ACUSON Sequoia Ultrasound system, release VA20 Security and MDS² Form

White paper ACUSON Sequoia ultrasound system, release VA20 Security and MDS2 Form Facts about security and privacy requirements siemens-healthineers.com/cybersecurity SIEMENS Healthineers Product and security white paper · ACUSON Sequoia VA20 The Siemens Healthineers product and solution security program At Siemens Healthineers, we are committed to working • Performing static code analysis of our products with you to address cybersecurity and privacy • requirements. Our Product and Solution Security Office Conducting security testing of products under is responsible for our global program that focuses on development as well as products already in the field addressing cybersecurity throughout the product lifecycle • Tailoring patch management to the medical device and of our products. depth of coverage chosen by you • Our program targets incorporating state of the art Monitoring security vulnerability to track reported third cybersecurity into our current and future products. party components issues in our products We seek to protect the security of your data while, at • Working with suppliers to address security throughout the same time, providing measures to strengthen the the supply chain resiliency of our products from cyber threats. • Training of employees to provide knowledge consistent We comply with applicable security and privacy with their level of responsibilities regarding your data regulations from the US Department of Health and and device integrity Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights Contacting Siemens Healthineers about product (OCR), to help you meet your IT security and privacy and solution security obligations. Siemens Healthineers requests that any cybersecurity Vulnerability and incident management or privacy incidents are reported by email to: [email protected] Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning For all other communication with Siemens Healthineers reported potential vulnerabilities. about product and solution security: [email protected] Our communications policy strives for coordinated disclosure. We work in this way with our customers Thank you for making Siemens Healthineers your partner and other parties, when appropriate, in response to of choice! potential vulnerabilities and incidents in our products, no matter what the source. Yours sincerely, Elements of our product and solution security program • Providing information to facilitate secure configuration and use of our medical devices in your IT environment • Conducting formal threat and risk analysis for our products Jim Jacobson • Incorporating secure architecture, design and coding Chief Product and Solution Security Officer methodologies in our software development process Siemens Healthineers 2 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Contents Basic Information ..................................................... 4 Data Flow Diagram ................................................... 6 Network Information ............................................... 7 Security Controls ..................................................... 14 Software Bill of Materials ........................................ 16 Manufacturer Disclosure Statement for Medical Device Security – MDS2 ......................... 24 Manufacturer Disclosure Statement According to IEC 60601-1 ........................................ 45 Abbreviations .......................................................... 49 Disclaimer According to IEC 80001-1 ....................... 50 International Electrotechnical Commission Glossary (extract) .................................................... 50 Statement on FDA Cybersecurity Guidance ............. 51 siemens-healthineers.com/cybersecurity 3 Product and security white paper · ACUSON Sequoia VA20 Basic Information Why is cybersecurity important? User account information Keeping patient data safe and secure should typically • ACUSON Sequoia system VA20 software user accounts be one of the top priorities of healthcare institutes. can be local Windows accounts, managed by the It is estimated that the cost associated in the recovery administrator of the system, or LDAP-based accounts of each medical record in the United States can be as if the system is part of a Microsoft Windows Domain. high as $380.1 According to the Ponemon Institute A break-glass mechanism ensures access to the system research report,2 39% of medical devices were hacked, in emergency scenarios. with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that • The system provides preconfigured Password Policies their patients received inappropriate medical treatment that can be customized by administrators because of an insecure medical device. Domain integration Our purpose is to help healthcare providers succeed In case of domain integration, we recommend that you put the device in its own OU. No global policies The new ACUSON Sequoia ultrasound system is the result are allowed. More details will be provided in the of more than three decades of experience in ultrasound Administration Manual engineering. A general imaging ultrasound system, it was developed in response to one of the most prevalent Patching strategy challenges in ultrasound imaging today: the imaging of different-sized patients with consistency and clarity. • Security patches will be provided on regular basis after With its new Deep Abdominal Transducer (DAX), a new validation by Siemens Healthineers to maintain the high-powered architecture, and innovative updates to clinical function of the medical device. elastography and contrast-enhanced ultrasound, the • new ACUSON Sequoia system produces penetration up If connected to Smart Remote Services (SRS) formerly to 40 cm. Siemens Remote Service, updates will be pushed to the system automatically. They need to be confirmed/ With its powerful architecture and innovative features, executed by the actual user. the ACUSON Sequoia system expands precision medicine • Alternatively, you can manually install updates by by enabling high-resolution imaging that adapts to using the Siemens Healthineers ASU service provided patients’ size and personal characteristics, contributing in the LifeNet platform. to more confident diagnosis. • Technologies and software components are actively Operating systems monitored for vulnerabilities and availability of security updates. Please refer to the Software Bill of Material chapter. 1 https://healthitsecurity.com/news/how-much-do-healthcare-data-breaches-cost-organizations 2 https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf 4 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper --- Cryptography usage • Protected Health Information (PHI) is temporarily stored on the ultrasound system, similar to DICOM The ACUSON Sequoia system VA20 software uses ciphers data, raw data, and metadata for DICOM creation. and protocols built into Windows 10 for encryption and Note: The time for which PHI is stored is determined data protection. If needed, hardening measures limit by the facility. usage to those that are at least FIPS 140-2-compliant. • Personal Identifiable Information (PII) as part of the DICOM records is also temporarily stored on the Handling of sensitive data ultrasound system, e.g., patient’s name, birthday or age, height and weight, personal identification • This ultrasound system is designed for temporary data number, and referring physician’s name. Additional storage only. Siemens Healthineers recommends sensitive information might be present in user- storing patient data in a long-term archive, e.g., on a editable input fields or in the images acquired. PACS, and data must be deleted using a facility-defined • procedure. Protected Health Information (PHI) is transmitted via DICOM (encrypted/unencrypted). siemens-healthineers.com/cybersecurity 5 Product and security white paper · ACUSON Sequoia VA20 Data Flow Diagram Service Healthcare Scheduler SRS Manufacturing Professional System Engineer (Sonographer) (HIS) Operates System information Operates System information Internet DICOM (port 104) HTTP Siemens IBC Gateway (port 80) Healthineers VPN Concentrator Restricted IPs Patches Save config. worklist Local Network Local Network (wired or wireless) (wired or wireless) Status, logs, Get utilization performed procedures DICOM images Image Data data I/O External Media and Transducers OEMs (USB, Blu-ray, DICOM PACS printers, etc.) System Network X Y X calls Y HW/SW component External entity X Y Call-return (X calls Y) User System boundary X Y Data stream (complex connector) 00 6 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Network Information SRS Router Smart Remote Services ... VPN IN, OUT: TCP, UDP, RDP Remote Service Access Server ... IN, OUT: DICOM PACS/RIS ... IN, OUT: IN, OUT: DICOM, SRS LDAP, TCP/UDP Domain Controller ... OUT: TCP Network Share ... IN, OUT: TCP NUANCE Ultrasound Machine Clinical Network Internet Figure 1: Security boundaries for system deployment siemens-healthineers.com/cybersecurity 7 Product and security white paper · ACUSON Sequoia VA20 Network Information The following ports are used by the system: Port number Service/function Direction Protocol 80 Microsoft IIS1 Inbound TCP 104 DICOM Communication (unencrypted) In/outbound TCP 443 Administration Portal – Remote Service Inbound TCP (encrypted) 2762 Secure DICOM (optional) In/outbound TCP 8226 Managed Node Package MNP Inbound TCP 8227 Managed Node Package MNP Inbound TCP 8228 Managed Node Package MNP Inbound TCP 11080 Remote Assist (eSieLink) Inbound TCP 12061 Managed Node Package MNP Inbound TCP 13001 Managed Node Package MNP Inbound TCP Table 1: Used Port Numbers Services running on the device Service Description Startup type Log on as AppIDSvc Determines and verifies the identity of an NT Authority\ application Auto LocalService AudioEndpointBuilder Manages audio devices for the Windows Audio service Auto LocalSystem Audiosrv Manages audio for Windows-based programs Auto NT AUTHORITY\ LocalService Manages firewall and Internet Protocol BFE security (IPsec) policies Auto NT AUTHORITY\ LocalService Windows infrastructure service that controls BrokerInfrastructure which background tasks can run on the Auto LocalSystem system BrUnvPrnPortPCL Auto LocalSystem BuRe Burning Removable Media Service Manual LocalSystem CDPUserSvc_33aef1 Auto Copies user certificates and root certificates CertPropSvc from smart cards into the current user's Auto LocalSystem certificate store 8 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Service Description Startup type Log on as ControlPanelService Control Panel WCF Service Manual LocalSystem CoreMessagingRegistrar Manages communication between system Auto NT AUTHORITY\ components LocalService CryptSvc Provides management services: Catalog NT Authority\ Database Service, Protected Root Service Auto NetworkService CsaCompMgrInit Manual LocalSystem DcomLaunch The DCOMLAUNCH service launches COM and DCOM servers Auto LocalSystem DeviceAssociationService Enables pairing between the system and wired or wireless devices Auto LocalSystem Dhcp Registers and updates IP addresses and DNS NT Authority\ records for this computer Auto LocalService The Connected User Experiences and DiagTrack Telemetry service enables features that support in-application and connected user Auto LocalSystem experiences The DNS Client service (dnscache) caches Dnscache Domain Name System (DNS) names and Auto NT AUTHORITY\ registers the full computer name for this NetworkService computer DoSvc Performs content delivery optimization tasks Auto LocalSystem DPS Enables problem detection, troubleshooting and resolution for Windows components Auto NT AUTHORITY\ LocalService DsmSvc Enables the detection, download and installation of device-related software Manual LocalSystem DsSvc Provides data brokering between applications Manual LocalSystem EventLog This service manages events and event logs Auto NT AUTHORITY\ LocalService Supports System Event Notification Service EventSystem (SENS), which provides automatic distribution of events to subscribing Component Object Auto NT AUTHORITY\ LocalService Model (COM) components FontCache Optimizes performance of applications by caching commonly used font data Auto NT AUTHORITY\ LocalService IISADMIN Enables this server to administer the IIS metabase Auto localSystem Hosts the Internet Key Exchange (IKE) and IKEEXT Authenticated Internet Protocol (AuthIP) Auto LocalSystem keying modules siemens-healthineers.com/cybersecurity 9 Product and security white paper · ACUSON Sequoia VA20 Network Information Services running on the device Service Description Startup type Log on as IpOverUsbSvc Enables communication between the Windows SDK and a Windows Device Auto LocalSystem KeyIso The CNG key isolation service is hosted in the LSA process Manual LocalSystem LanmanServer Supports file, print, and named-pipe sharing over the network for this computer Auto LocalSystem Creates and maintains client network LanmanWorkstation connections to remote servers using the Auto NT AUTHORITY\ SMB protocol NetworkService Monitors the current location of the system lfsvc and manages geofences (a geographical Manual LocalSystem location with associated events) LicenseManager Provides infrastructure support for the Windows Store Manual NT Authority\ LocalService Provides support for the NetBIOS over TCP/IP lmhosts (NetBT) service and NetBIOS name resolution Manual NT AUTHORITY\ for clients on the network LocalService LSM Core Windows Service that manages local user sessions Auto LocalSystem Windows Firewall helps protect your MpsSvc computer by preventing unauthorized users NT Authority\ from gaining access to your computer Auto LocalService through the Internet or a network MSMQ Provides a messaging infrastructure NT Authority\ Auto NetworkService nsi This service delivers network notifications NT Authority\ Auto LocalService NVDisplay. ContainerLocalSystem Container service for NVIDIA root features Auto LocalSystem Provides WMI objects for managing NVIDIA NVWMI components of the system Auto LocalSystem OneSyncSvc_33aef1 This service synchronizes mail, contacts, calendar and various other user data Auto PcaSvc This service provides support for the Program Compatibility Assistant (PCA) Auto LocalSystem Performance Logs and Alerts Collects pla performance data from local or remote Manual NT AUTHORITY\ LocalService computers 10 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Service Description Startup type Log on as PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input Manual LocalSystem PolicyAgent Internet Protocol security (IPsec) supports network-level peer authentication Manual NT Authority\ NetworkService Manages power policy and power policy Power notification delivery Auto LocalSystem ProfSvc This service is responsible for loading and unloading user profiles Auto LocalSystem RpcEptMapper Resolves RPC interfaces identifiers to Auto NT AUTHORITY\ transport endpoints NetworkService RpcSs The RPCSS service is the Service Control Manager for COM and DCOM servers Auto NT AUTHORITY\ NetworkService SAM SAM service Auto LocalSystem The startup of this service signals other SamSs services that the Security Accounts Manager Auto LocalSystem (SAM) is ready to accept requests Schedule Enables a user to configure and schedule automated tasks on this computer Auto LocalSystem SCPolicySvc Allows the system to be configured to lock the user desktop upon smart card removal Auto LocalSystem scsrvc McAfee Solidifier Service Auto LocalSystem SD_SERVER Auto LocalSystem seclogon Enables starting processes under alternate credentials Manual LocalSystem Monitors system events and notifies SENS subscribers to COM+ Event System of these Auto LocalSystem events Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop Services SessionEnv and Remote Desktop related configuration Manual localSystem and session maintenance activities that require SYSTEM ShellHWDetection Provides notifications for AutoPlay hardware Auto LocalSystem events Spooler This service spools print jobs and handles interaction with the printer Auto LocalSystem siemens-healthineers.com/cybersecurity 11 Product and security white paper · ACUSON Sequoia VA20 Network Information Services running on the device Service Description Startup type Log on as Provides the interface to backup/restore SQLWriter Microsoft SQL server through the Windows Auto LocalSystem VSS infrastructure StateRepository Provides required infrastructure support for the application model Manual LocalSystem StorSvc Provides enabling services for storage settings and external storage expansion Manual LocalSystem Manages software-based volume shadow swprv copies taken by the Volume Shadow Copy Manual LocalSystem service SysMgmt.WcfService Auto LocalSystem SystemEventsBroker Coordinates execution of background work for WinRT application Auto LocalSystem TabletInputService Enables Touch Keyboard and Handwriting Panel pen and ink functionality Auto LocalSystem TermService Allows users to connect interactively to a Manual NT Authority\ remote computer NetworkService Themes Provides user experience theme management Auto LocalSystem tiledatamodelsvc Tile Server for tile updates Auto LocalSystem TimeBrokerSvc Coordinates execution of background work Manual NT AUTHORITY\ for WinRT application LocalService TRANSFERMGR TransferMgr service Auto LocalSystem tvgateway.exe cRSP Teamviewer Moderator Gateway working as proxy for RTC's Auto LocalSystem UmRdpService Allows the redirection of Printers/Drives/Ports for RDP connections Manual localSystem User Manager provides the runtime UserManager components required for multi-user Auto LocalSystem interaction Provides secure storage and retrieval of VaultSvc credentials to users, applications and security Manual LocalSystem service packages vds Provides management services for disks, volumes, file systems, and storage arrays Manual LocalSystem VERSANTD Auto LocalSystem 12 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Service Description Startup type Log on as Enables VNC Viewer users to connect to and vncserver control this computer Auto LocalSystem W32Time Maintains date and time synchronization on all clients and servers in the network Manual NT AUTHORITY\ LocalService w3logsvc Provides W3C logging for Internet Information Services (IIS) Manual localSystem Provides Web connectivity and administration W3SVC through the Internet Information Services Auto localSystem Manager Provides process activation, resource WAS management and health management Manual localSystem services Makes automatic connect/disconnect Wcmsvc decisions based on the network connectivity NT Authority\ Auto options LocalService The Diagnostic Service Host is used by the WdiServiceHost Diagnostic Policy Service to host diagnostics Auto NT AUTHORITY\ that need to run in a Local Service context LocalService WinHttpAutoProxySvc WinHTTP implements the client HTTP stack Manual NT AUTHORITY\ LocalService Provides a common interface and object Winmgmt model to access management information about operating system, devices, applications Auto localSystem and services Provides the logic required to configure, WlanSvc discover, connect to, and disconnect from a wireless local area network (WLAN) as Auto LocalSystem defined by IEEE 802 Runs in session 0 and hosts the notification WpnService platform and connection provider which handles the connection between the device Auto LocalSystem and WNS server Monitors and reports security health settings wscsvc on the computer. Auto NT AUTHORITY\ LocalService wudfsvc Creates and manages user-mode driver processes. This service cannot be stopped Manual LocalSystem siemens-healthineers.com/cybersecurity 13 Product and security white paper · ACUSON Sequoia VA20 Security Controls Malware protection Hardening • Whitelisting (McAfee® Application Control) • ACUSON Sequoia system VA20 software hardening is implemented based on the Security Technical Controlled use of administrative privileges Implementation Guidelines developed by the Defense Information Systems Agency (DISA). • The system distinguishes between clinical and administrative roles. Clinical users do not require administrative privileges. Authorization as Network controls administrator is required for administrative tasks. • The system is designed to make limited use of network ports and protocols. Microsoft Windows firewall is Authentication configured to block unwanted inbound network traffic except for the ports listed in Table 1. • The ACUSON Sequoia system VA20 software supports Health Insurance Portability and Accountability • Siemens Healthineers recommends operating the Act (HIPAA) regulation with role-based privilege system in a secured network environment, e.g., a assignment and access control. separate network segmented or VLAN. • The ACUSON Sequoia system VA20 software supports • Connection to the Internet or private networks for both, machine local users and LDAP defined users. patients/guests is not recommended. • The user interface of the ACUSON Sequoia system • In case of a denial of service (DoS) or mal-ware attack, VA20 software provides a screen lock functionality the system can be taken off the network and operated that can be engaged manually or automatically after in a stand-alone state. a certain inactivity time. For details, please refer to the User Manual. Physical Safeguards • Security Scanning and Vulnerability Assessment You are responsible for the physical protection of the ACUSON Sequoia system VA20 software, e.g., by • Regular scanning with Tennable Nessus and monthly operating it in a room with access control. Please note assessment of identified vulnerabilities, as per the that the system contains patient data and should be FDA Post-Market Cybersecurity Guidance. protected against tampering and theft. • The system is protected by Secure Boot, which blocks unsigned boot media. • It is possible to change the BIOS password. Please contact Siemens Healthineers Service for support. 14 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Data protection controls Auditing/logging • The system is not intended to be an archive (data • The system provides HIPAA-compliant auditing at rest). of operations on PHI, PII, and user information • PHI is protected by both role-based access control as (i.e., login, read access to PHI, modification of PHI). well as hard drive encryption (optional). Remote connectivity • Hard drive encryption is an optional feature that is • implemented through Microsoft Bitlocker technology SRS is optionally used for proactive maintenance. and use of the TPM (Trusted Platform Module) chip The connection is created using a secured channel on the system’s motherboard. (VPN- or IBC-based connection). It is used, for example, to download security patches and updates. • The system provides auditing of PHI access control. • Alternatively, you can use the Siemens Healthineers • Optionally, confidentiality and integrity of PHI/PII LifeNet platform to download available hotfixes and data can be protected by encryption of DICOM install them in offline machines that are not connected communication with other DICOM nodes. to the SRS network. • The system supports Bitlocker to-go. Note: In the VA20 software release for the ACUSON Incident response and management Sequoia system, encrypted communication can be • The incident handling process is defined and executed used if all connected DICOM nodes support it. on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents. siemens-healthineers.com/cybersecurity 15 Product and security white paper · ACUSON Sequoia VA20 Software Bill of Materials The following table lists the most relevant third-party technologies used (general drivers not included). Vendor name / Component Component Description / URL name version use Adobe Systems Inc. Adobe Acrobat Reader DC 19.010.20099 PDF file viewer Provides API to access COMe Advantech iManager 140718 board configuration and performance parameters. COMe BIOS Update Tool 5894XJ02 Provides inline COMe board AMI (AFU utility) firmware update capability. Apache Log4net 2.0.8 Logging library Ascension Technology 3D Guidance driveBAY2 Corp. (Rev E) Win7 Signed 35.00.2405 Fusion software drivers Brother Brother-UPD-PCL 0110 Device Driver for Brother printers Epson Epson-UPD 17455 Device Driver for Epson printers FreeBSD.org bspatch 4.3 Generates an updated binary based on a patch file. FFmpeg team FFMPEG 2.7.2 Used to convert H.264 file to MP4 file Future Technology Devices International Limited FtdiDriver2.12.00 2.12.00 Physio Driver Giacomo Stelluti Scala CommandLineParser 1.9.71 1.9.71 Command line data parser HP HP Universal Printer Driver 6.2.1 Device Driver for HP printers Intel® Network Connections 20.4.1 Network adapter support Intel Intel_HD4600_win64 154010.43 Video Configuration Software Kenneth Reitz Requests 2.10.0, 2.21.0 Allows to send organic, grass-fed HTTP/1.1 requests. Logilab logilab-common 1.2.2 Common component used by John D. Hunter matplotlib 1.5.1, 3.0.3 Plotting and graphing library for python. .NET Framework 4.5.50938, 4.6.1, 4.6.2, 4.7 Programming framework .NET Framework Client Profile 4.0.30319 Client Applications Microsoft Corporation Visual C++ Redistributable 2008, 2010, (x86, x64) 2012, 2013, Programming framework 2015 Windows ADK-10 10 Windows Deployment Toolkit 16 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Vendor name / Component Component Description / URL name version use WebPlatformInstaller-3.0 3.0 Prerequisite for application request routing WebDeploy-2.0 2.0 Prerequisite for application request routing WebFarm-2.2 2.2 Prerequisite for application request routing Microsoft Corporation ApplicationRequestRouting- 3.0 For application request routing 3.0 (in IIS) Microsoft SQL Server 2016 Used by SysCare System Health LocalDB 13.1 database for archiving utilization data. Windows 10 LTSB IOT 2016 Operating System CUDA toolkit 10.1.105 Provides API and runtime for CUDA code used in UIF and UBE NVIDIA Control Panel 419.67 Video Configuration Software NVIDIA Graphics Driver 419.67 Video Configuration Software NVIDIA Corporation NVIDIA HD Audio Driver 419.67 Audio Configuration Software NVIDIA Install Application 419.67 Video Configuration Software Nvidia library that provides Nvidia NVAPI.dll 419.67 access to configuration information. Nvidia WMI provider 419.67 Nvidia WMI provider service NumPy Developers numpy 1.11.1 Numerial library OFFIS e.V., R&D Division Health dcmtk version 3.6.0 3.6.0 Dan Blanchard chardet 2.3.0 Universal character encoding detection Thomas A Caswell cycler 0.10.0 Object that allows cycling through a preset lsit of values. OSS 7zip 16.04 Used for compressing service log files. siemens-healthineers.com/cybersecurity 17 Product and security white paper · ACUSON Sequoia VA20 Software Bill of Materials The following table lists the most relevant third-party technologies used (general drivers not included). Vendor name / Component Component Description / URL name version use TeamViewer VA10B Siemens adaptation of TeamViewer Siemens Medical Solutions Siemens adaptation of HP Radia Managed Node Package VI30B Notify, Radia Notify, and Event Management Sony Sony Thermal Printer UPD711MD 1.0.0.0 Device Driver for Sony onboard thermal printer sourceforge.net/projects/ jsoncpp json-cpp 1.8.4 Used in IPOD for parsing Json files in C++ Sparklan SparkLan_IS_Setup_IC S_011916 1.5.39.173 Wireless driver VVI 4.0 1.3.0.171 Velocity Vector Imaging TomTec Package Cardiac Calcs 1.0.0.15 Cardiac measurement package Wireshark developer community Wireshark 2.6.10 Network debugging tool YaccConstructor QuickGraph 3.6.61119.7 3.6 Used to compute order of acquisition modes Intel IPP 6.0.4, 7.1.1, 9.0 Signal processing Merge Healthcare MergeCom-3 4.5.0 DICOM toolkit used for creating SR files Siemens HC SV DS SRTK 20.0.0.1212 Siemens SR toolkit which uses MergeCom Framework for building loosely Brian Lagunas Prism coupled, maintainable, and 4.1 testable XAML applications in WPF National Geospatial- Intelligence Agency (NGA) six 1.10.0, 1.12.0 Python 2 and 3 compatibility library The pip developers pip 8.1.2, 19.1 Install and update python packages Riverbank Computing Limited PyQt5-sip 4.18 Required componenet of PyQT 18 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Vendor name / Component Component Description / URL name version use Web access library used by the Andrey Petrov urllib3 1.16, 1.25.3 Service and Manufacturing service pages. Used by requests. Future Technology Devices FTDI usb driver 2.12.18 USB Device driver to access International Limited Common Physio Module FTGL FTGL 2.1.2 Used by Clinical Apps BroadCom PLX SDK 7.25 7.25 Communicate over the PCIe bus QRCoder QRCoder 1.3.3.0 QRCode generation library ANTLR Antlr4.Runtime.Standard 4.7.1 Tool for Language Recognition Mark Otto, Jacob Thornton Bootstrap 3.0.1 Web framework nuget.org John Resig jQuery 1.10.2 Cross-platform JavaScript library jquery jQuery Validation 1.11.1 Set of validation methods Microsoft.AspNet.Cors 5.2.6 Enables the CORS in ASP.NET Microsoft.AspNet.Identity. Core 2.2.2 Provides core interfaces for ASP.NET identity Microsoft.AspNet.Identity. ASP.NET Identity providers that Entity.Famework 2.2.2 use Entity Framework Microsoft.AspNet.Identity. Owin 2.2.2 Owin implementation for ASP.NET identity Microsoft.AspNet.Mvc 5.2.6 Runtime assemblies for ASP.NET Microsoft Corporation MVC. ASP.NET MVC Microsoft.AspNet.Razor 3.2.6 Runtime assemblies for ASP.NET Web Pages Microsoft ASP.NET SignalR, Pulls in the server components SignalR Client, SignalR Core, Signal R JS, SignalR System 2.2.0 and JavaScript client required to use SignalR in an ASP.NET Web application Microsoft ASP.NET SignalR Owin 1.2.2 OWIN components for ASP.NET SignalR siemens-healthineers.com/cybersecurity 19 Product and security white paper · ACUSON Sequoia VA20 Software Bill of Materials The following table lists the most relevant third-party technologies used (general drivers not included). Vendor name / Component Component Description / URL name version use ASP.NET Optimization Microsoft ASP.NET Web Optimization 1.1.3 introduces a way to bundle and optimize CSS and JavaScript files Microsoft.AspNet.WebApi, ASP.NET Web API is a framework Client, Core, Cors, HelpPage, Owin, OwinSelfHost, 5.2.6 that makes it easy to build HTTP services that reach a broad SelfHost, WebHost range of clients Microsoft.AspNet.WebPages 3.2.6 Used for dynamic web content Microsoft Corporation Microsoft jQuery Unobtrusive Validation 3.2.2 jQuery.Validation Microsoft.Owin, Cors, Host SystemWeb, Host.HttpListener, Hosting, 4.0.0 For simplifying the creation of Security, Security.Cookies, OWIN components Security.Oauth, Testing Owin 1.0 OWIN IAppBuilder startup interface Microsoft Web Infrastructure 1.0.0.0 Dynamically registers HTTP modules at run time Math.NET Mathnet.Numerics Used in Physio Waveform 4.5.1 Diagnostic Test. Faruk Ateş Modernizr 2.6.2 JavaScript library Newtonsoft Newtonsoft.Json 6.0.4, 11.0.2 Serializing/ deserialzing .NET objects Web designs in browsers that Scott Jehl Respond JS 1.2.0 don't support CSS3 media queries (IE 8 and under) SimpleInjector, simpleinjector SimpleInjector.Integration. 4.3.0 .NET library WebApi A suite of tools used for Microsoft Corporation Web Grease 1.6.0 optimizing web script and style files 20 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Vendor name / Component Component Description / URL name version use Complete .NET Reporting Telerik Reporting 9.2.15.1105 Solution for Web, Mobile and Desktop Applications Telerik The main assembly from the Telerik.RAD 2016.3.1021.40 Telerik Document Processing libraries Trillium Technology, Inc. Showcase Viewer 5.4.0 DICOM Viewer for distribution on removable media Rafi RAFI Control Pannel Test This is used to test control software 1 pannel interactions the SZ development Homedale 1.76 To detects nearby wireless access points, get their details This Intel IPP is the latest Intel Intel IPP 2018.3.210 Image Processing library that is used for image processing luajit.org LuaJIT 2.0.5 Script language with Just-In- Time Compiler Simage v1.7.0 Library to load images (used by Kongsberg Oil & Gas (0d0c31d61201) Coin) Technologies Coin v4.0.0 OpenGL-based 3D graphics (6f54f1602475) library used by the renderer .NET Foundation System.Reactive 4.0.0 NET reactive extension library Microsoft corporation EntityFramework 6.2.0 Object-relational mapper Python Software Python 3.7.3 3.7.3 Provides Python runtime environment Foundation certifi 2019.3.9 Certificate Management Dan Blanchard chardet 3.0.4 Universal character encoding detector Matplotlib Developers cycler 0.10.0 Composable cycler objects. See matplotlib Gregory P. Ward. click 7.0 Composable command line interface toolkit Elias Rabel et-xmlfile 1.0.1 An implementation of lxml. xmlfile for the standard library siemens-healthineers.com/cybersecurity 21 Product and security white paper · ACUSON Sequoia VA20 Software Bill of Materials The following table lists the most relevant third-party technologies used (general drivers not included). Vendor name / Component Component Description / URL name version use Armin Ronacher flask 1.0.2 Framework for building web applications Kim Davies idna 2.8 Internationalized domain names in applications Helpers to pass data to Pallets Team itsdangerous 1.1.0 untruested environments and back Prasanth Nair jdcal Julian dates from proleptic 1.4.1 Gregorian and Julian calendars Armin Ronacher jinja2 2.10..1 To use stand-alone template engine written in pure python The Nucleic Development kiwisolver 1.0.1 A fast implementation of Team Cassowary constraint solver lxml dev team lxml 4.3.3 XML processing library The Pallets Team MarkupSafe Safely add untrusted strings to 1.1.1 HTML/XML markup NumPy Developers numpy 1.16.3 Array computing PHPExcel team openpyxl 2.6.2 Read/write excel xlsx, xlsm files Wes McKinney pandas 0.24.2 Data analysis, time series, statistics The pip developers pip 19.1 Tool for installing python packages Paul McGuire pyparsing 2.4.0 Python parsing module Riverbank Computing Limited. PyQt5-commercial 5.12.1 Python binding for Qt. Licensed from Riverbank Computing Riverbank Computing Python binding for C/C++. Limited. PyQt5-sip-commercial 4.19.15 Licensed from Riverbank Computing Python binding for C/C++. Gustavo Niemeyer python-dateutil 2.8.0 Licensed from Riverbank Computing The Python for .Net Developers. pythonnet 2.4.0 .NET integration with Python Stuart Bishop pytz 2019.1 World timezone definitions 22 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Vendor name / Component Component Description / URL name version use Mark Hammond (et al) pywin32 224 Python for Windows extensions Kirill Simonov pyyaml 5.1.0 YAML parser and emitter for Python SciPy developers scipy 1.2.1 Scientific Library for Python Easily download, build, install, Python Packaging Authority setuptools 41.0.1 upgrade, and uninstall Python packages HTTP library with thread-safe Andrey Petrov urllib3 1.25.3 connection pooling, file post, etc. Armin Ronacher Werkzeug 0.15.3 The comprehensive WSGI web application library Tim Golden Windows management WMI 1.4.9 instrumentation John Machin xlrd Extract data (fast read) from 1.2.0 Microsoft excel files siemens-healthineers.com/cybersecurity 23 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note DOC-1 Manufacturer Name Siemens Healthineers DOC-2 Device Description Sequoia DOC-3 Device Model Sequoia VA20 DOC-4 Document ID 11288831-FPD-021-01 Siemens Medical DOC-5 Manufacturer Contact Information Solutions – Ultrasound 22010 SE 51st St, Issaquah, WA 98029 DOC-6 Intended use of device in network- Ultrasound imaging connected environment: scanner DOC-7 Document Release Date Jan 1st, 2020 Coordinated Vulnerability Disclosure: Does DOC-8 the manufacturer have a vulnerability No disclosure program for this device? ISAO: Is the manufacturer part of an DOC-9 Information Sharing and Analysis Yes Organization? Diagram: Is a network or data flow diagram DOC-10 available that indicates connections to See Security other system components or expected Yes Whitepaper external resources? DOC-11 SaMD: Is the device Software as a Medical Device (i.e. software-only, no hardware)? No DOC-11.1 Does the SaMD contain an operating system? N/A DOC-11.2 Does the SaMD rely on an owner/operator provided operating system? N/A DOC-11.3 Is the SaMD hosted by the manufacturer? N/A DOC-11.4 Is the SaMD hosted by the customer? N/A MANAGEMENT OF PERSONALLY IDENTIFIABLE INFORMATION Can this device display, transmit, store, or modify personally identifiable information MPII-1 (e.g.,electronic Protected Health Yes Information (ePHI))? Does the device maintain personally MPII-2 identifiable information? Yes 24 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note Does the device maintain personally MPII-2.1 identifiable information temporarily in volatile memory (i.e., until cleared by Yes power-off or reset)? Does the device store personally MPII-2.2 identifiable information persistently on Yes internal media? Is personally identifiable information MPII-2.3 preserved in the device’s non-volatile Yes memory until explicitly erased? MPII-2.4 Does the device store personally identifiable information in a database? Yes Does the device allow configuration to MPII-2.5 automatically delete local personally identifiable information after it is stored Yes to a long term solution? Does the device import/export personally identifiable information with other systems MPII-2.6 (e.g., a wearable monitoring device might Yes export personally identifiable information to a server)? Does the device maintain personally MPII-2.7 identifiable information when powered off, Yes or during power service interruptions? Does the device allow the internal media to be removed by a service technician (e.g., MPII-2.8 for separate destruction or customer Yes retention)? Does the device allow personally identifiable information records be stored MPII-2.9 in a separate location from the device’s operating system (i.e. secondary internal Yes drive, alternate drive partition, or remote storage location)? Does the device have mechanisms used for MPII-3 the transmitting, importing/exporting of Yes personally identifiable information? Does the device display personally MPII-3.1 identifiable information (e.g., video display, Yes etc.)? siemens-healthineers.com/cybersecurity 25 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note Does the device generate hardcopy reports MPII-3.2 or images containing personally identifiable Yes information? Does the device retrieve personally identifiable information from or record MPII-3.3 personally identifiable information to removable media (e.g., removable-HDD, Yes USB memory, DVD-R/RW,CD-R/RW, tape, CF/SD card, memory stick, etc.)? Does the device transmit/receive or import/ MPII-3.4 export personally identifiable information via dedicated cable connection (e.g., Yes RS-232, RS-423, USB, FireWire, etc.)? Does the device transmit/receive personally MPII-3.5 identifiable information via a wired network Yes connection (e.g., RJ45, fiber optic, etc.)? Does the device transmit/receive personally MPII-3.6 identifiable information via a wireless network connection (e.g., WiFi, Bluetooth, Yes NFC, infrared, cellular, etc.)? Does the device transmit/receive personally Over VPN for MPII-3.7 identifiable information over an external Yes remote service network (e.g., Internet)? troubleshooting Does the device import personally MPII-3.8 identifiable information via scanning a No document? Does the device transmit/receive personally MPII-3.9 identifiable information via a proprietary No protocol? Does the device use any other mechanism MPII-3.10 to transmit, import or export personally No identifiable information? Management of Private Data notes: AUTOMATIC LOGOFF (ALOF) The device's ability to prevent access and misuse by unauthorized users if device is left idle for a period of time. 26 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note Can the device be configured to force reauthorization of logged-in user(s) after ALOF-1 a predetermined length of inactivity Yes (e.g., auto-logoff, session lock, password protected screen saver)? Is the length of inactivity time before auto- ALOF-2 logoff/screen lock user or administrator Yes configurable? AUDIT CONTROLS (AUDT) The ability to reliably audit activity on the device. Can the medical device create additional AUDT-1 audit logs or reports beyond standard Yes operating system logs? AUDT-1.1 Does the audit log record a USER ID? Yes AUDT-1.2 Does other personally identifiable information exist in the audit trail? Yes User Name Are events recorded in an audit log? AUDT-2 If yes, indicate which of the following Yes events are recorded in the audit log: AUDT-2.1 Successful login/logout attempts? Yes AUDT-2.2 Unsuccessful login/logout attempts? Yes AUDT-2.3 Modification of user privileges? Yes AUDT-2.4 Creation/modification/deletion of users? Yes AUDT-2.5 Presentation of clinical or PII data (e.g., display, print)? Yes AUDT-2.6 Creation/modification/deletion of data? Yes Import/export of data from removable AUDT-2.7 media (e.g., USB drive, external hard drive, Yes DVD)? Receipt/transmission of data or commands AUDT-2.8 over a network or point-to-point Yes connection? AUDT-2.8.1 Remote or on-site support? Yes Application Programming Interface (API) AUDT-2.8.2 and similar activity? No siemens-healthineers.com/cybersecurity 27 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note AUDT-2.9 Emergency access? Yes AUDT-2.10 Other events (e.g., software updates)? Yes AUDT-2.11 Is the audit capability documented in more detail? Yes AUDT-3 Can the owner/operator define or select which events are recorded in the audit log? Yes Is a list of data attributes that are captured AUDT-4 in the audit log for an event available? Yes AUDT-4.1 Does the audit log record date/time? Yes Can date and time be synchronized by AUDT-4.1.1 Network Time Protocol (NTP) or equivalent Yes time source? AUDT-5 Can audit log content be exported? Yes AUDT-5.1 Via physical media? Yes AUDT-5.2 Via IHE Audit Trail and Node Authentication (ATNA) profile to SIEM? No Via Other communications (e.g., external AUDT-5.3 service device, mobile applications)? Yes SysLog Server Yes on local storage. Are audit logs encrypted in transit or on See Notes In transit depends AUDT-5.4 storage media? on SysLog Server configuration AUDT-6 Can audit logs be monitored/reviewed by owner/operator? Yes AUDT-7 Are audit logs protected from modification? Yes AUDT-7.1 Are audit logs protected from access? Yes Not by the device, AUDT-8 Can audit logs be analyzed by the device? No but yes at the device. AUTHORIZATION (AUTH) The ability of the device to determine the authorization of users. Does the device prevent access to AUTH-1 unauthorized users through user login Yes Password requirements or other mechanism? 28 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note Can the device be configured to use AUTH-1.1 federated credentials management of users Yes for authorization (e.g., LDAP, OAuth)? AUTH-1.2 Can the customer push group policies to the device (e.g., Active Directory)? No AUTH-1.3 Are any special groups, organizational See Notes Syngo Roles when units, or group policies required? joining a domain Can users be assigned different privilege AUTH-2 levels based on ‘role’ (e.g., user, Yes administrator, and/or service, etc.)? Can the device owner/operator grant themselves unrestricted administrative AUTH-3 privileges (e.g., access operating system or No application via local root or administrator account)? Does the device authorize or control all Remotely accessible AUTH-4 API access requests? See Notes API’s require authentication Does the device run in a restricted access AUTH-5 mode, or ‘kiosk mode’, by default? Yes CYBER SECURITY PRODUCT UPGRADES (CSUP) The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade device's security patches. Does the device contain any software or firmware which may require security updates during its operational life, either CSUP-1 from the device manufacturer or from a Yes third-party manufacturer of the software/ firmware? If no, answer “N/A” to questions in this section. CSUP-2 Does the device contain an Operating System? If yes, complete 2.1–2.4. Yes Does the device documentation provide Yes, for both self- install (ASU) and CSUP-2.1 instructions for owner/operator installation Yes of patches or software updates? SRS-based updates (RUH) siemens-healthineers.com/cybersecurity 29 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note No, if the installation happens Does the device require vendor or vendor- through self-install from LifeNet (ASU). CSUP-2.2 authorized service to install patches or See Notes software updates? Yes, for SRS-based updates (RUH) or onsite service updates Does the device have the capability to CSUP-2.3 receive remote installation of patches or Yes software updates? Does the medical device manufacturer allow security updates from any third-party CSUP-2.4 manufacturers (e.g., Microsoft) to be No installed without approval from the manufacturer? CSUP-3 Does the device contain Drivers and Firmware? If yes, complete 3.1–3.4. Yes Does the device documentation provide Yes, for both self- CSUP-3.1 instructions for owner/operator installation Yes install (ASU) and of patches or software updates? SRS-based updates. Not, if the installation happens Does the device require vendor or vendor- through self-install from LifeNet (ASU). CSUP-3.2 authorized service to install patches or See Notes software updates? Yes, for SRS-based updates (RUH) or onsite service updates. Does the device have the capability to CSUP-3.3 receive remote installation of patches or Yes software updates? Does the medical device manufacturer allow security updates from any third-party CSUP-3.4 manufacturers (e.g., Microsoft) to be No installed without approval from the manufacturer? CSUP-4 Does the device contain Anti-Malware Software? If yes, complete 4.1–4.4. Yes Does the device documentation provide Yes, for both self- CSUP-4.1 instructions for owner/operator installation Yes install (ASU) and of patches or software updates? SRS-based updates. 30 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note Not, if the installation happens Does the device require vendor or vendor- through self-install authorized service to install patches or from LifeNet (ASU). CSUP-4.2 See Notes software updates? Yes, for SRS-based updates (RUH) o r onsite service updates. Does the device have the capability to CSUP-4.3 receive remote installation of patches or Yes software updates? Does the medical device manufacturer allow security updates from any third-party CSUP-4.4 manufacturers (e.g., Microsoft) to be No installed without approval from the manufacturer? Does the device contain Non-Operating CSUP-5 System commercial off-the-shelf Yes components? If yes, complete 5.1–5.4. Does the device documentation provide Yes, for both self- CSUP-5.1 instructions for owner/operator installation Yes install (ASU) and of patches or software updates? SRS-based updates. Not, if the Does the device require vendor or vendor- installation happens CSUP-5.2 authorized service to install patches or See Notes through self-install software updates? from LifeNet (ASU). Yes, for SRS-based updates. Does the device have the capability to CSUP-5.3 receive remote installation of patches or Yes software updates? Does the medical device manufacturer allow security updates from any third-party CSUP-5.4 manufacturers (e.g., Microsoft) to be No installed without approval from the manufacturer? Does the device contain other software components (e.g., asset management CSUP-6 software, license management)? If yes, No please provide details or reference in notes and complete 6.1–6.4. siemens-healthineers.com/cybersecurity 31 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note Does the device documentation provide CSUP-6.1 instructions for owner/operator installation N/A of patches or software updates? Does the device require vendor or vendor- CSUP-6.2 authorized service to install patches or N/A software updates? Does the device have the capability to CSUP-6.3 receive remote installation of patches or N/A software updates? Does the medical device manufacturer allow security updates from any third-party CSUP-6.4 manufacturers (e.g., Microsoft) to be N/A installed without approval from the manufacturer? CSUP-7 Does the manufacturer notify the customer when updates are approved for installation? Yes CSUP-8 Does the device perform automatic installation of software updates? No Does the manufacturer have an approved CSUP-9 list of third-party software that can be No installed on the device? Can the owner/operator install CSUP-10 manufacturer-approved third-party No software on the device themselves? Does the system have mechanism in place CSUP-10.1 to prevent installation of unapproved Yes Whitelisting software? Does the manufacturer have a process in CSUP-11 place to assess device vulnerabilities and Yes updates? CSUP-11.1 Does the manufacturer provide customers with review and approval status of updates? Yes LifeNet CSUP-11.2 Is there an update review cycle for the device? Yes Monthly HEALTH DATA DE-IDENTIFICATION (DIDT) The ability of the device to directly remove information that allows identification of a person. 32 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note Does the device provide an integral DIDT-1 capability to de-identify personally Yes identifiable information? Does the device support de-identification DIDT-1.1 profiles that comply with the DICOM No standard for de-identification? DATA BACKUP AND DISASTER RECOVERY (DTBK) The ability to recover after damage or destruction of device data, hardware, software, or site configuration information. Does the device maintain long term primary storage of personally identifiable DTBK-1 information / patient information No (e.g., PACS)? Does the device have a “factory reset” Service data DTBK-2 function to restore the original device partition available Yes settings as provided by the manufacturer? on booting using F10 DTBK-3 Does the device have an integral data backup capability to removable media? No Does the device have an integral data DTBK-4 backup capability to remote storage? No Does the device have a backup capability Only for ultrasound DTBK-5 for system configuration information, patch Yes configuration restoration, and software restoration? presets. Does the device provide the capability to DTBK-6 check the integrity and authenticity of a See Notes Yes for integrity, no backup for authenticity EMERGENCY ACCESS (EMRG) The ability of the device user to access personally identifiable information in case of a medical emergency situation that requires immediate access to stored personally identifiable information. EMRG-1 Does the device incorporate an emergency access (i.e. “break-glass”) feature? Yes siemens-healthineers.com/cybersecurity 33 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note HEALTH DATA INTEGRITY AND AUTHENTICITY (IGAU) How the device ensures that the stored data on the device has not been altered or destroyed in a non-authorized manner and is from the originator. Does the device provide data integrity IGAU-1 checking mechanisms of stored health No data (e.g., hash or digital signature)? Does the device provide error/failure IGAU-2 protection and recovery mechanisms for No stored health data (e.g., RAID-5)? MALWARE DETECTION/PROTECTION (MLDP) The ability of the device to effectively prevent, detect and remove malicious software (malware). Is the device capable of hosting executable MLDP-1 software? Yes Does the device support the use of anti- malware software (or other anti-malware MLDP-2 mechanism)? Provide details or reference Yes Whitelisting in notes. MLDP-2.1 Does the device include anti-malware software by default? Yes MLDP-2.2 Does the device have anti-malware Always included and software available as an option? No running by default Does the device documentation allow MLDP-2.3 the owner/operator to install or update No anti-malware software? Can the device owner/operator MLDP-2.4 independently (re-)configure anti-malware No settings? MLDP-2.5 Does notification of malware detection occur in the device user interface? No Can only manufacturer-authorized persons MLDP-2.6 repair systems when malware has been Yes detected? MLDP-2.7 Are malware notifications written to a log? Yes 34 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note Are there any restrictions on anti-malware No additional anti- MLDP-2.8 (e.g., purchase, installation, configuration, Yes malware can be scheduling)? added to the system If the answer to MLDP-2 is NO, and anti- MLDP-3 malware cannot be installed on the device, are other compensating controls in place N/A or available? Does the device employ application whitelisting that restricts the software MLDP-4 and services that are permitted to be run Yes on the device? Does the device employ a host-based MLDP-5 intrusion detection/prevention system? No Can the host-based intrusion detection/ MLDP-5.1 prevention system be configured by the No customer? Can a host-based intrusion detection/ MLDP-5.2 prevention system be installed by the No customer? NODE AUTHENTICATION (NAUT) The ability of the device to authenticate communication partners/nodes. Does the device provide/support any means Certificate based of node authentication that assures both node authentication the sender and the recipient of data are is possible NAUT-1 known to each other and are authorized to See Notes only when receive transferred information (e.g., Web communicating APIs, SMTP, SNMP)? over DICOM-TLS. Are network access control mechanisms supported (E.g., does the device have NAUT-2 an internal firewall, or use a network Yes connection white list)? Ports and protocols NAUT-2.1 Is the firewall ruleset documented and available for review? See Notes are published. Firewall rules are not published Only wifi NAUT-3 Does the device use certificate-based network connection authentication? See Notes connections based on EAP-TLS-based connectivity siemens-healthineers.com/cybersecurity 35 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note CONNECTIVITY CAPABILITIES (CONN) All network and removable media connections must be considered in determining appropriate security controls. This section lists connectivity capabilities that may be present on the device. CONN-1 Does the device have hardware connectivity capabilities? Yes CONN-1.1 Does the device support wireless connections? Yes CONN-1.1.1 Does the device support Wi-Fi? Yes CONN-1.1.2 Does the device support Bluetooth? No Does the device support other wireless CONN-1.1.3 network connectivity (e.g., LTE, Zigbee, No proprietary)? Does the device support other wireless CONN-1.1.4 connections (e.g., custom RF controls, No wireless detectors)? CONN-1.2 Does the device support physical connections? Yes CONN-1.2.1 Does the device have available RJ45 Ethernet ports? Yes CONN-1.2.2 Does the device have available USB ports? Yes CONN-1.2.3 Does the device require, use, or support removable memory devices? Yes CONN-1.2.4 Does the device support other physical connectivity? No Does the manufacturer provide a list of CONN-2 network ports and protocols that are used Yes or may be used on the device? CONN-3 Can the device communicate with other systems within the customer environment? Yes Can the device communicate with CONN-4 other systems external to the customer Yes environment (e.g., a service host)? 36 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note The device receives API calls over the CONN-5 Does the device make or receive API calls? SRS network when Yes service interacts with it for trouble- shooting purposes. CONN-6 Does the device require an internet connection for its intended use? No CONN-7 Does the device support Transport Layer Only as encrypted Security (TLS)? Yes DICOM CONN-7.1 Is TLS configurable? No Does the device provide operator control CONN-8 functionality from a separate device No (e.g., telemedicine)? PERSON AUTHENTICATION (PAUT) The ability to configure the device to authenticate users. Does the device support and enforce PAUT-1 unique IDs and passwords for all users and Yes roles (including service accounts)? Does the device enforce authentication of There is no enforce- PAUT-1.1 unique IDs and passwords for all users and No ment if the user roles (including service accounts)? does not want to. Is the device configurable to authenticate PAUT-2 users through an external authentication service (e.g., MS Active Directory, NDS, Yes Active Directory. LDAP, OAuth, etc.)? Is the device configurable to lock out a PAUT-3 user after a certain number of unsuccessful Configurable by Yes logon attempts? System Admin. Are all default accounts (e.g., technician PAUT-4 service accounts, administrator accounts) Yes listed in the documentation? PAUT-5 Can all passwords be changed? Yes Is the device configurable to enforce Password PAUT-6 creation of user account passwords that Complexity is meet established (organization specific) Yes configurable by complexity rules? System Admin. siemens-healthineers.com/cybersecurity 37 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note Does the device support account Configurable by PAUT-7 passwords that expire periodically? Yes System Admin. PAUT-8 Does the device support multi-factor The device supports authentication? Yes PKI authentication PAUT-9 Does the device support single sign-on (SSO)? No PAUT-10 Can user accounts be disabled/locked on the device? Yes PAUT-11 Does the device support biometric controls? No PAUT-12 Does the device support physical tokens The device supports (e.g., badge access)? See Notes PKI authentication smart cards PAUT-13 Does the device support group authentication (e.g., hospital teams)? No Does the application or device store or PAUT-14 manage authentication credentials? Yes Are credentials stored using a secure PAUT-14.1 method? Yes PHYSICAL LOCKS (PLOK) Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of personally identifiable information stored on the device or on removable media. PLOK-1 Is the device software only? If yes, answer “N/A” to remaining questions in this section. No Are all device components maintaining personally identifiable information (other PLOK-2 than removable media) physically secure Yes (i.e., cannot remove without tools)? Are all device components maintaining personally identifiable information (other PLOK-3 than removable media) physically secured No behind an individually keyed locking device? 38 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note Does the device have an option for the PLOK-4 customer to attach a physical lock to No restrict access to removable media? ROADMAP FOR THIRD PARTY COMPONENTS IN DEVICE LIFE CYCLE (RDMP) Manufacturer’s plans for security support of third-party components within the device’s life cycle. Was a secure software development process, such as ISO/IEC 27034 or RDMP-1 IEC 62304, followed during product Yes development? Does the manufacturer evaluate third-party applications and software components RDMP-2 included in the device for secure Yes development practices? Does the manufacturer maintain a web RDMP-3 page or other source of information on Yes In LifeNet software support dates and updates? Does the manufacturer have a plan RDMP-4 for managing third-party component Yes end-of-life? SOFTWARE BILL OF MATERIALS (SBoM) A Software Bill of Material (SBoM) lists all the software components that are incorporated into the device being described for the purpose of operational security planning by the healthcare delivery organization. This section supports controls in the RDMP section. SBOM-1 Is the SBoM for this product available? Yes Does the SBoM follow a standard or SBOM-2 common method in describing software Yes components? SBOM-2.1 Are the software components identified? Yes SBOM-2.2 Are the developers/manufacturers of the software components identified? Yes siemens-healthineers.com/cybersecurity 39 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note SBOM-2.3 Are the major version numbers of the software components identified? Yes SBOM-2.4 Are any additional descriptive elements identified? Yes Does the device include a command or SBOM-3 process method available to generate a list of software components installed on the No device? SBOM-4 Is there an update process for the SBoM? Yes SYSTEM AND APPLICATION HARDENING (SAHD) The device's inherent resistance to cyber attacks and malware. SAHD-1 Is the device hardened in accordance with any industry standards? Yes SAHD-2 Has the device received any cybersecurity certifications? No SAHD-3 Does the device employ any mechanisms for software integrity checking See Notes Does the device employ any mechanism (e.g., release-specific hash key, checksums, SAHD-3.1 digital signature, etc.) to ensure the See Notes installed software is manufacturer- authorized? Does the device employ any mechanism (e.g., release-specific hash key, checksums, SAHD-3.2 digital signature, etc.) to ensure the See Notes software updates are the manufacturer- authorized updates? Can the owner/operator perform software SAHD-4 integrity checks (i.e., verify that the system No has not been modified or tampered with)? Is the system configurable to allow the SAHD-5 implementation of file-level, patient level, Yes or other types of access controls? SAHD-5.1 Does the device provide role-based access controls? Yes 40 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note Are any system or user accounts SAHD-6 Unrestricted or disabled by the No manufacturer at system delivery? Are any system or user accounts SAHD-6.1 configurable by the end user after initial Yes configuration? Does this include restricting certain SAHD-6.2 system or user accounts, such as service No technicians, to least privileged access? Are all shared resources (e.g., file shares) SAHD-7 which are not required for the intended use Yes of the device disabled? Are all communication ports and protocols SAHD-8 that are not required for the intended use Yes of the device disabled? Are all services (e.g., telnet, file transfer protocol [FTP], internet information server SAHD-9 [IIS], etc.), which are not required for Yes the intended use of the device deleted/ disabled? Are all applications (COTS applications as well as OS-included applications, e.g., SAHD-10 MS Internet Explorer, etc.) which are not No required for the intended use of the device deleted/disabled? Can the device prohibit boot from uncontrolled or removable media (i.e., SAHD-11 a source other than an internal drive or Yes memory component)? Can unauthorized software or hardware be SAHD-12 installed on the device without the use of No physical tools? Does the product documentation include SAHD-13 information on operational network No security scanning by users? SAHD-14 Can the device be hardened beyond the default provided state? No SAHD-14.1 Are instructions available from vendor for increased hardening? No SHAD-15 Can the system prevent access to BIOS or other bootloaders during boot? Yes siemens-healthineers.com/cybersecurity 41 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note Have additional hardening methods not SAHD-16 included in 2.3.19 been used to harden the No device? SECURITY GUIDANCE (SGUD) Availability of security guidance for operator and administrator of the device and manufacturer sales and service. SGUD-1 Does the device include security documentation for the owner/operator? Yes Does the device have the capability, and SGUD-2 provide instructions, for the permanent Yes deletion of data from the device or media? SGUD-3 Are all access accounts documented? Yes SGUD-3.1 Can the owner/operator manage password control for all accounts? Yes Does the product include documentation SGUD-4 on recommended compensating controls No for the device? HEALTH DATA STORAGE CONFIDENTIALITY (STCF) The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of personally identifiable information stored on the device or removable media. STCF-1 Can the device encrypt data at rest? Available as Yes additional feature STCF-1.1 Is all data encrypted or otherwise protected? Yes STCF-1.2 Is the data encryption capability configured by default? No Service STCF-1.3 Are instructions available to the customer to configure encryption? No representative needed STCF-2 Can the encryption keys be changed or configured? No 42 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Question ID Question Answer See note STCF-3 Is the data stored in a database located on the device? Yes STCF-4 Is the data stored in a database external to the device? No TRANSMISSION CONFIDENTIALITY (TXCF) The ability of the device to ensure the confidentiality of transmitted personally identifiable information. Can personally identifiable information TXCF-1 be transmitted only via a point-to-point No dedicated cable? Is personally identifiable information Only available if TXCF-2 encrypted prior to transmission via a See Notes encrypted DICOM network or removable media? protocol used TXCF-2.1 If data is not encrypted by default, can the customer configure encryption options? No Is personally identifiable information TXCF-3 transmission Unrestricted to a fixed list No of network destinations? TXCF-4 Are connections limited to authenticated systems? No Are secure transmission methods TXCF-5 supported/implemented (DICOM, HL7, See Notes Encrypted DICOM IEEE 11073)? supported TRANSMISSION INTEGRITY (TXIG) The ability of the device to ensure the integrity of transmitted data. Does the device support any mechanism TXIG-1 (e.g., digital signatures) intended to ensure No data is not modified during transmission? TXIG-2 Does the device include multiple sub- components connected by external cables? No siemens-healthineers.com/cybersecurity 43 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement for Medical Device Security – MDS2 Question ID Question Answer See note REMOTE SERVICE (RMOT) Remote service refers to all kinds of device maintenance activities performed by a service person via network or other remote connection. RMOT-1 Does the device permit remote service connections for device analysis or repair? Yes the owner/operator Does the device allow the owner/operator would need to put RMOT-1.1 to initiative remote service sessions for the system into full Yes device analysis or repair? access in order to allow a remote service session. Yes, there is a tele- phone answered icon that appears in RMOT-1.2 Is there an indicator for an enabled and the lower right hand active remote session? Yes of the main imaging screen when the system is accessed remotely. Only with owner/ RMOT-1.3 Can patient data be accessed or viewed from the device during the remote session? Yes operator consent provided to the remote requestor. Does the device permit or use remote RMOT-2 service connections for predictive Yes maintenance data? Does the device have any other remotely Remote updates, RMOT-3 accessible functionality (e.g., software Yes remote training, updates, remote training)? remote assistance OTHER SECURITY CONSIDERATIONS (OTHR) NONE 44 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Manufacturer Disclosure Statement According to IEC 60601-1 Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13 1. Network properties required by the system and resulting risks 1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1Gb/s performance: • If the network is down, the network services (see below) are not available which can lead to the risks stated below. • If the network is unavailable, medical images cannot be transferred for remote consultation. • If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below. • If the recommended network performance (1Gbit/s) is not provided, the transfer of images is extended, and availability of images at destinations (e.g., for consulting) is delayed. • Only the protocols shown in the table of used ports are needed for communication. 1-2 PACS system for archiving images/results • If the PACS is not available: images cannot be archived after the examination. In case of a system hardware failure, all non-archived – images can be lost. images cannot be archived after the examination. Examinations may no longer be possible because the – hard drive is full as non-archived images cannot be automatically removed. images cannot be archived after the examination. In case of manual deletion of images, unarchived images – can be lost. images are not available for remote consultation via PACS consoles. – prior images are not available. – • If the recommended network performance (1Gbit/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system consecutive to the last transfer operations is prolonged. 1-3 DICOM printer • If the DICOM printer is not available, film is not available for diagnosis/archive. 1-4 RIS system • If the RIS system is not available: the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of – images when sent to the PACS until they are manually coerced with the RIS data in the PACS. In case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-actual RIS – data is used when registering a patient from the list of schedules on the system. 1-5 Network connection to the SRS server • If the connection to the Smart Remote Services server is not available, then support from Siemens Healthineers service is limited. 1-6 Common medical protocol properties • Protocols used in medical environments are typically unsecure, with the exception of secure Smart Remote Services (using HTTPS). siemens-healthineers.com/cybersecurity 45 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement According to IEC 60601-1 Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13 2. Instructions for the responsible organization 2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks. 2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis. 2-3 Changes to the network include: • changes in network configuration • connection to additional items to the network • disconnecting items from the network • update of equipment connected to the network • upgrade of equipment connected to the network 2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected. 2-5 The RESPONSIBLE ORGANIZATION is fully responsible to ensure staff who have access to the device do not have the opportunity to provide any harm to the system. 2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons. 2-7 Staff of the RESPONSIBLE ORGANIZATION has to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this. 2-8 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that only authorized medical/administrative staff shall have access to the device. 2-9 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that visitors/patients do not have unsupervised physical access to the system. 2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers. 2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system. 2-12 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet or the organization’s intranet to the device is possible. 2-13 The RESPONSIBLE ORGANIZATION is responsible to ensure physical security for the device. 2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used. 2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way. 2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic. 2-17 The RESPONSIBLE ORGANIZATION is responsible for the hard drive encryption keys and for preventing the theft or loss of those keys. 46 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper 3. Intended purpose of integrating the device into an IT network 3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network. 3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of images acquired to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS making future retrievals fast and easy. 3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage. 4. Network properties required by the system and resulting risks 4-1 Unsuccessful data transfer not recognized Function: Archiving and Networking Hazard: Wrong diagnosis / loss of acquisition data Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted locally before it has been successfully transferred to another system. Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data. Effect on: Patient 4-2 Incorrect or incomplete data transfer Function: Data Exchange – Network Hazard: Wrong diagnosis, wrong examination / loss of acquisition data, loss of post processing results, corrupted data, inconsistent data Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, not all DICOM objects that are not considered are deleted, corrupted or unintentionally manipulated. Data on the sender and receiver side is not consistent. Failure of transfer not recognized. Measure: It has to be verified by testing, that there is no object loss during sending, which means: • Verify that exception scenarios result in a failed job (and check for other exceptions in log files). • Verify that error cases, which result in data not complying with the DICOM standard, are covered by exception scenarios. Effect on: Patient siemens-healthineers.com/cybersecurity 47 Product and security white paper · ACUSON Sequoia VA20 Manufacturer Disclosure Statement According to IEC 60601-1 Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13 4. Network properties required by the system and resulting risks 4-3 Insecure or incorrectly configured clinical network Function: Network Security Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS Caution: Unauthorized access may affect system performance and data security. Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to: • Lowered system performance and/or non-operational system • Loss of data security including loss of all patient data Measure: • Enable your system administrator to ensure network security and the security of the operational infrastructure • Consult manuals for secure setup • Perform system updates as required • Run your medical device only in protected network environments, and do not connect it directly to public networks • Set up firewalls • Prevent configuration files from being changed by users • Update and patch networked systems as required Effect on: Patient 4-4 Bitlocker recovery keys not available when needed Function: Hard drive encryption Hazard: loss of patient data, system DoS Caution: Customer should keep Bitlocker recovery keys safe Cause: In the case the customer opted for hard drive encryption and if BitLocker fails to access the encrypted drive for whatever reason, then the recovery keys will be needed by Siemens Healthineers Service to pause encryption and have offline access to the hard drive and the patient data stored in it. Effect on: Patient, System 48 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Abbreviations AD Active Directory MD5 Message Digest 5 AES Advanced Encryption Standard MDS2 Manufacturer Disclosure BIOS Basic Input Output System Statement DES Data Encryption Standard MSTS Microsoft Terminal Server DICOM Digital Imaging and NEMA National Electrical Communications in Medicine Manufacturers Association DISA Defense Information Systems NTP Network Time Protocol Agency OCR Office for Civil Rights DMZ Demilitarized Zone OU Organizational Unit DoS Denial of Service PACS Picture Archiving and ePHI Electronic Protected Health Communication System Information PHI Protected Health Information FDA Food and Drug Administration PII Personally Identifiable FIPS Federal Information Processing Information Standards RIS Radiology Information System GPO Group Policy Object RPC Remote Procedure Call HHS Health and Human Services RSA Random Sequential Adsorption HIPAA Health Insurance Portability SAM Security Accounts Manager and Accountability Act SHA Secure Hash Algorithm HIMSS Healthcare Information and Management Systems Society SQL Structured Query Language Hypertext Transfer Protocol SRS Smart Remote Services HTTP HTTPS HTTP Secure STIG Security Technical Implementation Guideline ICS Integrated Communication Services SW Software IEC International Electrotechnical TCP Transmission Control Protocol Commission UltraVNC Ultra Virtual Network Computing IVM Intervention Module Lightweight Directory Access UDP User Datagram Protocol LDAP Protocol VPN Virtual Private Network siemens-healthineers.com/cybersecurity 49 Product and security white paper · ACUSON Sequoia VA20 Disclaimer According to International Electrotechnical IEC 80001-1 Commission Glossary (extract) 1-1 The Device has the capability to be connected Responsible organization: to a medical IT-network which is managed under Entity accountable for the use and maintenance of a full responsibility of the operating responsible medical IT network. organization. It is assumed that the responsible organization assigns a Medical IT-Network Risk ACUSON Sequoia is a trademark of Siemens Medical Manager to perform IT-Risk Management (see IEC Solutions USA, Inc. 80001-1:2010/EN 80001-1:2011) for IT-networks Adobe is either a trademark or registered trademark of incorporating medical devices Adobe Systems Incorporated in the United States and/or other countries. 1-2 This statement describes Device-specific IT- networking safety and security capabilities. Intel is a trademark of Intel Corporation in the United It is not a responsibility agreement according States and other countries. to IEC 80001-1:2010/EN 80001-1:2011. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other 1-3 Any modification of the platform, the software or countries. the interfaces of the Device – unless authorized and approved by Siemens Healthcare GmbH Healthcare McAfee is a registered trademark of McAfee, LLC or its voids all warranties, liabilities, assertions and subsidiaries in the US and other countries. – contracts. NVIDIA is a registered trademark of NVIDIA Corporation. The responsible organization acknowledges that PowerScribe® 360 | Reporting is a registered trademark 1-4 the Device’s underlying standard computer with of Nuance Communications, Inc. operating system is to some extent vulnerable to typical attacks like, e.g., malware or denial-of- service. 1-5 Unintended consequences (like, e.g., misuse/loss/ corruption) of data not under control of the Device, e.g., after electronic communication from the Device to some IT-network or to some storage, are under the responsibility of the responsible organization. 1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT-network. The responsible organization must ensure – through technical and/or organizational measures – that only authorized use of the external connections and storage media is permitted. 50 siemens-healthineers.com/cybersecurity ACUSON Sequoia VA20 · Product and security white paper Statement on FDA Cybersecurity Guidance Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements. The representations contained in this white paper are designed to describe Siemens Healthineers’ approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cyber- security efforts will ensure that its medical devices/ systems will be error-free or secure against cyberattack. siemens-healthineers.com/cybersecurity 51 Siemens Healthineers Headquarters Legal Manufacturers Siemens Healthcare GmbH Siemens Medical Solutions USA, Inc. Henkestr. 127 Ultrasound 91052 Erlangen, Germany 685 E. Middlefield Road Phone: +49 9131 84-0 Mountain View, CA 94043 siemens-healthineers.com USA Phone: 1-888-826-9702 siemens-healthineers.com/ultrasound Published by Siemens Medical Solutions USA, Inc. · 8536 0320 online · ©Siemens Medical Solutions USA, Inc., 2020