
ACUSON NX3 Security and MDS2 Form - VA10
Keeping patient data safe and secure typically should be one of the top priorities of healthcare institutions. At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our medical devices.
White paper
ACUSON NX3 ultrasound system, release VA10
Security and MDS2 Form
Facts about security and privacy requirements
siemens-healthineers.com/ultrasound
SIEMENS Healthineers

Product & solution security white paper · ACUSON NX3 VA10

The Siemens Healthineers product and solution security program

At Siemens Healthineers, we are committed to working with you to address your cybersecurity and privacy requirements.

Our Product and Solution Security Office is responsible for our global program to ensure that cybersecurity is addressed throughout the lifecycle of our medical devices. We support you to protect the privacy of your data, at the same time providing measures that strengthen the resiliency of our products from external cybersecurity attackers.

To help you meet your IT security and privacy obligations, we comply with security and privacy regulations of the U.S. Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights (OCR).

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities.

Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our medical devices, no matter the source.

Elements of our product and solution security program

• Provide information about the secure configuration and use of Siemens Healthineers medical devices in your IT environment
• Formal threat and risk analysis for our medical devices
• Secure architecture, design and coding methodologies in our software development process
• Static code analysis of medical device software
• Security testing of medical devices under development as well as medical devices already in the field
• Patch management tailored to the medical device and your requirements
• Security vulnerability monitoring to track reported third-party component issues in our medical devices
• Work with suppliers to ensure security is addressed throughout the supply chain
• Employee training to ensure their knowledge is consistent with the requirements that contribute to protecting your data and device integrity

Please contact us anytime to report product and solution security, cybersecurity or privacy incidents. Send an email to: productsecurity@siemens-healthineers.com

For all other communications with Siemens Healthineers about product and solution security, please contact ProductTechnologyAssurance.dl@siemens-healthineers.com

Yours sincerely,
Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers

Contents

Basic Information
Network Information
Security Controls
Software Bill of Materials
Manufacturer Disclosure Statement According to IEC 60601-1
Manufacturer Disclosure Statement for Medical Device Security - MDS2
Abbreviations
Disclaimer According to IEC 80001-1
International Electrotechnical Commission Glossary (extract)
Statement on FDA Cybersecurity Guidance

Basic Information

Why is cybersecurity important?

Keeping patient data safe and secure typically should be one of the top priorities of healthcare institutions. It is estimated that the cost associated in the recovery of each medical record in the United States can be as high as $380 [1]. According to the Ponemon Institute research report [2], 39% of medical devices were hacked, with hackers able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

The Siemens Healthineers product security program

Cybersecurity is essential for digitalizing healthcare. At Siemens Healthineers, we build secure products, keep them protected throughout their lifecycle, and continuously refine our cybersecurity safeguards for every product generation. We communicate proactively about the security controls of our equipment. We inform about vulnerabilities and how we have addressed them. We deliver solutions that help keep the equipment as secure as possible. We follow the FDA's post-market guidance and are aligned with industry best practices to continuously monitor all security relevant components for newly identified vulnerabilities.

Our purpose is to help healthcare providers succeed

The Siemens Healthineers ACUSON NX3 VA10 ultrasound system embodies what you love about smart technology. Built specifically around the way you work, the ACUSON NX3 Series systems are simple and uncomplicated, yet powerful. When form meets function, the result is intuitive and smart ultrasound systems that will help promote your highest levels of performance.

Operating Systems

Refer to the Software Bill of Materials chapter.

User account information

• ACUSON NX3 VA10 software supports local system accounts that can be managed by the local administrator of the system.
• The system provides preconfigured Password Policies that can be customized by administrators.

Patching strategy

• Security patches will be provided as needed to maintain clinical function of the medical device after validation by Siemens Healthineers.
• If connected to Smart Remote Services (SRS), updates can be pushed to the system automatically.
• Technologies and software components are actively monitored for vulnerabilities and availability of security updates.

Handling of sensitive data

• This ultrasound system is designed for temporary data storage only. Siemens Healthineers recommends storing data to a long-term archive, e.g., on a PACS and deleting in a facility-defined procedure.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system similar to DICOM data, raw data, and meta data for DICOM creation. Note: The time for which PHI is stored is determined by the facility.
• Personally Identifiable Information (PII) as part of the DICOM records also is stored temporarily on the ultrasound system, e.g., patient's name, birthday or age, height and weight, personal identification number, and referring physician's name. Additional sensitive information might be present in user-editable input fields or in the images acquired.

[1] https://healthitsecurity.com/news/how-much-do-healthcare-databreaches-cost-organizations
[2] Ponemon Institute research report, Medical Device Security: An Industry Under Attack and Unprepared to Defend; https://www.ajg.com/media/1699098/medical-devicecybersecuritywhitepaper.pdf

Network Information

[Figure 1: System Deployment overview with regard to network boundaries. Diagram labels: Ultrasound Machine, Clinical Network, Internet, PACS/RIS, Network Share, SRS Router, Smart Remote Services, VPN, IBC, Access Server.]

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN).

To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall and/or using access control lists on the network switches to limit traffic to identified peers.

At minimum, the DICOM Port (see Table 1) needs to be visible for customer DICOM network nodes (e.g., PACS, syngo®.via, etc.). Please contact the Siemens Healthineers service organization for further information.
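One way to check that a firewall or switch ACL really limits traffic to identified peers is to audit connection logs against the ports the white paper lists in Table 1. The following is an added example, not code from Siemens Healthineers; the device address, the peer addresses, the peer-to-port mapping and the log format are constructed assumptions, and each record is assumed to describe a connection initiation.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Table 1 of the white paper: listening port -> (service, documented directions).
# Every entry is TCP; only DICOM (104) is documented as in/outbound.
TABLE_1 = {
    80: ("Microsoft IIS", {"in"}),
    104: ("DICOM communication", {"in", "out"}),
    443: ("Administration Portal - Remote Service", {"in"}),
    11080: ("Remote Assist (Team Viewer)", {"in"}),
    11081: ("Remote Assist (Team Viewer)", {"in"}),
    31257: ("SRS (Smart Remote Services)", {"in"}),
    31258: ("SRS (Smart Remote Services)", {"in"}),
    49173: ("syngo", {"in"}),
    49190: ("syngo", {"in"}),
}

# Site-specific assumptions: constructed addresses, not taken from the white paper.
DEVICE = ip_address("10.20.30.40")            # the ultrasound system
IDENTIFIED_PEERS = {
    ip_network("10.20.30.10/32"): {104},      # PACS/RIS node
    ip_network("10.20.30.1/32"): {443, 11080, 11081, 31257, 31258},  # SRS router
}

# Constructed sample log; one record per connection initiation.
SAMPLE_FLOWS = """\
# time,src_ip,src_port,dst_ip,dst_port,proto
08:00:00,10.20.30.10,50312,10.20.30.40,104,tcp
08:00:05,10.20.30.40,49500,10.20.30.10,104,tcp
08:01:00,10.20.99.7,51000,10.20.30.40,80,tcp
08:02:00,10.20.30.10,51001,10.20.30.40,3389,tcp
08:03:00,10.20.30.10,51002,10.20.30.40,104,udp
08:04:00,10.20.30.40,49600,203.0.113.5,443,tcp
08:05:00,10.20.30.10,51003,10.20.30.11,445,tcp
"""


def peer_allowed(addr, port):
    """True if addr is an identified peer for this Table 1 port."""
    return any(addr in net and port in ports
               for net, ports in IDENTIFIED_PEERS.items())


def audit(flow_csv):
    """Return (time, direction, peer, port, reason) for each flow that the
    Table 1 allowlist and the identified-peer list do not account for."""
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6 or row[0].lstrip().startswith("#"):
            continue  # skip comments and malformed records
        ts, src, _sport, dst, dport, proto = (f.strip() for f in row)
        src, dst, dport = ip_address(src), ip_address(dst), int(dport)
        if dst == DEVICE:
            direction, peer = "in", src
        elif src == DEVICE:
            direction, peer = "out", dst
        else:
            continue  # flow does not involve the ultrasound system
        if proto.lower() != "tcp":
            reason = "protocol not in Table 1"
        elif dport not in TABLE_1:
            reason = "port not in Table 1"
        elif direction not in TABLE_1[dport][1]:
            # Table 1 documents only DICOM as outbound; a site may allow other
            # outbound targets, so treat this as a review item.
            reason = "direction not in Table 1"
        elif not peer_allowed(peer, dport):
            reason = "peer not identified for this port"
        else:
            continue
        findings.append((ts, direction, str(peer), dport, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```

The same allowlist can drive the ACL itself: any flow this audit reports is one the firewall or switch rule set should either block or have a documented exception for.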
The following ports are used by the system. All of the ports are closed except for the ports listed in Table 1.

Port number | Service/function | Direction | Protocol
80 | Microsoft IIS | Inbound | TCP
104 | DICOM communication | In/outbound | TCP
443 | Administration Portal - Remote Service | Inbound | TCP (encrypted)
11080 | Remote Assist (Team Viewer) | Inbound | TCP
11081 | Remote Assist (Team Viewer) | Inbound | TCP
31257 | SRS (Smart Remote Services) | Inbound | TCP
31258 | SRS (Smart Remote Services) | Inbound | TCP
49173 | syngo | Inbound | TCP
49190 | syngo | Inbound | TCP

Table 1: Port numbers

Security Controls

Malware protection

Whitelisting (McAfee® Application Control)

Authentication authorization controls

The ACUSON NX3 VA10 software supports role-based privilege assignment (Admin and Non-Admin) and access control to patient data.

The user interface of the ACUSON NX3 VA10 software provides a screen lock functionality that can be engaged automatically after a certain inactivity time. For details, please refer to the User Manual.

Continuous vulnerability assessment and remediation

Continuous Vulnerability Assessment is performed.

Network controls

• The system is designed to make limited use of network ports and protocols. The Microsoft Windows firewall is configured to block unwanted inbound network traffic except for the ports listed in Table 1.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g., a separate network segment or a VLAN.
• Connection to the Internet or private networks used by patients/guests is not recommended.
• In case of a denial-of-service (DoS) or malware attack, the system can be taken off the network and operated as a stand-alone.

Physical protection

• You are responsible for the physical protection of the ACUSON NX3 system's VA10 software, e.g., by installing it in a room with controlled access. Please note that the computer contains patient data and should be protected against tampering and theft.
• It is possible to change the BIOS password. Please contact Siemens Healthineers service for support.

Data protection controls

• The system is not intended to be an archive (data at rest).
• PHI is protected by role-based privilege assignment and access control.
• ACUSON NX3 VA10 software provides local user accounts.

Remote connectivity

SRS is optionally used for proactive maintenance. The connection is created using a secured channel (VPN- or IBC-based). It may be used to download security patches and updates.

Incident response and management

The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents.

Software Bill of Materials

The following table comprises the most relevant third-party technologies used (general drivers not included).
Vendor name | Component name | Component version | Description / use
Adobe | Acrobat Professional | 9.X |
Apache Software Foundation | Formatting Objects Processor (FOP) | 1.0 |
Azul Systems | Zulu | 8.11 |
D R Commander | libjpeg-turbo | 1.4.0 |
DisplayLink | DisplayLink USB Graphics for Windows | 7.7 |
GrapeCity | Spread | 6.0 |
Info-ZIP | Info-ZIP | 3.0 |
Intel | Intel Graphics Drivers | 15.22.03 |
Intel | Intel Chipset Device Software | 9.3 |
Intel | Intel Network Connections | 18.7.x |
Intel | Intel PROSet/Wireless Software | 19.x |
McAfee | Application Control (MAC) | 6.2.0 |
Meta Geek LLC | inSSIDer | 2.1.5 |
Microsoft | .NET Framework | 1.1 SP1, 4.0, 4.5.1 |
Microsoft | Internet Explorer | 8.0 |
Microsoft | Microsoft Baseline Security Analyzer | 2.0.1 |
Microsoft | Microsoft Foundation Class Library (MFC) | 8.0 |
Microsoft | Microsoft XML Core Services (MSXML) | 4.0 SP3 |
Microsoft | SQL Server | 2014 SP2 |
Microsoft | SQL Server Desktop Engine | 8.00.761 |
Microsoft | Visual C++ 2005 Redistributable Package (x64) | SP1 |
Microsoft | Visual C++ 2005 Redistributable Package (x86) | Without SP |
Microsoft | Visual C++ 2008 Redistributable Package (x64) | Without SP |
Microsoft | Visual C++ 2008 Redistributable Package (x86) | SP1 |
Microsoft | Visual C++ 2010 Redistributable Package (x64) | Without SP |
Microsoft | Visual C++ 2010 Redistributable Package (x86) | SP1 |
Microsoft | Visual C++ Runtime | 2003 |
Microsoft | Windows Embedded Standard 7 | Service Pack 1 |
Microsoft | Windows Installer | 4.5 |
Mitsubishi Electric Corporation | P95DW Windows Printer Driver | 1.2 |
Nicomsoft Ltd. | Advanced WiFi-Manager | 5.5 |
peter.dolkens | Nuget Package: Ionic.Zip | 1.9.1.8 |
Primo Software Corporation | PrimoBurner SDK for .NET | 3.6 |
Python Software Foundation | Python | 2.7.2 |
Realtek Semiconductor Corp. | High Definition Audio Driver | 6.0 |
Riverbed Technology | Wireshark | 1.10.5 |
Sony | UP-D25MD Windows Printer Driver | 1.1 |
Sony | UP-D711MD Printer Driver for Windows | 1.0 |
Sony | UP-D898MD Printer Driver for Windows | 1.00 |
Stéphane Bidoul | Libxml and Libxslt Python Bindings for Windows | 2.7.7 |
TEAC | UR-50BD Driver | 6.5 |
TeamViewer | TeamViewer | 10.0.x |
Tom Tec Imaging Systems GmbH | VVI 5 | 2.0.0.0 |
Versant | Versant Object Database | 8.0.2 |
WinPcap | WinPcap | 4.1.3 |

Manufacturer Disclosure Statement According to IEC 60601-1

Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1. Network properties required by the system and resulting risks

1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1 Gb/s.
• If the network is down, the network services (see below) are not available which can lead to the risks stated below.
• If the network is unavailable, medical images cannot be transferred for remote consultation.
• If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below.
• If the recommended network performance (1Gbit/s) is not provided, the transfer of images is extended, and availability of images at destinations (e.g., for consulting) is delayed.
• Only the protocols shown in the table of used ports are needed for communication.

1-2 PACS system for archiving images/results
• If the PACS is not available:
  - images cannot be archived after the examination. In case of a system hardware failure, all non-archived images can be lost.
  - images cannot be archived after the examination. Examinations may no longer be possible because the hard drive is full as non-archived images cannot be automatically removed.
  - images cannot be archived after the examination. In case of manual deletion of images, unarchived images can be lost.
  - images are not available for remote consultation via PACS consoles.
  - prior images are not available.
• If the recommended network performance (1Gbit/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system consecutive to the last transfer operations is prolonged.

1-3 DICOM printer
• If the DICOM printer is not available, film is not available for diagnosis/archive.

1-4 RIS system
• If the RIS system is not available:
  - the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images when sent to the PACS until they are manually coerced with the RIS data in the PACS.
  - In case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-actual RIS data is used when registering a patient from the list of schedules on the system.

1-5 Network connection to the SRS server
• If the connection to the Smart Remote Services server is not available, then support from Siemens Healthineers service is limited.

1-6 Common medical protocol properties
• Protocols used in medical environments are typically unsecure, with the exception of secure Smart Remote Services (using HTTPS).

2. Instructions for the responsible organization

2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.
2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis.
2-3 Changes to the network include:
• changes in network configuration
• connection of additional items to the network
• disconnecting items from the network
• update of equipment connected to the network
• upgrade of equipment connected to the network
2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.
2-5 The RESPONSIBLE ORGANIZATION is fully responsible to ensure staff who have access to the device do not have the opportunity to provide any harm to the system.
2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.
2-7 Staff of the RESPONSIBLE ORGANIZATION has to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this.
2-8 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that only authorized medical/administrative staff shall have access to the device.
2-9 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that visitors/patients do not have unsupervised physical access to the system.
2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers.
2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system.
2-12 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet nor from the organization's intranet to the device is possible.
2-13 The RESPONSIBLE ORGANIZATION is responsible to ensure physical security for the device.
2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.
2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.
2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.

3. Intended purpose of integrating the device into an IT network

3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network.
3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of images acquired to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS making future retrievals fast and easy.
3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.

4. Network properties required by the system and resulting risks

4-1 Unsuccessful data transfer not recognized
Function: Archiving and Networking
Hazard: Wrong diagnosis / loss of acquisition data
Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted locally before it has been successfully transferred to another system.
Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
Effect on: Patient

4-2 Incorrect or incomplete data transfer
Function: Data Exchange - Network
Hazard: Wrong diagnosis, wrong examination / loss of acquisition data, loss of post processing results, corrupted data, inconsistent data
Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, not all DICOM objects that are not considered are deleted, corrupted or unintentionally manipulated.
Data on the sender and receiver side is not consistent. Failure of transfer not recognized.
Measure: It has to be verified by testing, that there is no object loss during sending, which means:
• Verify that exception scenarios result in a failed job (and check for other exceptions in log files).
• Verify that error cases, which result in data not complying with the DICOM standard, are covered by exception scenarios.
Effect on: Patient

4-3 Insecure or incorrectly configured clinical network
Function: Network Security
Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS
Caution: Unauthorized access may affect system performance and data security.
Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
• Lowered system performance and/or non-operational system
• Loss of data security including loss of all patient data
Measure:
• Enable your system administrator to ensure network security and the security of the operational infrastructure
• Consult manuals for secure setup
• Perform system updates as required
• Run your medical device only in protected network environments, and do not connect it directly to public networks
• Set up firewalls
• Prevent configuration files from being changed by users
• Update and patch networked systems as required
Effect on: Patient, System

Manufacturer Disclosure Statement for Medical Device Security - MDS2

Device Description

Device Category: Diagnostic Ultrasound
Manufacturer: Siemens Medical Solutions USA, Inc.
Document ID / Document: (non-controlled document)
Device Model: ACUSON NX3 / NX3 Elite
Software Revision: VA10
Software Release Date: November, 2015

Manufacturer or Representative Contact Information
Company Name: Siemens Medical Solutions USA, Inc.
Manufacturer Contact Information: Siemens Medical Solutions - Ultrasound, 685 E Middlefield Rd, Mountain View, CA 94043
Representative Name/Position:

Intended use of device in network-connected environment:

Management of Private Data

Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in this form.

ID | Question | Yes, No, N/A, or See Note (Note #)
A | Can this device display, transmit, or maintain private data (including electronic Protected Health Information [ePHI])? | Yes
B | Types of private data elements that can be maintained by the device: |
B.1 | Demographic (e.g., name, address, location, unique identification number)? | Yes
B.2 | Medical record (e.g., medical record #, account #, test or treatment date, device identification number)? | Yes
B.3 | Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)? | Yes
B.4 | Open, unstructured text entered by device user/operator? | Yes
B.5 | Biometric data? | Yes
B.6 | Personal financial information? | No
C | Maintaining private data - Can the device: |
C.1 | Maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)? | Yes
C.2 | Store private data persistently on local media? | Yes
C.3 | Import/export private data with other systems? | Yes
C.4 | Maintain private data during power service interruptions? | Yes
D | Mechanisms used for the transmitting, importing/exporting of private data - Can the device: |
D.1 | Display private data (e.g., video display, etc.)? | Yes
D.2 | Generate hardcopy reports or images containing private data? | Yes
D.3 | Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)? | Yes
D.4 | Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)? | Yes
D.5 | Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)? | Yes
D.6 | Transmit/receive private data via an integrated wireless network connection (e.g., Wifi, Bluetooth, infrared, etc.)? | Yes
D.7 | Import private data via scanning? | Yes
D.8 | Other? | N/A

Management of private data notes:

Security capabilities

Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form.

ID | Question | Yes, No, N/A, or See Note (Note #)

1 Automatic logoff (ALOF)
The device's ability to prevent access and misuse by unauthorized users if device is left idle for a period of time.
1-1 | Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? | No
1-1.1 | Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? (Indicate time [fixed or configurable range] in notes.) | See Note 1
1-1.2 | Can auto-logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) by the user? | No
ALOF notes:
1. The screen lock feature is accessible to the user and has a configuration setting from 1 to 60 minutes. This only works in Patient Study Browser screen and Network configuration screen.

2 Audit controls (AUDT)
The ability to reliably audit activity on the device.
2-1 | Can the medical device create an audit trail? | No
2-2 | Indicate which of the following events are recorded in the audit log: |
2-2.1 | Login/logout | N/A
2-2.2 | Display/presentation of data | N/A
2-2.3 | Creation/modification/deletion of data | N/A
2-2.4 | Import/export of data from removable media | N/A
2-2.5 | Receipt/transmission of data from/to external (e.g., network) connection | N/A
2-2.5.1 | Remote service activity | N/A
2-2.6 | Other events? (describe in the notes section) | N/A
2-3 | Indicate what information is used to identify individual events recorded in the audit log: |
2-3.1 | User ID | No
2-3.2 | Date/time | No
AUDT notes:

3 Authorization (AUTH)
The ability of the device to determine the authorization of users.
3-1 | Can the device prevent access to unauthorized users through user login requirements or other mechanism? | No
3-2 | Can users be assigned different privilege levels within an application based on 'roles' (e.g., guests, regular users, power users, administrators, etc.)? | No
3-3 | Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via local root or admin account)? | No
AUTH notes:

4 Configuration of security features (CNFS)
The ability to configure/re-configure device security capabilities to meet user's needs.
4-1 | Can the device owner/operator reconfigure product security capabilities? | See Note 1
CNFS notes:
1. User can turn off the virus protection service.

5 Cyber security product upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade device's security patches.
5-1 | Can relevant OS and device security patches be applied to the device as they become available? | Yes
5-1.1 | Can security patches or other software be installed remotely? | Yes
CSUP notes:

6 Health data DE-identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.
6-1 | Does the device provide an integral capability to de-identify private data? | Yes
DIDT notes:

7 Data backup and disaster recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, or software.
7-1 | Does the device have an integral data backup capability (i.e., backup to remote storage or removable media such as tape, disk)? | Yes
DTBK notes:
1. Patient data and system preset settings can be backed up to CD/DVD or USB storage.

8 Emergency access (EMRG)
The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data.
8-1 | Does the device incorporate an emergency access ("break-glass") feature? | No
EMRG notes:

9 Health data integrity and authenticity (IGAU)
How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is from the originator.
9-1 | Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology? | No
IGAU notes:

10 Malware detection/protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).
10-1 | Does the device support the use of anti-malware software (or other anti-malware mechanism)? | Yes (Note 1)
10-1.1 | Can the user independently re-configure anti-malware settings? | Yes
10-1.2 | Does notification of malware detection occur in the device user interface? | N/A
10-1.3 | Can only manufacturer-authorized persons repair systems when malware has been detected? | N/A
10-2 | Can the device owner install or update anti-virus software? | No
10-3 | Can the device owner/operator (technically/physically) update virus definitions on manufacturer-installed antivirus software? | No
MLDP notes:
1. Intel McAfee Application Control software used.

11 Node authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.
11-1 | Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information? | No
NAUT notes:

12 Person authentication (PAUT)
Ability of the device to authenticate users
12-1 | Does the device support user/operator-specific username(s) and password(s) for at least one user? | Yes (Note 1)
12-1.1 | Does the device support unique user/operator-specific IDs and passwords for multiple users? | Yes
12-2 | Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)? | No
12-3 | Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts? | Yes
12-4 | Can default passwords be changed at/prior to installation? | N/A (Note 2)
12-5 | Are any shared user IDs used in this system? | N/A
12-6 | Can the device be configured to enforce creation of user account passwords that meet established complexity rules? | Yes
12-7 Can the device be configured so that account passwords expire periodically? Answer: See Note; Note #: 3
PAUT notes:
1. Only for Patient Study Browser screen and Network configuration screen.
2. There is no default account and password.
3. Password expiration is supported, but a periodic change of the user password is not enforced.

13 Physical locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media
13-1 Are all device components maintaining private data (other than removable media) physically secure (i.e., cannot remove without tools)? Answer: See Note; Note #: 1
PLOK notes:
1. Phillips screwdriver needed to remove.

14 Roadmap for third party components in device life cycle (RDMP)
Manufacturer's plans for security support of 3rd party components within device life cycle.
14-1 In the notes section, list the provided or required (separately purchased and/or delivered) operating system(s) - including version number(s). Answer: See Note; Note #: -
14-2 Is a list of other third party applications provided by the manufacturer available? Answer: N/A
RDMP notes:
1. MS Windows Embedded Standard 7 SP1 (x64)

15 System and application hardening (SAHD)
The device's resistance to cyber-attacks and malware.
15-1 Does the device employ any hardening measures? Please indicate in the notes the level of conformance to any industry-recognized hardening standards. Answer: N/A
15-2 Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update? Answer: Yes
15-3 Does the device have external communication capability (e.g., network, modem, etc.)? Answer: Yes
15-4 Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)? Answer: Yes
15-5 Are all accounts which are not required for the intended use of the device disabled or deleted, for both users and applications? Answer: Yes
15-6 Are all shared resources (e.g., file shares) which are not required for the intended use of the device, disabled? Answer: Yes
15-7 Are all communication ports which are not required for the intended use of the device closed/disabled? Answer: Yes
15-8 Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which are not required for the intended use of the device deleted/disabled? Answer: Yes
15-9 Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled? Answer: Yes
15-10 Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? Answer: Yes
15-11 Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools? Answer: No
SAHD notes:

16 Security guidance (SGUD)
The availability of security guidance for operator and administrator of the system and manufacturer sales and service.
16-1 Are security-related features documented for the device user? Answer: No
16-2 Are instructions available for device/media sanitization (i.e., instructions for how to achieve the permanent deletion of personal or other sensitive data)? Answer: No
SGUD notes:
17 Health data storage confidentiality (STCF)
The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on device or removable media.
17-1 Can the device encrypt data at rest? Answer: No
STCF notes:

18 Transmission confidentiality (TXCF)
The ability of the device to ensure the confidentiality of transmitted private data.
18-1 Can private data be transmitted only via a point-to-point dedicated cable? Answer: No
18-2 Is private data encrypted prior to transmission via a network or removable media? (If yes, indicate in the notes which encryption standard is implemented.) Answer: No; Note #: -
18-3 Is private data transmission restricted to a fixed list of network destinations? Answer: Yes
TXCF notes:

19 Transmission integrity (TXIG)
The ability of the device to ensure the integrity of transmitted private data.
19-1 Does the device support any mechanism intended to ensure data is not modified during transmission? (If yes, describe in the notes section how this is achieved.)
TXIG notes:

20 Other security considerations (OTHR)
Additional security considerations/notes regarding medical device security.
20-1 Can the device be serviced remotely? Answer: Yes
20-2 Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)? Answer: Yes
20-2.1 Can the device be configured to require the local user to accept or initiate remote access? Answer: Yes
OTHR notes:
Abbreviations
AD: Active Directory
AES: Advanced Encryption Standard
BIOS: Basic Input Output System
DES: Data Encryption Standard
DICOM: Digital Imaging and Communications in Medicine
DISA: Defense Information Systems Agency
DMZ: Demilitarized Zone
DoS: Denial of Service
ePHI: Electronic Protected Health Information
FDA: Food and Drug Administration
FIPS: Federal Information Processing Standards
GPO: Group Policy Object
HHS: Health and Human Services
HIPAA: Health Insurance Portability and Accountability Act
HIMSS: Healthcare Information and Management Systems Society
HTTP: Hypertext Transfer Protocol
HTTPS: HTTP Secure
ICS: Integrated Communication Services
IEC: International Electrotechnical Commission
IVM: Intervention Module
LDAP: Lightweight Directory Access Protocol
MD5: Message Digest 5
MDS2: Manufacturer Disclosure Statement
MSTS: Microsoft Terminal Server
NEMA: National Electrical Manufacturers Association
NTP: Network Time Protocol
OCR: Office for Civil Rights
OU: Organizational Unit
PACS: Picture Archiving and Communication System
PHI: Protected Health Information
PII: Personally Identifiable Information
RIS: Radiology Information System
RPC: Remote Procedure Call
RSA: Random Sequential Absorption
SAM: Security Accounts Manager
SHA: Secure Hash Algorithm
SQL: Structured Query Language
SRS: Smart Remote Services
STIG: Security Technical Implementation Guidelines
SW: Software
TCP: Transmission Control Protocol
UltraVNC: Ultra Virtual Network Computing
UDP: User Datagram Protocol
VPN: Virtual Private Network
Disclaimer According to IEC 80001-1
1-1 The Device has the capability to be connected to a medical IT network, which is managed under full responsibility of the operating legal entity (hereafter called "RESPONSIBLE ORGANIZATION"). It is assumed that the RESPONSIBLE ORGANIZATION assigns a Medical IT Network Risk Manager to perform IT Risk Management (see IEC 80001-1:2010 / EN 80001-1:2011) for IT.
1-2 This statement describes Device-specific IT networking safety and security capabilities. It is NOT a RESPONSIBILITY AGREEMENT according to IEC 80001-1:2010 / EN 80001-1:2011.
1-3 Any modification of the platform, the software or the interfaces of the Device - unless authorized and approved by Siemens Healthcare GmbH - voids all warranties, liabilities, assertions and contracts.
1-4 The RESPONSIBLE ORGANIZATION acknowledges that the Device's underlying standard computer with operating system is to some extent vulnerable to typical attacks such as malware or denial-of-service.
1-5 Unintended consequences (e.g., misuse/loss/corruption) of data not under control of the Device (e.g., after electronic communication from the Device to an IT network or to storage media), are under the responsibility of the RESPONSIBLE ORGANIZATION.
1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT network. The RESPONSIBLE ORGANIZATION must ensure - through technical and/or organizational measures - that only authorized use of the external connections and storage media is permitted.

International Electrotechnical Commission Glossary (extract)
Responsible organization: Entity accountable for the use and maintenance of a medical IT network

ACUSON NX series is a trademark of Siemens Medical Solutions USA, Inc.
syngo is a registered trademark of Siemens Healthcare GmbH.
Adobe is either a trademark or registered trademark of Adobe Systems Incorporated in the United States and/or other countries.
Intel is a trademark of Intel Corporation in the United States and other countries.
McAfee is a registered trademark of McAfee, LLC or its subsidiaries in the US and other countries.
Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.
PowerScribe® 360 | Reporting is a registered trademark of Nuance Communications, Inc.

Statement on FDA Cybersecurity Guidance
Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, healthcare facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements.
The representations contained in this whitepaper are designed to describe Siemens Healthineers' approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cyber-security efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

Siemens Healthineers Headquarters
Siemens Healthcare GmbH
Henkestr. 127
91052 Erlangen, Germany
Phone: +49 9131 84-0
siemens-healthineers.com

Legal Manufacturers
Siemens Medical Solutions USA, Inc.
Ultrasound
685 E. Middlefield Road
Mountain View, CA 94043
USA
Phone: 1-888-826-9702
siemens-healthineers.com/ultrasound

Published by Siemens Medical Solutions USA, Inc. · 7906 0919 online · ©Siemens Medical Solutions USA, Inc., 2019
- Privacy
- Security
- MDS2