
ACUSON P500 Ultrasound System VB10 Security and MDS² Form
ACUSON P500 is a trademark of Siemens Medical Solutions USA, Inc. Copyright © Siemens Healthcare GmbH, 2020
White paper
ACUSON P500 ultrasound system, release VB10
Security and MDS2 Form
Facts about security and privacy requirements
siemens-healthineers.com/ultrasound

Product and solution security white paper · ACUSON P500 VB10

The Siemens Healthineers product and solution security program

At Siemens Healthineers, we are committed to working with you to address your cybersecurity and privacy requirements.

Our Product and Solution Security Office is responsible for our global program to ensure that cybersecurity is addressed throughout the lifecycle of our medical devices.

Our product and solution security program addresses state-of-the-art cybersecurity in our current and future products. We support you to protect the privacy of your data, at the same time providing measures that strengthen the resiliency of our products from external cybersecurity attackers.

To help you meet your IT security and privacy obligations, we comply with security and privacy regulations of the U.S. Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights (OCR).

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities.

Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our medical devices, no matter the source.

Elements of our product and solution security program

• Provide information about the secure configuration and use of Siemens Healthineers medical devices in your IT environment.
• Formal threat and risk analysis for our medical devices.
• Secure architecture, design and coding methodologies in our software development process.
• Static code analysis of medical device software.
• Security testing of medical devices under development as well as medical devices already in the field.
• Patch management tailored to the medical device and your requirements.
• Security vulnerability monitoring to track reported third-party component issues in our medical devices.
• Work with suppliers to ensure security is addressed throughout the supply chain.
• Employee training to ensure their knowledge is consistent with the requirements that contribute to protecting your data and device integrity.

Please contact us anytime to report product and solution security, cybersecurity or privacy incidents, by email to: productsecurity@siemens-healthineers.com

For all other communications with Siemens Healthineers about product and solution security: ProductTechnologyAssurance.dl@siemens-healthineers.com

Yours sincerely,
Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers

Contents

• Basic Information
• Network Information
• Security Controls
• Software Bill of Materials
• Manufacturer Disclosure Statement According to IEC 60601-1
• Manufacturer Disclosure Statement for Medical Device Security – MDS2
• Abbreviations
• Disclaimer According to IEC 80001-1
• International Electrotechnical Commission Glossary (extract)
• Statement on FDA Cybersecurity Guidance

Basic Information

Why is cybersecurity important?

Keeping patient data safe and secure should typically be one of the top priorities of healthcare institutes. It is estimated that the cost associated in the recovery of each medical record in the United States can be as high as $380 [1]. According to the Ponemon Institute research report [2], 39% of medical devices were hacked, with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

The Siemens Healthineers product security program

Cybersecurity is essential for digitalizing healthcare. At Siemens Healthineers, we build secure products, keep them protected throughout their lifecycle, and continuously refine our cybersecurity safeguards for every product generation. We communicate proactively about the security controls of our equipment. We inform about vulnerabilities and how we have addressed them. We deliver solutions that help keep the equipment as secure as possible. We follow the FDA’s post-market guidance and are aligned with industry best practices to continuously monitor all security relevant components for newly identified vulnerabilities.

Our purpose is to help healthcare providers succeed

The Siemens Healthineers ACUSON P500 VB10 ultrasound system is designed to provide clinicians with an innovative and diverse range of applications and features at the point-of-care so they are able to see better, scan faster and go further. Also, ACUSON P500 Ultrasound System, ICE Edition integrates the imaging capabilities of Siemens Healthineers AcuNav ultrasound catheter technologies with the ACUSON P500 ultrasound system to provide real-time visualization of cardiac anatomy.

Operating systems

Please refer to the Software Bill of Material chapter.

User account information

• ACUSON P500 VB10 software supports local system accounts that can be managed by the local administrator of the system.
• The system provides preconfigured Password Policies that can be customized by administrators.

Patching strategy

• Security patches will be provided as needed to maintain clinical function of the medical device after validation by Siemens Healthineers.
• If connected to Smart Remote Services (SRS), updates can be pushed to the system automatically.
• Technologies and software components are actively monitored for vulnerabilities and availability of security updates.

Handling of sensitive data

• This ultrasound system is designed for temporary data storage only. Siemens Healthineers recommends storing data to a long-term archive, e.g., on a PACS and shall be deleted in a facility-defined procedure.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system similar to DICOM data, raw data, and meta data for DICOM creation. Note: The time for which PHI is stored is determined by the facility.
• Personally Identifiable Information (PII) as part of the DICOM records also is stored temporarily on the ultrasound system, e.g., patient’s name, birthday or age, height and weight, personal identification number, and referring physician’s name. Additional sensitive information might be present in user-editable input fields or in the images acquired.
[1] https://healthitsecurity.com/news/how-much-do-healthcare-data-breaches-cost-organizations
[2] Ponemon Institute research report, Medical Device Security: An Industry Under Attack and Unprepared to Defend; https://www.ajg.com/media/1699098/medical-devicecybersecuritywhitepaper.pdf

Network Information

[Figure 1: System Deployment overview with regard to network boundaries. Labelled elements: Ultrasound Machine, PACS/RIS, Network Share, SRS Router, VPN, Smart Remote Services Access Server, Clinical Network, Internet. Link labels: "IN, OUT: TCP, UDP, RDP"; "IN, OUT: TCP, UDP"; "IN, OUT: DICOM, SRS"; "IN, OUT: DICOM"; "OUT: TCP".]

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN).

To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall and/or use access control lists on the network switches to limit traffic to identified peers.

At minimum, the DICOM Port (see Used Port Table below) needs to be visible for customer DICOM network nodes (e.g., PACS, syngo®.via etc).

Please contact the Siemens Healthineers Service organization for further information.

The following ports are used by the system. All of the ports are closed except for the ports listed in Table 1.
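One way a site could check its segment against the firewall and access-control-list recommendation above, as an added example that is not Siemens Healthineers code: it audits accepted flow records for the ultrasound system against the TCP ports of Table 1 and a list of identified peers. The device address, the peer policy and the log format are constructed assumptions.

```python
"""Audit flow records for the ultrasound system against Table 1 and a peer list."""
import csv
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Table 1 of the white paper: TCP ports the system uses, with direction.
TABLE_1 = {80: "in", 81: "in", 104: "in/out", 383: "in", 443: "in",
           445: "in", 515: "in", 11080: "in", 11081: "in"}

# Constructed address of the ultrasound system inside its dedicated segment.
DEVICE = ip_address("10.20.0.50")


@dataclass(frozen=True)
class Peer:
    name: str
    net: object           # ip_network holding the peer's address(es)
    inbound: frozenset    # Table 1 ports this peer may reach on the device
    outbound: frozenset   # ports the device may reach on this peer


# Constructed site policy (the "identified peers"); every site defines its own.
PEERS = (
    Peer("PACS/RIS", ip_network("10.20.0.10/32"),
         frozenset({104}), frozenset({104})),
    # Outbound SRS ports are not given on the page, so none are assumed here.
    Peer("SRS router", ip_network("10.20.0.1/32"),
         frozenset({80, 443, 11080, 11081}), frozenset()),
)


def classify(src, dst, proto, dport, action):
    """Return a finding name for one accepted flow, or None if it is expected."""
    if action != "ALLOW":
        return None                       # the ACL already dropped this flow
    src, dst = ip_address(src), ip_address(dst)
    if dst == DEVICE:
        if proto != "tcp" or "in" not in TABLE_1.get(dport, ""):
            return "unlisted-port"        # not one of the Table 1 inbound ports
        if not any(src in p.net and dport in p.inbound for p in PEERS):
            return "unidentified-peer"    # listed port, but source not allowed
        return None
    if src == DEVICE:
        allowed = any(dst in p.net and dport in p.outbound for p in PEERS)
        return None if proto == "tcp" and allowed else "unexpected-outbound"
    return None                           # flow does not involve the device


def audit(log_text):
    """Parse 'time,src,dst,proto,dport,action' records and list the findings."""
    findings = []
    for row in csv.reader(log_text.strip().splitlines()):
        row = [field.strip() for field in row]
        if not row:
            continue
        try:
            ts, src, dst, proto, dport, action = row
            verdict = classify(src, dst, proto.lower(), int(dport), action.upper())
        except ValueError:                # wrong field count, bad address or port
            findings.append((row[0], "unparsed", ",".join(row)))
            continue
        if verdict:
            findings.append((ts, verdict, f"{src} -> {dst}:{proto}/{dport}"))
    return findings


# Constructed flow records, as a firewall or switch export might provide them.
SAMPLE_LOG = """
2024-05-01T08:00:01Z,10.20.0.10,10.20.0.50,tcp,104,ALLOW
2024-05-01T08:00:07Z,10.20.0.50,10.20.0.10,tcp,104,ALLOW
2024-05-01T08:02:13Z,10.20.0.77,10.20.0.50,tcp,445,ALLOW
2024-05-01T08:03:40Z,10.20.0.10,10.20.0.50,tcp,8080,ALLOW
2024-05-01T08:04:02Z,10.20.0.50,203.0.113.9,tcp,443,ALLOW
2024-05-01T08:05:00Z,192.0.2.44,10.20.0.50,tcp,80,DENY
2024-05-01T08:06:00Z,10.20.0.1,10.20.0.50,tcp,11080,ALLOW
2024-05-01T08:07:00Z,10.20.0.10,10.20.0.50,udp,104,ALLOW
not,a,valid,record
"""

if __name__ == "__main__":
    for when, finding, detail in audit(SAMPLE_LOG):
        print(f"{when}  {finding:<20} {detail}")
```

A finding on an accepted flow means the segment's ACL let through traffic that the port table or the peer list does not cover; denied flows are ignored because the control already worked.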
| Port number | Service/function | Direction | Protocol |
|---|---|---|---|
| 80 | Administration Portal – Remote Service | Inbound | TCP |
| 81 | Diagnostics | Inbound | TCP |
| 104 | DICOM communication | In/outbound | TCP |
| 383 | Managed Node Package MNP | Inbound | TCP |
| 443 | Administration Portal – Remote Service | Inbound | TCP (encrypted) |
| 445 | MSFT network protocols | Inbound | TCP |
| 515 | Windows Printer Service | Inbound | TCP |
| 11080 | Remote Assist (Team Viewer) | Inbound | TCP |
| 11081 | Remote Assist (Team Viewer) | Inbound | TCP |

Table 1: Used Port Numbers

Security Controls

Malware protection

Whitelisting (Microsoft Windows EWF (Enhanced Write Filter) and EMET).

Authentication authorization controls

• The ACUSON P500 VB10 software supports role-based privilege assignment (Admin and Non-Admin) and access control to patient data.
• The user interface of the ACUSON P500 VB10 software provides a screen lock functionality that can be engaged automatically after a certain inactivity time. For details, please refer to the User Manual.

Continuous vulnerability assessment and remediation

Continuous Vulnerability Assessment is performed.

Network controls

• The system is designed to make limited use of network ports and protocols. The Microsoft Windows firewall is configured to block unwanted inbound network traffic except for the ports listed in Table 1.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g., a separate network segment or a VLAN.
• Connection to the Internet or private networks used by patients/guests is not recommended.
• In case of a denial-of-service (DoS) or malware attack, the system can be taken off the network and operated stand-alone.

Physical protection

• You are responsible for the physical protection of the ACUSON P500 system’s VB10 software, e.g., by installing it in a room with controlled access. Please note that the computer contains patient data and should be protected against tampering and theft.
• It is possible to change the BIOS password. Please contact Siemens Healthineers service for support.

Data protection controls

• The system is not intended to be an archive (data at rest).
• PHI is protected by role-based privilege assignment and access control.
• ACUSON P500 VB10 software provides local user accounts.

Remote connectivity

SRS is optionally used for proactive maintenance. The connection is created using a secured channel (VPN- or IBC-based). It may be used to download security patches and updates.

Incident response and management

The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents.

Software Bill of Materials

The following table lists the most relevant third-party technologies used (general drivers not included).
| Vendor name / URL | Component name | Component version | Description / use |
|---|---|---|---|
| Adobe | Acrobat Professional | 9.x | |
| Adobe | Flash Player | 15.0.0.223 | |
| Apache Software Foundation | Formatting Objects Processor (FOP) | 1.0 | |
| Azul Systems | Zulu | 8.11 | |
| Cirque | GlidePoint Driver for Windows | 3.x | |
| D R Commander | libjpeg-turbo | 1.4.0 | |
| Dino Chiesa | DotNetZip | 1.9.1.8 | |
| Independent JPEG Group | libjpeg | 8 | |
| Intel | Integrated Performance Primitives (IPP) | 5.1 | |
| Intel | Integrated Performance Primitives (IPP) | 7.1 | |
| Intel | Intel Ethernet Connection I218-LM | 12.13.17.7 | |
| Intel | Intel Graphics Drivers | 15.40 | |
| Intel | Intel PROSet/Wireless Software | 15.1 | |
| Lee Thomason | TinyXML | 2.0 | |
| Merge Healthcare Incorporated | DICOM Toolkit | 3.8.0.2 | |
| MetaGeek LLC | inSSIDer | 2.1.5 | |
| Michael Pall | LuaJIT | 2.0.2 | |
| Microsoft | .NET Framework | 1.1 | |
| Microsoft | .NET Framework | 2.0 SP2 | |
| Microsoft | .NET Framework | 3.5 SP1 | |
| Microsoft | .NET Framework | 3.0 SP1 | |
| Microsoft | .NET Framework | 4.0 | |
| Microsoft | .NET Framework | 4.6 | |
| Microsoft | DirectX | 11 | |
| Microsoft | Enhanced Mitigation Experience Toolkit (EMET) | 5.52 | |
| Microsoft | Enhanced Write Filter Management | 1.0 | |
| Microsoft | Internet Explorer | 8.x | |
| Microsoft | Microsoft XML Core Services (MSXML) | 4.0 SP2 | |
| Microsoft | Silverlight | 5.1.x | |
| Microsoft | SQL Server 2008 Express Edition | R2 SP2 | |
| Microsoft | Visual C++ 2005 Redistributable Package (x86) | SP1 | |
| Microsoft | Visual C++ 2008 Redistributable Package (x86) | SP1 | |
| Microsoft | Visual C++ 2010 Redistributable Package (x86) | SP1 (10.0.40219) | |
| Microsoft | Windows Embedded Standard 7 | Service Pack 1 | |
| Mitsubishi Electric Corporation | CP30DW Windows Printer Driver | 2.4 | |
| Mitsubishi Electric Corporation | P95DW Windows Printer Driver | 1.2 | |
| Motorola | Motorola Scanner SDK for Windows | 1.2 | |
| Nicomsoft Ltd. | Advanced WiFi-Manager | 5.4 | |
| Nigel Stewart | OpenGL Extension Wrangler Library (GLEW) | 1.7.0 | |
| NVIDIA | CUDA Toolkit | 4.x | |
| Oleg Krivtsov | CrashRpt | 1.4.2 | |
| peter.dolkens | NuGet Package: Ionic.Zip | 1.9.1.8 | |
| Prism | Prism | 4.0 | |
| Python Software Foundation | Python | 2.7.2 | |
| Realtek Semiconductor Corp. | High Definition Audio Driver | 6.0 | |
| Riverbed Technology | Wireshark | 1.12.7 | |
| Silicon Laboratories Inc. | USB Driver for CP210x | 6.7 | |
| Snappy for .NET | Snappy for .NET | 1.x | |
| Sony | UP-D25MD Windows Printer Driver | 1.1.0 | |
| Sony | UP-D898MD Printer Driver for Windows | 1.00 | |
| Stéphane Bidoul | Libxml and Libxslt Python Bindings for Windows | 2.7.7 | |
| Trillium Technology | ShowCase CD Viewer | 5.4 | |
| WinPcap | WinPcap | 4.1.3 | |
| Yann Ollivier | Mathematical expression parser in C++ | 2.0 | |

Manufacturer Disclosure Statement According to IEC 60601-1

Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1. Network properties required by the system and resulting risks

1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1Gb/s performance:
• If the network is down, the network services (see below) are not available which can lead to the risks stated below.
• If the network is unavailable, medical images cannot be transferred for remote consultation.
• If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below.
• If the recommended network performance (1Gbit/s) is not provided, the transfer of images is extended, and availability of images at destinations (e.g., for consulting) is delayed.
• Only the protocols shown in the table of used ports are needed for communication.

1-2 PACS system for archiving images/results
• If the PACS is not available:
  – images cannot be archived after the examination. In case of a system hardware failure, all non-archived images can be lost.
  – images cannot be archived after the examination. Examinations may no longer be possible because the hard drive is full as non-archived images cannot be automatically removed.
  – images cannot be archived after the examination. In case of manual deletion of images, unarchived images can be lost.
  – images are not available for remote consultation via PACS consoles.
  – prior images are not available.
• If the recommended network performance (1Gbit/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system consecutive to the last transfer operations is prolonged.

1-3 DICOM printer
• If the DICOM printer is not available, film is not available for diagnosis/archive.

1-4 RIS system
• If the RIS system is not available:
  – the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images when sent to the PACS until they are manually coerced with the RIS data in the PACS.
  – In case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-actual RIS data is used when registering a patient from the list of schedules on the system.

1-5 Network connection to the SRS server
• If the connection to the Smart Remote Services server is not available, then support from Siemens Healthineers service is limited.

1-6 Common medical protocol properties
• Protocols used in medical environments are typically unsecure, with the exception of secure Smart Remote Services (using HTTPS).

2. Instructions for the responsible organization

2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.

2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis.

2-3 Changes to the network include:
• changes in network configuration
• connection to additional items to the network
• disconnecting items from the network
• update of equipment connected to the network
• upgrade of equipment connected to the network

2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.
2-5 The RESPONSIBLE ORGANIZATION is fully responsible to ensure staff who have access to the device do not have the opportunity to provide any harm to the system.

2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.

2-7 Staff of the RESPONSIBLE ORGANIZATION has to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this.

2-8 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that only authorized medical/administrative staff shall have access to the device.

2-9 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that visitors/patients do not have unsupervised physical access to the system.

2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers.

2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system.

2-12 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet or the organization’s intranet to the device is possible.

2-13 The RESPONSIBLE ORGANIZATION is responsible to ensure physical security for the device.

2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.

2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.

2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.

3. Intended purpose of integrating the device into an IT network

3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network.

3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of images acquired to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS making future retrievals fast and easy.

3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.

4. Network properties required by the system and resulting risks

4-1 Unsuccessful data transfer not recognized
Function: Archiving and Networking
Hazard: Wrong diagnosis / loss of acquisition data
Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted locally before it has been successfully transferred to another system.
Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
Effect on: Patient

4-2 Incorrect or incomplete data transfer
Function: Data Exchange – Network
Hazard: Wrong diagnosis, wrong examination / loss of acquisition data, loss of post processing results, corrupted data, inconsistent data
Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, not all DICOM objects that are not considered are deleted, corrupted or unintentionally manipulated. Data on the sender and receiver side is not consistent. Failure of transfer not recognized.
Measure: It has to be verified by testing, that there is no object loss during sending, which means:
• Verify that exception scenarios result in a failed job (and check for other exceptions in log files).
• Verify that error cases, which result in data not complying with the DICOM standard, are covered by exception scenarios.
Effect on: Patient

4-3 Insecure or incorrectly configured clinical network
Function: Network Security
Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS
Caution: Unauthorized access may affect system performance and data security.
Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
• Lowered system performance and/or non-operational system
• Loss of data security including loss of all patient data
Measure:
• Enable your system administrator to ensure network security and the security of the operational infrastructure
• Consult manuals for secure setup
• Perform system updates as required
• Run your medical device only in protected network environments, and do not connect it directly to public networks
• Set up firewalls
• Prevent configuration files from being changed by users
• Update and patch networked systems as required
Effect on: Patient, System

Manufacturer Disclosure Statement for Medical Device Security – MDS2

Device Description

Device Category: Diagnostic Ultrasound
Manufacturer: Siemens Medical Solutions USA, Inc.
Document ID: 11503987-FPD-001
Document Release Date: 10-May-19
Device Model: ACUSON P500
Software Revision: VB10
Software Release Date: 20-Mar-17

Manufacturer or Representative Contact Information
Company Name: Siemens Medical Solutions USA, Inc.
Manufacturer Contact Information: Siemens Medical Solutions – Ultrasound, 685 E Middlefield Rd, Mountain View, CA 94043
Representative Name / Position: YoungChul Kim / Senior Engineer

Intended use of device in network-connected environment

The Siemens Healthineers ACUSON P500 Ultrasound System is a portable diagnostic ultrasound system. The ACUSON P500 is intended for ultrasound imaging in the GI (General Imaging) and EM (Emergency Medicine) settings. Optionally, the ACUSON P500 can be configured to communicate to a hospital Picture Archive and Communications System (PACS). The following DICOM Services are supported: Store SCP / SCU, Modality Worklist SCU, Modality Performed Procedure Step SCU, Storage Commitment SCU and DICOM Structured Reporting SCU. Optionally, the ACUSON P500 can be configured to communicate with a Telexy Qview server to publish measurement results.

Management of Private Data

Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in this form. Each answer is Yes, No, N/A, or See Note, with the note number where one applies.

A Can this device display, transmit, or maintain private data (including electronic Protected Health Information [ePHI])? Answer: Yes

B Types of private data elements that can be maintained by the device:
B.1 Demographic (e.g., name, address, location, unique identification number)? Answer: Yes
B.2 Medical record (e.g., medical record #, account #, test or treatment date, device identification number)? Answer: Yes
B.3 Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)? Answer: Yes
B.4 Open, unstructured text entered by device user/operator? Answer: Yes
B.5 Biometric data? Answer: No
B.6 Personal financial information? Answer: No

C Maintaining private data ‒ Can the device:
C.1 Maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)? Answer: Yes
C.2 Store private data persistently on local media? Answer: Yes
C.3 Import/export private data with other systems? Answer: Yes
C.4 Maintain private data during power service interruptions? Answer: Yes

D Mechanisms used for the transmitting, importing/exporting of private data – Can the device:
D.1 Display private data (e.g., video display, etc.)? Answer: Yes
D.2 Generate hardcopy reports or images containing private data? Answer: Yes
D.3 Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)? Answer: Yes
D.4 Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)? Answer: Yes
D.5 Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)? Answer: Yes
D.6 Transmit/receive private data via an integrated wireless network connection (e.g., WiFi, Bluetooth, infrared, etc.)? Answer: Yes
D.7 Import private data via scanning? Answer: Yes
D.8 Other? Answer: N/A

Management of private data notes:

Security capabilities

Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. Each answer is Yes, No, N/A, or See Note, with the note number where one applies.

1 Automatic logoff (ALOF)
The device’s ability to prevent access and misuse by unauthorized users if device is left idle for a period of time.
1-1 Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? Answer: No
1-1.1 Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? (Indicate time [fixed or configurable range] in notes.) Answer: See Note 1
1-1.2 Can auto-logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) by the user? Answer: No
ALOF notes:
1) The screen lock feature is accessible to the user and has a configuration setting from 1 to 60 minutes. This only works in Patient Study Browser screen and Network configuration screen.

2 Audit controls (AUDT)
The ability to reliably audit activity on the device.
2-1 Can the medical device create an audit trail? Answer: Yes
2-2 Indicate which of the following events are recorded in the audit log:
2-2.1 Login/logout. Answer: Yes
2-2.2 Display/presentation of data. Answer: No
2-2.3 Creation/modification/deletion of data. Answer: Yes
2-2.4 Import/export of data from removable media. Answer: Yes
2-2.5 Receipt/transmission of data from/to external (e.g., network) connection. Answer: See Note 1
2-2.5.1 Remote service activity. Answer: N/A
2-2.6 Other events? (describe in the notes section) Answer: N/A
2-3 Indicate what information is used to identify individual events recorded in the audit log:
2-3.1 User ID. Answer: No
2-3.2 Date/time. Answer: Yes
AUDT notes:
1) The system leaves receipt/transmission of data from/to network connection but no user ID is included.

3 Authorization (AUTH)
The ability of the device to determine the authorization of users.
3-1 Can the device prevent access to unauthorized users through user login requirements or other mechanism? Answer: Yes
3-2 Can users be assigned different privilege levels within an application based on ‘roles’ (e.g., guests, regular users, power users, administrators, etc.)? Answer: Yes
3-3 Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via local root or admin account)? Answer: No
AUTH notes:

4 Configuration of security features (CNFS)
The ability to configure/re-configure device security capabilities to meet user’s needs.
4-1 Can the device owner/operator reconfigure product security capabilities? Answer: See Note 1
CNFS notes:
1) User can configure the authorization settings.

5 Cyber security product upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade device’s security patches.
5-1 Can relevant OS and device security patches be applied to the device as they become available? Answer: Yes (Note 1)
5-1.1 Can security patches or other software be installed remotely? Answer: Yes (Note 2)
CSUP notes:
1) Only security patches that become available through Siemens Healthineers are subject to be installed in the system.
2) Siemens Remote Service can push patches to system which are then installed once approved by the user.

6 Health data DE-identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.
6-1 Does the device provide an integral capability to de-identify private data? Answer: Yes (Note 1)
DIDT notes:
1) There is a feature in Patient Browser which will blank the DICOM tags identifying a particular patient.

7 Data backup and disaster recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, or software.
7-1 Does the device have an integral data backup capability (i.e., backup to remote storage or removable media such as tape, disk)? Answer: Yes (Note 1)
DTBK notes:
1) Patient data and system preset settings can be backed up to CD/DVD or USB storage.

8 Emergency access (EMRG)
The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data.
8-1 Does the device incorporate an emergency access (“break-glass”) feature? Answer: No
EMRG notes:

9 Health data integrity and authenticity (IGAU)
How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is from the originator.
9-1 Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology? Answer: No
IGAU notes:

10 Malware detection/protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).
10-1 Does the device support the use of anti-malware software (or other anti-malware mechanism)? Answer: Yes (Note 1)
10-1.1 Can the user independently re-configure anti-malware settings? Answer: No
10-1.2 Does notification of malware detection occur in the device user interface? Answer: N/A
10-1.3 Can only manufacturer-authorized persons repair systems when malware has been detected? Answer: N/A
10-2 Can the device owner install or update anti-virus software? Answer: See Note 2
10-3 Can the device owner/operator (technically/physically) update virus definitions on manufacturer-installed antivirus software? Answer: See Note 2
MLDP notes:
1) Microsoft Enhanced Write Filter (EWF) feature is used to protect the system partition. Microsoft Enhanced Mitigation Experience Toolkit (EMET) feature is used to prevent vulnerabilities by using security mitigation technologies.
2) Microsoft Windows security updates and the EMET tool can be applied to the system by offline software update or online.

11 Node authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.
11-1 Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information? Answer: No
NAUT notes:

12 Person authentication (PAUT)
Ability of the device to authenticate users.
12-1 Does the device support user/operator-specific username(s) and password(s) for at least one user? Answer: Yes (Note 1)
12-1.1 Does the device support unique user/operator-specific IDs and passwords for multiple users? Answer: Yes
12-2 Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)? Answer: No
12-3 Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts? Answer: Yes
12-4 Can default passwords be changed at/prior to installation? Answer: N/A (Note 2)
12-5 Are any shared user IDs used in this system? Answer: N/A
12-6 Can the device be configured to enforce creation of user account passwords that meet established complexity rules? Answer: Yes
12-7 Can the device be configured so that account passwords expire periodically? Answer: See Note 3
PAUT notes:
1) Only for Patient Study Browser screen and Network configuration screen.
2) There is no default account and password.
3) Password expiration is supported, but a periodic change of the user password is not enforced.
13 Physical locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media.
13-1 Are all device components maintaining private data (other than removable media) physically secure (i.e., cannot remove without tools)? Answer: See Note 1
PLOK notes:
1) Phillips screwdriver needed to remove.

14 Roadmap for third party components in device life cycle (RDMP)
Manufacturer’s plans for security support of 3rd party components within device life cycle.
14-1 In the notes section, list the provided or required (separately purchased and/or delivered) operating system(s) – including version number(s). Answer: See Note 1
14-2 Is a list of other third party applications provided by the manufacturer available? Answer: N/A
RDMP notes:
1) MS Windows Embedded Standard 7 SP1 (x64)

15 System and application hardening (SAHD)
The device’s resistance to cyber-attacks and malware.
15-1 Does the device employ any hardening measures? Please indicate in the notes the level of conformance to any industry-recognized hardening standards. Answer: N/A
15-2 Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update? Answer: Yes
15-3 Does the device have external communication capability (e.g., network, modem, etc.)? Answer: Yes
15-4 Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)? Answer: Yes
15-5 Are all accounts which are not required for the intended use of the device disabled or deleted, for both users and applications? Answer: Yes
15-6 Are all shared resources (e.g., file shares) which are not required for the intended use of the device, disabled? Answer: Yes
15-7 Are all communication ports which are not required for the intended use of the device closed/disabled? Answer: Yes
15-8 Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which are not required for the intended use of the device deleted/disabled? Answer: Yes
15-9 Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled? Answer: Yes
15-10 Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? Answer: Yes
15-11 Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools? Answer: No
SAHD notes:

16 Security guidance (SGUD)
The availability of security guidance for operator and administrator of the system and manufacturer sales and service.
16-1 Are security-related features documented for the device user? Answer: No
16-2 Are instructions available for device/media sanitization (i.e., instructions for how to achieve the permanent deletion of personal or other sensitive data)? Answer: No
SGUD notes:

17 Health data storage confidentiality (STCF)
The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on device or removable media.
17-1 Can the device encrypt data at rest? Answer: No
STCF notes:

18 Transmission confidentiality (TXCF)
The ability of the device to ensure the confidentiality of transmitted private data.
18-1 Can private data be transmitted only via a point-to-point dedicated cable? Answer: No
18-2 Is private data encrypted prior to transmission via a network or removable media? (If yes, indicate in the notes which encryption standard is implemented.) Answer: See Note 1
18-3 Is private data transmission restricted to a fixed list of network destinations? Answer: Yes
TXCF notes:
1) Encryption via industry standards is available with wireless networking.

19 Transmission integrity (TXIG)
The ability of the device to ensure the integrity of transmitted private data.
19-1 Does the device support any mechanism intended to ensure data is not modified during transmission? (If yes, describe in the notes section how this is achieved.) Answer: No
TXIG notes:

20 Other security considerations (OTHR)
Additional security considerations/notes regarding medical device security.
20-1 Can the device be serviced remotely? Answer: Yes
20-2 Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)? Answer: Yes
20-2.1 Can the device be configured to require the local user to accept or initiate remote access? Answer: Yes
OTHR notes:

Abbreviations
AD: Active Directory
AES: Advanced Encryption Standard
BIOS: Basic Input Output System
DES: Data Encryption Standard
DICOM: Digital Imaging and Communications in Medicine
DISA: Defense Information Systems Agency
DMZ: Demilitarized Zone
DoS: Denial of Service
ePHI: Electronic Protected Health Information
FDA: Food and Drug Administration
FIPS: Federal Information Processing Standards
GPO: Group Policy Object
HHS: Health and Human Services
HIPAA: Health Insurance Portability and Accountability Act
HIMSS: Healthcare Information and Management Systems Society
HTTP: Hypertext Transfer Protocol
HTTPS: HTTP Secure
ICS: Integrated Communication Services
IEC: International Electrotechnical Commission
IVM: Intervention Module
LDAP: Lightweight Directory Access Protocol
MD5: Message Digest 5
MDS2: Manufacturer Disclosure Statement
MSTS: Microsoft Terminal Server
NEMA: National Electrical Manufacturers Association
NTP: Network Time Protocol
OCR: Office for Civil Rights
OU: Organizational Unit
PACS: Picture Archiving and Communication System
PHI: Protected Health Information
PII: Personally Identifiable Information
RIS: Radiology Information System
RPC: Remote Procedure Call
RSA: Random Sequential Adsorption
SAM: Security Accounts Manager
SHA: Secure Hash Algorithm
SQL: Structured Query Language
SRS: Smart Remote Services
STIG: Security Technical Implementation Guideline
SW: Software
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
VPN: Virtual Private Network

Disclaimer According to IEC 80001-1
1-1 The Device has the capability to be connected to a medical IT-network which is managed under full responsibility of the operating legal entity (hereafter called “RESPONSIBLE ORGANIZATION”). It is assumed that the RESPONSIBLE ORGANIZATION assigns a Medical IT-Network Risk Manager to perform IT-Risk Management (see IEC 80001-1:2010 / EN 80001-1:2011) for IT.
1-2 This statement describes Device-specific IT-networking safety and security capabilities. It is NOT a RESPONSIBILITY AGREEMENT according to IEC 80001-1:2010 / EN 80001-1:2011.
1-3 Any modification of the platform, the software or the interfaces of the Device – unless authorized and approved by Siemens Healthcare GmbH – voids all warranties, liabilities, assertions and contracts.
1-4 The RESPONSIBLE ORGANIZATION acknowledges that the Device’s underlying standard computer with operating system is to some extent vulnerable to typical attacks such as, e.g., malware or denial-of-service.
1-5 Unintended consequences (such as, e.g., misuse/loss/corruption) of data not under control of the Device, e.g., after electronic communication from the Device to some IT-network or to some storage, are under the responsibility of the RESPONSIBLE ORGANIZATION.
1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT-network. The RESPONSIBLE ORGANIZATION must ensure – through technical and/or organizational measures – that only authorized use of the external connections and storage media is permitted.

International Electrotechnical Commission Glossary (extract)
Responsible organization: Entity accountable for the use and maintenance of a medical IT network.

ACUSON P500 is a trademark of Siemens Medical Solutions USA, Inc.
syngo is a registered trademark of Siemens Healthcare GmbH.
Adobe is either a trademark or registered trademark of Adobe Systems Incorporated in the United States and/or other countries.
Intel is a trademark of Intel Corporation in the United States and other countries.
McAfee is a registered trademark of McAfee, LLC or its subsidiaries in the US and other countries.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.
PowerScribe® 360 | Reporting is a registered trademark of Nuance Communications, Inc.

Statement on FDA Cybersecurity Guidance
Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, healthcare facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements.
The representations contained in this white paper are designed to describe Siemens Healthineers’ approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cyber-security efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

Siemens Healthineers Headquarters
Siemens Healthcare GmbH
Henkestr. 127
91052 Erlangen, Germany
Phone: +49 9131 84-0
siemens-healthineers.com

Legal Manufacturers
Siemens Medical Solutions USA, Inc.
Ultrasound
685 E. Middlefield Road
Mountain View, CA 94043
USA
Phone: 1-888-826-9702
siemens-healthineers.com/ultrasound

Published by Siemens Medical Solutions USA, Inc. · 8731 0220 online · ©Siemens Medical Solutions USA, Inc., 2020