
ACUSON P500 Ultrasound System VC10 Security and MDS² Form
The reproduction, transmission or distribution of this training or its contents is not permitted without express written authority. Offenders will be liable for damages.
All names and data of patients, parameters and configuration dependent designations are fictional and examples only.
All rights, including rights created by patent grant or registration of a utility model or design, are reserved.
Please note that the learning material is for training purposes only!
For the proper use of the software or hardware, please always use the Operator Manual or Instructions for Use (hereinafter collectively “Operator Manual”) issued by Siemens Healthineers. This material is to be used as training material only and shall by no means substitute the Operator Manual. Any material used in this training will not be updated on a regular basis and does not necessarily reflect the latest version of the software and hardware available at the time of the training.
The Operator Manual shall be used as your main reference, in particular for relevant safety information like warnings and cautions.
Note: Some functions shown in this material are optional and might not be part of your system. The information in this material contains general technical descriptions of specifications and options as well as standard and optional features that do not always have to be present in individual cases.
Certain products, product related claims or functionalities described in the material (hereinafter collectively “Functionality”) may not (yet) be commercially available in your country. Due to regulatory requirements, the future availability of said Functionalities in any specific country is not guaranteed. Please contact your local Siemens Healthineers sales representative for the most current information.
ACUSON P500 is a trademark of Siemens Medical Solutions USA, Inc. Copyright © Siemens Healthcare GmbH, 2022
White Paper: ACUSON P500 VC10 Security and MDS2 Form
The facts about the security of our products and solutions.
siemens-healthineers.com/cybersecurity
Siemens Healthineers Product and Solution Security White Paper · ACUSON P500 VC10

Foreword
Jim Jacobson, Chief Product and Solution Security Officer, Siemens Healthineers

The Siemens Healthineers Product & Solution Security (PSS) program
At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program, which focuses on addressing cybersecurity throughout the lifecycle of our products.
Our program targets incorporating state-of-the-art cybersecurity into our current and future products. We seek to protect the security of your data while, at the same time, providing measures to strengthen the resiliency of our products against cyber threats.
We comply with applicable security and privacy regulations from the US Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and the Office for Civil Rights (OCR), to help you meet your IT security and privacy obligations.

Elements of our product and solution security program
• Providing information to facilitate secure configuration and use of our medical devices in your IT environment
• Conducting formal threat and risk analysis for our products
• Incorporating secure architecture, design and coding methodologies in our software development process
• Performing static code analysis of our products
• Conducting security testing of products under development as well as products already in the field
• Providing a patch management strategy for the medical device
• Monitoring security vulnerability reports to track third-party component issues in our products
• Working with suppliers to address security throughout the supply chain
• Training of employees to provide knowledge consistent with their level of responsibility regarding your data and device integrity

Vulnerability and incident management
Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our products, no matter what the source.

Contacting Siemens Healthineers about product and solution security
Siemens Healthineers requests that any cybersecurity or privacy incidents are reported by email to: productsecurity@siemens-healthineers.com

Contents
Basic Information (page 4)
Network Information (page 6)
Security Controls (page 17)
Shared Responsibilities (page 18)
Software Bill of Materials (page 18)
Manufacturer Disclosure Statement (MDS2) (page 24)
Manufacturer Disclosure Statement (IEC60601-1) (page 47)
Abbreviations (page 52)
Disclaimer According to IEC 80001-1 (page 53)
Statement on FDA Cybersecurity Guidance (page 53)

Basic Information

Operating Systems
Please refer to the Software Bill of Materials chapter.

Hardware Specifications
Please refer to the corresponding datasheets for more information. Hardware configuration may vary depending on customer requirements.
User Account Information
• ACUSON P500 system VC10 software user accounts can be local Windows accounts, managed by the administrator of the system. A break-the-glass mechanism ensures access to the system in emergency scenarios.
• The system provides preconfigured password policies that can be customized by administrators.

Patching Strategy
• Security patches will be provided on a regular basis after validation by Siemens Healthineers to maintain the clinical function of the medical device.
• If connected to Smart Remote Services (SRS), formerly Siemens Remote Service, updates will be pushed to the system automatically. The updates need to be confirmed and executed by the practitioners.
• Alternatively, you can manually install updates by using the Siemens Healthineers Anytime Software Update (ASU) service provided in the teamplay Fleet platform.
• Technologies and software components are actively monitored for vulnerabilities and availability of security updates.

Why is cybersecurity important?
Keeping patient data safe and secure should typically be one of the top priorities of healthcare institutes. The estimated cost associated with the recovery of each medical record in the United States can be as high as $499 [1]. According to the Ponemon Institute research report [2], 39% of medical devices were hacked, with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

Our purpose is to help healthcare providers succeed
The new ACUSON P500 ultrasound system is the result of more than three decades of experience in ultrasound engineering. The ACUSON P500 VC10 ultrasound system is designed to provide clinicians with an innovative and diverse range of applications and features at the point of care so they are able to see better, scan faster and go further. Also, the ACUSON P500 ultrasound system, ICE Edition integrates the imaging capabilities of Siemens Healthineers AcuNav ultrasound catheter technologies with the ACUSON P500 ultrasound system to provide real-time visualization of cardiac anatomy. With its powerful architecture and innovative features, the ACUSON P500 system expands precision medicine by enabling high-resolution imaging that adapts to patients' size and personal characteristics, contributing to more confident diagnosis.

[1] https://www.itgovernanceusa.com/blog/what-is-the-cost-of-a-health-care-data-breach-in-the-us
[2] www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf

Cryptography Usage
The ACUSON P500 system VC10 software uses ciphers and protocols built into Windows 10 for encryption and data protection. If needed, hardening measures limit usage to those that are at least FIPS 140-2 compliant.

Handling of Sensitive Data
• The ACUSON P500 system VC10 is designed for temporary data storage only. Siemens Healthineers recommends storing patient data in a long-term archive, e.g., on a PACS, and data must be deleted from the system using a facility-defined procedure. A secure data backup, including offline backup and restrictive access, is the responsibility of the customer.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system, such as DICOM data, raw data, and metadata for DICOM creation. Note: the time for which PHI is stored is determined by the facility.
• Personally Identifiable Information (PII) as part of the DICOM records is also temporarily stored on the ultrasound system, e.g., patient's name, birthday or age, height and weight, personal identification number, and referring physician's name. Additional sensitive information might be present in user-editable input fields or in the images acquired.
• PHI is transmitted via DICOM, either encrypted or unencrypted. Unencrypted DICOM transfers expose PHI on the wire, which is one reason the network segmentation described under Boundary Defense matters.

Data Recovery
ACUSON P500 system VC10 software uses local data storage for application data, as configured during installation. There are several scenarios which require a recovery of the system or the database. In case of software errors, the following recovery strategies are available:
• Recovery of corrupted files
• Recovery of the partition in case of a corrupt Operating System (OS) or application

Boundary Defense
The built-in firewall minimizes the network attack surface.
For optimized protection of sensitive data and operation of the system, it must be deployed in a secure network environment, utilizing, e.g., network segmentation, client access control and protection against access from public networks. Please see the related Secure Configuration and Hardening Guide.
Boundary defense in the hospital should be multilayered, relying on firewalls, proxies, DMZs and network-based IDS and IPS, as well as physical protections.

Terms and Conditions
Please see local terms and conditions for purchasing and operating this device within your area.
Network Information
Figure 1: Security boundaries for system deployment (diagram). The ultrasound machine sits on the clinical network and exchanges DICOM (out) with PACS/RIS and TCP (in/out) with a network share; Smart Remote Services traffic (TCP, in/out) leaves the clinical network through the SRS router and a VPN to the Remote Service Access Server on the Internet.
Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN). To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall and/or using access control lists on the network switches to limit traffic to identified peers. At minimum, the DICOM port (see Table 1) needs to be visible to the customer's DICOM network nodes (e.g., PACS, syngo®.via, etc.).
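The segmentation recommendation above, and the port allowlist in Table 1 that follows, as an added example (not Siemens Healthineers code and not from the hardening guide): the script reproduces Table 1 verbatim, classifies the listeners found by an nmap scan taken from the clinical segment against it, and evaluates whether a given source zone may reach a given port. The mapping of ports to peer classes (SRS router, PACS, CARTO workstation) is an assumption made here for illustration; the white paper only says "identified peers". The sample nmap line is constructed. Note that Table 1 lists port 104 as outbound only while the text says the DICOM port must be visible to DICOM nodes; the example follows Table 1 and flags the inbound case, so reconcile that with the hardening guide before writing rules. Table 1 also does not list every port that a service in the service listing below could open (the Server service, for instance, provides SMB sharing), which is exactly what the listener audit is for.

```python
"""Audit scanned listeners and candidate flows against Table 1 of the white paper.

Added example (not Siemens Healthineers code).  TABLE_1 is copied from the
paper; PEER_FOR_PORT and SAMPLE_SCAN are assumptions constructed here.
"""
import re

# Table 1: port -> (service/function, direction, protocol), as printed in the paper.
TABLE_1 = {
    80:    ("Administration Portal - Smart Remote Service", "in/out", "TCP"),
    81:    ("Hardware diagnostics",                          "in/out", "TCP"),
    104:   ("DICOM Communication",                           "out",    "TCP"),
    123:   ("CARTO Communication",                           "in/out", "TCP"),
    443:   ("Administration Portal - Smart Remote Service", "in/out", "TCP (encrypted)"),
    8226:  ("Managed Node Package MNP",                      "in/out", "TCP"),
    8227:  ("Managed Node Package MNP",                      "in/out", "TCP"),
    8228:  ("Managed Node Package MNP",                      "in/out", "TCP"),
    11080: ("Remote Assist (eSieLink)",                      "in/out", "TCP"),
    12061: ("Managed Node Package MNP",                      "in/out", "TCP"),
    13001: ("Managed Node Package MNP",                      "in/out", "TCP"),
    13241: ("CARTO Communication",                           "in/out", "TCP"),
    13242: ("CARTO Communication",                           "in/out", "TCP"),
}
DOCUMENTED = frozenset(TABLE_1)

# ASSUMPTION (not in the paper): which peer class on the clinical network may
# talk to each port.  Remote-service ports are tied to the SRS router of Figure 1,
# CARTO ports to the CARTO workstation, DICOM to the PACS.
PEER_FOR_PORT = {104: "pacs", 123: "carto", 13241: "carto", 13242: "carto"}
for _p in (80, 81, 443, 8226, 8227, 8228, 11080, 12061, 13001):
    PEER_FOR_PORT[_p] = "srs_router"

# Ports whose Table 1 entry does not say "encrypted": the network ACL is the only
# control protecting admin, diagnostic and PHI traffic on them.
CLEARTEXT_PORTS = frozenset(p for p, (_, _, proto) in TABLE_1.items() if "encrypted" not in proto)

_OPEN_TCP = re.compile(r"(\d+)/open/tcp")


def parse_nmap_grepable(line: str) -> set[int]:
    """Return the TCP ports reported open in one host line of nmap -oG output."""
    m = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
    return {int(p) for p in _OPEN_TCP.findall(m.group(1))} if m else set()


def audit_listeners(open_ports: set[int]) -> dict[str, list[int]]:
    """Split observed listeners into Table 1 ports, undocumented ports and cleartext exposure."""
    return {
        "documented": sorted(open_ports & DOCUMENTED),
        "undocumented": sorted(open_ports - DOCUMENTED),
        "cleartext_exposed": sorted(open_ports & CLEARTEXT_PORTS),
    }


def flow_decision(src_zone: str, dst_port: int) -> tuple[bool, str]:
    """Decide whether src_zone may open dst_port on the ultrasound system (default deny)."""
    if src_zone == "internet":
        return False, "no direct inbound from public networks"
    if dst_port not in TABLE_1:
        return False, "port not in Table 1"
    service, direction, _ = TABLE_1[dst_port]
    if direction == "out":
        return False, f"Table 1 lists port {dst_port} as outbound only"
    peer = PEER_FOR_PORT[dst_port]
    if src_zone != peer:
        return False, f"port {dst_port} is reserved for peer class {peer}"
    return True, f"{service} from {peer}"


# Constructed sample: an nmap -oG host line for a unit whose SMB and RDP are reachable.
SAMPLE_SCAN = ("Host: 10.20.30.40 ()\tPorts: 80/open/tcp//http///, 104/open/tcp//acr-nema///, "
               "443/open/tcp//https///, 445/open/tcp//microsoft-ds///, "
               "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (995)")

if __name__ == "__main__":
    report = audit_listeners(parse_nmap_grepable(SAMPLE_SCAN))
    for key, ports in report.items():
        print(f"{key:18} {ports}")
    for zone, port in (("pacs", 104), ("srs_router", 443), ("pacs", 80), ("internet", 443)):
        print(zone, port, flow_decision(zone, port))
```

Run the scan with `nmap -p- -oG - <host>` from a machine inside the ultrasound VLAN and feed the host line to `parse_nmap_grepable`; anything in `undocumented` is either a service the listing below opens (SMB from Server, RPC endpoint mapper) or a change you did not expect, and both deserve an explicit ACL decision rather than silence.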
The following ports are used by the system. All ports are closed except for those listed in Table 1.

Port number | Service/function | Direction (in/out) | Protocol
80 | Administration Portal – Smart Remote Service | In/out | TCP
81 | Hardware diagnostics | In/out | TCP
104 | DICOM Communication | Out | TCP
123 | CARTO Communication | In/out | TCP
443 | Administration Portal – Smart Remote Service | In/out | TCP (encrypted)
8226 | Managed Node Package MNP | In/out | TCP
8227 | Managed Node Package MNP | In/out | TCP
8228 | Managed Node Package MNP | In/out | TCP
11080 | Remote Assist (eSieLink) | In/out | TCP
12061 | Managed Node Package MNP | In/out | TCP
13001 | Managed Node Package MNP | In/out | TCP
13241 | CARTO Communication | In/out | TCP
13242 | CARTO Communication | In/out | TCP
Table 1: Used port numbers

Allowed services running on the device and accessible through the network (Service | Startup type | Log on as, followed by the service description):

Application Identity | Automatic (Trigger Start) | Local Service
This service determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.

Autoreport | Automatic | Local System
This service serves Autoreport.

Background Tasks Infrastructure Service | Automatic | Local System
Windows infrastructure service that controls which background tasks can run on the system.

Base Filtering Engine | Automatic | Local Service
The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.
Bluetooth Support Service | Manual (Trigger Start) | Local Service
The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated.

Client License Service (ClipSVC) | Manual (Trigger Start) | Local System
This service provides infrastructure support for the Microsoft Store. This service is started on demand and, if disabled, applications bought using the Windows Store will not behave correctly.

CNG Key Isolation | Manual (Trigger Start) | Local System
The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.

COM+ Event System | Automatic | Local Service
This service supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.

COM+ System Application | Manual | Local System
This service manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

CoreMessaging | Automatic | Local Service
This service manages communication between system components.

CoreScanner | Automatic | Local System
This service serves CoreScanner in Syngo.

cRSP-Teamviewer-Moderator-Gateway | Automatic | Local System
cRSP TeamViewer Moderator Gateway working as a proxy for RTCs.

Cryptographic Services | Automatic | Network Service
This service provides three management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enables scenarios such as SSL. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

CsaCompMgrInit | Automatic | Local System
This service serves CsaCompMgrInit in Syngo.

DCOM Server Process Launcher | Automatic | Local System
The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running.

Device Install Service | Manual (Trigger Start) | Local System
This service enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

DHCP Client | Automatic | Local Service
This service registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start.

Diagnostic Policy Service | Automatic | Local Service
The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function.

Diagnostic Service Host | Automatic | Local Service
The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function.

Diagnostic System Host | Manual | Local System
The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function.

Distributed Link Tracking Client | Automatic | Local System
This service maintains links between NTFS files within a computer or across computers in a network.

Distributed Transaction Coordinator | Manual | Network Service
This service coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. If this service is disabled, any services that explicitly depend on it will fail to start.

DNS Client | Automatic (Trigger Start) | Network Service
The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

Extensible Authentication Protocol | Manual | Local System
The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP). EAP also provides application programming interfaces (APIs) that are used by network access clients, including wireless and VPN clients, during the authentication process. If you disable this service, this computer is prevented from accessing networks that require EAP authentication.

IIS Admin Service | Automatic | Local System
This service enables this server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. If this service is stopped, the server will be unable to configure SMTP or FTP. If this service is disabled, any services that explicitly depend on it will fail to start.

IKE and AuthIP IPsec Keying Modules | Automatic (Trigger Start) | Local System
The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keying modules are used for authentication and key exchange in Internet Protocol security (IPsec). Stopping or disabling the IKEEXT service will disable IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service might result in an IPsec failure and might compromise the security of the system. It is strongly recommended that you have the IKEEXT service running.

Intel® Content Protection HDCP Service | Automatic | Local System
Intel® Content Protection HDCP Service enables communication with Content Protection HDCP hardware.

Intel® HD Graphics Control Panel Service | Automatic | Local System
This service serves the Intel® HD Graphics Control Panel.

Intel® PROSet Monitoring Service | Automatic | Local System
The Intel® PROSet Monitoring Service actively monitors changes to the system and updates affected network devices to keep them running in optimal condition. Stopping this service may negatively affect the performance of the network devices on the system.

IPsec Policy Agent | Manual (Trigger Start) | Network Service
Internet Protocol security (IPsec) supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. This service enforces IPsec policies created through the IP Security Policies snap-in or the command-line tool "netsh ipsec". If you stop this service, you may experience network connectivity issues if your policy requires that connections use IPsec. Also, remote management of Windows Firewall is not available when this service is stopped.

Local Session Manager | Automatic | Local System
Core Windows service that manages local user sessions. Stopping or disabling this service will result in system instability.

McAfee Service Controller | Automatic (Trigger Start) | Local System
This service manages McAfee services.

McAfee Solidifier | Automatic | Local System
This service serves McAfee Solidifier.

McAfee Validation Trust Protection Service | Manual | Local System
This service provides validation trust protection services.

Net.Tcp Port Sharing Service | Automatic | Local Service
This service provides the ability to share TCP ports over the net.tcp protocol.

Network Connection Broker | Manual (Trigger Start) | Local System
This service brokers connections that allow Windows Store apps to receive notifications from the internet.

Network List Service | Automatic | Local Service
This service identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change.

Network Location Awareness | Automatic | Network Service
This service collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Network Setup Service | Manual (Trigger Start) | Local System
The Network Setup Service manages the installation of network drivers and permits the configuration of low-level network settings. If this service is stopped, any driver installations that are in progress may be cancelled.

Network Store Interface Service | Automatic | Local Service
This service delivers network notifications (e.g., interface addition/deletion) to user mode clients. Stopping this service will cause loss of network connectivity. If this service is disabled, any other services that explicitly depend on this service will fail to start.

Plug and Play | Manual | Local System
This service enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

Power | Automatic | Local System
This service manages power policy and power policy notification delivery.

Print Spooler | Automatic | Local System
This service spools print jobs and handles interaction with the printer. If you turn off this service, you won't be able to print or see your printers.

Program Compatibility Assistant Service | Automatic | Local System
This service provides support for the Program Compatibility Assistant (PCA). PCA monitors programs installed and run by the user and detects known compatibility problems. If this service is stopped, PCA will not function properly.

Remote Procedure Call (RPC) | Automatic | Network Service
The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the RPCSS service running.

RPC Endpoint Mapper | Automatic | Network Service
This service resolves RPC interface identifiers to transport endpoints. If this service is stopped or disabled, programs using Remote Procedure Call (RPC) services will not function properly.

SAM | Automatic | Local System
This service serves SAM.

Security Accounts Manager | Automatic | Local System
The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.

Server | Automatic | Local System
This service supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Shell Hardware Detection | Automatic | Local System
This service provides notifications for AutoPlay hardware events.

SQL Server (PIMS_DATABASE) | Automatic | Network Service
This service provides storage, processing and controlled access of data, and rapid transaction processing.

SQL Server VSS Writer | Automatic | Local System
This service provides the interface to back up and restore Microsoft SQL Server through the Windows VSS infrastructure.

State Repository Service | Manual | Local System
This service provides required infrastructure support for the application model.

SysMgmt.WcfService | Automatic | Local System
This service serves SysMgmt.WcfService in Syngo.

System Event Notification Service | Automatic | Local System
This service monitors system events and notifies subscribers to COM+ Event System of these events.

System Events Broker | Automatic (Trigger Start) | Local System
This service coordinates execution of background work for WinRT applications. If this service is stopped or disabled, then background work might not be triggered.

Task Scheduler | Automatic | Local System
This service enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

TCP/IP NetBIOS Helper | Manual (Trigger Start) | Local Service
This service provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Tile Data model server | Automatic | Local System
Tile Server for tile updates.

Time Broker | Manual (Trigger Start) | Local Service
This service coordinates execution of background work for WinRT applications. If this service is stopped or disabled, then background work might not be triggered.

TouchMateEx | Automatic | Local System
This service serves TouchMateEx.

TRANSFERMGR | Automatic | Local System
This service serves TransferMgr in Syngo.

User Manager | Automatic (Trigger Start) | Local System
User Manager provides the runtime components required for multi-user interaction. If this service is stopped, some applications may not operate correctly.

User Profile Service | Automatic | Local System
This service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users will no longer be able to successfully sign in or sign out, apps might have problems getting to users' data, and components registered to receive profile event notifications won't receive them.

VERSANTD | Automatic | Local System
This service serves the daemon for VERSANT in Syngo.

Volume Shadow Copy | Manual | Local System
This service manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.

Windows Audio | Automatic | Local Service
This service manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Windows Audio Endpoint Builder | Automatic | Local System
This manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Windows Biometric Service | Automatic (Trigger Start) | Local System
The Windows biometric service gives client applications the ability to capture, compare, manipulate, and store biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process.

Windows Connection Manager | Automatic (Trigger Start) | Local Service
This service makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables management of network connectivity based on Group Policy settings.

Windows Driver Foundation – User-mode Driver Framework | Manual (Trigger Start) | Local System
This service creates and manages user-mode driver processes. This service cannot be stopped.

Windows Event Collector | Automatic | Network Service
This service manages persistent subscriptions to events from remote sources that support the WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. If this service is stopped or disabled, event subscriptions cannot be created and forwarded events cannot be accepted.

Windows Event Log | Automatic | Local Service
This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system.

Windows Firewall | Automatic | Local Service
Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.

Windows Font Cache Service | Automatic | Local Service
This service optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running. It can be disabled, though doing so will degrade application performance.

Windows License Manager Service | Manual (Trigger Start) | Local Service
This service provides infrastructure support for the Windows Store. This service is started on demand and, if disabled, content acquired through the Windows Store will not function properly.

Windows Management Instrumentation | Automatic | Local System
This service provides a common interface and object model to access management information about the operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Windows Modules Installer | Manual | Local System
This service enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, install or uninstall of Windows updates might fail for this computer.

Windows Presentation Foundation Font Cache 3.0.0.0 | Manual | Local Service
This service optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data. WPF applications will start this service if it is not already running. It can be disabled, though doing so will degrade the performance of WPF applications.

Windows Process Activation Service | Manual | Local System
The Windows Process Activation Service (WAS) provides process activation, resource management and health management services for message-activated applications.

Windows Push Notifications System Service | Automatic | Local System
This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and the WNS server.

WinHTTP Web Proxy Auto-Discovery Service | Manual | Local Service
WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for auto-discovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (WPAD) protocol.

Wired AutoConfig | Automatic | Local System
The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces. If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run for establishing Layer 2 connectivity and/or providing access to network resources. Wired networks that do not enforce 802.1X authentication are unaffected by the DOT3SVC service.

WLAN AutoConfig | Automatic | Local System
The WLANSVC service provides the logic required to configure, discover, connect to, and disconnect from a wireless local area network (WLAN) as defined by IEEE 802.11 standards. It also contains the logic to turn your computer into a software access point so that other WLAN devices or computers can connect to your computer wirelessly using a WLAN adapter that can support this. Stopping or disabling the WLANSVC service will make all WLAN adapters on your computer inaccessible from the Windows networking UI. It is strongly recommended that you have the WLANSVC service running if your computer has a WLAN adapter.

Workstation | Automatic | Network Service
This service creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
World Wide Web Publishing This service provides Web connectivity and administration through the Internet Information Services Manager Automatic Local System Service 16 ACUSON P500 VC10 · Product and Solution Security White Paper Security Controls Malware Protection Network Controls • Whitelisting (McAfee Solidcore) • The system is designed to make limited use of network ports and protocols. Microsoft Windows Firewall is configured to block unwanted inbound network traffic Controlled Use of Administrative Privileges except for the ports listed in the table of used port The system distinguishes between clinical and numbers on the section Network Information. • administrative roles. Clinical users do not require • Siemens Healthineers recommends operating administrative privileges. the system in a secured network environment, e.g., a separate network segmented or VLAN. • Authorization as administrator is required for administrative tasks. • Connection to the internet or private networks for patients/guests is not recommended. • Authentication In case of a denial of service (DoS) or malware attack, the system can be taken off the network and operated • The ACUSON P500 system VC10 software supports in a stand-alone state. Health Insurance Portability and Accountability Act (HIPAA) regulation with role-based privilege assignment and access control. Physical Safeguards • The user interface of the ACUSON P500 system VC10 • Customers are responsible for the physical protection software provides a screen lock functionality that can of the ACUSON P500 system VC10 software, e.g., by be engaged manually or automatically after a certain operating it in a room with access control. Please note inactivity time. For details, please refer to the User that the system contains patient data and should be Manual. protected against tampering and theft. • The recommendation is to change the BIOS password Security Scanning from default. 
Please contact Siemens Healthineers Service for support. • Security scans are performed during development and release phase. The product is scanned for vulnerabilities by using Nessus. Penetration testing is Data Protection Controls also the part of software development life cycle. • The system is not intended to be a data archive i.e., prevention of data at rest. Continuous Vulnerability Monitoring • PHI is protected by both role-based access control as Continuous vulnerability assessment and remediation well as optional hard drive encryption. • is performed. • Hard drive encryption is implemented through Microsoft Bitlocker technology and use of the Trusted Platform Module (TPM) chip on the motherboard. Hardening • The system provides auditing of PHI access control. • ACUSON P500 system VC10 software hardening is • implemented based on the Security Technical The system supports Bitlocker to-go. implementation Guidelines developed by the Defense Information Systems Agency (DISA). 17 Product and Solution Security White Paper · ACUSON P500 VC10 Auditing/Logging • The system provides HIPAA-compliant auditing of operations of PHI, PII, and user information (i.e., login, read access to PHI, modification of PHI). Remote Connectivity • SRS is optionally used for proactive maintenance. The connection is created using a secured channel (VPN- or IBC-based connection). It is used, for example, to download security patches and updates. • Alternatively, customers can use the Siemens Healthineers teamplay Fleet platform to download available hotfixes and install them in offline machines that are not connected to the SRS network. Incident Response and Management • The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents. 
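The services table and the Network Controls and Data Protection Controls bullets above describe a baseline (service startup types and log-on accounts, firewall blocking inbound traffic by default, BitLocker backed by the TPM, McAfee Solidcore whitelisting) that an acceptance test can verify on a delivered unit. Several services the table lists as Automatic, such as World Wide Web Publishing Service running as Local System and the Wired and WLAN AutoConfig services, are exactly why the firewall default matters. The script below is an added example and is not code from the white paper or from Siemens Healthineers. It assumes an elevated Windows PowerShell 5.1 session on the device or a staging image, that the NetSecurity, BitLocker and TrustedPlatformModule modules are present, and that the service display names match the table; the Solidcore service display name is matched by wildcard because the page does not state it, and the function names (New-Finding, Test-ServiceBaseline, etc.) are the example's own.

```powershell
# Added example, not part of the Siemens white paper: read-only acceptance check
# that compares a device against values documented on this page.
# Assumptions: elevated Windows PowerShell 5.1; NetSecurity, BitLocker and
# TrustedPlatformModule modules present (they ship with Windows 10); service
# display names as in the table above. Save as a .ps1 and run it as a script.

# Rows copied from the services table. Win32_Service only reports
# Auto / Manual / Disabled, so "Automatic (Trigger Start)" is checked as Auto.
$serviceBaseline = @(
    @{ Display = 'Windows Firewall';                   Mode = 'Auto';   Account = 'NT AUTHORITY\LocalService' },
    @{ Display = 'Windows Event Log';                  Mode = 'Auto';   Account = 'NT AUTHORITY\LocalService' },
    @{ Display = 'Windows Event Collector';            Mode = 'Auto';   Account = 'NT AUTHORITY\NetworkService' },
    @{ Display = 'Windows Management Instrumentation'; Mode = 'Auto';   Account = 'LocalSystem' },
    @{ Display = 'Windows Modules Installer';          Mode = 'Manual'; Account = 'LocalSystem' },
    @{ Display = 'Workstation';                        Mode = 'Auto';   Account = 'NT AUTHORITY\NetworkService' },
    @{ Display = 'World Wide Web Publishing Service';  Mode = 'Auto';   Account = 'LocalSystem' }
)

function New-Finding([string]$Check, [bool]$Ok, [string]$Observed) {
    [pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'DEVIATION' }); Observed = $Observed }
}

function Test-ServiceBaseline([hashtable[]]$Baseline) {
    foreach ($row in $Baseline) {
        $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$($row.Display)'"
        if (-not $svc) { New-Finding "service:$($row.Display)" $false 'not installed'; continue }
        $ok = ($svc.StartMode -eq $row.Mode) -and ($svc.StartName -eq $row.Account)
        New-Finding "service:$($row.Display)" $ok "$($svc.StartMode) / $($svc.StartName) / $($svc.State)"
    }
}

function Test-FirewallInbound {
    # The page states inbound traffic is blocked except for the documented ports,
    # so every profile must be enabled with inbound default Block. NotConfigured
    # falls back to the OS default, which is Block for inbound.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -in @('Block', 'NotConfigured'))
        New-Finding "firewall:$($p.Name)" $ok "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
    }
}

function Test-DiskEncryption {
    # BitLocker on the system drive with a TPM key protector (Data Protection Controls).
    try {
        $tpm = Get-Tpm
        New-Finding 'tpm' ($tpm.TpmPresent -and $tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $ok = ($vol.ProtectionStatus -eq 'On') -and ($types -contains 'Tpm')
        New-Finding "bitlocker:$($vol.MountPoint)" $ok "Protection=$($vol.ProtectionStatus) Method=$($vol.EncryptionMethod) Protectors=$($types -join ',')"
    } catch {
        New-Finding 'bitlocker' $false "query failed: $($_.Exception.Message)"
    }
}

function Test-Whitelisting {
    # The white paper names McAfee Solidcore; the service display name is an
    # assumption here (wildcard match), so adjust it to what the image uses.
    $svc = @(Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like '*Solidcore*' -or $_.DisplayName -like '*Solidifier*' })
    if ($svc.Count -eq 0) { New-Finding 'whitelisting' $false 'no Solidcore service found'; return }
    foreach ($s in $svc) { New-Finding "whitelisting:$($s.DisplayName)" ($s.State -eq 'Running') "$($s.StartMode) / $($s.State)" }
}

$report = @(Test-ServiceBaseline $serviceBaseline) + @(Test-FirewallInbound) + @(Test-DiskEncryption) + @(Test-Whitelisting)
$report | Format-Table -AutoSize
# Non-zero exit code lets a deployment pipeline fail the acceptance step.
if (@($report | Where-Object Status -ne 'OK').Count -gt 0) { exit 1 } else { exit 0 }
```

The script reads but never changes configuration, so it is safe to run on a clinical unit during commissioning. Because McAfee Solidcore whitelisting may refuse to run unapproved executables, expect to run this from an interactive PowerShell session rather than as a dropped script if the Solidcore policy is already in enforcement mode, and note that the script cannot observe Trigger Start configuration through Win32_Service.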
Shared Responsibilities
Cybersecurity of the ACUSON P500 ultrasound system is a shared responsibility, covered by the vendor's responsibilities (e.g., system hardening) as well as the customer's responsibilities (e.g., network configuration). For a detailed description of the vendor and responsible-organization obligations, see the chapter Manufacturer Disclosure Statement – Instructions for the responsible organization.

Software Bill of Materials
The following table lists relevant third-party technologies used. A comprehensive list is maintained in teamplay Fleet.¹ https://fleet.siemens-healthineers.com/welcome

¹ For supported countries. Requires a customer account in teamplay Fleet. Please contact your local Siemens Healthineers organization for further details.

Vendor name | Component name | Component version | Description/use
Microsoft Corporation | .NET Framework 2.0 Service Pack 2 | 2.0.50727.4927 | Operating System
Microsoft Corporation | .NET Framework 3.0 Service Pack 1 | 3.0.30729.4926 | Operating System
Microsoft Corporation | .NET Framework 3.5 Service Pack 1 | 3.5.30729.4926 | Operating System
Microsoft Corporation | .NET Framework 4.6 | 4.6.01586 | Operating System
Igor Pavlov | 7-Zip 19.00 (x64 edition) | 19.00.00.0 | Operating System
Adobe Systems Incorporated | Adobe Reader DC | 21.007.20099 | Operating System
Tomtec | Cariac SR (DicomConverter) | 5.0.0.9 | PIMS
Visualization Science Group – www.vsg3d.com | Mercury Inventor | 7.0.1 | UBE
OpenSource (https://code.google.com/p/crashrpt/) | CrashRpt | 1.4.0.2 | Operating System
NVIDIA | CUDA | 6.14 | Imaging
Merge Healthcare Incorporated | DICOM Toolkit | 5.6.0 | PIMS
Microsoft Corporation | DirectX | 11 | Operating System
Microsoft Corporation | EMET | 5.52 | Operating System
OpenSource (http://cristobaldobranco.github.io/blog/2015/01/20/compiling-ffmpeg-with-windows-tools/) | ffmpeg | 2.7.2 | Operating System
OpenSource (http://glew.sourceforge.net/) | GLEW | 1.7.0 | UBE
the SZ development | Homedale | 1.99 | Service
Intel Corporation | Intel® Chipset Device Software | 10.1.1.38 | Operating System
Intel | Intel® Ethernet Connection I218-LM | 22.2.4.0 | Connectivity
Intel Corporation | Intel® Processor Graphics | 21.20.16.4599 | PIMS
Intel | Intel® Compilers Redistributable Libraries | 17.0 Update 4 | Imaging
Intel | Intel® Integrated Performance Primitives | 2018.3.210 | Imaging, UBE
Intel | Intel® Math Kernel Library | 11.3 Update 3 | Imaging
Intel | Intel® Threading Building Blocks | 4.4 Update 4 | Imaging
Microsoft Corporation | Internet Explorer (x86/x64) | 11.0 | Service
www.ijg.org (Open Source) | Jpeg.lib | 8.0 | UBE
Open Source (http://libjpeg-turbo.virtualgl.org) | libjpeg-turbo | 1.4.0 | UBE, PIMS
OpenSource | Log4cxx | 0.10.0.1 | Framework
Open Source (Apache Software Foundation) | Log4net | 2.0.8.0 | Service
Open Source (http://luajit.org/luajit.html) | LuaJIT | 2.0.2 | UBE
Microsoft Corporation | Microsoft ODBC Driver 11 for SQL Server | 12.1.4232.0 | Operating System
Microsoft Corporation | Microsoft SQL Server 2008 Setup Support Files | 10.3.5500.0 | Operating System
Microsoft Corporation | Microsoft SQL Server 2012 Native Client | 11.0.2100.60 | Operating System
Microsoft Corporation | Microsoft SQL Server 2014 Express LocalDB | 12.1.4232.0 | Operating System
Microsoft Corporation | Microsoft SQL Server 2014 RsFx Driver | 12.1.4100.1 | Operating System
Microsoft Corporation | Microsoft SQL Server 2014 Setup (English) | 12.1.4232.0 | Operating System
Microsoft Corporation | Microsoft SQL Server 2014 Transact-SQL ScriptDom | 12.1.4100.1 | Operating System
Microsoft Corporation | Microsoft SQL Server | 12.0.4232.1 | PIMS
Microsoft Corporation | Microsoft Visual C++ 2005 Redistributable | 8.0.61001 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2005 Redistributable (x64) | 8.0.61000 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable (x86) | 9.0.30729.6161 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable (x86) | 9.0.30729.4148 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) | 9.0.30729.17 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2010 SP1 Redistributable Package (x86/x64) | 10.0.40219 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2012 Redistributable (x64) – 11.0.61030 | 11.0.61030.0 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2012 x64 Additional Runtime – 11.0.61030 | 11.0.61030 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2012 x64 Minimum Runtime – 11.0.61030 | 11.0.61030 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2013 Redistributable (x64) – 12.0.30501 | 12.0.30501.0 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2013 x64 Additional Runtime – 12.0.21005 | 12.0.21005 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2013 x64 Minimum Runtime – 12.0.21005 | 12.0.21005 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2015 Redistributable (x64/x64) – 14.0.24215 | 14.0.24215.1 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2015 x64 Additional Runtime – 14.0.24215 | 14.0.24215 | Operating System
Microsoft Corporation | Microsoft Visual C++ 2015 x64 Minimum Runtime – 14.0.24215 | 14.0.24215 | Operating System
Microsoft Corporation | Microsoft VSS Writer for SQL Server 2014 | 12.1.4100.1 | Operating System
Siemens AG Healthcare Sector | MNP | VI44C | Service
OpenSource (www.nuget.org/packages/moq/) | Moq | 4.0 | Framework
OpenSource (www.nuget.org/packages/moq/) | Moq | 4.2 | Framework
Microsoft Corporation | MSXML Parser and SDK 4 SP2 | 4.20.9849.0 | Imaging
Open Source (Ingo Berg) | muParser | 2.2.5 | M&R
Open source | Nunit | 2.6.0 | Service
NVIDIA Corporation | NVIDIA Graphics Driver | 440.97 | Operating System
khronos.org | OpenCL | 2.0 | UBE
TLS Toolkit | OpenSSL | 1.0.2k | PIMS
Microsoft Corporation | Prism framework | 4.0 | Operating System
Realtek | Realtek High Definition Audio | 6.0.1.8036 | Operating System
Trillium Technology, Inc. | ShowCase Onboard Viewer | 5.4.0.0 | PIMS
OpenSource (https://snappy4net.codeplex.com/) | Snappy | 1.1.1.7 | UBE, Framework
SQLite | SQLite | 1.0.99.0 | Framework
Siemens HealthCare GmbH | syngo – Typical Developer 9.1 | 09.01.0001.0001 | Service
blue elephant systems GmbH | The IT Machine with correlation module | 1.2.5 | Service
Open Source (http://sourceforge.net/projects/tinyxml/) | tinyXML.lib | 2.0 | UBE
Siemens Ultrasound USA | TeamViewer | 1.0.0.17 | Service
Microsoft Corporation | Windows 10 IoT Enterprise 2016 LTSB | 1607 | Operating System
Silicon Laboratories Inc. | Windows Driver Package – Silicon Laboratories Inc. (silabser) Ports | 10.1.8.2466 | Imaging/Service
Riverbed Technology, Inc. | WinPcap | 4.1.3 | Service
wireshark.org | Wireshark | 3.6.1 | Service
OpenSource (https://github.com/JamesNK/Newtonsoft.Json) | Json.NET | 6.0.6 | N/A
OpenSource (https://github.com/nlohmann/json) | JSON for Modern C++ (Nlohmann Json) | 3.2.0 | Imaging
OpenSource (https://zeromq.org/) | ZeroMQ | 4.0.4 | Imaging
Cirque Corporation | GlidePoint Touchpad Driver | 3.8.0.64 | SDR
IRTOUCH SYSTEMS | Touchscreen Driver | 14.0.1.0 | SDR
Motorola Solutions, Inc. | Motorola Scanner SDK | 1.2.11.0 | PLATFORM
Sony | UP-D898MD BW Printer Driver | 1.0.0.0 | PLATFORM
Sony | Sony UP-D25MD Color Printer Driver | 1.0.0.0 | PLATFORM
Mitsubishi | P95DW BW Printer Driver | 1.2 Build 1 | PLATFORM
Mitsubishi | Mitsubishi CP30DW Color Printer Driver | 2.4 Build 1 | PLATFORM
Azul Systems | Zulu runtime environment | 8.50.0.21 | PLATFORM
Merge Healthcare Incorporated | MergeCOM3 | 3.8.0.2 | Imaging C, PIMS
Microsoft Corporation | EWF Manager | 1.0.299.0 | Operating System
Microsoft Corporation | .NET Framework 2.0 Service Pack 2 | 2.0.50727.4927 | Operating System
Microsoft Corporation | .NET Framework 3.0 Service Pack 1 | 3.0.30729.4926 | Operating System
Microsoft Corporation | .NET Framework 3.5 Service Pack 1 | 3.5.30729.4926 | Operating System
Microsoft Corporation | .NET Framework 4.6 | 4.6.01586 | Operating System
congatec | BIOS | FRK3R111 | Hardware
Apache Software Foundation | Apache FOP | 0.95 | REPORT
Yann OLLIVIER | Mathematical expression parser | 2.0 | REPORT, MEASUREMENT, PLATFORM
Open Source (Thomas Williams, Colin Kelley) | gnuplot | 5.0.4 | PLATFORM
Open Source (The HDF Group) | HDF5 | 1.8.17 | PLATFORM
OpenSource (https://github.com/csoltenborn/GoogleTestAdapter/blob/master/LICENSE.md) | Google Test Adapter | 0.18.0 | Imaging
OpenSource (https://www.nuget.org/packages/moq/) | Moq4 | 4.14 | Framework
McAfee | McAfee Application and Change Control (Solidcore) | 8.3.3 | PLATFORM

Manufacturer Disclosure Statement (MDS2)
Copyright to this MDS2 Form belongs to the National Electrical Manufacturers Association (NEMA) and the Healthcare Information and Management Systems Society (HIMSS): www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx

Question ID | Question | Answer | See Note
DOC-1 | Manufacturer Name | Siemens Healthineers
DOC-2 | Device Description | Portable Ultrasound Imaging System
DOC-3 | Device Model | P500 3.0 VC10
DOC-4 | Document ID | 11652687-FPD-001
DOC-5 | Manufacturer Contact Information | Siemens Medical Solutions – Ultrasound, 22010 SE 51st St, Issaquah, WA 98029
DOC-6 | Intended use of device in network-connected environment: | Optionally, the ACUSON P500 Ultrasound System can be configured to communicate with a hospital Picture Archiving and Communication System (PACS). The following DICOM services are supported: Store SCP/SCU, Modality Worklist SCU, Query/Retrieve SCU, Storage Commitment SCU, Print SCU and DICOM Structured Reporting SCU.
DOC-7 | Document Release Date | January 5, 2022
DOC-8 | Coordinated Vulnerability Disclosure: Does the manufacturer have a vulnerability disclosure program for this device? | Yes, see note | Note 1
DOC-9 | ISAO: Is the manufacturer part of an Information Sharing and Analysis Organization? | Yes
DOC-10 | Diagram: Is a network or data flow diagram available that indicates connections to other system components or expected external resources? | Yes, see section Network Information (CONNECTIVITY CAPABILITIES (CONN))
DOC-11 | SaMD: Is the device Software as a Medical Device (i.e., software-only, no hardware)? | No
DOC-11.1 | Does the SaMD contain an operating system? | N/A
DOC-11.2 | Does the SaMD rely on an owner/operator provided operating system? | N/A
DOC-11.3 | Is the SaMD hosted by the manufacturer? | N/A
DOC-11.4 | Is the SaMD hosted by the customer? | N/A

Management of Personally Identifiable Information (MPII)
Question ID | Question | Answer | See Note
MPII-1 | Can this device display, transmit, store, or modify personally identifiable information (e.g., electronic Protected Health Information (ePHI))? | Yes
MPII-2 | Does the device maintain personally identifiable information? | Yes
MPII-2.1 | Does the device maintain personally identifiable information temporarily in volatile memory (i.e., until cleared by power-off or reset)? | Yes
MPII-2.2 | Does the device store personally identifiable information persistently on internal media? | Yes
MPII-2.3 | Is personally identifiable information preserved in the device's non-volatile memory until explicitly erased? | Yes
MPII-2.4 | Does the device store personally identifiable information in a database? | Yes
MPII-2.5 | Does the device allow configuration to automatically delete local personally identifiable information after it is stored to a long-term solution? | No
MPII-2.6 | Does the device import/export personally identifiable information with other systems (e.g., a wearable monitoring device might export personally identifiable information to a server)? | Yes
MPII-2.7 | Does the device maintain personally identifiable information when powered off, or during power service interruptions? | Yes
MPII-2.8 | Does the device allow the internal media to be removed by a service technician (e.g., for separate destruction or customer retention)? | Yes
MPII-2.9 | Does the device allow personally identifiable information records to be stored in a separate location from the device's operating system (i.e., secondary internal drive, alternate drive partition, or remote storage location)? | Yes
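The Software Bill of Materials above is published as a printed table, while the Continuous Vulnerability Monitoring bullet earlier on this page describes the activity it is meant to support; in practice a hospital security team wants that list in a machine-readable form so it can be matched against advisory feeds. The script below is an added example, not code from the white paper or from Siemens Healthineers: it parses rows copied from the table in a Vendor|Component|Version|Use layout (the rows shown are a constructed subset), reports what needs reconciliation before ingestion (the table lists the .NET Framework entries twice and carries three Moq versions), and emits a CycloneDX 1.4 JSON document. The function names, the "sbom:use" property name and the component type mapping are the example's own assumptions; the "Description/use" abbreviations (PIMS, UBE, SDR, M&R) are carried through as-is because the page does not define them.

```powershell
# Added example, not part of the Siemens white paper: SBOM table -> CycloneDX 1.4.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; rows copied from the table
# with '|' as the column separator. The rows below are a constructed subset.
$sbomTable = @'
Vendor|Component|Version|Use
Microsoft Corporation|.NET Framework 4.6|4.6.01586|Operating System
Microsoft Corporation|.NET Framework 4.6|4.6.01586|Operating System
Microsoft Corporation|Windows 10 IoT Enterprise 2016 LTSB|1607|Operating System
TLS Toolkit|OpenSSL|1.0.2k|PIMS
Open Source (Apache Software Foundation)|Log4net|2.0.8.0|Service
OpenSource (www.nuget.org/packages/moq/)|Moq|4.0|Framework
OpenSource (www.nuget.org/packages/moq/)|Moq|4.2|Framework
OpenSource (https://www.nuget.org/packages/moq/)|Moq4|4.14|Framework
wireshark.org|Wireshark|3.6.1|Service
McAfee|McAfee Application and Change Control (Solidcore)|8.3.3|PLATFORM
'@

function ConvertFrom-SbomTable([string]$Text) {
    # First non-empty line is the header; ConvertFrom-Csv builds one object per row.
    ($Text -split "`r?`n") | Where-Object { $_.Trim() } | ConvertFrom-Csv -Delimiter '|'
}

function Get-SbomIssues($Rows) {
    # Exact duplicate rows (same vendor, component and version).
    $Rows | Group-Object Vendor, Component, Version | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Issue = 'duplicate row'; Component = $_.Group[0].Component; Detail = "listed $($_.Count) times" }
    }
    # One component name carrying several versions: decide which one actually ships.
    $Rows | Group-Object Component | Where-Object { @($_.Group.Version | Select-Object -Unique).Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Issue = 'multiple versions'; Component = $_.Name; Detail = (@($_.Group.Version | Select-Object -Unique) -join ', ') }
    }
}

function ConvertTo-CycloneDx($Rows, [string]$DeviceName, [string]$DeviceVersion) {
    # Sort-Object -Unique collapses the duplicate rows; the Use column is kept as
    # a CycloneDX property so the grouping from the table survives the conversion.
    $components = $Rows | Sort-Object Vendor, Component, Version -Unique | ForEach-Object {
        [ordered]@{
            type       = $(if ($_.Component -like 'Windows 10*') { 'operating-system' } else { 'library' })
            name       = $_.Component
            version    = $_.Version
            publisher  = $_.Vendor
            properties = @([ordered]@{ name = 'sbom:use'; value = $_.Use })
        }
    }
    [ordered]@{
        bomFormat    = 'CycloneDX'
        specVersion  = '1.4'
        serialNumber = "urn:uuid:$([guid]::NewGuid())"
        version      = 1
        metadata     = [ordered]@{
            timestamp = (Get-Date).ToUniversalTime().ToString('o')
            component = [ordered]@{ type = 'device'; name = $DeviceName; version = $DeviceVersion }
        }
        components   = @($components)
    } | ConvertTo-Json -Depth 6
}

$rows = ConvertFrom-SbomTable $sbomTable
Get-SbomIssues $rows | Format-Table -AutoSize
ConvertTo-CycloneDx -Rows $rows -DeviceName 'ACUSON P500' -DeviceVersion 'VC10' |
    Set-Content -Encoding UTF8 'acuson-p500-vc10.cdx.json'
```

The resulting file can be loaded into any CycloneDX-aware tracker; the issues report is the step to do first, because a scanner fed both Moq 4.0 and Moq 4.14 will report findings for a version that may not be installed, and the page itself says the authoritative, complete list lives in teamplay Fleet rather than in this table.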
MPII-3 | Does the device have mechanisms used for the transmitting, importing/exporting of personally identifiable information? | Yes
MPII-3.1 | Does the device display personally identifiable information (e.g., video display, etc.)? | Yes
MPII-3.2 | Does the device generate hardcopy reports or images containing personally identifiable information? | Yes
MPII-3.3 | Does the device retrieve personally identifiable information from or record personally identifiable information to removable media (e.g., removable HDD, USB memory, DVD-R/RW, CD-R/RW, tape, CF/SD card, memory stick, etc.)? | Yes
MPII-3.4 | Does the device transmit/receive or import/export personally identifiable information via dedicated cable connection (e.g., RS-232, RS-423, USB, FireWire, etc.)? | Yes
MPII-3.5 | Does the device transmit/receive personally identifiable information via a wired network connection (e.g., RJ45, fiber optic, etc.)? | Yes
MPII-3.6 | Does the device transmit/receive personally identifiable information via a wireless network connection (e.g., WiFi, Bluetooth, NFC, infrared, cellular, etc.)? | Yes
MPII-3.7 | Does the device transmit/receive personally identifiable information over an external network (e.g., Internet)? | Yes | Note 2
MPII-3.8 | Does the device import personally identifiable information via scanning a document? | No
MPII-3.9 | Does the device transmit/receive personally identifiable information via a proprietary protocol? | No
MPII-3.10 | Does the device use any other mechanism to transmit, import or export personally identifiable information? | No
Management of Private Data notes: N/A

Automatic Logoff (ALOF)
The device's ability to prevent access and misuse by unauthorized users if the device is left idle for a period of time.
Question ID | Question | Answer | See Note
ALOF-1 | Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password-protected screen saver)? | Yes
ALOF-2 | Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? | Yes

Audit Controls (AUDT)
The ability to reliably audit activity on the device.
Question ID | Question | Answer | See Note
AUDT-1 | Can the medical device create additional audit logs or reports beyond standard operating system logs? | Yes
AUDT-1.1 | Does the audit log record a USER ID? | Yes
AUDT-1.2 | Does other personally identifiable information exist in the audit trail? | Yes | Note 3
AUDT-2 | Are events recorded in an audit log? If yes, indicate which of the following events are recorded in the audit log: | Yes
AUDT-2.1 | Successful login/logout attempts? | Yes
AUDT-2.2 | Unsuccessful login/logout attempts? | Yes
AUDT-2.3 | Modification of user privileges? | Yes
AUDT-2.4 | Creation/modification/deletion of users? | Yes
AUDT-2.5 | Presentation of clinical or PII data (e.g., display, print)? | Yes
AUDT-2.6 | Creation/modification/deletion of data? | Yes
AUDT-2.7 | Import/export of data from removable media (e.g., USB drive, external hard drive, DVD)? | Yes
AUDT-2.8 | Receipt/transmission of data or commands over a network or point-to-point connection? | Yes
AUDT-2.8.1 | Remote or on-site support? | Yes
AUDT-2.8.2 | Application Programming Interface (API) and similar activity? | No
AUDT-2.9 | Emergency access? | Yes
AUDT-2.10 | Other events (e.g., software updates)? | Yes | Note 4
AUDT-2.11 | Is the audit capability documented in more detail? | Yes
AUDT-3 | Can the owner/operator define or select which events are recorded in the audit log? | Yes
AUDT-4 | Is a list of data attributes that are captured in the audit log for an event available? | Yes
AUDT-4.1 | Does the audit log record date/time? | Yes
AUDT-4.1.1 | Can date and time be synchronized by Network Time Protocol (NTP) or an equivalent time source? | Yes
AUDT-5 | Can audit log content be exported? | Yes
AUDT-5.1 | Via physical media? | Yes
AUDT-5.2 | Via IHE Audit Trail and Node Authentication (ATNA) profile to a SIEM? | No
AUDT-5.3 | Via other communications (e.g., external service device, mobile applications)? | Yes | Note 5
AUDT-5.4 | Are audit logs encrypted in transit or on storage media? | See notes | Note 6
AUDT-6 | Can audit logs be monitored/reviewed by the owner/operator? | Yes
AUDT-7 | Are audit logs protected from modification? | Yes
AUDT-7.1 | Are audit logs protected from access? | Yes
AUDT-8 | Can audit logs be analyzed by the device? | See notes | Note 7

Authorization (AUTH)
The ability of the device to determine the authorization of users.
Question ID | Question | Answer | See Note
AUTH-1 | Does the device prevent access by unauthorized users through user login requirements or another mechanism? | Yes | Note 8
AUTH-1.1 | Can the device be configured to use federated credentials management of users for authorization (e.g., LDAP, OAuth)? | No
AUTH-1.2 | Can the customer push group policies to the device (e.g., Active Directory)? | No
AUTH-1.3 | Are any special groups, organizational units, or group policies required? | See notes | Note 9
AUTH-2 | Can users be assigned different privilege levels based on 'role' (e.g., user, administrator, and/or service, etc.)? | Yes
AUTH-3 | Can the device owner/operator grant themselves unrestricted administrative privileges (e.g., access the operating system or application via a local root or administrator account)? | No
AUTH-4 | Does the device authorize or control all API access requests? | See notes | Note 10
AUTH-5 | Does the device run in a restricted access mode, or 'kiosk mode', by default? | Yes

Cybersecurity Product Upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade the device's security patches.
Question ID | Question | Answer | See Note
CSUP-1 | Does the device contain any software or firmware which may require security updates during its operational life, either from the device manufacturer or from a third-party manufacturer of the software/firmware? If no, answer "N/A" to questions in this section. | Yes
CSUP-2 | Does the device contain an Operating System? If yes, complete 2.1-2.4. | Yes
CSUP-2.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | Note 11
CSUP-2.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | Note 12
CSUP-2.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes
CSUP-2.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No
CSUP-3 | Does the device contain Drivers and Firmware? If yes, complete 3.1-3.4. | Yes
CSUP-3.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | Note 13
CSUP-3.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | Note 14
CSUP-3.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes
CSUP-3.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No
CSUP-4 | Does the device contain Anti-Malware Software? If yes, complete 4.1-4.4. | Yes | Note 15
CSUP-4.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | Note 16
CSUP-4.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | Note 17
CSUP-4.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes
CSUP-4.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No
CSUP-5 | Does the device contain non-Operating System commercial off-the-shelf components? If yes, complete 5.1-5.4. | Yes
CSUP-5.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | Note 18
CSUP-5.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | Note 19
CSUP-5.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes
CSUP-5.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No
CSUP-6 | Does the device contain other software components (e.g., asset management software, license management)? If yes, please provide details or reference in notes and complete 6.1-6.4. | No
CSUP-6.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | N/A
CSUP-6.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | N/A
CSUP-6.3 | Does the device have the capability to receive remote installation of patches or software updates? | N/A
CSUP-6.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | N/A
CSUP-7 | Does the manufacturer notify the customer when updates are approved for installation? | Yes | Note 20
CSUP-8 | Does the device perform automatic installation of software updates? | No
CSUP-9 | Does the manufacturer have an approved list of third-party software that can be installed on the device? | No
CSUP-10 | Can the owner/operator install manufacturer-approved third-party software on the device themselves? | No
CSUP-10.1 | Does the system have a mechanism in place to prevent installation of unapproved software? | Yes | Note 21
CSUP-11 | Does the manufacturer have a process in place to assess device vulnerabilities and updates? | Yes
CSUP-11.1 | Does the manufacturer provide customers with the review and approval status of updates? | Yes | Note 22
CSUP-11.2 | Is there an update review cycle for the device? | Yes | Note 23

Health Data De-Identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.
Question ID | Question | Answer | See Note
DIDT-1 | Does the device provide an integral capability to de-identify personally identifiable information? | Yes
DIDT-1.1 | Does the device support de-identification profiles that comply with the DICOM standard for de-identification? | See notes | Note 24

Data Backup and Disaster Recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, software, or site configuration information.
Question ID | Question | Answer | See Note
DTBK-1 | Does the device maintain long-term primary storage of personally identifiable information/patient information (e.g., PACS)? | No | Note 25
DTBK-2 | Does the device have a "factory reset" function to restore the original device settings as provided by the manufacturer? | Yes
DTBK-3 | Does the device have an integral data backup capability to removable media? | No
DTBK-4 | Does the device have an integral data backup capability to remote storage? | No
DTBK-5 | Does the device have a backup capability for system configuration information, patch restoration, and software restoration? | Yes | Note 26
DTBK-6 | Does the device provide the capability to check the integrity and authenticity of a backup? | See notes | Note 27

Emergency Access (EMRG)
The ability of the device user to access personally identifiable information in case of a medical emergency situation that requires immediate access to stored personally identifiable information.
Question ID | Question | Answer | See Note
EMRG-1 | Does the device incorporate an emergency access (i.e., "break-glass") feature? | Yes

Health Data Integrity and Authenticity (IGAU)
How the device ensures that the data stored on the device has not been altered or destroyed in a non-authorized manner and is from the originator.
Question ID | Question | Answer | See Note
IGAU-1 | Does the device provide data integrity checking mechanisms for stored health data (e.g., hash or digital signature)? | No
IGAU-2 | Does the device provide error/failure protection and recovery mechanisms for stored health data (e.g., RAID-5)? | No

Malware Detection/Protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).
Question ID | Question | Answer | See Note
MLDP-1 | Is the device capable of hosting executable software? | Yes
MLDP-2 | Does the device support the use of anti-malware software (or other anti-malware mechanism)? Provide details or reference in notes. | Yes | Note 28
MLDP-2.1 | Does the device include anti-malware software by default? | Yes
MLDP-2.2 | Does the device have anti-malware software available as an option? | No | Note 29
MLDP-2.3 | Does the device documentation allow the owner/operator to install or update anti-malware software? | No
MLDP-2.4 | Can the device owner/operator independently (re-)configure anti-malware settings? | No
MLDP-2.5 | Does notification of malware detection occur in the device user interface? | Yes
MLDP-2.6 | Can only manufacturer-authorized persons repair systems when malware has been detected? | Yes
MLDP-2.7 | Are malware notifications written to a log? | Yes
MLDP-2.8 | Are there any restrictions on anti-malware (e.g., purchase, installation, configuration, scheduling)? | Yes | Note 30
MLDP-3 | If the answer to MLDP-2 is NO, and anti-malware cannot be installed on the device, are other compensating controls in place or available? | N/A
MLDP-4 | Does the device employ application whitelisting that restricts the software and services that are permitted to be run on the device? | Yes
MLDP-5 | Does the device employ a host-based intrusion detection/prevention system? | No
MLDP-5.1 | Can the host-based intrusion detection/prevention system be configured by the customer? | N/A
MLDP-5.2 | Can a host-based intrusion detection/prevention system be installed by the customer? | N/A

Node Authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.
Question ID | Question | Answer | See Note
NAUT-1 | Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information (e.g., Web APIs, SMTP, SNMP)? | No
NAUT-2 | Are network access control mechanisms supported (e.g., does the device have an internal firewall, or use a network connection whitelist)? | Yes
NAUT-2.1 | Is the firewall ruleset documented and available for review? | See notes | Note 31
NAUT-3 | Does the device use certificate-based network connection authentication? | See notes | Note 32

Connectivity Capabilities (CONN)
All network and removable media connections must be considered in determining appropriate security controls. This section lists connectivity capabilities that may be present on the device.
CONN-1 | Does the device have hardware connectivity capabilities? | Yes |
CONN-1.1 | Does the device support wireless connections? | Yes |
CONN-1.1.1 | Does the device support Wi-Fi? | See notes | Note 33
CONN-1.1.2 | Does the device support Bluetooth? | No |
CONN-1.1.3 | Does the device support other wireless network connectivity (e.g., LTE, Zigbee, proprietary)? | No |
CONN-1.1.4 | Does the device support other wireless connections (e.g., custom RF controls, wireless detectors)? | No |
CONN-1.2 | Does the device support physical connections? | Yes |
CONN-1.2.1 | Does the device have available RJ45 Ethernet ports? | Yes |
CONN-1.2.2 | Does the device have available USB ports? | Yes |
CONN-1.2.3 | Does the device require, use, or support removable memory devices? | Yes |
CONN-1.2.4 | Does the device support other physical connectivity? | No |
CONN-2 | Does the manufacturer provide a list of network ports and protocols that are used or may be used on the device? | Yes |
CONN-3 | Can the device communicate with other systems within the customer environment? | Yes |
CONN-4 | Can the device communicate with other systems external to the customer environment (e.g., a service host)? | Yes | Note 34
CONN-5 | Does the device make or receive API calls? | See notes | Note 35
CONN-6 | Does the device require an internet connection for its intended use? | No |
CONN-7 | Does the device support Transport Layer Security (TLS)? | Yes |
CONN-7.1 | Is TLS configurable? | Yes |
CONN-8 | Does the device provide operator control functionality from a separate device (e.g., telemedicine)? | See notes | Note 36

Person Authentication (PAUT)
The ability to configure the device to authenticate users.
PAUT-1 | Does the device support and enforce unique IDs and passwords for all users and roles (including service accounts)? | Yes |
PAUT-1.1 | Does the device enforce authentication of unique IDs and passwords for all users and roles (including service accounts)? | No | Note 37
PAUT-2 | Is the device configurable to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, OAuth, etc.)? | No |
PAUT-3 | Is the device configurable to lock out a user after a certain number of unsuccessful logon attempts? | Yes | Note 38
PAUT-4 | Are all default accounts (e.g., technician service accounts, administrator accounts) listed in the documentation? | No |
PAUT-5 | Can all passwords be changed? | Yes |
PAUT-6 | Is the device configurable to enforce creation of user account passwords that meet established (organization-specific) complexity rules? | Yes | Note 39
PAUT-7 | Does the device support account passwords that expire periodically? | Yes | Note 40
PAUT-8 | Does the device support multi-factor authentication? | No |
PAUT-9 | Does the device support single sign-on (SSO)? | No |
PAUT-10 | Can user accounts be disabled/locked on the device? | Yes |
PAUT-11 | Does the device support biometric controls? | No |
PAUT-12 | Does the device support physical tokens (e.g., badge access)? | No |
PAUT-13 | Does the device support group authentication (e.g., hospital teams)? | No |
PAUT-14 | Does the application or device store or manage authentication credentials? | Yes |
PAUT-14.1 | Are credentials stored using a secure method? | Yes |

Physical Locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of personally identifiable information stored on the device or on removable media.
PLOK-1 | Is the device software only? If yes, answer "N/A" to the remaining questions in this section. | No |
PLOK-2 | Are all device components maintaining personally identifiable information (other than removable media) physically secure (i.e., cannot be removed without tools)? | Yes | Note 41
PLOK-3 | Are all device components maintaining personally identifiable information (other than removable media) physically secured behind an individually keyed locking device? | No |
PLOK-4 | Does the device have an option for the customer to attach a physical lock to restrict access to removable media? | No |

Roadmap for Third Party Applications and Software Components in Device Life Cycle (RDMP)
Manufacturer's plans for security support of third-party components within the device's life cycle.
RDMP-1 | Was a secure software development process, such as ISO/IEC 27034 or IEC 62304, followed during product development? | Yes |
RDMP-2 | Does the manufacturer evaluate third-party applications and software components included in the device for secure development practices? | Yes | Note 42
RDMP-3 | Does the manufacturer maintain a web page or other source of information on software support dates and updates? | Yes | Note 43
RDMP-4 | Does the manufacturer have a plan for managing third-party component end-of-life? | Yes |

Software Bill of Materials (SBoM)
A Software Bill of Materials (SBoM) lists all the software components that are incorporated into the device being described, for the purpose of operational security planning by the healthcare delivery organization. This section supports controls in the RDMP section.
SBOM-1 | Is the SBoM for this product available? | Yes |
SBOM-2 | Does the SBoM follow a standard or common method in describing software components? | Yes |
SBOM-2.1 | Are the software components identified? | Yes |
SBOM-2.2 | Are the developers/manufacturers of the software components identified? | Yes |
SBOM-2.3 | Are the major version numbers of the software components identified? | Yes |
SBOM-2.4 | Are any additional descriptive elements identified? | Yes |
SBOM-3 | Does the device include a command or process method available to generate a list of software components installed on the device? | No |
SBOM-4 | Is there an update process for the SBoM? | Yes |

System and Application Hardening (SAHD)
The device's inherent resistance to cyber attacks and malware.
SAHD-1 | Is the device hardened in accordance with any industry standards? | Yes | Note 44
SAHD-2 | Has the device received any cybersecurity certifications? | No |
SAHD-3 | Does the device employ any mechanisms for software integrity checking? | No |
SAHD-3.1 | Does the device employ any mechanism (e.g., release-specific hash key, checksums, digital signature, etc.) to ensure the installed software is manufacturer-authorized? | Yes | Note 45
SAHD-3.2 | Does the device employ any mechanism (e.g., release-specific hash key, checksums, digital signature, etc.) to ensure the software updates are the manufacturer-authorized updates? | Yes | Note 46
SAHD-4 | Can the owner/operator perform software integrity checks (i.e., verify that the system has not been modified or tampered with)? | No |
SAHD-5 | Is the system configurable to allow the implementation of file-level, patient-level, or other types of access controls? | Yes |
SAHD-5.1 | Does the device provide role-based access controls? | Yes |
SAHD-6 | Are any system or user accounts restricted or disabled by the manufacturer at system delivery? | No |
SAHD-6.1 | Are any system or user accounts configurable by the end user after initial configuration? | Yes |
SAHD-6.2 | Does this include restricting certain system or user accounts, such as service technicians, to least-privileged access? | No |
SAHD-7 | Are all shared resources (e.g., file shares) which are not required for the intended use of the device disabled? | Yes |
SAHD-8 | Are all communication ports and protocols that are not required for the intended use of the device disabled? | Yes |
SAHD-9 | Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.) which are not required for the intended use of the device deleted/disabled? | Yes |
SAHD-10 | Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled? | No |
SAHD-11 | Can the device prohibit boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? | Yes |
SAHD-12 | Can unauthorized software or hardware be installed on the device without the use of physical tools? | No |
SAHD-13 | Does the product documentation include information on operational network security scanning by users? | No |
SAHD-14 | Can the device be hardened beyond the default provided state? | No |
SAHD-14.1 | Are instructions available from the vendor for increased hardening? | No |
SAHD-15 | Can the system prevent access to BIOS or other bootloaders during boot? | Yes |
SAHD-16 | Have additional hardening methods not included in 2.3.19 been used to harden the device? | No |

Security Guidance (SGUD)
Availability of security guidance for the operator and administrator of the device and for manufacturer sales and service.
SGUD-1 | Does the device include security documentation for the owner/operator? | Yes |
SGUD-2 | Does the device have the capability, and provide instructions, for the permanent deletion of data from the device or media? | Yes |
SGUD-3 | Are all access accounts documented? | Yes |
SGUD-3.1 | Can the owner/operator manage password control for all accounts? | Yes |
SGUD-4 | Does the product include documentation on recommended compensating controls for the device? | No |
Health Data Storage Confidentiality (STCF)
The ability of the device to ensure that unauthorized access does not compromise the integrity and confidentiality of personally identifiable information stored on the device or removable media.
STCF-1 | Can the device encrypt data at rest? | Yes | Note 47
STCF-1.1 | Is all data encrypted or otherwise protected? | Yes |
STCF-1.2 | Is the data encryption capability configured by default? | No |
STCF-1.3 | Are instructions available to the customer to configure encryption? | No |
STCF-2 | Can the encryption keys be changed or configured? | No |
STCF-3 | Is the data stored in a database located on the device? | Yes |
STCF-4 | Is the data stored in a database external to the device? | No |

Transmission Confidentiality (TXCF)
The ability of the device to ensure the confidentiality of transmitted personally identifiable information.
TXCF-1 | Can personally identifiable information be transmitted only via a point-to-point dedicated cable? | No |
TXCF-2 | Is personally identifiable information encrypted prior to transmission via a network or removable media? | No |
TXCF-2.1 | If data is not encrypted by default, can the customer configure encryption options? | No |
TXCF-3 | Is personally identifiable information transmission restricted to a fixed list of network destinations? | No |
TXCF-4 | Are connections limited to authenticated systems? | No |
TXCF-5 | Are secure transmission methods supported/implemented (DICOM, HL7, IEEE 11073)? | No |

Transmission Integrity (TXIG)
The ability of the device to ensure the integrity of transmitted data.
TXIG-1 | Does the device support any mechanism (e.g., digital signatures) intended to ensure data is not modified during transmission? | No |
TXIG-2 | Does the device include multiple sub-components connected by external cables? | No |
Remote Service (RMOT)
Remote service refers to all kinds of device maintenance activities performed by a service person via network or other remote connection.
RMOT-1 | Does the device permit remote service connections for device analysis or repair? | Yes | Note 48
RMOT-1.1 | Does the device allow the owner/operator to initiate remote service sessions for device analysis or repair? | Yes | Note 49
RMOT-1.2 | Is there an indicator for an enabled and active remote session? | Yes | Note 50
RMOT-1.3 | Can patient data be accessed or viewed from the device during the remote session? | Yes | Note 51
RMOT-2 | Does the device permit or use remote service connections for predictive maintenance data? | No |
RMOT-3 | Does the device have any other remotely accessible functionality (e.g., software updates, remote training)? | Yes | Note 52

Other Security Considerations (OTHR)
NONE

Notes
Note 1 www.siemens-healthineers.com/support-documentation/cybersecurity
Note 2 Over VPN for remote service troubleshooting.
Note 3 User name exists.
Note 4 e.g., system start, shutdown.
Note 5 Syslog server.
Note 6 Yes on local storage. In transit, depends on the syslog server configuration.
Note 7 Not by the device, but yes at the device.
Note 8 Checking authentication with password.
Note 9 Depends on syngo role controls.
Note 10 Whitelisting controls the execution of executables and DLL access.
Note 11 Yes, SRS-based updates. No, if the installation happens through self-install from "teamplay Fleet" (ASU).
Note 12 Yes, for SRS-based updates (RUH).
Note 13 Yes, SRS-based updates. No, if the installation happens through self-install from "teamplay Fleet" (ASU).
Note 14 Yes, for SRS-based updates (RUH).
Note 15 Yes, containing SolidCore.
Note 16 Yes, SRS-based updates. No, if the installation happens through self-install from "teamplay Fleet" (ASU).
Note 17 Yes, for SRS-based updates (RUH).
Note 18 Yes, SRS-based updates. No, if the installation happens through self-install from "teamplay Fleet" (ASU).
Note 19 Yes, for SRS-based updates (RUH).
Note 20 Yes, via teamplay Fleet.
Note 21 Yes, providing whitelisting through SolidCore.
Note 22 Yes, via teamplay Fleet.
Note 23 Yes, monthly.
Note 24 The P500 VC10 system supports de-identification profiles as below:
1. The patient's ID and name tags are present but their values are changed to the format below:
   1.1. ID: <UserInputValue>_<CreationTime>
      1.1.1. UserInputValue: the string entered by a user (default string: Anonymous)
      1.1.2. CreationTime: the time when the ID is generated (format: yyyymmddhhmmss)
   1.2. Name: <UserInputValue>
      1.2.1. UserInputValue: same definition as 1.1.1
2. The patient's date of birth value is replaced with an empty string.
3. Other optional personal data fields, including performing physician's name, operator's name, patient's age, size and weight, and requesting physician key/value pairs, are removed.
Note 25 Service data partition available on booting using F10 with an external USB keyboard.
Note 26 Only for ultrasound configuration presets.
Note 27 Yes for integrity, no for authenticity.
Note 28 Yes, whitelisting by SolidCore.
Note 29 Always included and running by default.
Note 30 No additional anti-malware can be added to the system.
Note 31 The most important ports are, but not all of them.
Note 32 Only Wi-Fi connections, using TLS-based connectivity.
Note 33 The wireless feature is optional; the customer can select it.
Note 34 SRS supported.
Note 35 The device receives API calls over the SRS network when service interacts with it for troubleshooting purposes.
Note 36 Remote system control is provided via TeamViewer.
Note 37 There is no enforcement if the user does not want it.
Note 38 Configurable by the System Admin.
Note 39 Password complexity is configurable by the System Admin.
Note 40 Configurable by the System Admin.
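The de-identification profile in Note 24 is specified tightly enough to be checked mechanically. The following is an added example written for this page; it is not code from the white paper or from the P500 software. It applies the three rules of the profile to a header and then verifies the result. The dataset is a plain dict keyed by DICOM keyword (an assumption made so the script runs offline without pydicom), the patient values are constructed, and the fixed DEMO_TIME stands in for the generation time so the output is reproducible. A tag-level profile like this does not touch pixel data or burned-in annotations, which need separate handling.

```python
"""Header-level DICOM de-identification following the profile in Note 24:
PatientID becomes <UserInputValue>_<CreationTime>, PatientName becomes
<UserInputValue>, PatientBirthDate is blanked, optional personal fields go.

Added example, not code from the white paper or from the P500 software.
The dataset is a plain dict keyed by DICOM keyword (assumption, so this
runs without pydicom); pixel data and burned-in text are out of scope.
"""
from datetime import datetime
from typing import Dict, List, Optional

# Optional personal data fields the profile removes outright (Note 24, item 3).
REMOVED_KEYWORDS = (
    "PerformingPhysicianName",
    "OperatorsName",
    "PatientAge",
    "PatientSize",
    "PatientWeight",
    "RequestingPhysician",
)

# Constructed header values for a fictional patient (not real data).
SAMPLE_DATASET: Dict[str, str] = {
    "PatientID": "MRN-0042",
    "PatientName": "DOE^JANE",
    "PatientBirthDate": "19800214",
    "PatientAge": "041Y",
    "PatientSize": "1.68",
    "PatientWeight": "62",
    "PerformingPhysicianName": "SMITH^A",
    "OperatorsName": "TECH^B",
    "RequestingPhysician": "JONES^C",
    "StudyDate": "20220105",
    "Modality": "US",
    "SOPInstanceUID": "2.25.1000001",
}

# Fixed timestamp so the output is reproducible; production code uses now().
DEMO_TIME = datetime(2022, 1, 5, 13, 7, 9)


def creation_time_string(when: datetime) -> str:
    """Format CreationTime as yyyymmddhhmmss (Note 24, item 1.1.2)."""
    return when.strftime("%Y%m%d%H%M%S")


def deidentify(dataset: Dict[str, str], user_input: str = "Anonymous",
               when: Optional[datetime] = None) -> Dict[str, str]:
    """Return a de-identified copy of `dataset`; the input is left untouched."""
    when = when or datetime.now()
    out = dict(dataset)
    # Item 1: ID and Name tags stay present, their values are rewritten.
    out["PatientID"] = f"{user_input}_{creation_time_string(when)}"
    out["PatientName"] = user_input
    # Item 2: the date of birth tag is kept but emptied.
    out["PatientBirthDate"] = ""
    # Item 3: optional personal fields are removed entirely (absent is fine).
    for keyword in REMOVED_KEYWORDS:
        out.pop(keyword, None)
    return out


def verify_deidentified(dataset: Dict[str, str], user_input: str = "Anonymous") -> List[str]:
    """Check a header against the profile; an empty list means it conforms."""
    problems: List[str] = []
    patient_id = dataset.get("PatientID", "")
    prefix, sep, stamp = patient_id.rpartition("_")
    if not (sep and prefix == user_input and len(stamp) == 14 and stamp.isdigit()):
        problems.append(f"PatientID {patient_id!r} is not <UserInputValue>_<yyyymmddhhmmss>")
    if dataset.get("PatientName") != user_input:
        problems.append("PatientName is not the UserInputValue")
    if dataset.get("PatientBirthDate", "") != "":
        problems.append("PatientBirthDate is not empty")
    for keyword in REMOVED_KEYWORDS:
        if keyword in dataset:
            problems.append(f"{keyword} is still present")
    return problems


if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_DATASET, when=DEMO_TIME)
    for keyword in sorted(set(SAMPLE_DATASET) | set(cleaned)):
        before = SAMPLE_DATASET.get(keyword, "<absent>")
        after = cleaned.get(keyword, "<removed>")
        print(f"{keyword:26} {before!r:>14} -> {after!r}")
    print("profile violations:", verify_deidentified(cleaned) or "none")
```

Running the verifier against the untouched SAMPLE_DATASET reports nine violations (ID format, name, birth date and the six optional fields); against the output of deidentify it reports none. Note that verify_deidentified treats an ID that merely contains an underscore as non-conforming unless the prefix equals the configured UserInputValue, so a site that changes the default string must pass the same value to both functions.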
Note 41 Using a Kensington Security Slot.
Note 42 Yes, via SVM.
Note 43 Siemens Healthineers maintains teamplay Fleet to support software updates connected from CSMS.
Note 44 Following STIG hardening instructions.
Note 45 System supports whitelisting using SolidCore.
Note 46 System supports whitelisting using SolidCore.
Note 47 Yes, BitLocker supported.
Note 48 Yes, SRS supported.
Note 49 The owner/operator would need to put the system into full access in order to allow a remote service session.
Note 50 Yes, a headset icon appears in the upper right-hand corner of the main imaging screen when the system is accessed remotely.
Note 51 Only with owner/operator consent provided to the remote requestor.
Note 52 Remote updates, remote training, remote assistance.

Manufacturer Disclosure Statement (IEC 60601-1)

Z1 Instructions for the responsible organization
Z1-1 Connection of the system to a NETWORK/DATA COUPLING that includes other equipment could result in previously unidentified risks to patients, operators or third parties; the RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.
Z1-2 Subsequent changes to the NETWORK/DATA COUPLING could introduce new RISKS and require additional analysis.
Z1-3 Changes to the network include:
• changes in NETWORK/DATA COUPLING configuration;
• connection of additional items to the NETWORK/DATA COUPLING;
• disconnecting items from the NETWORK/DATA COUPLING;
• update of equipment connected to the NETWORK/DATA COUPLING;
• upgrade of equipment connected to the NETWORK/DATA COUPLING.
Z1-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.
Z1-5 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that staff who have access to the device have no opportunity to harm the system.
Z1-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.
Z1-7 Staff of the RESPONSIBLE ORGANIZATION have to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this training.
Z1-8 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that only authorized medical/administrative staff have access to the device.
Z1-9 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that visitors/patients do not have unsupervised physical access to the system.
Z1-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers.
Z1-11 The RESPONSIBLE ORGANIZATION has at least one staff member with administrative rights who has access to the system.
Z1-12 The RESPONSIBLE ORGANIZATION shall ensure that access to the device is possible neither from the public internet nor from the organization's intranet.
Z1-13 The RESPONSIBLE ORGANIZATION is responsible for ensuring physical security for the device.
Z1-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services of the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.
Z1-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.
Z1-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.
Z1-17 The RESPONSIBLE ORGANIZATION is responsible for the hard drive encryption keys and for preventing the theft or loss of those keys.
Z1 notes:

Z2 Intended purpose of integrating the Device into an IT-Network
Z2-1 To integrate the system into the clinical workflow, the whole ultrasound system interacts as a DICOM node in the clinical network.
Z2-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of acquired images to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS, making future retrievals fast and easy.
Z2-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data is received via DICOM; acquired images are sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.
Z2 notes:

Z3 Network Properties required by the System and resulting risks
Z3-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1 Gbit/s performance:
• If the network is down, the network services (see below) are not available, which can lead to the risks stated below.
  - If the network is unavailable, medical images cannot be transferred for remote consultation.
  - If the wireless network is incorrectly protected (for example, an open Wi-Fi configuration), the attack surface of all connected devices is much larger, which can lead to the risks stated below.
  - If the recommended network performance (1 Gbit/s) is not provided, the transfer of images takes longer, and availability of images at their destinations (e.g., for consulting) is delayed.
  - Only the protocols shown in the table of used ports are needed for communication.
Z3-2 PACS system for archiving images/results
• If the PACS is not available:
  - Images cannot be archived after the examination. In case of a system hardware failure, all non-archived images can be lost.
  - Images cannot be archived after the examination. Examinations may no longer be possible because the hard drive is full, as non-archived images cannot be automatically removed.
  - Images cannot be archived after the examination. In case of manual deletion of images, unarchived images can be lost.
  - Images are not available for remote consultation via PACS consoles.
  - Prior images are not available.
• If the recommended network performance (1 Gbit/s) is not provided, the transfer time to the PACS is extended, and the wait before the system can be switched off after the last transfer operations is prolonged.
Z3-3 DICOM printer
• If the DICOM printer is not available, film is not available for diagnosis/archive.
Z3-4 RIS system
• If the RIS system is not available:
  - The modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images sent to the PACS until they are manually reconciled with the RIS data in the PACS.
  - In case of a Worklist Query time-out due to poor network transfer, there is a possibility that outdated RIS data is used when registering a patient from the list of schedules on the system.
Z3-5 Network connection to the SRS server
• If the connection to the Smart Remote Services server is not available, support from Siemens Healthineers service is limited.
Z3-6 Common medical protocol properties
• Protocols used in medical environments are typically insecure, with the exception of secure Smart Remote Services (using HTTPS).
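Z3-2 lists manual deletion of unarchived images as a way to lose data. The deletion gate below is an added example written for this page, not code from the white paper or from the P500 software: an instance is removed from local storage only when the archive has positively confirmed it. The CommitmentResult record and the UID strings are assumptions standing in for what a real client would extract from the DICOM Storage Commitment response (N-EVENT-REPORT) a PACS returns; the scenario data is constructed. The point the example makes is that absence of a failure report is not success: an instance that was never sent, that timed out, or that the archive lists inconsistently stays on the device.

```python
"""Archive-confirmed deletion gate for locally stored DICOM instances.

Added example, not code from the white paper or the P500 software. An
instance is deleted locally only when the archive has positively reported
it as stored (Z3-2: manual deletion can lose unarchived images). The
CommitmentResult shape and the UIDs are assumptions; a real client would
fill them from the Storage Commitment N-EVENT-REPORT the PACS returns.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CommitmentResult:
    """One storage-commitment exchange, reduced to what the gate needs."""
    referenced_uids: Tuple[str, ...]  # instances we asked the archive to commit to
    success_uids: Tuple[str, ...]     # instances the archive reports as safely stored
    failure_uids: Tuple[str, ...]     # instances the archive reports as not stored


def committed_instances(results: Iterable[CommitmentResult]) -> Set[str]:
    """UIDs with a positive and consistent success report.

    A UID counts only if it was referenced in that request and the same
    response does not also list it as failed. Anything else (never sent,
    timed out, contradictory, or a UID we never asked about) is unconfirmed.
    """
    committed: Set[str] = set()
    for result in results:
        referenced = set(result.referenced_uids)
        failed = set(result.failure_uids)
        for uid in result.success_uids:
            if uid in referenced and uid not in failed:
                committed.add(uid)
    return committed


def plan_local_deletion(local_uids: Iterable[str], requested_uids: Iterable[str],
                        committed: Set[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split a deletion request into (safe to delete, retained with reason)."""
    local = set(local_uids)
    to_delete: List[str] = []
    retained: Dict[str, str] = {}
    for uid in requested_uids:
        if uid not in local:
            retained[uid] = "not present locally"
        elif uid in committed:
            to_delete.append(uid)
        else:
            retained[uid] = "no archive confirmation"
    return to_delete, retained


# Constructed scenario: four instances on the device; one commitment exchange
# in which 2.25.3 was rejected, 2.25.4 was never sent, and the archive's
# success list also names a UID (2.25.99) that was never referenced.
DEMO_LOCAL = ("2.25.1", "2.25.2", "2.25.3", "2.25.4")
DEMO_RESULTS = (
    CommitmentResult(
        referenced_uids=("2.25.1", "2.25.2", "2.25.3"),
        success_uids=("2.25.1", "2.25.2", "2.25.99"),
        failure_uids=("2.25.3",),
    ),
)
DEMO_REQUEST = ("2.25.1", "2.25.2", "2.25.3", "2.25.4", "2.25.5")


def demo() -> Tuple[List[str], Dict[str, str]]:
    """Run the gate over the constructed scenario."""
    return plan_local_deletion(DEMO_LOCAL, DEMO_REQUEST, committed_instances(DEMO_RESULTS))


if __name__ == "__main__":
    to_delete, retained = demo()
    print("delete:", to_delete)
    for uid, reason in retained.items():
        print(f"retain {uid}: {reason}")
```

Only 2.25.1 and 2.25.2 are deleted; 2.25.3 (rejected) and 2.25.4 (never committed) are kept, and 2.25.5 is reported as not present rather than silently ignored. The same gate applies where a PACS does not support Storage Commitment at all: the confirmation then has to come from a query of the remote system, and until it does every instance is treated as unconfirmed.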
Z3-7 Unsuccessful data transfer not recognized
• Function: Archiving and Networking
• Hazard: Wrong diagnosis/loss of acquisition data
• Caution: Data transfers between systems are not verified automatically. Data is lost if it is deleted locally before it has been successfully transferred to another system.
• Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
• Effect on: Patient
Z3-8 Incorrect or incomplete data transfer
• Function: Data Exchange / Network
• Hazard: Wrong diagnosis, wrong examination/loss of acquisition data, loss of post-processing results, corrupted data, inconsistent data
• Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, DICOM objects may be overlooked, deleted, corrupted or unintentionally manipulated. Data on the sender and receiver side is not consistent. Failure of the transfer is not recognized.
• Measure: It has to be verified by testing that there is no object loss during sending, which means:
  - Verify that exception scenarios result in a failed job (and check for other exceptions in log files).
  - Verify that error cases which result in data not complying with the DICOM standard are covered by exception scenarios.
• Effect on: Patient
Z3-9 Insecure or incorrectly configured clinical network
• Function: Network Security
• Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination/loss of acquisition data, corrupted data, system DoS
• Caution: Unauthorized access may affect system performance and data security.
• Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
  - Lowered system performance and/or a non-operational system
  - Loss of data security, including loss of all patient data
• Measure:
  - Enable your system administrator to ensure network security and the security of the operational infrastructure
  - Consult manuals for secure setup
  - Perform system updates as required
  - Run your medical device only in protected network environments, and do not connect it directly to public networks
  - Set up firewalls
  - Prevent configuration files from being changed by users
  - Update and patch networked systems as required
• Effect on: Patient
Z3-10 BitLocker recovery keys not available when needed
• Function: Hard drive encryption
• Hazard: Loss of patient data, system DoS
• Caution: The customer should keep the BitLocker recovery keys safe.
• Cause: If the customer opted for hard drive encryption and BitLocker fails to access the encrypted drive for whatever reason, the recovery keys will be needed by Siemens Healthineers Service to pause encryption and gain offline access to the hard drive and the patient data stored on it.
• Effect on: Patient, System
Z3 notes:

Abbreviations
AD Active Directory
AES Advanced Encryption Standard
ASU Anytime Software Updates
BIOS Basic Input Output System
COM Component Object Model
DCOM Distributed Component Object Model
DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol
DICOM Digital Imaging and Communications in Medicine
DISA Defense Information Systems Agency
DMZ Demilitarized Zone
DNS Domain Name System
DoS Denial of Service
ePHI Electronic Protected Health Information
FDA Food and Drug Administration
FIPS Federal Information Processing Standards
HD High Density
HDCP High-bandwidth Digital Content Protection
HECI Host Embedded Controller Interface
HHS Health and Human Services
HIPAA Health Insurance Portability and Accountability Act
HIMSS Healthcare Information and Management Systems Society
HTTP Hypertext Transfer Protocol
HTTPS HTTP Secure
ICS Integrated Communication Services
IDS Intrusion Detection System
IEC International Electrotechnical Commission
IIS Internet Information Services
IKE Internet Key Exchange
IPS Intrusion Prevention System
IPsec Internet Protocol Security
iSCSI Internet Small Computer System Interface
IVM Intervention Module
JPEG Joint Photographic Experts Group
LDAP Lightweight Directory Access Protocol
MD5 Message Digest 5
MDS2 Manufacturer Disclosure Statement for Medical Device Security
MSTS Microsoft Terminal Server
NEMA National Electrical Manufacturers Association
NTP Network Time Protocol
OCR Office for Civil Rights
OS Operating System
OU Organizational Unit
PACS Picture Archiving and Communication System
PHI Protected Health Information
PII Personally Identifiable Information
PNRP Peer Name Resolution Protocol
RIS Radiology Information System
RPC Remote Procedure Call
RUH Remote Update Handling
SAM Security Accounts Manager
SBoM Software Bill of Materials
SHA Secure Hash Algorithm
SMP Spaces Management Provider
SQL Structured Query Language
SRS Smart Remote Services
SSL Secure Sockets Layer
STIG Security Technical Implementation Guide
SW Software
TCP Transmission Control Protocol
TLS Transport Layer Security
TPM Trusted Platform Module
UDP User Datagram Protocol
UI User Interface
UltraVNC Ultra Virtual Network Computing
VLAN Virtual Local Area Network
VPN Virtual Private Network
WMI Windows Management Instrumentation
WWW World Wide Web

Disclaimer According to IEC 80001-1
1-1 The Device has the capability to be connected to a medical IT-network which is managed under the full responsibility of the operating responsible organization. It is assumed that the responsible organization assigns a Medical IT-Network Risk Manager to perform IT-Risk Management (see IEC 80001-1:2010/EN 80001-1:2011) for IT-networks incorporating medical devices.
1-2 This statement describes Device-specific IT-networking safety and security capabilities. It is not a responsibility agreement according to IEC 80001-1:2010/EN 80001-1:2011.
1-3 Any modification of the platform, the software or the interfaces of the Device, unless authorized and approved by Siemens Healthcare GmbH, voids all warranties, liabilities, assertions and contracts.

Adobe is either a trademark or registered trademark of Adobe Systems Incorporated in the United States and/or other countries.
Intel is a trademark of Intel Corporation in the United States and other countries.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.
McAfee is a registered trademark of McAfee, LLC or its subsidiaries in the US and other countries.
NVIDIA is a registered trademark of NVIDIA Corporation.
1-4 The responsible organization acknowledges that the Device's underlying standard computer with operating system is to some extent vulnerable to typical attacks like e.g., malware or denial-of-service.
1-5 Unintended consequences (like e.g., misuse/loss/corruption) of data not under control of the Device, e.g., after electronic communication from the Device to some IT-network or to some storage, are under the responsibility of the responsible organization.
1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT-network. The responsible organization must ensure, through technical and/or organizational measures, that only authorized use of the external connections and storage media is permitted.

Statement on FDA Cybersecurity Guidance
Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements.
The representations contained in this white paper are International Electrotechnical Commission Glossary designed to describe Siemens Healthineers’ approach to (extract) cybersecurity of its medical devices and to disclose the Responsible organization: security capabilities of the devices/systems described Entity accountable for the use and maintenance of a herein. Neither Siemens Healthineers nor any medical medical IT-network. device manufacturer can warrant that its systems will be ACUSON P500 is a trademark of Siemens Medical invulnerable to cyberattack. Siemens Healthineers makes Solutions, USA, Inc. no representation or warranty that its cybersecurity efforts will ensure that its medical devices/systems will syngo is a trademark of Siemens Healthineers GmbH. be error-free or secure against cyberattack. 53 On account of certain regional limitations of sales rights In the interest of complying with legal requirements and service availability, we cannot guarantee that all concerning the environmental compatibility of our products included in this brochure are available through products (protection of natural resources and waste the Siemens Healthineers sales organization worldwide. conservation), we recycle certain components. Using Availability and packaging may vary by country and are the same extensive quality assurance measures as subject to change without prior notice. for factory-new components, we ensure the quality of Some/All of the features and products described herein these recycled components. may not be available in the United States or other Note: Any technical data contained in this document may countries. vary within defined tolerances. Original images always The information in this document contains general lose a certain amount of detail when reproduced. 
technical descriptions of specifications and options as Caution: Federal law restricts this device to sale by or well as standard and optional features that do not always on the order of a physician. have to be present in individual cases. Siemens Healthineers reserves the right to modify the design, packaging, specifications and options described herein without prior notice. Please contact your local Siemens Healthineers sales representative for the most current information. Siemens Healthineers Headquarters Manufacturer Siemens Healthcare GmbH Siemens Medical Solutions USA, Inc. Henkestr. 127 Ultrasound 91052 Erlangen, Germany 22010 S.E. 51st Street Phone: +49 9131 84-0 Issaquah, WA 98029, USA siemens-healthineers.com Phone: 1-888-826-9702 siemens-healthineers.com/ultrasound Published by Siemens Medical Solutions USA, Inc. · 11694 0122 online · ©Siemens Medical Solutions USA, Inc., 2022