PEPconnect

ACUSON Sequoia Ultrasound system, release VA11 Security and MDS² Form

The reproduction, transmission or distribution of this training or its contents is not permitted without express written authority. Offenders will be liable for damages. 
 
All names and data of patients, parameters and configuration dependent designations are fictional and examples only. 
 
All rights, including rights created by patent grant or registration of a utility model or design, are reserved.
 
Please note that the learning material is for training purposes only! 
 
For the proper use of the software or hardware, please always use the Operator Manual or Instructions for Use (hereinafter collectively “Operator Manual”) issued by Siemens Healthineers. This material is to be used as training material only and shall by no means substitute the Operator Manual. Any material used in this training will not be updated on a regular basis and does not necessarily reflect the latest version of the software and hardware available at the time of the training. 
 
The Operator Manual shall be used as your main reference, in particular for relevant safety information like warnings and cautions.
 
Note: Some functions shown in this material are optional and might not be part of your system. The information in this material contains general technical descriptions of specifications and options as well as standard and optional features that do not always have to be present in individual cases.
 
Certain products, product related claims or functionalities described in the material (hereinafter collectively “Functionality”) may not (yet) be commercially available in your country. Due to regulatory requirements, the future availability of said Functionalities in any specific country is not guaranteed. Please contact your local Siemens Healthineers sales representative for the most current information.
 
ACUSON Sequoia is a trademark of Siemens Medical Solutions USA, Inc.
Copyright © Siemens Healthcare GmbH, 2020

White paper
ACUSON Sequoia ultrasound system, release VA11 Security and MDS2 Form
Facts about security and privacy requirements
siemens-healthineers.com/sequoia
SIEMENS Healthineers

Product and solution security white paper · ACUSON Sequoia VA11

The Siemens Healthineers product and solution security program

At Siemens Healthineers, we are committed to working with you to address your cybersecurity and privacy requirements throughout the lifecycle of our medical devices.

Our product and solution security program addresses state-of-the-art cybersecurity in our current and future products. We support you in protecting the privacy of your data, while at the same time providing measures that strengthen the resiliency of your medical equipment against external cybersecurity attackers.

To help you meet your IT security and privacy obligations, we comply with security and privacy regulations of the U.S. Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights (OCR).

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure and to inform our customers and other parties, when appropriate, by responding to potential vulnerabilities and incidents in our medical devices, no matter the source.

Elements of our product and solution security program

• Providing information about the secure configuration and use of Siemens Healthineers medical devices in your IT environment
• Formal threat and risk analysis for our medical devices
• Secure architecture, design, and coding methodologies in our software development process
• Static code analysis of medical device software
• Security testing of medical devices under development as well as medical devices already in the field
• Patch management tailored to the medical device and your needs
• Security vulnerability monitoring to track reported third-party component issues in our medical devices
• Working with suppliers to ensure security is addressed throughout the supply chain
• Employee training to ensure their knowledge is consistent with the requirements to contribute to protecting your data and device integrity

Please contact us anytime to report product and solution security, cybersecurity, or privacy incidents at: [email protected]

For non-urgent communications or requests, please contact us at: [email protected]

Thank you for making Siemens Healthineers your partner of choice!

Yours sincerely,
Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers

Contents

Basic Information ..................................................... 4
Network Information ............................................... 6
Security Controls ...................................................... 8
Software Bill of Materials ........................................ 10
Manufacturer Disclosure Statement According to IEC 60601-1 ........................................ 12
Manufacturer Disclosure Statement for Medical Device Security – MDS2 ......................... 16
Abbreviations .......................................................... 23
Disclaimer According to IEC 80001-1 ....................... 24
International Electrotechnical Commission Glossary (extract) .................................................... 24
Statement on FDA Cybersecurity Guidance ............. 25

Basic Information

Why is cybersecurity important?

Keeping patient data safe and secure should typically be one of the top priorities of healthcare institutions. It is estimated that the cost associated with the recovery of each medical record in the United States can be as high as $380.¹ According to the Ponemon Institute research report,² 39% of medical devices were hacked, with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

Our purpose is to help healthcare providers succeed

The new ACUSON Sequoia™ ultrasound system is the result of more than three decades of experience in ultrasound engineering. A general imaging ultrasound system, it was developed in response to one of the most prevalent challenges in ultrasound imaging today: the imaging of different-sized patients with consistency and clarity. With its new Deep Abdominal Transducer (DAX), a new high-powered architecture, and innovative updates to elastography and contrast-enhanced ultrasound, the new ACUSON Sequoia system produces penetration up to 40 cm. With its powerful architecture and innovative features, the ACUSON Sequoia system expands precision medicine by enabling high-resolution imaging that adapts to patients’ size and personal characteristics, contributing to more confident diagnosis.

Operating systems

Please refer to the Software Bill of Materials chapter.

User account information

• ACUSON Sequoia system VA11 software user accounts can be local Windows accounts, managed by the administrator of the system, or LDAP-based accounts if the system is part of a Microsoft Windows Domain.
• A break-glass mechanism ensures access to the system in emergency scenarios.
• The system provides preconfigured Password Policies that can be customized by administrators.

Domain integration

In case of domain integration, we recommend that you put the device in its own OU. No global policies are allowed. More details will be provided in the Administration Manual.

Patching strategy

• Security patches will be provided on a regular basis after validation by Siemens Healthineers to maintain the clinical function of the medical device.
• If connected to Smart Remote Services (SRS), formerly Siemens Remote Service, updates will be pushed to the system automatically. They need to be confirmed/executed by the actual user.
• Alternatively, you can manually install updates by using the Siemens Healthineers ASU service provided in the LifeNet platform.
• Technologies and software components are actively monitored for vulnerabilities and availability of security updates.

¹ https://healthitsecurity.com/news/how-much-do-healthcare-data-breaches-cost-organizations
² https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf

Cryptography usage

The ACUSON Sequoia system VA11 software uses ciphers and protocols built into Windows 10 for encryption and data protection. If needed, hardening measures limit usage to those that are at least FIPS 140-2-compliant.

Handling of sensitive data

• This ultrasound system is designed for temporary data storage only. Siemens Healthineers recommends storing patient data in a long-term archive, e.g., on a PACS, and data must be deleted using a facility-defined procedure.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system, similar to DICOM data, raw data, and metadata for DICOM creation. Note: The time for which PHI is stored is determined by the facility.
• Personally Identifiable Information (PII) as part of the DICOM records is also temporarily stored on the ultrasound system, e.g., patient’s name, birthday or age, height and weight, personal identification number, and referring physician’s name. Additional sensitive information might be present in user-editable input fields or in the images acquired.
• Protected Health Information (PHI) is transmitted via DICOM (encrypted/unencrypted).
Network Information

[Figure 1: Security boundaries for system deployment. The diagram places the Ultrasound Machine in the Clinical Network and labels its connections: PACS/RIS (IN, OUT: DICOM), Domain Controller (IN, OUT: LDAP, TCP/UDP), Network Share (OUT: TCP), NUANCE (IN, OUT: TCP), and, across the Internet boundary via the SRS Router, Smart Remote Services and the Remote Service Access Server (IN, OUT: TCP, UDP, RDP).]

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN).

To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall or using access control lists on the network switches to limit traffic to identified peers. At minimum, the DICOM port (see Table 1) must be visible to your DICOM network nodes (e.g., PACS, syngo®.via, etc.).

Please contact the Siemens Healthineers Service organization for further information.

The following ports are used by the system. You can modify the status of the ports (open/closed) through the main security UI.

Port number   Service/function                                     Direction     Protocol
80            Microsoft IIS¹                                       Inbound       TCP
104           DICOM Communication (unencrypted)                    In/outbound   TCP
443           Administration Portal – Remote Service (encrypted)   Inbound       TCP
2762          Secure DICOM (optional)                              In/outbound   TCP
8226          Managed Node Package MNP                             Inbound       TCP
8227          Managed Node Package MNP                             Inbound       TCP
8228          Managed Node Package MNP                             Inbound       TCP
11080         Remote Assist (eSieLink)                             Inbound       TCP
12061         Managed Node Package MNP                             Inbound       TCP
13001         Managed Node Package MNP                             Inbound       TCP
Table 1: Used Port Numbers

Security Controls

Malware protection

• Whitelisting (McAfee® Application Control)

Hardening

• ACUSON Sequoia system VA11 software hardening is implemented based on the Security Technical Implementation Guidelines developed by the Defense Information Systems Agency (DISA).

Controlled use of administrative privileges

• The system distinguishes between clinical and administrative roles. Clinical users do not require administrative privileges. Authorization as administrator is required for administrative tasks.

Authentication and authorization controls

• The ACUSON Sequoia system VA11 software supports Health Insurance Portability and Accountability Act (HIPAA) regulation with role-based privilege assignment and access control.
• The ACUSON Sequoia system VA11 software supports both machine-local users and LDAP-defined users.
• The user interface of the ACUSON Sequoia system VA11 software provides a screen lock functionality that can be engaged manually or automatically after a certain inactivity time. For details, please refer to the User Manual.

Network controls

• The system is designed to make limited use of network ports and protocols. Microsoft Windows firewall is configured to block unwanted inbound network traffic except for the ports listed in Table 1.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g., a separate network segment or VLAN.
• Connection to the Internet or to private networks for patients/guests is not recommended.
• In case of a denial of service (DoS) or malware attack, the system can be taken off the network and operated in a stand-alone state.

Continuous vulnerability assessment and remediation

• Continuous vulnerability assessment and remediation is performed.

Physical protection

You are responsible for the physical protection of the ACUSON Sequoia system VA11 software, e.g., by operating it in a room with access control. Please note that the system contains patient data and should be protected against tampering and theft.

• The system is protected by Secure Boot, which blocks unsigned boot media.
• It is possible to change the BIOS password. Please contact Siemens Healthineers Service for support.

Data protection controls

• The system is not intended to be an archive (data at rest). PHI is protected by both role-based access control and hard drive encryption (optional).
• Hard drive encryption is an optional feature that is implemented through Microsoft BitLocker technology and use of the TPM (Trusted Platform Module) chip on the system’s motherboard.
• The system provides auditing of PHI access control.
• Optionally, confidentiality and integrity of PHI/PII data can be protected by encryption of DICOM communication with other DICOM nodes. Note: In the VA11 software release for the ACUSON Sequoia system, encrypted communication can be used if all connected DICOM nodes support it.

Incident response and management

• The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents.
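Table 1 and the network controls above define the only inbound ports the system should expose, and the Network Information chapter asks that the DICOM port be visible only to identified peers. The following added example (not code from Siemens Healthineers or this white paper) checks constructed Windows Firewall log records in the W3C pfirewall.log layout against that allow-list; the peer addresses, the system address and the probe threshold are assumptions for the example.

```python
"""Allow-list check of inbound Windows Firewall log records against Table 1.

Added example for this white paper, not code from Siemens Healthineers. It
reads the W3C-format firewall log (the "#Fields:" header names the columns)
and reports inbound traffic that contradicts Table 1, DICOM connections from
peers that were not identified, and sources refused on many closed ports
(recommendation 2-16: monitor the network for unusual traffic).
"""
from collections import defaultdict
from dataclasses import dataclass

# Table 1 of the white paper: the only inbound-reachable ports, all TCP.
ALLOWED_INBOUND = {
    80: "Microsoft IIS",
    104: "DICOM Communication (unencrypted)",
    443: "Administration Portal - Remote Service (encrypted)",
    2762: "Secure DICOM (optional)",
    8226: "Managed Node Package MNP",
    8227: "Managed Node Package MNP",
    8228: "Managed Node Package MNP",
    11080: "Remote Assist (eSieLink)",
    12061: "Managed Node Package MNP",
    13001: "Managed Node Package MNP",
}
DICOM_PORTS = {104, 2762}

# Assumptions for this example (site-specific, not from the white paper):
# the identified DICOM peers (PACS/RIS) and how many distinct closed ports
# one source may be refused on before it is reported.
DICOM_PEERS = {"10.20.30.5", "10.20.30.6"}
PROBE_THRESHOLD = 3


@dataclass
class Finding:
    line_no: int      # 1-based log line; 0 for findings aggregated per source
    severity: str
    reason: str


def parse_pfirewall(lines):
    """Yield (line_no, record) for each data row of a W3C firewall log."""
    fields = None
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield n, dict(zip(fields, values))


def check_inbound(lines):
    """Return findings for inbound records that violate the allow-list."""
    findings = []
    dropped = defaultdict(set)  # source -> closed ports it was refused on
    for n, rec in parse_pfirewall(lines):
        if rec.get("path") != "RECEIVE" or rec["protocol"] not in ("TCP", "UDP"):
            continue
        port, src, proto = int(rec["dst-port"]), rec["src-ip"], rec["protocol"]
        if rec["action"] == "DROP":
            dropped[src].add(port)
        elif rec["action"] != "ALLOW":
            continue
        elif port not in ALLOWED_INBOUND:
            findings.append(Finding(n, "HIGH", f"inbound {proto}/{port} accepted but not listed in Table 1"))
        elif proto != "TCP":
            findings.append(Finding(n, "HIGH", f"Table 1 lists port {port} as TCP only, saw {proto}"))
        elif port in DICOM_PORTS and src not in DICOM_PEERS:
            findings.append(Finding(n, "HIGH", f"DICOM port {port} reached from unidentified peer {src}"))
        elif port == 104:
            findings.append(Finding(n, "INFO", f"unencrypted DICOM on 104 from {src}; Secure DICOM (2762) is optional if all nodes support it"))
    for src, ports in sorted(dropped.items()):
        if len(ports) >= PROBE_THRESHOLD:
            findings.append(Finding(0, "MEDIUM", f"{src} was refused on {len(ports)} closed ports {sorted(ports)}"))
    return findings


# Constructed sample log: 10.20.31.40 is the ultrasound system, 10.20.30.x the PACS/RIS peers.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-10-07 08:00:01 ALLOW TCP 10.20.30.5 10.20.31.40 50100 104 0 - 0 0 0 - - - RECEIVE
2019-10-07 08:00:05 ALLOW TCP 10.20.31.40 10.20.30.5 50101 104 0 - 0 0 0 - - - SEND
2019-10-07 08:01:10 ALLOW TCP 10.20.40.9 10.20.31.40 40222 104 0 - 0 0 0 - - - RECEIVE
2019-10-07 08:02:00 ALLOW TCP 10.20.40.9 10.20.31.40 40223 3389 0 - 0 0 0 - - - RECEIVE
2019-10-07 08:03:00 DROP TCP 10.20.50.1 10.20.31.40 33001 22 0 - 0 0 0 - - - RECEIVE
2019-10-07 08:03:01 DROP TCP 10.20.50.1 10.20.31.40 33002 445 0 - 0 0 0 - - - RECEIVE
2019-10-07 08:03:02 DROP TCP 10.20.50.1 10.20.31.40 33003 3389 0 - 0 0 0 - - - RECEIVE
2019-10-07 08:04:00 ALLOW TCP 10.20.30.6 10.20.31.40 50200 2762 0 - 0 0 0 - - - RECEIVE
2019-10-07 08:05:00 ALLOW UDP 10.20.60.2 10.20.31.40 5000 80 0 - - - - - - - RECEIVE
"""

if __name__ == "__main__":
    for f in check_inbound(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] line {f.line_no}: {f.reason}")
```

On the sample above the accepted RDP-port connection, the DICOM association from an unidentified host and the UDP hit on port 80 are reported as HIGH, the three refused probes from one source as MEDIUM, and the unencrypted DICOM association from a known PACS as INFO.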
Auditing/logging

• The system provides HIPAA-compliant auditing of operations on PHI, PII, and user information (i.e., login, read access to PHI, modification of PHI).

Remote connectivity

• SRS is optionally used for proactive maintenance. The connection is created using a secured channel (VPN- or IBC-based connection). It is used, for example, to download security patches and updates.
• Alternatively, you can use the Siemens Healthineers LifeNet platform to download available hotfixes and install them on offline machines that are not connected to the SRS network.

Software Bill of Materials

The following table lists the most relevant third-party technologies used (general drivers not included).

Vendor name / URL              Component name                                Component version              Description / use
7-zip.org                      7Zip                                          16.04                          Compression of service log files
Accusoft Pegasus               PICTools Library                              2.0                            Image compression/decompression
Adobe Systems                  Acrobat Reader                                11.0.17                        PDF files reading
Advantech                      iManager                                      140718                         API to COMe board
Apache.org                     Log4net                                       1.2.11                         Logging library
bitbucket.org/Coin3D           Coin (with simage 1.0)                        4.0                            Image rendering
Boost.org                      Boost                                         1.46.1                         Image rendering
dicom.offis.de/dcmtk.php.en    dcmtk                                         4.5                            DICOM library
github.com/codebude/           QRCoder                                       1.3.3                          QR creation
Intel                          IPP                                           9.0.4                          Signal processing
ijg.org                        Libjpeg                                       8.0                            Image compression/decompression
nuget.org/packages/            Antlr                                         3.4.1                          Language recognition tool
nuget.org/packages/            Twitter Bootstrap                             3.0                            Website prototyping design
nuget.org/packages/            jQuery                                        1.6, 1.10, 1.11                JavaScript library
McAfee                         Application Control                           7.0                            Whitelisting
Merge Healthcare               Merge-Com                                     4.5                            SR files creation
Microsoft                      Windows 10 Enterprise IoT – LTSB 2016                                        Operating system
Microsoft                      .NET Framework                                4.5, 4.6, 4.7                  Programming framework
Microsoft                      Visual C++ Redistributable                    2008, 2010, 2012, 2013, 2015   Programming framework
Microsoft                      Windows ADK                                   10                             Deployment framework
Microsoft                      ApplicationRequestRouting (with WebDeploy,    2.0, 3.0                       Routing in IIS
                               WebFarm 2.2, and WebPI 3.0)
Microsoft                      ASP .NET (Core, Identity, MVC)                2.1                            Web API controller
Microsoft                      SQL Server 2016 LocalDB                       13.1                           Utilization data archiving
Microsoft                      Entity Framework                              6.0, 6.1.1, 6.1.3              Object relational mapper
Microsoft                      P&P Enterprise Library                        3.0                            Logging application
NVIDIA                         CUDA toolkit                                  8.0                            Runtime for CUDA code
NVIDIA                         Control Panel                                 386.11                         Video/audio configuration software
Newtonsoft                     Json .NET                                     6.0                            Json format serialization and deserialization
Python.org                     Python                                        3.5.1                          Python runtime environment
Siemens Healthineers           syngo® Classic                                VA11A                          Medical framework
Siemens Healthineers           TeamViewer                                    VA11B                          Siemens Healthineers adaptation of TeamViewer
Siemens Healthineers           MNP                                           VI30B                          Siemens Healthineers adaptation of HP Radia Notify
sourceforge.net                Glew                                          1.7                            OpenGL extensions
Telerik                        Reporting and documents libraries             2016.03                        Libraries for document processing
TomTec                         VVI                                           1.3                            Clinical apps
TomTec                         Cardiac Calcs                                 5.0                            Clinical apps
X-Rite                         iProfiler                                     1.7.1                          Monitor calibration

Manufacturer Disclosure Statement According to IEC 60601-1

Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1. Network properties required by the system and resulting risks

1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1 Gb/s performance:
• If the network is down, the network services (see below) are not available, which can lead to the risks stated below.
• If the network is unavailable, medical images cannot be transferred for remote consultation.
• If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below.
• If the recommended network performance (1 Gbit/s) is not provided, the transfer of images takes longer, and availability of images at destinations (e.g., for consulting) is delayed.
• Only the protocols shown in the table of used ports are needed for communication.

1-2 PACS system for archiving images/results
• If the PACS is not available:
  – images cannot be archived after the examination. In case of a system hardware failure, all non-archived images can be lost.
  – images cannot be archived after the examination. Examinations may no longer be possible because the hard drive is full, as non-archived images cannot be automatically removed.
  – images cannot be archived after the examination. In case of manual deletion of images, unarchived images can be lost.
  – images are not available for remote consultation via PACS consoles.
  – prior images are not available.
• If the recommended network performance (1 Gbit/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system after the last transfer operations is prolonged.

1-3 DICOM printer
• If the DICOM printer is not available, film is not available for diagnosis/archive.

1-4 RIS system
• If the RIS system is not available:
  – the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images when sent to the PACS until they are manually coerced with the RIS data in the PACS.
  – in case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-current RIS data is used when registering a patient from the list of schedules on the system.

1-5 Network connection to the SRS server
• If the connection to the Smart Remote Services server is not available, then support from Siemens Healthineers service is limited.

1-6 Common medical protocol properties
• Protocols used in medical environments are typically unsecure, with the exception of secure Smart Remote Services (using HTTPS).
2. Instructions for the responsible organization

2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.
2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis.
2-3 Changes to the network include:
• changes in network configuration
• connection of additional items to the network
• disconnecting items from the network
• update of equipment connected to the network
• upgrade of equipment connected to the network
2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.
2-5 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that staff who have access to the device do not have the opportunity to cause any harm to the system.
2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.
2-7 Staff of the RESPONSIBLE ORGANIZATION have to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this.
2-8 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that only authorized medical/administrative staff have access to the device.
2-9 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that visitors/patients do not have unsupervised physical access to the system.
2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers.
2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system.
2-12 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet nor from the organization’s intranet to the device is possible.
2-13 The RESPONSIBLE ORGANIZATION is responsible for ensuring physical security for the device.
2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.
2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.
2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.
2-17 The RESPONSIBLE ORGANIZATION is responsible for the hard drive encryption keys and for preventing the theft or loss of those keys.

3. Intended purpose of integrating the device into an IT network

3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network.
3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of acquired images to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS, making future retrievals fast and easy.
3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.

4. Network properties required by the system and resulting risks

4-1 Unsuccessful data transfer not recognized
Function: Archiving and Networking
Hazard: Wrong diagnosis / loss of acquisition data
Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted locally before it has been successfully transferred to another system.
Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
Effect on: Patient

4-2 Incorrect or incomplete data transfer
Function: Data Exchange – Network
Hazard: Wrong diagnosis, wrong examination / loss of acquisition data, loss of post-processing results, corrupted data, inconsistent data
Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, DICOM objects that are not considered may be deleted, corrupted or unintentionally manipulated. Data on the sender and receiver side is not consistent. Failure of transfer not recognized.
Measure: It has to be verified by testing that there is no object loss during sending, which means:
• Verify that exception scenarios result in a failed job (and check for other exceptions in log files).
• Verify that error cases which result in data not complying with the DICOM standard are covered by exception scenarios.
Effect on: Patient

4-3 Insecure or incorrectly configured clinical network
Function: Network Security
Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS
Caution: Unauthorized access may affect system performance and data security.
Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
• Lowered system performance and/or non-operational system
• Loss of data security including loss of all patient data
Measure:
• Enable your system administrator to ensure network security and the security of the operational infrastructure
• Consult manuals for secure setup
• Perform system updates as required
• Run your medical device only in protected network environments, and do not connect it directly to public networks
• Set up firewalls
• Prevent configuration files from being changed by users
• Update and patch networked systems as required
Effect on: Patient

4-4 BitLocker recovery keys not available when needed
Function: Hard drive encryption
Hazard: Loss of patient data, system DoS
Caution: Customer should keep BitLocker recovery keys safe
Cause: In case the customer opted for hard drive encryption and BitLocker fails to access the encrypted drive for whatever reason, the recovery keys will be needed by Siemens Healthineers Service to pause encryption and have offline access to the hard drive and the patient data stored on it.
Effect on: Patient, System

Manufacturer Disclosure Statement for Medical Device Security – MDS2

Device Description
Device Category: Diagnostic Ultrasound
Manufacturer: Siemens Medical Solutions USA, Inc.
Document ID: 11147457 FPD 080 05
Document Release Date: 10/07/2019
Device Model: ACUSON Sequoia
Software Revision: VA11
Software Release Date: 10/07/2019

Manufacturer or Representative Contact Information
Company Name: Siemens Medical Solutions USA, Inc.
Manufacturer Contact Information: Siemens Medical Solutions – Ultrasound, 685 E Middlefield Rd, Mountain View, CA 94043
Representative Name / Position: David Weibel / Director Engineering

Intended use of device in network-connected environment
Optionally, the ACUSON Sequoia system can be configured to communicate with a hospital Picture Archiving and Communication System (PACS). The following DICOM services are supported: Store SCP/SCU, Modality Worklist SCU, Query/Retrieve SCU, Storage Commitment SCU, Print SCU, and DICOM Structured Reporting SCU. Optionally, the ACUSON Sequoia system can be configured to write a generated structured report to a Windows shared folder. Optionally, the ACUSON Sequoia system can be configured to communicate with a Nuance PowerScribe® 360 | Reporting server to publish measurement results.

Management of Private Data
Refer to Section 2.3.2 of the HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in this form. Each item is answered Yes, No, N/A, or See Note; a note number follows the answer where one applies.

A    Can this device display, transmit, or maintain private data (including electronic Protected Health Information [ePHI])?  Yes
B    Types of private data elements that can be maintained by the device:
B.1  Demographic (e.g., name, address, location, unique identification number)?  Yes
B.2  Medical record (e.g., medical record #, account #, test or treatment date, device identification number)?  Yes
B.3  Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)?  Yes
B.4  Open, unstructured text entered by device user/operator?  Yes
B.5  Biometric data?  Yes
B.6  Personal financial information?  No
C    Maintaining private data ‒ Can the device:
C.1  Maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)?  Yes
C.2  Store private data persistently on local media?  Yes
C.3  Import/export private data with other systems?  Yes
C.4  Maintain private data during power service interruptions?  Yes
D    Mechanisms used for the transmitting, importing/exporting of private data – Can the device:
D.1  Display private data (e.g., video display, etc.)?  Yes
D.2  Generate hardcopy reports or images containing private data?  Yes
D.3  Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)?  Yes
D.4  Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)?  Yes (Note 1)
D.5  Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)?  Yes (Note 1)
D.6  Transmit/receive private data via an integrated wireless network connection (e.g., WiFi, Bluetooth, infrared, etc.)?  Yes
D.7  Import private data via scanning?  Yes
D.8  Other?  N/A
Management of private data notes: 1) The system can store height, weight and BSA.

Security capabilities
Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. Each item is answered Yes, No, N/A, or See Note; a note number follows the answer where one applies.

1 Automatic logoff (ALOF)
The device’s ability to prevent access and misuse by unauthorized users if the device is left idle for a period of time.
1-1    Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)?  Yes
1-1.1  Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? (Indicate time [fixed or configurable range] in notes.)  Yes (Note 1)
1-1.2  Can auto-logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) by the user?  Yes
ALOF notes: 1) The auto-logoff can be configured from 1 to 120 minutes.

2 Audit controls (AUDT)
The ability to reliably audit activity on the device.
2-1      Can the medical device create an audit trail?  Yes
2-2      Indicate which of the following events are recorded in the audit log:
2-2.1    Login/logout  Yes
2-2.2    Display/presentation of data  Yes
2-2.3    Creation/modification/deletion of data  Yes
2-2.4    Import/export of data from removable media  Yes
2-2.5    Receipt/transmission of data from/to external (e.g., network) connection  Yes
2-2.5.1  Remote service activity  Yes
2-2.6    Other events? (describe in the notes section)  No
2-3      Indicate what information is used to identify individual events recorded in the audit log:
2-3.1    User ID  Yes
2-3.2    Date/time  Yes
AUDT notes: 1) Log items are encrypted as they are added to the audit log.

3 Authorization (AUTH)
The ability of the device to determine the authorization of users.
3-1  Can the device prevent access to unauthorized users through user login requirements or other mechanism?  Yes
3-2  Can users be assigned different privilege levels within an application based on ‘roles’ (e.g., guests, regular users, power users, administrators, etc.)?  Yes
3-3  Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via local root or admin account)?  No
AUTH notes: N/A

4 Configuration of security features (CNFS)
The ability to configure/re-configure device security capabilities to meet user’s needs.
4-1  Can the device owner/operator reconfigure product security capabilities?  Yes (Note 1)
CNFS notes: 1) The admin, via the security health system configuration screen, can configure the firewall, etc. In addition, only the admin can configure data export capabilities, including Nuance, Network Share, and DICOM.

5 Cyber security product upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade the device’s security patches.
5-1    Can relevant OS and device security patches be applied to the device as they become available?  Yes (Note 1)
5-1.1  Can security patches or other software be installed remotely?  Yes (Note 2)
CSUP notes: 1) Only security patches that become available through Siemens Healthineers are subject to installation in the system. 2) Siemens Remote Service can push patches to the system, which are then installed after approval by the user.

6 Health data de-identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.
6-1  Does the device provide an integral capability to de-identify private data?  Yes (Note 1)
DIDT notes: 1) There is a feature in Patient Browser which will blank the patient banner and blank the DICOM tags identifying a particular patient.

7 Data backup and disaster recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, or software.
7-1  Does the device have an integral data backup capability (i.e., backup to remote storage or removable media such as tape, disk)?  Yes (Note 1)
DTBK notes: 1) Patient data is uploaded to PACS either during or after each exam.
Patient data can be backed up to USB or DVD. System configuration can be backed up to USB.

8    Emergency access (EMRG)
The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data.
8-1  Does the device incorporate an emergency access (“break-glass”) feature?  Yes (Note 1)
EMRG notes:
1) The system will allow for an emergency exam to be performed. Access to main aspects of the system other than those required to perform the exam is restricted.

9    Health data integrity and authenticity (IGAU)
How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is from the originator.
9-1  Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology?  No
IGAU notes: N/A

10   Malware detection/protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).
10-1    Does the device support the use of anti-malware software (or other anti-malware mechanism)?  Yes (Note 1)
10-1.1  Can the user independently re-configure anti-malware settings?  No
10-1.2  Does notification of malware detection occur in the device user interface?  N/A
10-1.3  Can only manufacturer-authorized persons repair systems when malware has been detected?  Yes
10-2    Can the device owner install or update anti-virus software?  No
10-3    Can the device owner/operator (technically/physically) update virus definitions on manufacturer-installed antivirus software?  N/A
MLDP notes:
1) McAfee Application Control is incorporated into the system. Only software signed by Siemens Healthineers can execute.

11   Node authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.
11-1  Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information?  Yes (Note 1)
NAUT notes:
1) Communication to a PACS can be configured to use TLS certificates only if encrypted DICOM functionality is being used.

12   Person authentication (PAUT)
Ability of the device to authenticate users.
12-1    Does the device support user/operator-specific username(s) and password(s) for at least one user?  Yes
12-1.1  Does the device support unique user/operator-specific IDs and passwords for multiple users?  Yes
12-2    Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)?  Yes
12-3    Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts?  Yes
12-4    Can default passwords be changed at/prior to installation?  Yes
12-5    Are any shared user IDs used in this system?  No
12-6    Can the device be configured to enforce creation of user account passwords that meet established complexity rules?  Yes
12-7    Can the device be configured so that account passwords expire periodically?  Yes
PAUT notes:
1) Accounts and passwords for those accounts are configurable by the administrator of the system. The password aging can be configured from 0 (never expires) to 999 days. The default setting is 42 days.

13   Physical locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media.
13-1  Are all device components maintaining private data (other than removable media) physically secure (i.e., cannot remove without tools)?  Yes
PLOK notes: N/A

14   Roadmap for third party components in device life cycle (RDMP)
Manufacturer’s plans for security support of 3rd party components within device life cycle.
14-1  In the notes section, list the provided or required (separately purchased and/or delivered) operating system(s) – including version number(s).  Yes (Note 1)
14-2  Is a list of other third party applications provided by the manufacturer available?  Yes
RDMP notes:
1) Microsoft Windows 10 64 bit LTSB
2) Compass OTS PN 11148025-FPV-022

15   System and application hardening (SAHD)
The device’s resistance to cyber-attacks and malware.
15-1   Does the device employ any hardening measures? Please indicate in the notes the level of conformance to any industry-recognized hardening standards.  Yes (Note 1)
15-2   Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update?  Yes
15-3   Does the device have external communication capability (e.g., network, modem, etc.)?  Yes
15-4   Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)?  Yes
15-5   Are all accounts which are not required for the intended use of the device disabled or deleted, for both users and applications?  Yes
15-6   Are all shared resources (e.g., file shares) which are not required for the intended use of the device, disabled?  Yes
15-7   Are all communication ports which are not required for the intended use of the device closed/disabled?  Yes
15-8   Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which are not required for the intended use of the device deleted/disabled?  Yes
15-9   Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled?  Yes (Note 2)
15-10  Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)?  Yes
15-11  Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools?  No
SAHD notes:
1) DISA STIGs
2) Booting from uncontrolled removable media requires BIOS password.

16   Security guidance (SGUD)
The availability of security guidance for operator and administrator of the system and manufacturer sales and service.
16-1  Are security-related features documented for the device user?  Yes (Note 1)
16-2  Are instructions available for device/media sanitization (i.e., instructions for how to achieve the permanent deletion of personal or other sensitive data)?  Yes
SGUD notes:
1) The user manual has a security chapter for hardening the system.
17   Health data storage confidentiality (STCF)
The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on device or removable media.
17-1  Can the device encrypt data at rest?  Yes (Note 1)
STCF notes:
1) Microsoft BitLocker can be enabled at the factory or after customer installation.

18   Transmission confidentiality (TXCF)
The ability of the device to ensure the confidentiality of transmitted private data.
18-1  Can private data be transmitted only via a point-to-point dedicated cable?  No
18-2  Is private data encrypted prior to transmission via a network or removable media? (If yes, indicate in the notes which encryption standard is implemented.)  See Note 1
18-3  Is private data transmission restricted to a fixed list of network destinations?  Yes
TXCF notes:
1) Encryption via industry standards is available with wireless networking. Application layer encryption is available only if encrypted DICOM functionality is being used. Secure DICOM can be configured to use TLS 1.0, 1.1, or 1.2. DICOM is encrypted using TLS_RSA_WITH_128_CBC_SHA or TLS_RSA_WITH_3DES_EDE_CBC_SHA.

19   Transmission integrity (TXIG)
The ability of the device to ensure the integrity of transmitted private data.
19-1  Does the device support any mechanism intended to ensure data is not modified during transmission? (If yes, describe in the notes section how this is achieved.)  Yes (Note 1)
TXIG notes:
1) Industry-standard data encryption, TLS protocol. Use of these options enables transmission integrity and addresses man-in-the-middle scenarios. Secure DICOM uses TLS, which guarantees confidentiality and integrity of data.

20   Other security considerations (OTHR)
Additional security considerations/notes regarding medical device security.
20-1    Can the device be serviced remotely?  Yes
20-2    Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)?  Yes
20-2.1  Can the device be configured to require the local user to accept or initiate remote access?  Yes
OTHR notes: N/A

Abbreviations
AD       Active Directory
AES      Advanced Encryption Standard
BIOS     Basic Input Output System
DES      Data Encryption Standard
DICOM    Digital Imaging and Communications in Medicine
DISA     Defense Information Systems Agency
DMZ      Demilitarized Zone
DoS      Denial of Service
ePHI     Electronic Protected Health Information
FDA      Food and Drug Administration
FIPS     Federal Information Processing Standards
GPO      Group Policy Object
HHS      Health and Human Services
HIPAA    Health Insurance Portability and Accountability Act
HIMSS    Healthcare Information and Management Systems Society
HTTP     Hypertext Transfer Protocol
HTTPS    HTTP Secure
ICS      Integrated Communication Services
IEC      International Electrotechnical Commission
MD5      Message Digest 5
MDS2     Manufacturer Disclosure Statement
MSTS     Microsoft Terminal Server
NEMA     National Electrical Manufacturers Association
NTP      Network Time Protocol
OCR      Office for Civil Rights
OU       Organizational Unit
PACS     Picture Archiving and Communication System
PHI      Protected Health Information
PII      Personally Identifiable Information
RIS      Radiology Information System
RPC      Remote Procedure Call
RSA      Random Sequential Adsorption
SAM      Security Accounts Manager
SHA      Secure Hash Algorithm
SQL      Structured Query Language
SRS      Smart Remote Services
STIG     Security Technical Implementation Guideline
SW       Software
TCP      Transmission Control Protocol
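The TXCF and TXIG notes above are the one place in this form where the hospital side has a real decision to make: Secure DICOM on this release can be set to TLS 1.0, 1.1 or 1.2 and to one of two static-RSA CBC cipher suites, and the PACS that accepts the device's associations decides which of those actually gets negotiated. The Python below is an added example written for this page, not Siemens code and not part of the white paper. It encodes only the options the form discloses, flags the combinations a defender should refuse (TLS 1.0 and 1.1 are deprecated by RFC 8996, 3DES is a 64-bit block cipher, and neither suite offers forward secrecy), and builds a PACS-side listener context that can negotiate nothing weaker than the strongest disclosed pair. The IANA name TLS_RSA_WITH_AES_128_CBC_SHA for the suite the page prints as TLS_RSA_WITH_128_CBC_SHA, the OpenSSL suite names, the severity labels, and the certificate file paths are assumptions of this example.

```python
"""Policy review of the Secure DICOM TLS options disclosed in the MDS² TXCF/TXIG notes.

Added example for this page; not Siemens code. Only the options the form
states are encoded here, plus public facts about them (RFC 8996 deprecates
TLS 1.0/1.1; 3DES is a 64-bit block cipher; static RSA has no forward secrecy).
"""
import ssl
from dataclasses import dataclass
from typing import List, Tuple

# Protocol versions the TXCF note says Secure DICOM can be configured to use.
DEVICE_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1", "TLSv1.2")

# Cipher suites named in the TXCF note. The page prints the first one as
# TLS_RSA_WITH_128_CBC_SHA; the IANA registry name with "AES" is an assumption.
DEVICE_CIPHER_SUITES = (
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
)

# IANA suite name -> OpenSSL name, the form ssl.SSLContext.set_ciphers() expects.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = do not deploy; "medium" = needs a compensating control
    message: str


def review_dicom_tls(version: str, cipher_suite: str) -> List[Finding]:
    """Evaluate one (version, suite) pair an administrator intends to configure."""
    findings: List[Finding] = []

    if version not in DEVICE_TLS_VERSIONS:
        findings.append(Finding("high", f"{version} is not offered by the device; the association would fail"))
    elif version != "TLSv1.2":
        findings.append(Finding("high", f"{version} is deprecated by RFC 8996; configure TLSv1.2"))

    if cipher_suite not in DEVICE_CIPHER_SUITES:
        findings.append(Finding("high", f"{cipher_suite} is not offered by the device; the association would fail"))
    else:
        if "3DES" in cipher_suite:
            findings.append(Finding("high", "3DES has a 64-bit block; prefer the AES_128 suite"))
        # Both disclosed suites use static RSA key exchange, so a leaked PACS
        # private key decrypts recorded traffic; key custody is the control.
        findings.append(Finding("medium", "static RSA key exchange has no forward secrecy; protect and rotate the PACS private key"))

    return findings


def is_acceptable(version: str, cipher_suite: str) -> bool:
    """True when no finding blocks deployment."""
    return not any(f.severity == "high" for f in review_dicom_tls(version, cipher_suite))


def recommended_settings() -> Tuple[str, str]:
    """Strongest combination the device offers, found by checking every pair."""
    for version in reversed(DEVICE_TLS_VERSIONS):
        for suite in DEVICE_CIPHER_SUITES:
            if is_acceptable(version, suite):
                return version, suite
    raise RuntimeError("no acceptable combination")  # unreachable with the disclosed options


def pacs_listener_context(certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """Server-side context for a PACS accepting Secure DICOM from this device.

    Pins the listener to the recommended pair so TLS 1.0/1.1 and 3DES can never
    be negotiated, and requires the modality to present a certificate issued by
    the CA in `cafile` (assumed deployment: the NAUT note says the device can use
    TLS certificates when encrypted DICOM is enabled).
    """
    version, suite = recommended_settings()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(IANA_TO_OPENSSL[suite])
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # Review each disclosed pair the way a PACS administrator would before enabling it.
    for version in DEVICE_TLS_VERSIONS:
        for suite in DEVICE_CIPHER_SUITES:
            verdict = "OK" if is_acceptable(version, suite) else "REJECT"
            print(f"{version} + {suite}: {verdict}")
            for f in review_dicom_tls(version, suite):
                print(f"    [{f.severity}] {f.message}")
    print("recommended:", recommended_settings())
```

The PACS-side context is the part that actually enforces the policy: the device will offer whatever it is configured with, but a listener that only accepts TLS 1.2 with the AES suite cannot be talked down to TLS 1.0 or 3DES by a misconfigured modality or an on-path party. The medium finding remains with every disclosed option, which is why key custody and rotation for the PACS certificate belong in the risk register even for the recommended pair.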
UltraVNC Ultra Virtual Network Computing
IVM      Intervention Module
LDAP     Lightweight Directory Access Protocol
UDP      User Datagram Protocol
VPN      Virtual Private Network

Disclaimer According to IEC 80001-1 (International Electrotechnical Commission)

Glossary (extract)
Responsible organization: Entity accountable for the use and maintenance of a medical IT network.

1-1 The Device has the capability to be connected to a medical IT-network which is managed under full responsibility of the operating legal entity (hereafter called “RESPONSIBLE ORGANIZATION”). It is assumed that the RESPONSIBLE ORGANIZATION assigns a Medical IT-Network Risk Manager to perform IT-Risk Management (see IEC 80001-1:2010 / EN 80001-1:2011) for IT.
1-2 This statement describes Device-specific IT-networking safety and security capabilities. It is NOT a RESPONSIBILITY AGREEMENT according to IEC 80001-1:2010 / EN 80001-1:2011.
1-3 Any modification of the platform, the software or the interfaces of the Device – unless authorized and approved by Siemens Healthcare GmbH – voids all warranties, liabilities, assertions and contracts.
1-4 The RESPONSIBLE ORGANIZATION acknowledges that the Device’s underlying standard computer with operating system is to some extent vulnerable to typical attacks such as, e.g., malware or denial-of-service.
1-5 Unintended consequences (such as, e.g., misuse/loss/corruption) of data not under control of the Device, e.g., after electronic communication from the Device to some IT-network or to some storage, are under the responsibility of the RESPONSIBLE ORGANIZATION.
1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT-network. The RESPONSIBLE ORGANIZATION must ensure – through technical and/or organizational measures – that only authorized use of the external connections and storage media is permitted.

ACUSON Sequoia is a trademark of Siemens Medical Solutions USA, Inc.
syngo is a registered trademark of Siemens Healthcare GmbH.
Adobe is either a trademark or registered trademark of Adobe Systems Incorporated in the United States and/or other countries.
Intel is a trademark of Intel Corporation in the United States and other countries.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.
McAfee is a registered trademark of McAfee, LLC or its subsidiaries in the US and other countries.
NVIDIA is a registered trademark of NVIDIA Corporation.
PowerScribe® 360 | Reporting is a registered trademark of Nuance Communications, Inc.

Statement on FDA Cybersecurity Guidance
Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, healthcare facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements.

The representations contained in this white paper are designed to describe Siemens Healthineers’ approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cyber-security efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

Siemens Healthineers Headquarters
Siemens Healthcare GmbH
Henkestr. 127
91052 Erlangen, Germany
Phone: +49 9131 84-0
siemens-healthineers.com

Legal Manufacturers
Siemens Medical Solutions USA, Inc.
Ultrasound
685 E. Middlefield Road
Mountain View, CA 94043
USA
Phone: 1-888-826-9702
siemens-healthineers.com/ultrasound

Published by Siemens Medical Solutions USA, Inc. · 8535 0120 online · ©Siemens Medical Solutions USA, Inc., 2020