PEPconnect

Security and MDS 2 Form

Keeping patient data safe and secure typically should be one of the top priorities of healthcare institutions. At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our medical devices.

White paper ACUSON Redwood ultrasound system, release VA10 Security and MDS2 Form Facts about security and privacy requirements siemens-healthineers.com/redwood SIEMENS Healthineers Product and solution security white paper · ACUSON Redwood VA10 The Siemens Healthineers product and solution security program At Siemens Healthineers, we are committed to • Performing static code analysis of medical device working with you to address cybersecurity and privacy software. requirements. Our Product and Solution Security Office • is responsible for our global program that focuses Conducting security testing of medical devices under on addressing cybersecurity throughout the product development as well as medical devices already in lifecycle of our medical devices. the field. • Our program targets incorporating state-of-the-art Tailoring patch management to the medical device cybersecurity in our current and future products. and depth of coverage chosen by you. We seek to protect the security of your data while, at • Monitoring security vulnerability to track reported the same time, providing measures to strengthen the third party components issues in our medical devices. resiliency of our products from external cybersecurity • attackers. Working with suppliers to address security throughout the supply chain. We comply with applicable security and privacy • regulations from the US Department of Health and Training of employees to provide knowledge consistent Human Services (HHS), including the Food and Drug with their level of responsibilities regarding your data Administration (FDA) and Office for Civil Rights and device integrity. (OCR), to help you meet your IT security and privacy obligations. Contacting Siemens Healthineers about product and solution security Vulnerability and incident management Siemens Healthineers requests that any cybersecurity Siemens Healthineers cooperates with government or privacy incidents are reported by email to: agencies and cybersecurity researchers concerning [email protected] reported potential vulnerabilities. Our communications For all other communication with Siemens Healthineers policy strives for coordinated disclosure. We work in about product and solution security: this way with our customers and other parties, when [email protected] appropriate, in response to potential vulnerabilities siemens-healthineers.com and incidents in our medical devices, no matter what the source. Yours sincerely, Elements of our product and solution security program • Providing information to facilitate secure configuration and use of our medical devices in your IT environment. • Conducting formal threat and risk analysis for our medical devices. Jim Jacobson • Incorporating secure architecture, design and coding Chief Product and Solution Security methodologies in our software development process. Officer Siemens Healthineers 2 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Contents Basic Information ..................................................... 4 Network Information ............................................... 6 Security Controls ...................................................... 8 Software Bill of Materials ......................................... 9 Manufacturer Disclosure Statement According to IEC 60601-1 ........................................ 22 Manufacturer Disclosure Statement for Medical Device Security – MDS2 ......................... 26 Abbreviations .......................................................... 33 Disclaimer According to IEC 80001-1 ....................... 34 International Electrotechnical Commission Glossary (extract) .................................................... 34 Statement on FDA Cybersecurity Guidance ............. 35 siemens-healthineers.com/redwood 3 Product and solution security white paper · ACUSON Redwood VA10 Basic Information Why is cybersecurity important? Healthineers provides a robust set of remote platforms and services designed to help you maximize system Keeping patient data safe and secure typically should be performance, stay secure and enhance uptime. one of the top priorities of healthcare institutions. It is Smart Remote Services (SRS), powered by eSieLink, estimated that the cost associated in the recovery of is your rapid, secure connection to technical and each medical record in the United States can be as high clinical support. as $380.1 According to the Ponemon Institute research report,2 39% of medical devices were hacked, with Operating systems hackers able to take control of the device. Moreover, 38% of healthcare organizations said that their patients Refer to the Software Bill of Materials chapter. received inappropriate medical treatment because of an insecure medical device. User account information The Siemens Healthineers product • ACUSON Redwood system VA10 software user security program accounts can be local Windows accounts, managed by the administrator of the system. Cybersecurity is essential for digitalizing healthcare. • A break-glass mechanism ensures access to the At Siemens Healthineers, we build secure products, system in emergency scenarios. keep them protected throughout their lifecycle, and continuously refine our cybersecurity safeguards for • The system provides preconfigured Password Policies every product generation. We communicate proactively that can be customized by administrators. about the security controls of our equipment. We inform about vulnerabilities and how we have addressed them. Patching strategy We deliver solutions that help keep the equipment as secure as possible. We follow the FDA’s post-market • Security patches will be provided on regular basis guidance and are aligned with industry best practices after validation by Siemens Healthineers to maintain to continuously monitor all security-relevant components the clinical function of the medical device. for newly identified vulnerabilities. • If connected to Smart Remote Services (SRS) formerly Foundation and purpose of the products Siemens Remote Service, updates will be pushed to the system automatically. They need to be confirmed/ executed by the actual user. Our purpose is to help healthcare providers succeed. ACUSON Redwood™ Ultrasound system is the result • Alternatively, you can manually install updates by of more than three decades of experience in ultrasound using the Siemens Healthineers ASU service provided engineering. Meeting the demand for early detection, in the LifeNet platform. diagnosis and timely treatment of a variety of chronic diseases is tremendously challenging for a physician. • Technologies and software components are actively Ultrasound imaging must enable answers to a breadth monitored for vulnerabilities and availability of of important clinical questions – fast. To do that in most security updates. accurate and reproducible way, the ACUSON Redwood system offers a comprehensive suite of advanced applications. To reduce system downtime, Siemens 1 https://healthitsecurity.com/news/how-much-do-healthcare-data-breaches-cost-organizations 2 https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf 4 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper ---- -- Cryptography usage • Protected Health Information (PHI) is temporarily stored on the ultrasound system, similar to DICOM The ACUSON Redwood system VA10 software uses data, raw data, and metadata for DICOM creation. ciphers and protocols built into Windows 10 for Note: The time for which PHI is stored is determined encryption and data protection. If needed, hardening by the facility. measures limit usage to those that are at least FIPS • Personally Identifiable Information (PII) as part of 140-2-compliant. the DICOM records is also temporarily stored on the ultrasound system, e.g., patient’s name, birthday Handling of sensitive data or age, height and weight, personal identification number, and referring physician’s name. Additional • This ultrasound system is designed for temporary sensitive information might be present in user- data storage only. Siemens Healthineers recommends editable input fields or in the images acquired. storing patient data in a long-term archive, e.g., • on a PACS, and data must be deleted using a facility- Protected Health Information (PHI) Is transmitted defined procedure. via DICOM (encrypted/ unencrypted). siemens-healthineers.com/redwood 5 Product and solution security white paper · ACUSON Redwood VA10 Network Information SRS Router Smart Remote Services ... VPN V IN, OUT: TCP, UCP Remote Service Access Server ... IN, OUT: DICOM IN, OUT: PACS/RIS DICOM, Smart Remote Services ... OUT: TCP Network Share Ultrasound Machine Clinical Network Internet Figure 1: Security boundaries for system deployment Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN). To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall and/or use access control lists on the network switches to limit traffic to identified peers. At minimum, the DICOM Port (see Table 1) needs to be visible for customer DICOM network nodes (e.g., PACS, syngo®.via etc). Please contact the Siemens Healthineers Service organization for further information. 6 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper The following ports are used by the system. All the ports are closed except for the ports listed in Table 1. Port number Service/Function Direction Protocol 80 Administration Portal – Remote Service Inbound TCP 104 DICOM Communication (unencrypted) In/outbound TCP 443 Administration Portal – Remote Service Inbound TCP (encrypted) 2762 Secure DICOM (optional) In/outbound TCP 8226 Managed Node Package MNP Inbound TCP 8227 Managed Node Package MNP Inbound TCP 8228 Managed Node Package MNP Inbound TCP 11080 Remote Assist (SieLink) Inbound TCP 12061 Managed Node Package MNP Inbound TCP 13001 Managed Node Package MNP Inbound TCP Table 1: Used Port Numbers siemens-healthineers.com/redwood 7 Product and solution security white paper · ACUSON Redwood VA10 Security Controls Malware protection Physical protection • Whitelisting (Microsoft Device Guard) • You are responsible for the physical protection of the ACUSON Redwood system VA10 software, e.g., by Controlled use of administrative privileges operating it in a room with access control. Please note that the system contains patient data and should be • The system distinguishes between clinical and administrative roles. Clinical users do not require protected against tampering and theft. administrative privileges. • The system is protected by Secure Boot, which blocks Authorization as administrator is required for unsigned boot media. • administrative tasks. • It is possible to change the BIOS password. Please contact Siemens Healthineers Service for support. Authentication authorization controls Data protection controls • The ACUSON Redwood system VA10 software supports Health Insurance Portability and Accountability • The system is not intended to be an archive (data at rest). Act (HIPPA) regulation with role-based privilege • assignment and access control. PHI is protected by both role-based access control as well as hard drive encryption (optional). • The user interface of the ACUSON Redwood system • VA10 software provides a screen lock functionality that Hard drive encryption is an optional feature that is can be engaged manually or automatically after a implemented through Microsoft Bitlocker technology certain inactivity time. For details, please refer to the and use of the TPM (Trusted Platform Module) chip User Manual. on the system’s motherboard. • The system provides auditing of PHI access control. Continuous vulnerability assessment and remediation • Optionally, confidentiality and integrity of PHI/PII data • Continuous vulnerability assessment and remediation can be protected by encryption of DICOM nodes. is performed. Note: In the VA10 software release for the ACUSON Redwood system, encrypted communication can be Hardening used if all connected DICOM nodes support it. • ACUSON Redwood system VA10 software hardening is implemented based on the Security Technical Auditing/logging Implementation Guidelines developed by the Defense • The system provides HIPPA-compliant auditing Information Systems Agency (DISA). of operations on PHI, PII, and user information (i.e., login, read access to PHI, modification of PHI). Network controls • The system is designed to make limited use of network Remote connectivity ports and protocols. Microsoft Windows firewall is • SRS is optionally used for proactive maintenance. configured to block unwanted inbound network traffic The connection is created using a secured channel except for the ports listed in Table 1. (VPN- or IBC-based connection). It is used, for example, Siemens Healthineers recommends operating the to download security patches and updates. • system in a secured network environment, e.g., a • Alternatively, you can use the Siemens Healthineers separate network segmented or VLAN. LifeNet platform to download available hotfixes and • Connection to the Internet or private networks for install them in offline machines that are not connected patients/guests is not recommended. to the SRS network. • In case of a denial of service (DoS) or malware attack, Incident response and management the system can be taken off the network and operated • in a stand-alone state. The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents. 8 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Software Bill of Materials The following table comprises the most relevant third-party technologies used (general drivers not included). Vendor name /URL Component Component Description / use name version Open Source http://libjpeg-turbo. libjpeg-turbo 1.5.2 Jpeg image codec used by RendererVOB and virtualgl.org PIMS to encode/decode image data. Open Source To compress overlay image when https://snappy4net.co Snappy transferring from Orchid to UBE renderer. 1.1.1.7 deplex.com/ Snappy is designed to do both fast compression and decompression. Microsoft DirectX is a group of technologies designed to make Windows-based computers Microsoft Corporation DirectX an ideal platform for running and displaying 11 applications rich in multimedia elements such as full-color graphics, video, 3D animation, and rich audio. Library for Open Inventor™ implementation. This library is used as creating Open Inventor Visualization Science Group www.vsg3d.com Coin Inventor 4.0 objects framework for running Open Inventor graphs which aid and rendering and organizing the Renderer application Comes with Singapore. Open Source http://glew.sourceforge.net/ GLEW 1.7.0 Library for setting OpenGL Extension Pointers. Open Source Library used in RendererVOB for parsing XML http://sourceforge.net/ tinyXML.lib 2.0 files and load scenegraph. In xsg scenegraph projects/tinyxml/ parsing. Source code is imported and built with msbuild by USD. Open Source Library used in RendererVOB for interpreting http://luajit.org/luajit.html LuaJIT 2.0.0 and executing Lua script languages (.lua). Source code is imported and built by SCR. Intel An extensive library of performance profiler Intel Performance 9.0.4 tools and software functions for multimedia Primitives processing and data processing applications. khronos.org OpenCL 2.0 Parallel programming of heterogeneous systems. Open Source Library used by the UDV for clip www.ijg.org Jpeg.lib 8.0 decompression from jpeg to rgb in Review application. siemens-healthineers.com/redwood 9 Product and solution security white paper · ACUSON Redwood VA10 Software Bill of Materials The following table comprises the most relevant third-party technologies used (general drivers not included). Vendor name /URL Component Component Description / use name version Open Source (Apache Software Log4net 2.0.8.0 Logging library Foundation) Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a free Windows-based EMET 5.52 security tool that adds supplemental security Microsoft Corporation defenses to defend potentially vulnerable legacy and third-party applications. Internet Explorer (x86/x64) 11.0 Used as a web browser to display Service screen. Siemens AG Healthcare Sector MNP VI40B Providing remote software installation and support. WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets Riverbed Technology, Inc. WinPcap 4.1.3 bypassing the protocol stack, and has additional useful features, including kernel- level packet filtering, a network statistics engine and support for remote packet capture. WireShare.org Wireshark 2.6.5.0 Network protocol analyzer. It is needed to isolate nework-related problems. Ultrasound Siemens Ultrasound TeamViewer USA Core VA10B 1.0.0.17 Remote service tool (ver 1.0.0.15) Siemens Healthcare GmbH syngo – Typical 09.01.0001.0001 Siemens base medical layer: providing Developer 9.1 service related features Scan for Wi-Fi / WLAN Access Points and monitor their signal strength. Use the detected access points with Google Geolocation, Mozilla Location Service and The SZ development Homedale 1.75 Open WLAN Map Service to locate yourself. It works with 802.11a/b/g/n/ac wireless networks in the 2.4 GHz and 5 GHz frequency bands using 20, 40, 80 and 160 MHz width channels. 10 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Vendor name /URL Component Component Description / use name version NumPy is the fundamental package for scientific computing with Python. It contains among other things: a powerful Open Source https://numpy.org/ numpy 1.14.3 N-dimensional array object, sophisticated (broadcasting) functions, tools for inte- grating C/C++ and Fortran code, useful linear algebra, Fourier transform, and random number capabilities. Open Source https://matplotlib.org/cycler/ cycler 0.10.0 A data processing framework. The pyparsing module is an alternative approach to creating and executing simple Open Source grammars, vs. the traditional lex/yacc https://github.com/ pyparsing 2.1.4 approach, or the use of regular expressions. pyparsing/pyparsing/ The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code. Open Source The dateutil module provides powerful https://dateutil.readthe python-dateutil 2.5.3 extensions to the standard datetime module, docs.io/en/stable/ available in Python. pytz brings the Olson tz database into Python. This library allows accurate and cross platform timezone calculations using Python Open Source 2.4 or higher. It also solves the issue of https://pypi.org/project/pytz/ pytz 2016.4 ambiguous times at the end of daylight saving time, which you can read more about in the Python Library Reference (datetime. tzinfo). Almost all of the Olson timezones are supported. Open Source https://www. riverbankcomputing.com/ sip 4.19.8 SIP2 Python Client: Simple Interchange Protocol Client for Python software/sip/download Matplotlib strives to produce publication quality 2D graphics for interactive graphing, Open Source https://matplotlib.org/ matplotlib 2.2.2 scientific publishing, user interface develop- ment and web application servers targeting multiple user interfaces and hardcopy output formats. Open Source https://www.logilab.org/ logilab-common 1.2.0 This package contains some modules used project/logilab-common by different Logilab projects. siemens-healthineers.com/redwood 11 Product and solution security white paper · ACUSON Redwood VA10 Software Bill of Materials The following table comprises the most relevant third-party technologies used (general drivers not included). Vendor name /URL Component Component Description / use name version Open Source https://chardet.readthe chardet 2.3.0 Character encoding auto-detection in docs.io/en/latest/ Python. As smart as your browser. rllib3 is a powerful, sanity-friendly HTTP Open Source client for Python. Much of the Python https://urllib3.readthedocs. urllib3 1.15.1 ecosystem already uses urllib3 and you io/en/latest/ should too. urllib3 brings many critical features that are missing from the Python standard libraries . Windows Management Instrumentation Open Source (WMI) is Microsoft’s implementation of http://timgolden.me.uk/ wmi 1.4.9 Web-Based Enterprise Management (WBEM), python/wmi/index.html an industry initiative to provide a Common Information Model (CIM) for pretty much any information about a computer system. Open Source https://github.com/ Python requests 2.10.0 Requests is the only Non-GMO HTTP library kennethreitz/requests for Python, safe for human consumption. Open Source Python extensions for Microsoft Windows https://github.com/ Pywin32 version 223 Provides access to much of the Win32 API, mhammond/pywin32 the ability to create and use COM objects, and the Pythonwin environment. Open Source Pip is the package installer for Python. You https://pip.pypa.io/en/ Pip 10.0.1 can use pip to install packages from the stable/ Python Package Index and other indexes. Qt is set of cross-platform C++ libraries that implement high-level APIs for accessing many aspects of modern desktop and mobile Riverbank Computing PyQt 5.10.1 systems. These include location and positioning services, multimedia, NFC and Bluetooth connectivity, a Chromium based web browser, as well as traditional UI development. Open Source https://sourceforge.net/ adodbapi 2.0 Installed automatically when pywin32 (220) projects/adodbapi/files/ is installed. Open Source https://matplotlib.org/ mpl_toolkits N/A Installed automatically when matplotlib 1.5.1/users/license.html (1.5.1) is installed. 12 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Vendor name /URL Component Component Description / use name version Open Source isapi N/A Installed automatically when pywin32 (220) is installed. CFFI, the Common Foreign Function Interface, Open Source purports to be a portable foreign function https://github.com/ cffi 1.11.5 interface for Common Lisp. The CFFI library cffi/cffi is composed of a Lisp-implementation- specific backend in the CFFI-SYS package, and a portable frontend in the CFFI package. Kiwi is an efficient C++ implementation of the Cassowary constraint solving algorithm. Kiwi is an implementation of the algorithm based on the seminal Cassowary paper. It is Open Source not a refactoring of the original C++ solver. https://github.com/ kiwisolver 1.0.1 Kiwi has been designed from the ground nucleic/kiwi up to be lightweight and fast. Kiwi ranges from 10x to 500x faster than the original Cassowary solver with typical use cases gaining a 40x improvement. Memory savings are consistently > 5x. Open Source Makes ANSI escape character sequences (for https://pypi.org/ colorama 0.3.7 producing colored terminal text and cursor project/colorama/ positioning) work under MS Windows. gevent is a coroutine-based Python Open Source http://www.gevent.org/ gevent 1.3.2.post0 networking library that uses greenlet to provide a high-level synchronous API on top of the libev or libuv event loop. The greenlet package is a spin-off of Open Source Stackless, a version of CPython that supports https://github.com/ greenlet 0.4.13 micro-threads called “tasklets”. Tasklets run python-greenlet/greenlet pseudo-concurrently (typically in a single or a few OS-level threads) and are synchronized with data exchanges on “channels”. pycparser is a complete parser of the C Open Source language, written in pure Python using the https://github.com/ pycparser 2.18 PLY parsing library. It parses C code into an eliben/pycparser AST and can serve as a front-end for C compilers or analysis tools. Open Source https://github.com/ setuptools 39.2.0 Easily download, build, install, upgrade, and pypa/setuptools uninstall Python packages. siemens-healthineers.com/redwood 13 Product and solution security white paper · ACUSON Redwood VA10 Software Bill of Materials The following table comprises the most relevant third-party technologies used (general drivers not included). Vendor name /URL Component Component Description / use name version Six is a Python 2 and 3 compatibility library. It provides utility functions for smoothing Open Source over the differences between the Python https://github.com/ six 1.10.0 versions with the goal of writing Python benjaminp/six code that is compatible on both Python versions. See the documentation for more information on what is provided. This is a Python client library for iterating over http Server Sent Event (SSE) streams Open Source (also known as EventSource, after the name https://github.com/ sseclient 0.0.14 of the Javascript interface inside browsers). btubbs/sseclient The SSEClient class accepts a url on init, and is then an iterator over messages coming from the server. Open Source websocket-client module is WebSocket client https://github.com/ websocket_client 0.37.0 for Python. This provides the low-level APIs val-labs/websocket-client2 for WebSocket. All APIs are the synchronous functions. Microsoft Visual Microsoft Corporation C++ 2015 2015 The Microsoft Visual C++ 2012 Redistributable Redistributable Open Source Nunit 2.6.2 Unit-testing framework Microsoft Corporation Microsoft SQL Server 12.0.4232.1 PIMS Database Engine Trillium Technology, Inc. ShowCase A DICOM viewer. ShowCase viewer is for Onboard Viewer 5.4.0.0 displaying full color, still and cineloop ultrasound studies. Merge Healthcare DICOM Toolkit 5.6.0 A comprehensive API that conforms to the Incorporated latest DICOM standards. Tomtec Cariac SR (DicomConverter) 5.0.0.9 TLS Toolkit OpenSSL 1.0.2k Library for Secure Connection 64 Bit HP CIO HP Inc. Components 20.2.1 HP Print Driver Installer 14 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Vendor name /URL Component Component Description / use name version Igor Pavlov 7-Zip 18.05 (x64edition) 18.05.00.0 7-Zip is a file archiver with a high compression ratio. Adobe Reader software is the global standard for electronic document sharing. It is the Adobe Systems Adobe Reader XI only PDF file viewer that can open and Incorporated (11.0.21) MUI 11.0.21 interact with all PDF documents. Use Adobe Reader to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files. Camtasia is a software suite, created and published by TechSmith, for creating video TechSmith Corporation Camtasia Studio 1.1 tutorials and presentations directly via screencast, or via a direct recording plug-in to Microsoft PowerPoint. Congatec congatec CGOS API 07.28.2012 congatec Operating System Application Program Interface. URL Rewrite Module 2.0 provides a rule- IIS URL Rewrite based rewriting mechanism for changing Microsoft Corporation Module 2 7.2.1952 requested URLs before they get processed by the web server and for modifying response content before it gets served to HTTP clients. Intel® Chipset Device Software 10.1.1.38 Chipset Intel Corporation Intel® Processor Graphics 1.20.16.4599 Graphic driver Microsoft Application Request Routing (ARR) Microsoft for IIS 7 and above is a proxy-based routing Application 3.0.1952 module that forwards HTTP requests to Request Routing content servers based on HTTP headers, 3.0 server variables, and load balance algorithms. Microsoft ODBC Driver 11 for SQL 12.1.4232.0 SQL Server Microsoft Corporation Server Microsoft SQL Server 2008 Setup Support 10.3.5500.0 SQL Server Files Microsoft SQL Server 2012 11.0.2100.60 SQL Server Native Client siemens-healthineers.com/redwood 15 Product and solution security white paper · ACUSON Redwood VA10 Software Bill of Materials The following table comprises the most relevant third-party technologies used (general drivers not included). Vendor name /URL Component Component Description / use name version Microsoft SQL Server 2014 12.1.4232.0 SQL Server Express LocalDB Microsoft SQL Server 2014 RsFx 12.1.4100.1 SQL Server Driver Microsoft SQL Server 2014 12.1.4232.0 SQL Server Setup (English) Microsoft SQL Server 2014 Transact-SQL 12.1.4100.1 SQL Server ScriptDom A security issue has been identified that Microsoft Visual could allow an attacker to compromise your C++ 2005 8.0.61001 Windows-based system with Microsoft Visual Redistributable C++ 2005 Service Pack 1 Redistributable Package. Microsoft Corporation Microsoft Visual A security issue has been identified that C++ 2005 could allow an attacker to compromise your Redistributable 8.0.61000 Windows-based system with Microsoft Visual (x64) C++ 2005 Service Pack 1 Redistributable Package. Microsoft Visual A security issue has been identified that C++ 2008 9.0.30729.4148 could allow an attacker to compromise your Redistributable Windows-based system with Microsoft Visual (x86) C++ 2008 Service Pack 1 Redistributable Package. Microsoft Visual A security issue has been identified leading C++ 2008 to a vulnerability in MFC applications that Redistributable 9.0.30729.6161 are built with Visual Studio 2008 and ship (x86) the Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package. The Microsoft Visual C++ 2008 SP1 Microsoft Visual Redistributable Package (x86) installs C++ 2008 SP1 Redistributable 9.0.30729.17 runtime components of Visual C++ Libraries required to run applications developed with Package (x86) Visual C++ SP1 on a computer that does not have Visual C++ 2008 SP1 installed. 16 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Vendor name /URL Component Component Description / use name version Microsoft Visual The Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) installs C++ 2008 Redistributable 9.0.30729.4148 runtime components of Visual C++ Libraries -x86 required to run applications developed with 9.0.30729.4148 Visual C++ SP1 on a computer that does not have Visual C++ 2008 SP1 installed. Microsoft Visual The Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) installs C++ 2008 Redistributable 9.0.30729.6161 runtime components of Visual C++ Libraries -x86 required to run applications developed with 9.0.30729.6161 Visual C++ SP1 on a computer that does not have Visual C++ 2008 SP1 installed. Microsoft Visual The Microsoft Visual C++ 2010 SP1 Redistributable Package (x86) installs C++ 2010 SP1 Redistributable 10.0.40219 runtime components of Visual C++ Libraries Package required to run applications developed with (x86/x64) Visual C++ 2010 SP1 on a computer that does not have Visual C++ 2010 SP1 installed. Microsoft Corporation Microsoft Visual C++ 2012 Redistributable 11.0.61030.0 The Microsoft Visual C++ 2012 (x64) – Redistributable 11.0.61030 Microsoft Visual C++ 2012 x64 Additional 11.0.61030 The Microsoft Visual C++ 2012 Runtime – Redistributable 11.0.61030 Microsoft Visual C++ 2012 x64 Minimum 11.0.61030 The Microsoft Visual C++ 2012 Runtime – Redistributable 11.0.61030 Microsoft Visual C++ 2013 Redistributable 12.0.30501.0 The Microsoft Visual C++ 2013 (x64) – Redistributable 12.0.30501 siemens-healthineers.com/redwood 17 Product and solution security white paper · ACUSON Redwood VA10 Software Bill of Materials The following table comprises the most relevant third-party technologies used (general drivers not included). Vendor name /URL Component Component Description / use name version Microsoft Visual C++ 2013 x64 Additional 12.0.21005 The Microsoft Visual C++ 2013 Runtime – Redistributable 12.0.21005 Microsoft Visual C++ 2013 x64 Minimum 12.0.21005 The Microsoft Visual C++ 2013 Runtime – Redistributable 12.0.21005 Microsoft Visual C++ 2015 Redistributable 14.0.24215.1 The Microsoft Visual C++ 2015 (x64/x64) – Redistributable 14.0.24215 Microsoft Visual C++ 2015 x64 Additional 14.0.24215 The Microsoft Visual C++ 2015 Redistributable Microsoft Corporation Runtime – 14.0.24215 Microsoft Visual C++ 2015 x64 Minimum 14.0.24215 The Microsoft Visual C++ 2015 Runtime – Redistributable 14.0.24215 Microsoft VSS Writer for SQL 12.1.4100.1 Database Engine Server 2014 Microsoft Web Deploy 2.0 2.0.1070 WebDriver Microsoft Web Farm Framework 2.2.1341 WebDriver Version 2.2 Microsoft Web Platform Installer 3.0.5 WebDriver 3.0 NVIDIA Corporation NVIDIA Graphics Driver 425.31 425.31 Graphics Driver 18 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Vendor name /URL Component Component Description / use name version Open Source Python Software Python 3.6.5 Python Script Foundation The .NET Framework 2.0 Service Pack 2 provides cumulative roll-up updates for .NET Framework customer reported issues found after the 2.0 Service 2.0.50727.8745 release of the .NET Framework 2.0. In Pack 2 addition, this release provides performance improvements, and prerequisite feature support for the .NET Framework 3.5 Service Pack 1. Microsoft .NET Framework 3.5 Service Pack 1 Microsoft Corporation is a full cumulative update that contains .NET Framework many new features building incrementally 3.5 Service 3.5.30729.8763 upon .NET Framework 2.0, 3.0, 3.5, and Pack 1 includes cumulative servicing updates to the .NET Framework 2.0 and .NET Framework 3.0 subcomponents. The Microsoft .NET Framework 4.6 Server .NET Framework Core installer package downloads the .NET 4.6.1 4.6.1586.0 Framework 4.6 components required to run on Windows Server 2008 R2 SP1 and higher for Server Core role installation. Blue Elephant Systems The IT Machine GmbH with correlation 1.2.5 module Windows 10 Microsoft Corporation Enterprise 2016 2016 LTSB Operation System lTSB Realtek Realtek High Definition Audio 6.0.1.8036 HD audio driver Open Source (Ingo Berg) muParser 2.2.5 Math expression parser library Windows Driver This package contains a Virtual COM Port Silicon Laboratories Inc. Package – Silicon 10.1.7.2399 Universal driver for Microsoft Windows 10 Laboratories Inc. for use with Silicon Labs VCP USB Serial (silabser) Ports Bridges. NVIDIA CUDA 9.1 A development environment for creating high performance GPU-accelerated applications. siemens-healthineers.com/redwood 19 Product and solution security white paper · ACUSON Redwood VA10 Software Bill of Materials The following table comprises the most relevant third-party technologies used (general drivers not included). Vendor name /URL Component Component Description / use name version ftdchip FTDI drivers (VCP and D3XX) 2.12.28.0 FTDI chip driver to communicate with CPM (Core Physio Module) CrashRpt is a free open-source library Open Source designed for intercepting exceptions in your https://code.google.com/p/ CrashRpt 1.4.3 C++ program, collecting technical crashrpt/ information about the crash and sending error reports over the Internet to software vendor. Intel® Compilers The compiler runtime libraries to dynamically Redistributable 17.0 Update 4 link applications built with the Intel® C++ Libraries Compiler. Intel® Integrated An extensive library of performance profiler Performance 9.0 Update 4 tools and software functions for multimedia Primitives processing and data processing applications. Intel Intel® Math A library of optimized math routines for Kernel Library 11.3 Update 4 science, engineering, and financial applications. Intel® Threading A C++ template library developed by Intel for Building Blocks 4.4 Update 4 parallel programming on multi-core processors. A PC tool for programming flash based Embedded Systems Flash Magic 10.50 microcontrollers from NXP using a serial or Academy Ethernet protocol while in the target hardware. Microsoft Corporation MSXML Parser and SDK 4 SP2 4.20.9849.0 Microsoft XML Parser 4.0 Moq is the most popular and friendly Open Source mocking framework for .NET. https://www.nuget.org/ Moq packages/moq/ 4.2 Moq is the most popular and friendly mocking framework for .NET. Apache log4cxx is a logging framework for C++ patterned after Apache log4j, which uses Apache Portable Runtime for most Open Source Log4cxx 0.10.0.1 platform-specific code and should be usable on any platform supported by APR. Apache log4cxx is licensed under the Apache License, an open source license certified by the Open Source Initiative. 20 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Vendor name /URL Component Component Description / use name version Open Source http://cristobaldobranco. Multimedia framework, able to decode, github.io/blog/2015/01/20/ ffmpeg 2.7.2 encode, transcode, mux, demux, stream, compiling-ffmpeg-with- filter and play pretty much anything that windows-tools/ humans and machines have created. SQLite SQLite 1.0.99.0 Lightweight database engine for managing i18n strings. Application framework for building rich internet applications. Provides frameworks Microsoft Corporation Prism framework 4.0 implemented using proven software design and development best practices. Used as common presentation layer framework to build vertical applications in Frosk. Sony Sony UP-D711MD BW 1.0.0.0 Black and white thermal printer driver Printer Driver Intel® Ethernet Intel Connection 22.2.4.0 Gigabit ethernet adapter driver I218-LM siemens-healthineers.com/redwood 21 Product and solution security white paper · ACUSON Redwood VA10 Manufacturer Disclosure Statement According to IEC 60601-1 Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13 1. Network properties required by the system and resulting risks 1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1Gb/s performance: • If the network is down, the network services (see below) are not available which can lead to the risks stated below. • If the network is unavailable, medical images cannot be transferred for remote consultation. • If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below. • If the recommended network performance (1Gbit/s) is not provided, the transfer of images is extended, and availability of images at destinations (e.g., for consulting) is delayed. • Only the protocols shown in the table of used ports are needed for communication. 1-2 PACS system for archiving images/results • If the PACS is not available: images cannot be archived after the examination. In case of a system hardware failure, all non-archived – images can be lost. images cannot be archived after the examination. Examinations may no longer be possible because the – hard drive is full as non-archived images cannot be automatically removed. images cannot be archived after the examination. In case of manual deletion of images, unarchived images – can be lost. images are not available for remote consultation via PACS consoles. – prior images are not available. – • If the recommended network performance (1Gbit/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system consecutive to the last transfer operations is prolonged. 1-3 DICOM printer • If the DICOM printer is not available, film is not available for diagnosis/archive. 1-4 RIS system • If the RIS system is not available: the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of – images when sent to the PACS until they are manually coerced with the RIS data in the PACS. In case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-actual RIS – data is used when registering a patient from the list of schedules on the system. 1-5 Network connection to the SRS server • If the connection to the Smart Remote Services server is not available, then support from Siemens Healthineers service is limited. 1-6 Common medical protocol properties • Protocols used in medical environments are typically unsecure, with the exception of secure Smart Remote Services (using HTTPS). 22 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper 2. Instructions for the responsible organization 2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks. 2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis. 2-3 Changes to the network include: • changes in network configuration • connection to additional items to the network • disconnecting items from the network • update of equipment connected to the network • upgrade of equipment connected to the network 2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected. 2-5 The RESPONSIBLE ORGANIZATION is fully responsible to ensure staff who have access to the device do not have the opportunity to provide any harm to the system. 2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons. 2-7 Staff of the RESPONSIBLE ORGANIZATION has to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this. 2-8 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that only authorized medical/administrative staff shall have access to the device. 2-9 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that visitors/patients do not have unsupervised physical access to the system. 2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers. 2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system. 2-12 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet or the organization’s intranet to the device is possible. 2-13 The RESPONSIBLE ORGANIZATION is responsible to ensure physical security for the device. 2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used. 2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way. 2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic. 2-17 The RESPONSIBLE ORGANIZATION is responsible for the hard drive encryption keys and for preventing the theft or loss of those keys. siemens-healthineers.com/redwood 23 Product and solution security white paper · ACUSON Redwood VA10 Manufacturer Disclosure Statement According to IEC 60601-1 Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13 3. Intended purpose of integrating the device into an IT network 3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network. 3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of images acquired to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS making future retrievals fast and easy. 3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage. 4. Network properties required by the system and resulting risks 4-1 Unsuccessful data transfer not recognized Function: Archiving and Networking Hazard: Wrong diagnosis / loss of acquisition data Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted locally before it has been successfully transferred to another system. Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data. Effect on: Patient 4-2 Incorrect or incomplete data transfer Function: Data Exchange – Network Hazard: Wrong diagnosis, wrong examination / loss of acquisition data, loss of post processing results, corrupted data, inconsistent data Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, not all DICOM objects that are not considered are deleted, corrupted or unintentionally manipulated. Data on the sender and receiver side is not consistent. Failure of transfer not recognized. Measure: It has to be verified by testing, that there is no object loss during sending, which means: • Verify that exception scenarios result in a failed job (and check for other exceptions in log files). • Verify that error cases, which result in data not complying with the DICOM standard, are covered by exception scenarios. Effect on: Patient 24 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper 4. Network properties required by the system and resulting risks 4-3 Insecure or incorrectly configured clinical network Function: Network Security Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS Caution: Unauthorized access may affect system performance and data security. Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to: • Lowered system performance and/or non-operational system • Loss of data security including loss of all patient data Measure: • Enable your system administrator to ensure network security and the security of the operational infrastructure • Consult manuals for secure setup • Perform system updates as required • Run your medical device only in protected network environments, and do not connect it directly to public networks • Set up firewalls • Prevent configuration files from being changed by users • Update and patch networked systems as required Effect on: Patient 4-4 Bitlocker recovery keys not available when needed Function: Hard drive encryption Hazard: loss of patient data, system DoS Caution: Customer should keep Bitlocker recovery keys safe Cause: In the case the customer opted for hard drive encryption and if BitLocker fails to access the encrypted drive for whatever reason, then the recovery keys will be needed by Siemens Healthineers Service to pause encryption and have offline access to the hard drive and the patient data stored in it. Effect on: Patient, System siemens-healthineers.com/redwood 25 Product and solution security white paper · ACUSON Redwood VA10 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Device Description Device Category Manufacturer Document ID Document Diagnostic Ultrasound Siemens Medical Solutions 502955-FPD-001 Release Date USA, Inc. 18-Sep-19 Device Model Software Revision Software Release Date ACUSON Redwood r1.0 21-Aug-19 Manufacturer or Company Name Manufacturer Contact Information Representative Contact Siemens Medical Solutions USA, Inc. Siemens Medical Solutions – Ultrasound Information 685 E Middlefield Rd, Mountain View, CA 94043 Representative Name / Position YoungChul Kim/Senior Engineer Intended use of device in network-connected environment Optionally, the ACUSO Redwood Ultrasound System can be configured to communicate to a hospital Patient Archival Communication System (PACS). The following DICOM Services are supported: Store SCP/SCU, Modality Worklist SCU, Query/Retrieve SCU, Storage Commitment SCU, Print SCU and DICOM Structured Reporting SCU. 26 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Management of Private Data Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information Yes, No, Note # requested in this form. N/A, or See Note A Can this device display, transmit, or maintain private data (including electronic Protected Health Yes Information [ePHI])? B Types of private data elements that can be maintained by the device: B.1 Demographic (e.g., name, address, location, unique identification number)? Yes – B.2 Medical record (e.g., medical record #, account #, test or treatment date, device identification number)? Yes – B.3 Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying Yes – characteristics)? B.4 Open, unstructured text entered by device user/operator? Yes – B.5 Biometric data? Yes – B.6 Personal financial information? No – C Maintaining private data ‒ Can the device: C.1 Maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)? Yes – C.2 Store private data persistently on local media? Yes – C.3 Import/export private data with other systems? Yes – C.4 Maintain private data during power service interruptions? Yes – D Mechanisms used for the transmitting, importing/exporting of private data – Can the device: D.1 Display private data (e.g., video display, etc.)? Yes – D.2 Generate hardcopy reports or images containing private data? Yes – D.3 Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, Yes – CF/SD card, memory stick, etc.)? D.4 Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, Yes – serial port, USB, FireWire, etc.)? D.5 Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Yes – Internet, etc.)? D.6 Transmit/receive private data via an integrated wireless network connection (e.g., WiFi, Bluetooth, Yes – infrared, etc.)? D.7 Import private data via scanning? No – D.8 Other? N/A – Management The system can store height, weight and BSA. of private data notes: siemens-healthineers.com/redwood 27 Product and solution security white paper · ACUSON Redwood VA10 Device Category Manufacturer Document ID Document Diagnostic Ultrasound Siemens Medical Solutions 11502955-FPD-001 18-Sep-19 USA, Inc. Device Model Software Revision Software Release Date ACUSON Redwood r1.0 21-Aug-19 Security capabilities Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. Yes, No, Note # N/A, or See Note 1 Automatic logoff (ALOF) The device’s ability to prevent access and misuse by unauthorized users if device is left idle for a period of time. 1-1 Can the device be configured to force reauthorization of logged-in user(s) after a predetermined Yes – length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? 1-1.1 Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? Yes 1 (Indicate time [fixed or configurable range] in notes.) 1-1.2 Can auto-logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) Yes – by the user? ALOF notes: The auto-logoff can be configured from 1 to 60 minutes. 2 Audit controls (AUDT) The ability to reliably audit activity on the device. 2-1 Can the medical device create an audit trail? Yes – 2-2 Indicate which of the following events are recorded in the audit log: 2-2.1 Login/logout Yes – 2-2.2 Display/presentation of data Yes – 2-2.3 Creation/modification/deletion of data Yes – 2-2.4 Import/export of data from removable media Yes – 2-2.5 Receipt/transmission of data from/to external (e.g., network) connection Yes – 2-2.51 Remote service activity Yes – 2-2.6 Other events? (describe in the notes section) No – 2-3 Indicate what information is used to identify individual events recorded in the audit log: 2-3.1 User ID Yes – 2-3.2 Date/time Yes – AUTH notes: Log items are encrypted as they are added to the audit log. 3 Authorization (AUTH) The ability of the device to determine the authorization of users. 3-1 Can the device prevent access to unauthorized users through user login requirements or other Yes – mechanism? 3-2 Can users be assigned different privilege levels within an application based on ‘roles’ (e.g., guests, Yes – regular users, power users, administrators, etc.)? 3-3 Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating No – system or application via local root or admin account)? AUTH notes: N/A 28 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Device Category Manufacturer Document ID Document Diagnostic Ultrasound Siemens Medical Solutions 11502955-FPD-001 18-Sep-19 USA, Inc. Device Model Software Revision Software Release Date ACUSON Redwood r1.0 21-Aug-19 Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. Yes, No, Note # N/A, or See Note 4 Configuration of security features (CNFS) The ability to configure/re-configure device security capabilities to meet user’s needs. 4-1 Can the device owner/operator reconfigure product security capabilities? Yes – CNFS notes: The admin via the security system configuration screen can configure the security system such as firewall. In addition, only the admin can configure data export capabilities including: DICOM and Network Share 5 Cyber security product upgrades (CSUP) The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade device’s security patches. 5-1 Can relevant OS and device security patches be applied to the device as they become available? Yes 1 5-1.1 Can security patches or other software be installed remotely? Yes 2 CSUP notes: 1. Only security patches that become available through Siemens are subject to be installed in the system. 2. Siemens Remote Service can push patches to system which are then installed once approved by the user. 6 Health data DE-identification (DIDT) The ability of the device to directly remove information that allows identification of a person. 6-1 Does the device provide an integral capability to de-identify private data? Yes – DIDT notes: There is a feature in Patient Browser which will clear the patient banner and clear the DICOM tags identifying a specific patient. 7 Data backup and disaster recovery (DTBK) The ability to recover after damage or destruction of device data, hardware, or software. 7-1 Does the device have an integral data backup capability (i.e., backup to remote storage or Yes – removable media such as tape, disk)? DTBK notes: A patient data is uploaded to PACS either during or after each exam. A patient data can be backed up to USB or DVD. The system configuration can be backed up to USB. 8 Emergency access (EMRG) The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data. 8-1 Does the device incorporate an emergency access (“break-glass”) feature? Yes – EMRG notes: The system will allow for an emergency exam to be performed. Access to main aspects of the system other than that required to perform the exam are restricted. 9 Health data integrity and authenticity (IGAU) How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is from the originator. 9-1 Does the device ensure the integrity of stored data with implicit or explicit error detection/correction No – technology? IGAU notes: N/A siemens-healthineers.com/redwood 29 Product and solution security white paper · ACUSON Redwood VA10 Device Category Manufacturer Document ID Document Diagnostic Ultrasound Siemens Medical Solutions 11502955-FPD-001 18-Sep-19 USA, Inc. Device Model Software Revision Software Release Date ACUSON Redwood r1.0 21-Aug-19 Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. Yes, No, Note # N/A, or See Note 10 Malware detection/protection (MLDP) The ability of the device to effectively prevent, detect and remove malicious software (malware). 10-1 Does the device support the use of anti-malware software (or other anti-malware mechanism)? Yes – 10-1.1 Can the user independently re-configure anti-malware settings? No – 10-1.2 Does notification of malware detection occur in the device user interface? Yes – 10-1.3 Can only manufacturer-authorized persons repair systems when malware has been detected? Yes – 10-2 Can the device owner install or update anti-virus software? No – 10-3 Can the device owner/operator (technically/physically) update virus definitions on N/A – manufacturer-installed antivirus software? MLDP notes: DeviceGuard is incorporated into the system. Only software signed by Siemens can execute. 11 Node authentication (NAUT) The ability of the device to authenticate communication partners/nodes. 11-1 Does the device provide/support any means of node authentication that assures both the sender and Yes – the recipient of data are known to each other and are authorized to receive transferred information? NAUT notes: Communication to a PACS can be configured to use TLS certificates. Only if encrypted DICOM functionality is being used. 12 Person authentication (PAUT) Ability of the device to authenticate users 12-1 Does the device support user/operator-specific username(s) and password(s) for at least one user? Yes – 12-1.1 Does the device support unique user/operator-specific IDs and passwords for multiple users? Yes – 12-2 Can the device be configured to authenticate users through an external authentication service No – (e.g., MS Active Directory, NDS, LDAP, etc.)? 12-3 Can the device be configured to lock out a user after a certain number of unsuccessful logon Yes – attempts? 12-4 Can default passwords be changed at/prior to installation? Yes – 12-5 Are any shared user IDs used in this system? No – 12-6 Can the device be configured to enforce creation of user account passwords that meet established Yes – complexity rules? 12-7 Can the device be configured so that account passwords expire periodically? Yes – PAUT notes: Accounts and passwords for those accounts are configured by the administrator of the system. The password aging can be configured from 0 (never expires) to 999 days. The default setting is 42 days. 13 Physical locks (PLOK) Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media 13-1 Are all device components maintaining private data (other than removable media) physically Yes – secure (i.e., cannot remove without tools)? PLOK notes: N/A 30 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Device Category Manufacturer Document ID Document Diagnostic Ultrasound Siemens Medical Solutions 11502955-FPD-001 18-Sep-19 USA, Inc. Device Model Software Revision Software Release Date ACUSON Redwood r1.0 21-Aug-19 Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. Yes, No, Note # N/A, or See Note 14 Roadmap for third party components in device life cycle (RDMP) Manufacturer’s plans for security support of 3rd party components within device life cycle. 14-1 In the notes section, list the provided or required (separately purchased and/or delivered) See Note – operating system(s) – including version number(s). 14-2 Is a list of other third party applications provided by the manufacturer available? Yes – RDMP notes: Microsoft Windows 10 64 bit 15 System and application hardening (SAHD) The device’s resistance to cyber-attacks and malware. 15-1 Does the device employ any hardening measures? Please indicate in the notes the level of Yes 1 conformance to any industry-recognized hardening standards. 15-2 Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure Yes – the installed program/update is the manufacturer-authorized program or software update? 15-3 Does the device have external communication capability (e.g., network, modem, etc.)? Yes – 15-4 Does the file system allow the implementation of file-level access controls (e.g., New Technology Yes – File System (NTFS) for MS Windows platforms)? 15-5 Are all accounts which are not required for the intended use of the device disabled or deleted, Yes – for both users and applications? 15-6 Are all shared resources (e.g., file shares) which are not required for the intended use of the device, disabled? Yes – 15-7 Are all communication ports which are not required for the intended use of the device closed/disabled? Yes – 15-8 Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which Yes – are not required for the intended use of the device deleted/disabled? 15-9 Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, Yes – etc.) which are not required for the intended use of the device deleted/disabled? 15-10 Can the device boot from uncontrolled or removable media (i.e., a source other than an internal Yes 2 drive or memory component)? 15-11 Can software or hardware not authorized by the device manufacturer be installed on the device No – without the use of tools? SAHD notes: 1. DISA STIGS 2. Booting from uncontrolled removable media requires BIOS password 16 Security guidance (SGUD) The availability of security guidance for operator and administrator of the system and manufacturer sales and service. 16-1 Are security-related features documented for the device user? Yes – 16-2 Are instructions available for device/media sanitization (i.e., instructions for how to achieve Yes – the permanent deletion of personal or other sensitive data)? SGUD notes: The manual of Service Configuration explains how to delete study data siemens-healthineers.com/redwood 31 Product and solution security white paper · ACUSON Redwood VA10 Device Category Manufacturer Document ID Document Diagnostic Ultrasound Siemens Medical Solutions 11502955-FPD-001 18-Sep-19 USA, Inc. Device Model Software Revision Software Release Date ACUSON Redwood r1.0 21-Aug-19 Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. Yes, No, Note # N/A, or See Note 17 Health data storage confidentiality (STCF) The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on device or removable media. 17-1 Can the device encrypt data at rest? Yes – STCF notes: Microsoft BitLocker can be enabled at the factory or after customer installation 18 Transmission confidentiality (TXCF) The ability of the device to ensure the confidentiality of transmitted private data. 18-1 Can private data be transmitted only via a point-to-point dedicated cable? No – 18-2 Is private data encrypted prior to transmission via a network or removable media? See Note – (If yes, indicate in the notes which encryption standard is implemented.) 18-3 Is private data transmission restricted to a fixed list of network destinations? Yes – TXCF notes: Encryption via industry standards is available with wireless networking. Application layer encryption is available only if encrypted DICOM functionality is being used. Secure DICOM can be configured to use TLS 1.0, 1.1 or 1.2. DICOM is encrypted by TLS_RSA_WITH_128_CBC_SHA or TLS_RSA_WITH_3DES_ EDE_CBC_SHA. 19 Transmission integrity (TXIG) The ability of the device to ensure the integrity of transmitted private data. 19-1 Does the device support any mechanism intended to ensure data is not modified during transmission? No – (If yes, describe in the notes section how this is achieved.) TXIG notes: N/A 20 Other security considerations (OTHR) Additional security considerations/notes regarding medical device security. 20-1 Can the device be serviced remotely? Yes – 20-2 Can the device restrict remote access to/from specified devices or users or network locations (e.g., Yes – specific IP addresses)? 20-2.1 Can the device be configured to require the local user to accept or initiate remote access? Yes – OTHR notes: N/A 32 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Abbreviations AD Active Directory MD5 Message Digest 5 AES Advanced Encryption Standard MDS2 Manufacturer Disclosure BIOS Basic Input Output System Statement DES Data Encryption Standard MSTS Microsoft Terminal Server DISA Defense Information Systems NEMA National Electrical Agency Manufacturers Association DMZ Demilitarized Zone NTP Network Time Protocol DoS Denial of Service OCR Office for Civil Rights Electronic Protected Health OU Organizational Unit ePHI Information PHI Protected Health Information FDA Food and Drug Administration PII Personally Identifiable FIPS Federal Information Processing Information Standards RPC Remote Procedure Call HHS Health and Human Services SAM Security Accounts Manager HIPAA Health Insurance Portability SHA Secure Hash Algorithm and Accountability Act SQL Structured Query Language HIMSS Healthcare Information and Management Systems Society SRS Smart Remote Services HTTP Hypertext Transfer Protocol SW Software HTTPS HTTP Secure TCP Transmission Control Protocol ICS Integrated Communication UltraVNC Ultra Virtual Network Services Computing IEC International Electrotechnical UDP User Datagram Protocol Commission VPN Virtual Private Network LDAP Lightweight Directory Access Protocol siemens-healthineers.com/redwood 33 Product and solution security white paper · ACUSON Redwood VA10 Disclaimer According to International Electrotechnical IEC 80001-1 Commission Glossary (extract) 1-1 The Device has the capability to be connected Responsible organization: to a medical IT network, which is managed under Entity accountable for the use and maintenance of a full responsibility of the operating legal entity medical IT network (hereafter called “RESPONSIBLE ORGANIZATION”). It is assumed that the RESPONSIBLE ORGANIZATION ACUSON Redwood is a trademark of Siemens Medical assigns a Medical IT Network Risk Manager to Solutions USA, Inc. perform IT Risk Management (see IEC 80001- syngo is a registered trademark of Siemens Healthcare 1:2010 / EN 80001-1:2011) for IT. GmbH. Adobe is either a trademark or registered trademark of 1-2 This statement describes Device-specific IT networking safety and security capabilities. It is Adobe Systems Incorporated in the United States and/or NOT a RESPONSIBILITY AGREEMENT according to other countries. IEC 80001-1:2010 / EN 80001-1:2011. Intel is a trademark of Intel Corporation in the United States and other countries. 1-3 Any modification of the platform, the software or the interfaces of the Device – unless authorized and Microsoft and Windows are registered trademarks of approved by Siemens Healthcare GmbH – voids all Microsoft Corporation in the United States and other warranties, liabilities, assertions and contracts. countries. 1-4 The RESPONSIBLE ORGANIZATION acknowledges that the Device’s underlying standard computer with operating system is to some extent vulnerable to typical attacks such as malware or denial-of- service. 1-5 Unintended consequences (e.g., misuse/loss/ corruption) of data not under control of the Device (e.g., after electronic communication from the Device to an IT network or to a storage media), are under the responsibility of the RESPONSIBLE ORGANIZATION. 1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT network. The RESPONSIBLE ORGANIZATION must ensure – through technical and/or organizational measures – that only authorized use of the external connections and storage media is permitted. 34 siemens-healthineers.com/redwood ACUSON Redwood VA10 · Product and solution security white paper Statement on FDA Cybersecurity Guidance Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, healthcare facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements. The representations contained in this whitepaper are designed to describe Siemens Healthineers’ approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cyber-security efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack. siemens-healthineers.com/redwood 35 Please note that the learning material is for training purposes only! For the proper use of the software or hardware, please always use the Operator Manual or Instructions for Use (hereinafter collectively “Operator Manual”) issued by Siemens Healthineers. This material is to be used as training material only and shall by no means substitute the Operator Manual. Any material used in this training will not be updated on a regular basis and does not necessarily reflect the latest version of the software and hardware available at the time of the training. The Operator's Manual shall be used as your main reference, in particular for relevant safety information like warnings and cautions. Note: Some functions shown in this material are optional and might not be part of your system. Certain products, product related claims or functionalities (hereinafter collectively “Functionality”) may not (yet) be commercially available in your country. Due to regulatory requirements, the future availability of said Functionalities in any specific country is not guaranteed. Please contact your local Siemens Healthineers sales representative for the most current information. The reproduction, transmission or distribution of this training or its contents is not permitted without express written authority. Offenders will be liable for damages. ACUSON Redwood and UltraArt universal image processing are trademarks of Siemens Medical Solutions USA, Inc. All names and data of patients, parameters and configuration dependent designations are fictional and examples only. All rights, including rights created by patent grant or registration of a utility model or design, are reserved. Copyright © Siemens Healthcare GmbH 2020 Siemens Healthineers Headquarters\Siemens Healthcare GmbH\Henkestr. 127\ 91052 Erlangen, Germany\Telephone: +49 9131 84-0\siemens-healthineers.com Siemens Healthineers Headquarters Legal Manufacturers Siemens Healthcare GmbH Siemens Medical Solutions USA, Inc. Henkestr. 127 Ultrasound 91052 Erlangen, Germany 22010 S.E. 51st Street Phone: +49 9131 84-0 Issaquah, WA 98029, USA siemens-healthineers.com Phone: 1-888-826-9702 siemens-healthineers.com/ultrasound Published by Siemens Medical Solutions USA, Inc. · 8392 1219 online · ©Siemens Medical Solutions USA, Inc., 2019

  • MDS
  • Safety
  • Priacy
  • patient privacy
  • security