Bridges. |
| Open Source (Apache Software Foundation) | Log4net | 2.0.8.0 | Logging library |
| McAfee | McAfee Application and Change Control (Solidcore) | 8.2.1 | Virus protection tool |
| Igor Pavlov | 7-Zip 19.00 (x64 edition) | 19.0.0.0 | 7-Zip is a file archiver with a high compression ratio. |
| Microsoft Corporation | VC++ Redistributable 2005 (x64) | 8.0.59192 | A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | VC++ Redistributable 2005 (x64) | 8.0.61000 | A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | VC++ Redistributable 2005 (x86) | 8.0.61001 | A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | VC++ Redistributable 2008 (x86) | 9.0.30729.17 | The Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ SP1 on a computer that does not have Visual C++ 2008 SP1 installed. |
| Microsoft Corporation | VC++ Redistributable 2008 (x64) | 9.0.30729.17 | The Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ SP1 on a computer that does not have Visual C++ 2008 SP1 installed. |
| Microsoft Corporation | VC++ Redistributable 2008 (x86) | 9.0.30729.4148 | A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | VC++ Redistributable 2008 (x64) | 9.0.30729.4148 | A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | VC++ Redistributable 2008 (x86) | 9.0.30729.6161 | A security issue has been identified leading to a vulnerability in MFC applications that are built with Visual Studio 2008 and ship the Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | VC++ Redistributable 2008 (x64) | 9.0.30729.6161 | A security issue has been identified leading to a vulnerability in MFC applications that are built with Visual Studio 2008 and ship the Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | VC++ Redistributable 2010 (x86) | 10.0.40219 | The Microsoft Visual C++ 2010 SP1 Redistributable Package (x86) installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ 2010 SP1 on a computer that does not have Visual C++ 2010 SP1 installed. |
| Microsoft Corporation | VC++ Redistributable 2010 (x64) | 10.0.40219 | The Microsoft Visual C++ 2010 SP1 Redistributable Package (x86) installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ 2010 SP1 on a computer that does not have Visual C++ 2010 SP1 installed. |
| Microsoft Corporation | VC++ Redistributable 2012 (x86) | 11.0.61030 | The Microsoft Visual C++ 2012 Redistributable |
| Microsoft Corporation | VC++ Redistributable 2012 (x64) | 11.0.61030 | The Microsoft Visual C++ 2012 Redistributable |
| Microsoft Corporation | VC++ Redistributable 2013 (x86) | 12.0.30501 | The Microsoft Visual C++ 2013 Redistributable |
| Microsoft Corporation | VC++ Redistributable 2013 (x64) | 12.0.30501 | The Microsoft Visual C++ 2013 Redistributable |
| Microsoft Corporation | VC++ Redistributable 2015 (x86) | 14.0.24215 | The Microsoft Visual C++ 2015 Redistributable |
| Microsoft Corporation | VC++ Redistributable 2015 (x64) | 14.0.24215 | The Microsoft Visual C++ 2015 Redistributable |
| Realtek | Realtek High Definition Audio | 6.0.1.8036 | HD audio driver |
| Microsoft Corporation | EMET | 5.52 | Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a free Windows-based security tool that adds supplemental security defenses to defend potentially vulnerable legacy and third-party applications. |
| Microsoft Corporation | Internet Explorer (x86/x64) | 11.0 | Used as a web browser to display the Service screen. |
| Siemens HealthCare GmbH | syngo – Typical Developer 9.1 | 09.01.0001.0001 | Siemens base medical layer: providing service-related features |
| the SZ development | Homedale | 1.75 | Scan for Wi-Fi / WLAN Access Points and monitor their signal strength. Use the detected access points with Google Geolocation, Mozilla Location Service and Open WLAN Map Service to locate yourself. It works with 802.11a/b/g/n/ac wireless networks in the 2.4 GHz and 5 GHz frequency bands using 20, 40, 80 and 160 MHz width channels. |
| WireShare.org | Wireshark | 3.2.3 | Network protocol analyzer. It is needed to isolate network-related problems. |
| Vendor name /URL | Component name | Component version | Description / use |
|---|---|---|---|
| Intel | mkl-11.3 | 11.3 | Math Kernel Library |
| Intel | tbb-4.4 | 4.4 | Threading Building Blocks classes and functions |
| Open Source (Google) | gmock | 1.7.0 | Google C++ Mocking Framework |
| Open Source (Google) | gtest_1.7.0 | 1.7.0 | Google C++ Testing Framework |
| Pegasus Imaging | pegasus | 2.00.536 | Jpeg lossy compression |
| khronos.org | GLUT | 3.7 | OpenGL Utility Toolkit |
| intel | plsuite | 2.5.2.82 | Intel Image Processing Library |
| Adobe Systems Inc. | Acrobat Reader | 20.6.20034.39303 | Adobe Reader software is the global standard for electronic document sharing. It is the only PDF file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files. |
| Open Source (http://dotnetzip.codeplex.com/) | DotNetZip | 1.9.1.8 | DotNetZip is a class library and toolset for manipulating zip files. Use VB, C# or any .NET language to easily create, extract, or update zip files. |
| Embedded Systems Academy | Flash Magic | 10.50 | A PC tool for programming flash-based microcontrollers from NXP using a serial or Ethernet protocol while in the target hardware. |
| Open Source (Thomas Williams, Colin Kelley) | gnuplot | 5.0.4 | A portable command-line driven graphing utility |
| Open Source (The HDF Group) | HDF5 | 1.8.15 | HDF5 is a data model, library, and file format for storing and managing data |
| Mitsubishi | Mitsubishi P95DE BW Printer Driver | 1.2 Build 1 | Black & white thermal printer driver |
| Motorola Solutions, Inc. | Motorola Scanner SDK | 1, 2, 11, 0 | Barcode reader SDK |
| Sony | Sony UP-D898MD BW Printer Driver | 1.1.1.2 | Black & white thermal printer driver |
| TLS Toolkit | OpenSSL | 1.0.2k | Library for secure connection |
| Sysinternals | PsList | 1.26 | Get process list for savelog; displays processes running on local or remote computer |
| Microsoft | PuList | 1.0 | Displays processes running on local or remote computer |
| Sony | Sony up-d25md | 1.1.1.2 | Black & white thermal printer driver |
| blue elephant systems GmbH | the IT Machine with correlation module | 1.25 | Support tool for Remote Service |
| HP Inc. | HP Client Automation Application Manager Agent | 7.8 | Support tool for Remote Service |
| Mitsubishi | Mitsubishi CP30DW | 2.4 Build 1 | Black & white thermal printer driver |
| Open Source (Python Software Foundation) | Python | 3.7.3 | Used for medical application (convert xml format to html, rtf and so on, with higher performance than the Microsoft xml library) |
| Open Source (https://github.com/codebude/QRCoder) | QRCoder | 1.3.5 | QRCoder is a library, written in C#.NET, which enables the system to create QR codes. |

Manufacturer Disclosure Statement (MDS2)

| Question ID | Question | Answer | See note |
|---|---|---|---|
| DOC-1 | Manufacturer Name | Siemens Healthineers | |
| DOC-2 | Device Description | Juniper Diagnostic Ultrasound System | |
| DOC-3 | Device Model | Juniper VB10 | |
| DOC-4 | Document ID | 11504235-FPD-001 | |
| DOC-5 | Manufacturer Contact Information | Siemens Medical Solutions USA, Inc., 22010 S.E. 51st Street, Issaquah, WA 98029, USA | |
| DOC-6 | Intended use of device in network-connected environment: | Optionally, the ACUSON Juniper Ultrasound System can be configured to communicate with a hospital Patient Archival Communication System (PACS). The following DICOM Services are supported: Store SCP/SCU, Modality Worklist SCU, Query/Retrieve SCU, Storage Commitment SCU, Print SCU and DICOM Structured Reporting SCU. | |
| DOC-7 | Document Release Date | Nov. 4, 2020 | |
| DOC-8 | Coordinated Vulnerability Disclosure: Does the manufacturer have a vulnerability disclosure program for this device? | Yes, see https://new.siemens.com/global/en/products/services/cert/vulnerability-process.html | |
| DOC-9 | ISAO: Is the manufacturer part of an Information Sharing and Analysis Organization? | Yes | |
| DOC-10 | Diagram: Is a network or data flow diagram available that indicates connections to other system components or expected external resources? | Yes, see section Network Information | |
| DOC-11 | SaMD: Is the device Software as a Medical Device (i.e. software-only, no hardware)? | No | |
| DOC-11.1 | Does the SaMD contain an operating system? | N/A | |
| DOC-11.2 | Does the SaMD rely on an owner/operator provided operating system? | N/A | |
| DOC-11.3 | Is the SaMD hosted by the manufacturer? | N/A | |
| DOC-11.4 | Is the SaMD hosted by the customer? | N/A | |

Management of personally identifiable information

| Question ID | Question | Answer | See note |
|---|---|---|---|
| MPII-1 | Can this device display, transmit, store, or modify personally identifiable information (e.g., electronic Protected Health Information (ePHI))? | Yes | |
| MPII-2 | Does the device maintain personally identifiable information? | Yes | |
| MPII-2.1 | Does the device maintain personally identifiable information temporarily in volatile memory (i.e., until cleared by power-off or reset)? | Yes | |
| MPII-2.2 | Does the device store personally identifiable information persistently on internal media? | Yes | |
| MPII-2.3 | Is personally identifiable information preserved in the device's non-volatile memory until explicitly erased? | Yes | |
| MPII-2.4 | Does the device store personally identifiable information in a database? | Yes | |
| MPII-2.5 | Does the device allow configuration to automatically delete local personally identifiable information after it is stored to a long term solution? | No | |
| MPII-2.6 | Does the device import/export personally identifiable information with other systems (e.g., a wearable monitoring device might export personally identifiable information to a server)? | Yes | |
| Question ID | Question | Answer | See note |
|---|---|---|---|
| MPII-2.7 | Does the device maintain personally identifiable information when powered off, or during power service interruptions? | Yes | |
| MPII-2.8 | Does the device allow the internal media to be removed by a service technician (e.g., for separate destruction or customer retention)? | Yes | |
| MPII-2.9 | Does the device allow personally identifiable information records to be stored in a separate location from the device's operating system (i.e. secondary internal drive, alternate drive partition, or remote storage location)? | Yes | |
| MPII-3 | Does the device have mechanisms used for the transmitting, importing/exporting of personally identifiable information? | Yes | |
| MPII-3.1 | Does the device display personally identifiable information (e.g., video display, etc.)? | Yes | |
| MPII-3.2 | Does the device generate hardcopy reports or images containing personally identifiable information? | Yes | |
| MPII-3.3 | Does the device retrieve personally identifiable information from or record personally identifiable information to removable media (e.g., removable-HDD, USB memory, DVD-R/RW, CD-R/RW, tape, CF/SD card, memory stick, etc.)? | Yes | |
| MPII-3.4 | Does the device transmit/receive or import/export personally identifiable information via dedicated cable connection (e.g., RS-232, RS-423, USB, FireWire, etc.)? | Yes | |
| MPII-3.5 | Does the device transmit/receive personally identifiable information via a wired network connection (e.g., RJ45, fiber optic, etc.)? | Yes | |
| MPII-3.6 | Does the device transmit/receive personally identifiable information via a wireless network connection (e.g., WiFi, Bluetooth, NFC, infrared, cellular, etc.)? | Yes | |
| MPII-3.7 | Does the device transmit/receive personally identifiable information over an external network (e.g., Internet)? | Yes | Over VPN for remote service troubleshooting |
| MPII-3.8 | Does the device import personally identifiable information via scanning a document? | No | |
| MPII-3.9 | Does the device transmit/receive personally identifiable information via a proprietary protocol? | No | |
| MPII-3.10 | Does the device use any other mechanism to transmit, import or export personally identifiable information? | No | |

Management of Private Data notes:

Automatic Logoff (ALOF)
The device's ability to prevent access and misuse by unauthorized users if the device is left idle for a period of time.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| ALOF-1 | Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? | Yes | |
| ALOF-2 | Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? | Yes | |

Audit Controls (AUDT)
The ability to reliably audit activity on the device.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| AUDT-1 | Can the medical device create additional audit logs or reports beyond standard operating system logs? | Yes | |
| AUDT-1.1 | Does the audit log record a USER ID? | Yes | |
| AUDT-1.2 | Does other personally identifiable information exist in the audit trail? | Yes | User Name |
| AUDT-2 | Are events recorded in an audit log? If yes, indicate which of the following events are recorded in the audit log: | Yes | |
| AUDT-2.1 | Successful login/logout attempts? | Yes | |
| AUDT-2.2 | Unsuccessful login/logout attempts? | Yes | |
| AUDT-2.3 | Modification of user privileges? | Yes | |
| AUDT-2.4 | Creation/modification/deletion of users? | Yes | |
| AUDT-2.5 | Presentation of clinical or PII data (e.g., display, print)? | Yes | |
| AUDT-2.6 | Creation/modification/deletion of data? | Yes | |
| AUDT-2.7 | Import/export of data from removable media (e.g., USB drive, external hard drive, DVD)? | Yes | |
| AUDT-2.8 | Receipt/transmission of data or commands over a network or point-to-point connection? | Yes | |
| AUDT-2.8.1 | Remote or on-site support? | Yes | |
| AUDT-2.8.2 | Application Programming Interface (API) and similar activity? | No | |
| AUDT-2.9 | Emergency access? | Yes | |
| AUDT-2.10 | Other events (e.g., software updates)? | Yes | |
| AUDT-2.11 | Is the audit capability documented in more detail? | Yes | |
| AUDT-3 | Can the owner/operator define or select which events are recorded in the audit log? | Yes | |
| AUDT-4 | Is a list of data attributes that are captured in the audit log for an event available? | Yes | |
| AUDT-4.1 | Does the audit log record date/time? | Yes | |
| AUDT-4.1.1 | Can date and time be synchronized by Network Time Protocol (NTP) or equivalent time source? | Yes | |
| AUDT-5 | Can audit log content be exported? | Yes | |
| AUDT-5.1 | Via physical media? | Yes | |
| AUDT-5.2 | Via IHE Audit Trail and Node Authentication (ATNA) profile to SIEM? | No | |
| AUDT-5.3 | Via other communications (e.g., external service device, mobile applications)? | Yes | SysLog Server |
| AUDT-5.4 | Are audit logs encrypted in transit or on storage media? | See notes | Yes on local storage. In transit depends on SysLog Server configuration. |
| AUDT-6 | Can audit logs be monitored/reviewed by owner/operator? | Yes | |
| AUDT-7 | Are audit logs protected from modification? | Yes | |
| AUDT-7.1 | Are audit logs protected from access? | Yes | |
| AUDT-8 | Can audit logs be analyzed by the device? | See notes | Not by the device, but yes at the device. |

Authorization (AUTH)
The ability of the device to determine the authorization of users.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| AUTH-1 | Does the device prevent access to unauthorized users through user login requirements or other mechanism? | Yes | Password |
| AUTH-1.1 | Can the device be configured to use federated credentials management of users for authorization (e.g., LDAP, OAuth)? | No | |
| Question ID | Question | Answer | See note |
|---|---|---|---|
| AUTH-1.2 | Can the customer push group policies to the device (e.g., Active Directory)? | No | |
| AUTH-1.3 | Are any special groups, organizational units, or group policies required? | See notes | syngo Roles |
| AUTH-2 | Can users be assigned different privilege levels based on 'role' (e.g., user, administrator, and/or service, etc.)? | Yes | |
| AUTH-3 | Can the device owner/operator grant themselves unrestricted administrative privileges (e.g., access operating system or application via local root or administrator account)? | No | |
| AUTH-4 | Does the device authorize or control all API access requests? | See notes | Whitelisting controls the execution of executables and dll access. |
| AUTH-5 | Does the device run in a restricted access mode, or 'kiosk mode', by default? | Yes | |

Cybersecurity Product Upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade the device's security patches.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| CSUP-1 | Does the device contain any software or firmware which may require security updates during its operational life, either from the device manufacturer or from a third-party manufacturer of the software/firmware? If no, answer "N/A" to questions in this section. | Yes | |
| CSUP-2 | Does the device contain an Operating System? If yes, complete 2.1–2.4. | Yes | |
| CSUP-2.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | SRS-based updates |
| CSUP-2.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | No, if the installation happens through self-install from LifeNet (ASU). Yes, for SRS-based updates (RUH). |
| CSUP-2.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | |
| CSUP-2.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | |
| CSUP-3 | Does the device contain Drivers and Firmware? If yes, complete 3.1–3.4. | Yes | |
| CSUP-3.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | SRS-based updates |
| CSUP-3.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | No, if the installation happens through self-install from LifeNet (ASU). Yes, for SRS-based updates (RUH). |
| CSUP-3.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | |
| CSUP-3.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | |
| CSUP-4 | Does the device contain Anti-Malware Software? If yes, complete 4.1–4.4. | Yes | Solidcore |
| CSUP-4.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | SRS-based updates |
| CSUP-4.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | No, if the installation happens through self-install from LifeNet (ASU). Yes, for SRS-based updates (RUH). |
| CSUP-4.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | |
| CSUP-4.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | |
| CSUP-5 | Does the device contain Non-Operating System commercial off-the-shelf components? If yes, complete 5.1–5.4. | Yes | |
| CSUP-5.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | SRS-based updates |
| CSUP-5.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | No, if the installation happens through self-install from LifeNet (ASU). Yes, for SRS-based updates (RUH). |
| CSUP-5.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | |
| CSUP-5.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | |
| CSUP-6 | Does the device contain other software components (e.g., asset management software, license management)? If yes, please provide details or reference in notes and complete 6.1–6.4. | No | |
| CSUP-6.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | N/A | |
| CSUP-6.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | N/A | |
| CSUP-6.3 | Does the device have the capability to receive remote installation of patches or software updates? | N/A | |
| CSUP-6.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | N/A | |
| CSUP-7 | Does the manufacturer notify the customer when updates are approved for installation? | Yes | LifeNet |
| CSUP-8 | Does the device perform automatic installation of software updates? | No | |
| CSUP-9 | Does the manufacturer have an approved list of third-party software that can be installed on the device? | No | |
| Question ID | Question | Answer | See note |
|---|---|---|---|
| CSUP-10 | Can the owner/operator install manufacturer-approved third-party software on the device themselves? | No | |
| CSUP-10.1 | Does the system have a mechanism in place to prevent installation of unapproved software? | Yes | Whitelisting |
| CSUP-11 | Does the manufacturer have a process in place to assess device vulnerabilities and updates? | Yes | |
| CSUP-11.1 | Does the manufacturer provide customers with review and approval status of updates? | Yes | LifeNet |
| CSUP-11.2 | Is there an update review cycle for the device? | Yes | Monthly |

Health Data De-Identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| DIDT-1 | Does the device provide an integral capability to de-identify personally identifiable information? | Yes | |
| DIDT-1.1 | Does the device support de-identification profiles that comply with the DICOM standard for de-identification? | No | |

Data Backup and Disaster Recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, software, or site configuration information.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| DTBK-1 | Does the device maintain long term primary storage of personally identifiable information / patient information (e.g., PACS)? | No | |
| DTBK-2 | Does the device have a "factory reset" function to restore the original device settings as provided by the manufacturer? | Yes | Service data partition available on booting using F10 |
| DTBK-3 | Does the device have an integral data backup capability to removable media? | No | |
| DTBK-4 | Does the device have an integral data backup capability to remote storage? | No | |
| DTBK-5 | Does the device have a backup capability for system configuration information, patch restoration, and software restoration? | Yes | Only for ultrasound configuration presets |
| DTBK-6 | Does the device provide the capability to check the integrity and authenticity of a backup? | See notes | Yes for integrity, No for authenticity. |

Emergency Access (EMRG)
The ability of the device user to access personally identifiable information in case of a medical emergency situation that requires immediate access to stored personally identifiable information.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| EMRG-1 | Does the device incorporate an emergency access (i.e. "break-glass") feature? | Yes | |

Health Data Integrity and Authenticity (IGAU)
How the device ensures that the stored data on the device has not been altered or destroyed in a non-authorized manner and is from the originator.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| IGAU-1 | Does the device provide data integrity checking mechanisms of stored health data (e.g., hash or digital signature)? | No | |
| IGAU-2 | Does the device provide error/failure protection and recovery mechanisms for stored health data (e.g., RAID-5)? | No | |

Malware Detection/Protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).

| Question ID | Question | Answer | See note |
|---|---|---|---|
| MLDP-1 | Is the device capable of hosting executable software? | Yes | |
| MLDP-2 | Does the device support the use of anti-malware software (or other anti-malware mechanism)? Provide details or reference in notes. | Yes | Whitelisting |
| MLDP-2.1 | Does the device include anti-malware software by default? | Yes | Always included and running by default |
| MLDP-2.2 | Does the device have anti-malware software available as an option? | No | (same note as MLDP-2.1) |
| MLDP-2.3 | Does the device documentation allow the owner/operator to install or update anti-malware software? | No | |
| MLDP-2.4 | Can the device owner/operator independently (re-)configure anti-malware settings? | No | |
| MLDP-2.5 | Does notification of malware detection occur in the device user interface? | No | |
| MLDP-2.6 | Can only manufacturer-authorized persons repair systems when malware has been detected? | Yes | |
| MLDP-2.7 | Are malware notifications written to a log? | Yes | |
| MLDP-2.8 | Are there any restrictions on anti-malware (e.g., purchase, installation, configuration, scheduling)? | Yes | No additional malware can be added to the system |
| MLDP-3 | If the answer to MLDP-2 is NO, and anti-malware cannot be installed on the device, are other compensating controls in place or available? | N/A | |
| MLDP-4 | Does the device employ application whitelisting that restricts the software and services that are permitted to be run on the device? | Yes | |
| MLDP-5 | Does the device employ a host-based intrusion detection/prevention system? | No | |
| MLDP-5.1 | Can the host-based intrusion detection/prevention system be configured by the customer? | N/A | |
| MLDP-5.2 | Can a host-based intrusion detection/prevention system be installed by the customer? | N/A | |

Node Authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.

| Question ID | Question | Answer | See note |
|---|---|---|---|
| NAUT-1 | Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information (e.g., Web APIs, SMTP, SNMP)? | No | |
| NAUT-2 | Are network access control mechanisms supported (e.g., does the device have an internal firewall, or use a network connection white list)? | Yes | |
| NAUT-2.1 | Is the firewall ruleset documented and available for review? | See notes | Most important ports are, but not all of them |
| NAUT-3 | Does the device use certificate-based network connection authentication? | See notes | Only wifi connections, based on TLS-based connectivity |

Connectivity Capabilities (CONN)
All network and removable media connections must be considered in determining appropriate security controls. This section lists connectivity capabilities that may be present on the device.
CONN-1 Does the device have hardware connectivity capabilities? Yes CONN-1.1 Does the device support wireless connections? Yes Wireless feature CONN-1.1.1 Does the device support Wi-Fi? See notes is optional, customer can select it CONN-1.1.2 Does the device support Bluetooth? No 52 siemens-healthineers.com/juniper ACUSON Juniper VB10 · Product and Solution Security White Paper Question ID Question Answer See note Does the device support other wireless CONN-1.1.3 network connectivity (e.g., LTE, Zigbee, No proprietary)? Does the device support other wireless CONN-1.1.4 connections (e.g., custom RF controls, No wireless detectors)? CONN-1.2 Does the device support physical connections? Yes CONN-1.2.1 Does the device have available RJ45 Ethernet ports? Yes CONN-1.2.2 Does the device have available USB ports? Yes CONN-1.2.3 Does the device require, use, or support removable memory devices? Yes CONN-1.2.4 Does the device support other physical connectivity? No Does the manufacturer provide a list of CONN-2 network ports and protocols that are used Yes or may be used on the device? CONN-3 Can the device communicate with other systems within the customer environment? Yes Can the device communicate with CONN-4 other systems external to the customer Yes SRS environment (e.g., a service host)? The device receives API calls over the SRS CONN-5 Does the device make or receive API calls? See notes network when service interacts with it for troubleshooting purposes. CONN-6 Does the device require an internet connection for its intended use? No CONN-7 Does the device support Transport Layer Security (TLS)? No CONN-7.1 Is TLS configurable? No Does the device provide operator control CONN-8 functionality from a separate device No (e.g., telemedicine)? 
siemens-healthineers.com/juniper 53 Product and Solution Security White Paper · ACUSON Juniper VB10 Manufacturer Disclosure Statement (MDS2 ) Question ID Question Answer See note Person Authentication (PAUT) The ability to configure the device to authenticate users. Does the device support and enforce PAUT-1 unique IDs and passwords for all users and Yes roles (including service accounts)? Does the device enforce authentication of There is no PAUT-1.1 unique IDs and passwords for all users and enforcement if No roles (including service accounts)? the user does not want to. Is the device configurable to authenticate PAUT-2 users through an external authentication service (e.g., MS Active Directory, NDS, No LDAP, OAuth, etc.)? Is the device configurable to lock out a PAUT-3 user after a certain number of unsuccessful Configurable by Yes logon attempts? System Admin. Are all default accounts (e.g., technician PAUT-4 service accounts, administrator accounts) No listed in the documentation? PAUT-5 Can all passwords be changed? Yes Is the device configurable to enforce Password PAUT-6 creation of user account passwords that Complexity is meet established (organization specific) Yes configurable by complexity rules? System Admin. Does the device support account Configurable by PAUT-7 passwords that expire periodically? Yes System Admin. PAUT-8 Does the device support multi-factor authentication? No PAUT-9 Does the device support single sign-on (SSO)? No PAUT-10 Can user accounts be disabled/locked on the device? Yes PAUT-11 Does the device support biometric controls? No PAUT-12 Does the device support physical tokens (e.g., badge access)? No PAUT-13 Does the device support group authentication (e.g., hospital teams)? No 54 siemens-healthineers.com/juniper ACUSON Juniper VB10 · Product and Solution Security White Paper Question ID Question Answer See note Does the application or device store or PAUT-14 manage authentication credentials? 
Yes Are credentials stored using a secure PAUT-14.1 method? Yes Physical Locks (PLOK)) Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of personally identifiable information stored on the device or on removable media. PLOK-1 Is the device software only? If yes, answer “N/A” to remaining questions in this section. No Are all device components maintaining personally identifiable information (other PLOK-2 than removable media) physically secure No (i.e., cannot remove without tools)? Are all device components maintaining personally identifiable information (other PLOK-3 than removable media) physically secured No behind an individually keyed locking device? Does the device have an option for the PLOK-4 customer to attach a physical lock to No restrict access to removable media? Roadmap for Third Party Applications and Software Components in Device Life Cycle (RDMP) Manufacturer’s plans for security support of third-party components within the device’s life cycle. Was a secure software development process, such as ISO/IEC 27034 or RDMP-1 IEC 62304, followed during product Yes development? Does the manufacturer evaluate third-party applications and software components RDMP-2 included in the device for secure Yes development practices? siemens-healthineers.com/juniper 55 Product and Solution Security White Paper · ACUSON Juniper VB10 Manufacturer Disclosure Statement (MDS2 ) Question ID Question Answer See note Does the manufacturer maintain a web RDMP-3 page or other source of information on Yes LifeNet software support dates and updates? Does the manufacturer have a plan RDMP-4 for managing third-party component Yes end-of-life? Software Bill of Materials (SBoM) A Software Bill of Material (SBoM) lists all the software components that are incorporated into the device being described for the purpose of operational security planning by the healthcare delivery organization. 
This section supports controls in the RDMP section. SBOM-1 Is the SBoM for this product available? Yes Does the SBoM follow a standard or SBOM-2 common method in describing software Yes components? SBOM-2.1 Are the software components identified? Yes SBOM-2.2 Are the developers/manufacturers of the software components identified? Yes SBOM-2.3 Are the major version numbers of the software components identified? Yes SBOM-2.4 Are any additional descriptive elements identified? Yes Does the device include a command or SBOM-3 process method available to generate a list of software components installed on the No device? SBOM-4 Is there an update process for the SBoM? Yes System and Application Hardening (SAHD) The device's inherent resistance to cyber attacks and malware. SAHD-1 Is the device hardened in accordance with any industry standards? Yes 56 siemens-healthineers.com/juniper ACUSON Juniper VB10 · Product and Solution Security White Paper Question ID Question Answer See note SAHD-2 Has the device received any cybersecurity certifications? No SAHD-3 Does the device employ any mechanisms for software integrity checking No Does the device employ any mechanism (e.g., release-specific hash key, checksums, SAHD-3.1 digital signature, etc.) to ensure the Yes Whitelisting installed software is manufacturer- authorized? Does the device employ any mechanism (e.g., release-specific hash key, checksums, SAHD-3.2 digital signature, etc.) to ensure the Yes Whitelisting software updates are the manufacturer- authorized updates? Can the owner/operator perform software SAHD-4 integrity checks (i.e., verify that the system No has not been modified or tampered with)? Is the system configurable to allow the SAHD-5 implementation of file-level, patient level, No or other types of access controls? SAHD-5.1 Does the device provide role-based access controls? Yes Are any system or user accounts SAHD-6 Unrestricted or disabled by the No manufacturer at system delivery? 
SAHD-6.1 | Are any system or user accounts configurable by the end user after initial configuration? | No
SAHD-6.2 | Does this include restricting certain system or user accounts, such as service technicians, to least privileged access? | No
SAHD-7 | Are all shared resources (e.g., file shares) which are not required for the intended use of the device disabled? | Yes
SAHD-8 | Are all communication ports and protocols that are not required for the intended use of the device disabled? | Yes
SAHD-9 | Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which are not required for the intended use of the device deleted/disabled? | Yes
SAHD-10 | Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled? | No
SAHD-11 | Can the device prohibit boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? | Yes
SAHD-12 | Can unauthorized software or hardware be installed on the device without the use of physical tools? | No
SAHD-13 | Does the product documentation include information on operational network security scanning by users? | No
SAHD-14 | Can the device be hardened beyond the default provided state? | No
SAHD-14.1 | Are instructions available from vendor for increased hardening? | No
SAHD-15 | Can the system prevent access to BIOS or other bootloaders during boot? | Yes
SAHD-16 | Have additional hardening methods not included in 2.3.19 been used to harden the device? | No

Security Guidance (SGUD)
Availability of security guidance for operator and administrator of the device and manufacturer sales and service.
SGUD-1 | Does the device include security documentation for the owner/operator? | Yes
SGUD-2 | Does the device have the capability, and provide instructions, for the permanent deletion of data from the device or media? | Yes
SGUD-3 | Are all access accounts documented? | Yes
SGUD-3.1 | Can the owner/operator manage password control for all accounts? | Yes
SGUD-4 | Does the product include documentation on recommended compensating controls for the device? | No

Health Data Storage Confidentiality (STCF)
The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of personally identifiable information stored on the device or removable media.
STCF-1 | Can the device encrypt data at rest? | Yes | BitLocker
STCF-1.1 | Is all data encrypted or otherwise protected? | Yes
STCF-1.2 | Is the data encryption capability configured by default? | No
STCF-1.3 | Are instructions available to the customer to configure encryption? | No
STCF-2 | Can the encryption keys be changed or configured? | No
STCF-3 | Is the data stored in a database located on the device? | Yes
STCF-4 | Is the data stored in a database external to the device? | No

Transmission Confidentiality (TXCF)
The ability of the device to ensure the confidentiality of transmitted personally identifiable information.
TXCF-1 | Can personally identifiable information be transmitted only via a point-to-point dedicated cable? | No
TXCF-2 | Is personally identifiable information encrypted prior to transmission via a network or removable media? | No
TXCF-2.1 | If data is not encrypted by default, can the customer configure encryption options? | No
TXCF-3 | Is personally identifiable information transmission Unrestricted to a fixed list of network destinations? | No
TXCF-4 | Are connections limited to authenticated systems? | No
TXCF-5 | Are secure transmission methods supported/implemented (DICOM, HL7, IEEE 11073)? | See notes | DICOM supported

Transmission Integrity (TXIG)
The ability of the device to ensure the integrity of transmitted data.
TXIG-1 | Does the device support any mechanism (e.g., digital signatures) intended to ensure data is not modified during transmission? | No
TXIG-2 | Does the device include multiple sub-components connected by external cables? | No

Remote Service (RMOT)
Remote service refers to all kinds of device maintenance activities performed by a service person via network or other remote connection.
RMOT-1 | Does the device permit remote service connections for device analysis or repair? | Yes | TeamViewer
RMOT-1.1 | Does the device allow the owner/operator to initiate remote service sessions for device analysis or repair? | Yes | The owner/operator would need to put the system into full access in order to allow a remote service session.
RMOT-1.2 | Is there an indicator for an enabled and active remote session? | Yes | There is a "telephone answered" icon that appears in the lower right hand of the main imaging screen when the system is accessed remotely.
RMOT-1.3 | Can patient data be accessed or viewed from the device during the remote session? | Yes | Only with owner/operator consent provided to the remote requestor.
RMOT-2 | Does the device permit or use remote service connections for predictive maintenance data? | Yes
RMOT-3 | Does the device have any other remotely accessible functionality (e.g., software updates, remote training)? | Yes | Remote updates, remote training, remote assistance

Other Security Considerations (OTHR)
NONE

Manufacturer Disclosure Statement (IEC60601-1)
Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1. Network properties required by the system and resulting risks

1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1Gb/s.
• If the network is down, the network services (see below) are not available, which can lead to the risks stated below.
• If the network is unavailable, medical images cannot be transferred for remote consultation.
• If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below.
• If the recommended network performance (1Gbit/s) is not provided, the transfer of images is extended, and availability of images at destinations (e.g., for consulting) is delayed.
• Only the protocols shown in the table of used ports are needed for communication.

1-2 PACS system for archiving images/results
• If the PACS is not available:
– images cannot be archived after the examination. In case of a system hardware failure, all non-archived images can be lost.
– images cannot be archived after the examination. Examinations may no longer be possible because the hard drive is full, as non-archived images cannot be automatically removed.
– images cannot be archived after the examination. In case of manual deletion of images, unarchived images can be lost.
– images are not available for remote consultation via PACS consoles.
– prior images are not available.
• If the recommended network performance (1Gbit/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system after the last transfer operations is prolonged.

1-3 DICOM printer
• If the DICOM printer is not available, film is not available for diagnosis/archive.

1-4 RIS system
• If the RIS system is not available:
– the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images when sent to the PACS until they are manually coerced with the RIS data in the PACS.
– In case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-actual RIS data is used when registering a patient from the list of schedules on the system.

1-5 Network connection to the SRS server
• If the connection to the Smart Remote Services server is not available, then support from Siemens Healthineers service is limited.

1-6 Common medical protocol properties
• Protocols used in medical environments are typically insecure, with the exception of Secure Smart Remote Services (using HTTPS).

2. Instructions for the responsible organization

2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.
2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis.
2-3 Changes to the network include:
• changes in network configuration
• connection of additional items to the network
• disconnecting items from the network
• update of equipment connected to the network
• upgrade of equipment connected to the network
2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.
2-5 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that staff who have access to the device do not have the opportunity to do any harm to the system.
2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.
2-7 Staff of the RESPONSIBLE ORGANIZATION have to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this.
2-8 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that only authorized medical/administrative staff have access to the device.
2-9 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that visitors/patients do not have unsupervised physical access to the system.
2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers.
2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system.
2-12 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet nor from the organization's intranet to the device is possible.
2-13 The RESPONSIBLE ORGANIZATION is responsible for ensuring physical security for the device.
2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.
2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.
2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.
2-17 The RESPONSIBLE ORGANIZATION is responsible for the hard drive encryption keys and for preventing the theft or loss of those keys.

3. Intended purpose of integrating the device into an IT network

3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network.
3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of acquired images to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS, making future retrievals fast and easy.
3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.

4. Network properties required by the system and resulting risks

4-1 Unsuccessful data transfer not recognized
Function: Archiving and Networking
Hazard: Wrong diagnosis / loss of acquisition data
Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted locally before it has been successfully transferred to another system.
Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
Effect on: Patient

4-2 Incorrect or incomplete data transfer
Function: Data Exchange – Network
Hazard: Wrong diagnosis, wrong examination / loss of acquisition data, loss of post processing results, corrupted data, inconsistent data
Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, not all DICOM objects that are not considered are deleted, corrupted or unintentionally manipulated. Data on the sender and receiver side is not consistent. Failure of transfer not recognized.
Measure: It has to be verified by testing that there is no object loss during sending, which means:
• Verify that exception scenarios result in a failed job (and check for other exceptions in log files).
• Verify that error cases, which result in data not complying with the DICOM standard, are covered by exception scenarios.
Effect on: Patient

4-3 Insecure or incorrectly configured clinical network
Function: Network Security
Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS
Caution: Unauthorized access may affect system performance and data security.
Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
• Lowered system performance and/or non-operational system
• Loss of data security including loss of all patient data
Measure:
• Enable your system administrator to ensure network security and the security of the operational infrastructure
• Consult manuals for secure setup
• Perform system updates as required
• Run your medical device only in protected network environments, and do not connect it directly to public networks
• Set up firewalls
• Prevent configuration files from being changed by users
• Update and patch networked systems as required
Effect on: Patient, System

4-4 BitLocker recovery keys not available when needed
Function: Hard drive encryption
Hazard: Loss of patient data, system DoS
Caution: Customer should keep BitLocker recovery keys safe
Cause: In case the customer has opted for hard drive encryption and BitLocker fails to access the encrypted drive for whatever reason, the recovery keys will be needed by Siemens Healthineers Service to pause encryption and have offline access to the hard drive and the patient data stored in it.
Effect on: Patient, System

Abbreviations

AD Active Directory
AES Advanced Encryption Standard
BIOS Basic Input Output System
DES Data Encryption Standard
DICOM Digital Imaging and Communications in Medicine
DISA Defense Information Systems Agency
DMZ Demilitarized Zone
DoS Denial of Service
ePHI Electronic Protected Health Information
FDA Food and Drug Administration
FIPS Federal Information Processing Standards
GPO Group Policy Object
HHS Health and Human Services
HIPAA Health Insurance Portability and Accountability Act
HIMSS Healthcare Information and Management Systems Society
HTTP Hypertext Transfer Protocol
HTTPS HTTP Secure
ICS Integrated Communication Services
IEC International Electrotechnical Commission
IVM Intervention Module
LDAP Lightweight Directory Access Protocol
MD5 Message Digest 5
MDS2 Manufacturer Disclosure Statement
MSTS Microsoft Terminal Server
NEMA National Electrical Manufacturers Association
NTP Network Time Protocol
OCR Office for Civil Rights
OU Organizational Unit
PACS Picture Archiving and Communication System
PHI Protected Health Information
PII Personally Identifiable Information
RIS Radiology Information System
RPC Remote Procedure Call
RSA Random Sequential Absorption
SAM Security Accounts Manager
SHA Secure Hash Algorithm
SQL Structured Query Language
SRS Smart Remote Services
STIG Security Technical Implementation Guidelines
SW Software
TCP Transmission Control Protocol
UltraVNC Ultra Virtual Network Computing
UDP User Datagram Protocol
VPN Virtual Private Network

Disclaimer According to IEC 80001-1

1-1 The Device has the capability to be connected to a medical IT network, which is managed under full responsibility of the operating legal entity (hereafter called "RESPONSIBLE ORGANIZATION"). It is assumed that the RESPONSIBLE ORGANIZATION assigns a Medical IT Network Risk Manager to perform IT Risk Management (see IEC 80001-1:2010 / EN 80001-1:2011) for IT.
1-2 This statement describes Device-specific IT networking safety and security capabilities. It is NOT a RESPONSIBILITY AGREEMENT according to IEC 80001-1:2010 / EN 80001-1:2011.
1-3 Any modification of the platform, the software or the interfaces of the Device, unless authorized and approved by Siemens Healthcare GmbH, voids all warranties, liabilities, assertions and contracts.
1-4 The RESPONSIBLE ORGANIZATION acknowledges that the Device's underlying standard computer with operating system is to some extent vulnerable to typical attacks such as malware or denial-of-service.
1-5 Unintended consequences (e.g., misuse/loss/corruption) of data not under control of the Device (e.g., after electronic communication from the Device to an IT network or to a storage media) are under the responsibility of the RESPONSIBLE ORGANIZATION.
1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT network. The RESPONSIBLE ORGANIZATION must ensure, through technical and/or organizational measures, that only authorized use of the external connections and storage media is permitted.

International Electrotechnical Commission Glossary (extract)
Responsible organization: Entity accountable for the use and maintenance of a medical IT-network.

ACUSON Juniper is a trademark of Siemens Medical Solutions USA, Inc.
Adobe is either a trademark or registered trademark of Adobe Systems Incorporated in the United States and/or other countries.
Intel is a trademark of Intel Corporation in the United States and other countries.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.
McAfee is a registered trademark of McAfee, LLC or its subsidiaries in the US and other countries.
NVIDIA is a registered trademark of NVIDIA Corporation.
PowerScribe® 360 | Reporting is a registered

Statement on FDA Cybersecurity Guidance

Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements. The representations contained in this whitepaper are designed to describe Siemens Healthineers' approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cybersecurity efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

Siemens Healthineers Headquarters
Siemens Healthcare GmbH
Henkestr. 127
91052 Erlangen, Germany
Phone: +49 9131 84-0
siemens-healthineers.com

Legal Manufacturer
Siemens Medical Solutions USA, Inc.
Ultrasound
22010 S.E. 51st Street
Issaquah, WA 98029, USA
Phone: 1-888-826-9702
siemens-healthineers.com/ultrasound

Published by Siemens Medical Solutions USA, Inc. · 9713 1120 online · ©Siemens Medical Solutions USA, Inc., 2020
