Siemens Healthineers Academy

Redwood Ultrasound System, release VA20 Security and MDS² Form

Keeping patient data safe and secure typically should be one of the top priorities of healthcare institutions. At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our medical devices.

White paper · ACUSON Redwood ultrasound system, release 2.0 (VA20) Security and MDS2 Form
Facts about security and privacy requirements
siemens-healthineers.com/cybersecurity
Siemens Healthineers, Product and Solution Security

Foreword

Jim Jacobson, Chief Product and Solution Security Officer, Siemens Healthineers

The Siemens Healthineers Product & Solution Security (PSS) program

At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our products.

Our program targets incorporating state-of-the-art cybersecurity into our current and future products. We seek to protect the security of your data while, at the same time, providing measures to strengthen the resiliency of our products against cyber threats.

We comply with applicable security and privacy regulations from the US Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and the Office for Civil Rights (OCR), to help you meet your IT security and privacy obligations.

Elements of our product and solution security program

• Providing information to facilitate secure configuration and use of our medical devices in your IT environment
• Conducting formal threat and risk analysis for our products
• Incorporating secure architecture, design and coding methodologies in our software development process
• Performing static code analysis of our products
• Conducting security testing of products under development as well as products already in the field
• Tailoring patch management to the medical device and the depth of coverage chosen by you
• Monitoring security vulnerabilities to track reported third-party component issues in our products
• Working with suppliers to address security throughout the supply chain
• Training employees to provide knowledge consistent with their level of responsibility regarding your data and device integrity

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our products, no matter what the source.

Contacting Siemens Healthineers about product and solution security

Siemens Healthineers requests that any cybersecurity or privacy incidents are reported by email to: productsecurity@siemens-healthineers.com

Contents

Basic Information (4)
Network Information (6)
Security Controls (28)
Shared Responsibilities (30)
Software Bill of Materials (31)
Manufacturer Disclosure Statement (MDS2) (37)
Manufacturer Disclosure Statement (IEC60601-1) (58)
Abbreviations (62)
Disclaimer According to IEC 80001-1 (63)
Statement on FDA Cybersecurity Guidance (63)

Basic Information

Why is cybersecurity important?

Keeping patient data safe and secure should typically be one of the top priorities of healthcare institutes. The estimated cost associated with the recovery of each medical record in the United States can be as high as $380 [1]. According to the Ponemon Institute research report [2], 39% of medical devices were hacked, with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

Our purpose is to help healthcare providers succeed

The ACUSON Redwood ultrasound system is the result of more than three decades of experience in ultrasound engineering. A general imaging ultrasound system, it was developed in response to one of the most prevalent challenges in ultrasound imaging today: 3D/4D, as a new software feature in the ACUSON Redwood system, provides the transition between 2D imaging and 4D studies. 3D data volumes are acquired by sampling several 2D arrays sequentially. These 3-dimensional volume data sets are used to generate qualitative 3-dimensional reconstruction and/or 3D surface rendered displays (gradient and texture shading) or optional multiplane reconstruction, where cross sections of the 3D volume set can be displayed. With its powerful architecture and innovative features, the ACUSON Redwood system expands precision medicine by enabling high-resolution imaging that adapts to patients' size and personal characteristics, contributing to more confident diagnosis.

Operating systems

Please refer to the Software Bill of Materials chapter.

Hardware specifications

Please refer to the corresponding Datasheets for more information. Hardware configuration may vary depending on customer requirements.

User account information

• The ACUSON Redwood system VA20 software user accounts can be local Windows accounts, managed by the administrator of the system. A break-the-glass mechanism ensures access to the system in emergency scenarios.
• The system provides preconfigured password policies that can be customized by administrators.

Patching strategy

• Security patches will be provided on a regular basis after validation by Siemens Healthineers to maintain the clinical function of the medical device.
• If connected to Smart Remote Services (SRS), formerly Siemens Remote Service, updates will be pushed to the system automatically. The updates need to be confirmed/executed by the practitioners.
• Alternatively, you can manually install updates by using the Siemens Healthineers Anytime Software Update (ASU) service provided in the teamplay Fleet platform.
• Technologies and software components are actively monitored for vulnerabilities and availability of security updates.

Cryptography usage

The ACUSON Redwood system VA20 software uses ciphers and protocols built into Windows 10 for encryption and data protection. If needed, hardening measures limit usage to those that are at least FIPS 140-2 compliant.

Handling of sensitive data

The ACUSON Redwood system VA20 is designed for temporary data storage only. Siemens Healthineers recommends storing patient data in a long-term archive, e.g., on a PACS, and data must be deleted using a facility-defined procedure.

• Protected Health Information (PHI) is temporarily stored on the ultrasound system, such as DICOM data, raw data, and metadata for DICOM creation. Note: The time for which PHI is stored is determined by the facility.
• Personally Identifiable Information (PII) as part of the DICOM records is also temporarily stored on the ultrasound system, e.g., patient's name, birthday or age, height and weight, personal identification number, and referring physician's name. Additional sensitive information might be present in user-editable input fields or in the images acquired.
• PHI is transmitted via DICOM, either encrypted or unencrypted.

Data recovery

The ACUSON Redwood system VA20 software uses local data storage for storing application data as configured during installation. There are several scenarios which require a recovery of the system or the database. In case of software errors, the following recovery strategies are available:

• Recovery of corrupted files
• Recovery of a partition in case of a corrupt Operating System (OS) or application

A secure data backup, including offline backup and restrictive access, is the responsibility of the customer.

Boundary defense

The built-in firewall minimizes the network attack surface. For optimized protection of sensitive data and operation of the system, it must be deployed in a secure network environment, utilizing e.g., network segmentation, client access control and protection against access from public networks. Please see the related Secure Configuration and Hardening Guide.

Boundary defense in the hospital should be multilayered, relying on firewalls, proxies, DMZ and network-based IDS and IPS, as well as physical protections.

Terms and conditions

Please see local terms and conditions for purchasing and operating this device within your area.

[1] https://healthitsecurity.com/news/how-much-do-healthcare-data-breaches-cost-organizations
[2] https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf
Network Information

[Figure 1: System deployment overview with regard to network boundaries. Elements shown: the Ultrasound Machine in the Clinical Network; PACS/RIS (DICOM, in/out, TCP); Network Share (out, TCP); SRS Router and VPN (in/out, TCP) towards the Remote Service Access Server / Smart Remote Services across the Internet.]

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN). To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall or at least using access control lists on the network switches to limit traffic to identified peers. At minimum, the DICOM port (see Table 1) needs to be visible to customer DICOM network nodes (e.g., PACS, syngo® via, etc.).

The following ports are used by the system. All ports are closed except for the ports listed in Table 1.

| Port number | Service/function | Direction | Protocol |
|---|---|---|---|
| 80 | Administration Portal – Remote Service | In | TCP |
| 104 | DICOM Communication | In/out | TCP |
| 443 | Administration Portal – Remote Service (encrypted) | In | TCP |
| 2762 | Secure DICOM (optional) | In/out | TCP |
| 8226 | Managed Node Package MNP | In | TCP |
| 8227 | Managed Node Package MNP | In | TCP |
| 8228 | Managed Node Package MNP | In | TCP |
| 11080 | Remote Assist (SieLink) | In | TCP |
| 12061 | Managed Node Package MNP | In | TCP |
| 13001 | Managed Node Package MNP | In | TCP |

Table 1: Used port numbers

Allowed services running on the device and accessible through the network:

| Service | Description | Startup type | Log on as |
|---|---|---|---|
| ActiveX Installer (AxInstSV) | Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control installation based on Group Policy settings. This service is started on demand and if disabled the installation of ActiveX controls will behave according to default browser settings. | Manual | Local System |
| Adobe Flash Player Update Service | This service keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. | Manual | Local System |
| AllJoyn Router Service | Routes AllJoyn messages for the local AllJoyn clients. If this service is stopped the AllJoyn clients that do not have their own bundled routers will be unable to run. | Manual (Trigger Start) | Local Service |
| App Readiness | Makes arrangements for apps to be used the first time a user signs in to this PC and when adding new apps. | Manual | Local System |
| Application Information | Facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users will be unable to launch applications with the additional administrative privileges they may require to perform desired user tasks. | Manual (Trigger Start) | Local System |
| Application Management | Processes installation and enumeration requests for software deployed through Group Policy. If the service is disabled, users will be unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System |
| AppX Deployment Service (AppXSVC) | AppXSVC provides infrastructure support for deploying Store applications. This service is started on demand and if disabled Store applications will not be deployed to the system, and may not function properly. | Manual | Local System |
| ASP.NET State Service | Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Network Service |
| Autoreport Service | Autoreport | Automatic | Local System |
| Background Intelligent Transfer Service | This service transfers files in the background using idle network bandwidth. If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, will be unable to automatically download programs and other information. | Disabled | Local System |
| Background Tasks Infrastructure Service | Windows infrastructure service that controls which background tasks can run on the system. | Automatic | Local System |
| Base Filtering Engine | The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications. | Automatic | Local Service |
| BitLocker Drive Encryption Service | BDESVC hosts the BitLocker Drive Encryption service. BitLocker Drive Encryption provides secure startup for the operating system, as well as full volume encryption for OS, fixed or removable volumes. This service allows BitLocker to prompt users for various actions related to their volumes when mounted, and unlocks volumes automatically without user interaction. Additionally, it stores recovery information to Active Directory, if available, and, if necessary, ensures the most recent recovery certificates are used. Stopping or disabling the service would prevent users from leveraging this functionality. | Manual (Trigger Start) | Local System |
| Service | Description | Startup type | Log on as |
|---|---|---|---|
| Block Level Backup Engine Service | The WBENGINE service is used by Windows Backup to perform backup and recovery operations. If this service is stopped by a user, it may cause the currently running backup or recovery operation to fail. Disabling this service may disable backup and recovery operations using Windows Backup on this computer. | Manual | Local System |
| Bluetooth Handsfree Service | This service enables wireless Bluetooth headsets to run on this computer. If this service is stopped or disabled, then Bluetooth headsets will not function properly with this machine. | Manual (Trigger Start) | Local Service |
| Bluetooth Support Service | The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated. | Manual (Trigger Start) | Local Service |
| BranchCache | This service caches network content from peers on the local subnet. | Manual | Network Service |
| BuReService | Burning Removable Media Service | Manual | Local System |
| Certificate Propagation | This service copies user certificates and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and, if needed, installs the smart card Plug and Play minidriver. | Manual | Local System |
| Client License Service (ClipSVC) | ClipSVC provides infrastructure support for the Microsoft Store. This service is started on demand and if disabled applications bought using Windows Store will not behave correctly. | Manual (Trigger Start) | Local System |
| CNG Key Isolation | The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements. | Manual (Trigger Start) | Local System |
| COM+ Event System | This service supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Local Service |
| COM+ System Application | This service manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System |
| Connected Devices Platform Service | This service is used for Connected Devices and Universal Glass scenarios. | Automatic (Delayed Start, Trigger Start) | Local Service |
| Connected User Experiences and Telemetry | The Connected User Experiences and Telemetry service enables features that support in-application and connected user experiences. Additionally, this service manages the event driven collection and transmission of diagnostic and usage information (used to improve the experience and quality of the Windows Platform) when the diagnostics and usage privacy option settings are enabled under Feedback and Diagnostics. | Automatic | Local System |
| CoreMessaging | CoreMessaging manages communication between system components. | Automatic | Local Service |
| Service | Description | Startup type | Log on as |
|---|---|---|---|
| Credential Manager | Credential Manager provides secure storage and retrieval of credentials to users, applications and security service packages. | Manual | Local System |
| cRSP-Teamviewer-Moderator-Gateway | cRSP Teamviewer Moderator Gateway working as proxy for RTC's | Automatic | Local System |
| Cryptographic Services | This service provides three management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enables scenarios such as SSL. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Network Service |
| CsaCompMgrInit | Boot service for the syngo component manager | Automatic | Local System |
| CsaKeyboardFilter | With syngo a keyboard filter driver is provided which can be used to either disable configured key combinations or to define specific reactions to configured key combinations. | Automatic | Local System |
| Data Sharing Service | This service provides data brokering between applications. | Manual (Trigger Start) | Local System |
| DataCollectionPublishingService | The DCP (Data Collection and Publishing) service supports first party apps to upload data to the cloud. | Manual (Trigger Start) | Local System |
| DCOM Server Process Launcher | The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running. | Automatic | Local System |
| Service | Description | Startup type | Log on as |
|---|---|---|---|
| Delivery Optimization | This service performs content delivery optimization tasks. | Automatic (Delayed Start) | Local System |
| Device Association Service | This service enables pairing between the system and wired or wireless devices. | Manual (Trigger Start) | Local System |
| Device Install Service | This service enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. | Manual (Trigger Start) | Local System |
| Device Management Enrollment Service | This service performs Device Enrollment Activities for Device Management. | Manual | Local System |
| Device Setup Manager | Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated software, and may not work correctly. | Manual (Trigger Start) | Local System |
| DevQuery Background Discovery Broker | This service enables apps to discover devices with a background task. | Manual (Trigger Start) | Local System |
| DHCP Client | Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Local Service |
| Diagnostic Policy Service | The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function. | Automatic | Local Service |
| Diagnostic Service Host | The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function. | Automatic | Local Service |
| Diagnostic System Host | The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function. | Manual | Local System |
| Distributed Link Tracking Client | Distributed Link Tracking Client maintains links between NTFS files within a computer or across computers in a network. | Automatic | Local System |
| Distributed Transaction Coordinator | This service coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will fail. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Network Service |
| dmwappushsvc | WAP Push Message Routing Service | Manual (Trigger Start) | Local System |
| DNS Client | The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start. | Automatic (Trigger Start) | Network Service |
| Embedded Mode | The Embedded Mode service enables scenarios related to Background Applications. Disabling this service will prevent Background Applications from being activated. | Manual (Trigger Start) | Local System |
| Encrypting File System (EFS) | EFS provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications will be unable to access encrypted files. | Manual (Trigger Start) | Local System |
| Enterprise App Management Service | This service enables enterprise application management. | Manual | Local System |
| Extensible Authentication Protocol | The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP). EAP also provides application programming interfaces (APIs) that are used by network access clients, including wireless and VPN clients, during the authentication process. If you disable this service, this computer is prevented from accessing networks that require EAP authentication. | Manual | Local System |
| Fax | Fax service enables you to send and receive faxes, utilizing fax resources available on this computer or on the network. | Manual | Network Service |
| File History Service | This service protects user files from accidental loss by copying them to a backup location. | Manual (Trigger Start) | Local System |
| Function Discovery Provider Host | The FDPHOST service hosts the Function Discovery (FD) network discovery providers. These FD providers supply network discovery services for the Simple Services Discovery Protocol (SSDP) and Web Services Discovery (WS-D) protocol. Stopping or disabling the FDPHOST service will disable network discovery for these protocols when using FD. When this service is unavailable, network services using FD and relying on these discovery protocols will be unable to find network devices or resources. | Manual | Local Service |
| Function Discovery Resource Publication | This service publishes this computer and resources attached to this computer so they can be discovered over the network. If this service is stopped, network resources will no longer be published and they will not be discovered by other computers on the network. | Manual | Local Service |
| Service | Description | Startup type | Log on as |
|---|---|---|---|
| Geolocation Service | This service monitors the current location of the system and manages geofences (a geographical location with associated events). If you turn off this service, applications will be unable to use or receive notifications for geolocation or geofences. | Manual (Trigger Start) | Local System |
| Group Policy Client | The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is disabled, the settings will not be applied and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is disabled. | Automatic (Trigger Start) | Local System |
| HomeGroup Listener | HomeGroup Listener makes local computer changes associated with configuration and maintenance of the homegroup-joined computer. If this service is stopped or disabled, your computer will not work properly in a homegroup and your homegroup might not work properly. It is recommended that you keep this service running. | Manual | Local System |
| HomeGroup Provider | HomeGroup Provider performs networking tasks associated with configuration and maintenance of homegroups. If this service is stopped or disabled, your computer will be unable to detect other homegroups and your homegroup might not work properly. It is recommended that you keep this service running. | Manual (Trigger Start) | Local Service |
| HV Host Service | This service provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system. | Manual (Trigger Start) | Local System |
| Hyper-V Data Exchange Service | This service provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer. | Manual (Trigger Start) | Local System |
| Hyper-V Guest Service Interface | This service provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine. | Manual (Trigger Start) | Local System |
| Hyper-V Guest Shutdown Service | This service provides a mechanism to shut down the operating system of this virtual machine from the management interfaces on the physical computer. | Manual (Trigger Start) | Local System |
| Hyper-V Heartbeat Service | This service monitors the state of this virtual machine by reporting a heartbeat at regular intervals. This service helps you identify running virtual machines that have stopped responding. | Manual (Trigger Start) | Local System |
| Hyper-V PowerShell Direct Service | This service provides a mechanism to manage a virtual machine with PowerShell via a VM session without a virtual network. | Manual (Trigger Start) | Local System |
| Hyper-V Remote Desktop Virtualization Service | This service provides a platform for communication between the virtual machine and the operating system running on the physical computer. | Manual (Trigger Start) | Local System |
| Hyper-V Time Synchronization Service | This service synchronizes the system time of this virtual machine with the system time of the physical computer. | Manual (Trigger Start) | Local Service |
| Hyper-V Volume Shadow Copy Requestor | This service coordinates the communications that are required to use Volume Shadow Copy Service to back up applications and data on this virtual machine from the operating system on the physical computer. | Manual (Trigger Start) | Local System |
| IIS Admin Service | IIS service enables this server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. If this service is stopped, the server will be unable to configure SMTP or FTP. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Local System |
| IKE and AuthIP IPsec Keying Modules | The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keying modules are used for authentication and key exchange in Internet Protocol security (IPsec). Stopping or disabling the IKEEXT service will disable IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service might result in an IPsec failure and might compromise the security of the system. It is strongly recommended that you have the IKEEXT service running. | Automatic (Trigger Start) | Local System |
| Infrared monitor service | This service detects other Infrared devices that are in range and launches the file transfer application. Stopping the service will prevent file transfer from working. | Manual | Local System |
| Intel® Content Protection HDCP Service | Intel® Content Protection HDCP Service – enables communication with Content Protection HDCP HW | Manual | Local System |
| Intel® Content Protection HECI Service | Intel® Content Protection HECI Service – enables communication with the Content Protection FW | Manual | Local System |
| Intel® HD Graphics Control Panel Service | Service for Intel® HD Graphics Control Panel | Automatic | Local System |
| Interactive Services Detection | This service enables user notification of user input for interactive services, which enables access to dialogs created by interactive services when they appear. If this service is stopped, notifications of new interactive service dialogs will no longer function and there might not be access to interactive service dialogs. If this service is disabled, both notifications of and access to new interactive service dialogs will no longer function. | Manual | Local System |
| Internet Connection Sharing (ICS) | ICS provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. | Manual (Trigger Start) | Local System |
| IPsec Policy Agent | Internet Protocol security (IPsec) supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. This service enforces IPsec policies created through the IP Security Policies snap-in or the command-line tool "netsh ipsec". If you stop this service, you may experience network connectivity issues if your policy requires that connections use IPsec. Also, remote management of Windows Firewall is not available when this service is stopped. | Manual (Trigger Start) | Network Service |
| KtmRm for Distributed Transaction Coordinator | KtmRm coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM). If it is not needed, it is recommended that this service remain stopped. If it is needed, both MSDTC and KTM will start this service automatically. If this service is disabled, any MSDTC transaction interacting with a Kernel Resource Manager will fail and any services that explicitly depend on it will fail to start. | Manual (Trigger Start) | Network Service |
| Link-Layer Topology Discovery Mapper | This service creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. If this service is disabled, the Network Map will not function properly. | Manual | Local Service |
| Local Session Manager | Core Windows Service that manages local user sessions. Stopping or disabling this service will result in system instability. | Automatic | Local System |
| Microsoft® Diagnostics Hub Standard Collector Service | Diagnostics Hub Standard Collector Service. When running, this service collects real time ETW events and processes them. | Manual | Local System |
| Microsoft Account Sign-in Assistant | This service enables user sign-in through Microsoft account identity services. If this service is stopped, users will not be able to log on to the computer with their Microsoft account. | Manual (Trigger Start) | Local System |
| Microsoft iSCSI Initiator Service | This service manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices. If this service is stopped, this computer will not be able to log in to or access iSCSI targets. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System |
| Microsoft Passport | This service provides process isolation for cryptographic keys used to authenticate to a user's associated identity providers. If this service is disabled, all uses and management of these keys will not be available, which includes machine logon and single sign-on for apps and websites. This service starts and stops automatically. It is recommended that you do not reconfigure this service. | Manual (Trigger Start) | Local System |
| Microsoft Passport Container | This service manages local user identity keys used to authenticate the user to identity providers as well as TPM virtual smart cards. If this service is disabled, local user identity keys and TPM virtual smart cards will not be accessible. It is recommended that you do not reconfigure this service. | Manual (Trigger Start) | Local Service |
| Microsoft Software Shadow Copy Provider | This service manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. | Manual | Local System |
If this service is disabled, any services that explicitly depend on it will fail to start. Microsoft Host service for the Microsoft Storage Spaces management Storage provider. If this service is stopped or disabled, Storage Manual Network Spaces SMP Spaces cannot be managed. Service Microsoft Windows SMS This service routes messages based on rules to appropriate Manual Local System Router Service clients. (Trigger Start) Net.Tcp Port Sharing This service provides ability to share TCP ports over the net.tcp protocol. Automatic Local Service Service Netlogon maintains a secure channel between this computer and the domain controller for authenticating users and Netlogon services. If this service is stopped, the computer may not authenticate users and services and the domain controller Manual Local System cannot register DNS records. If this service is disabled, any services that explicitly depend on it will fail to start. Network Connected Devices Auto-Setup service monitors Network and installs qualified devices that connect to a qualified Connected network. Stopping or disabling this service will prevent Devices Windows from discovering and installing qualified network Manual (Trigger Start) Local Service Auto-Setup connected devices automatically. Users can still manually add network connected devices to a PC through the user interface. 16 siemens-healthineers.com/acuson-redwood ACUSON Redwood VA20 · Product and Solution Security White Paper Service Description Startup type Log on as Network Connection This service brokers connections that allow Windows Store Manual Broker Apps to receive notifications from the internet. (Trigger Start) Local System Network This service manages objects in the Network and Dial-Up Connections Connections folder, in which you can view both local area Manual Local System network and remote connections. 
Network Connectivity Assistant: This service provides DirectAccess status notification for UI components. Startup type: Manual (Trigger Start). Log on as: Local System.

Network List Service: This service identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change. Startup type: Automatic. Log on as: Local Service.

Network Location Awareness: This service collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Automatic. Log on as: Network Service.

Network Setup Service: The Network Setup Service manages the installation of network drivers and permits the configuration of low-level network settings. If this service is stopped, any driver installations that are in progress may be cancelled. Startup type: Manual (Trigger Start). Log on as: Local System.

Network Store Interface Service: This service delivers network notifications (e.g. interface addition/deletion etc.) to user mode clients. Stopping this service will cause loss of network connectivity. If this service is disabled, any other services that explicitly depend on this service will fail to start. Startup type: Automatic. Log on as: Local Service.

NVIDIA Display Container LS: NVIDIA Display Container LS container service for NVIDIA root features. Startup type: Automatic. Log on as: Local System.

NVIDIA WMI Provider: NVIDIA WMI Provider provides WMI objects for managing NVIDIA components of the system. Startup type: Automatic. Log on as: Local System.

Office Source Engine: Office Source Engine saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports. Startup type: Manual. Log on as: Local System.

Peer Name Resolution Protocol: Peer Name Resolution Protocol enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). If disabled, some peer-to-peer and collaborative applications, such as Remote Assistance, may not function. Startup type: Manual. Log on as: Local Service.

Peer Networking Grouping: Peer Networking Grouping enables multi-party communication using Peer-to-Peer Grouping. If disabled, some applications, such as HomeGroup, may not function. Startup type: Manual. Log on as: Local Service.

Peer Networking Identity Manager: Peer Networking Identity Manager provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. If disabled, the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services may not function, and some applications, such as HomeGroup and Remote Assistance, may not function correctly. Startup type: Manual. Log on as: Local Service.

Performance Counter DLL Host: Performance Counter DLL Host enables remote users and 64-bit processes to query performance counters provided by 32-bit DLLs. If this service is stopped, only local users and 32-bit processes will be able to query performance counters provided by 32-bit DLLs. Startup type: Manual. Log on as: Local Service.

Performance Logs & Alerts: Performance Logs and Alerts collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual. Log on as: Local Service.

Phone Service: Phone Service manages the telephony state on the device. Startup type: Manual (Trigger Start). Log on as: Local Service.

Plug and Play: Plug and Play enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Startup type: Manual. Log on as: Local System.
PNRP Machine Name Publication Service: This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. Startup type: Manual. Log on as: Local Service.

Power: This service manages power policy and power policy notification delivery. Startup type: Automatic. Log on as: Local System.

Print Spooler: This service spools print jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers. Startup type: Automatic. Log on as: Local System.

Printer Extensions and Notifications: This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer. If you turn off this service, you won’t be able to see printer extensions or notifications. Startup type: Manual. Log on as: Local System.

Problem Reports and Solutions Control Panel Support: This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. Startup type: Manual. Log on as: Local System.

Program Compatibility Assistant Service: This service provides support for the Program Compatibility Assistant (PCA). PCA monitors programs installed and run by the user and detects known compatibility problems. If this service is stopped, PCA will not function properly. Startup type: Automatic. Log on as: Local System.

Quality Windows Audio Video Experience: Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks. qWave enhances AV streaming performance and reliability by ensuring network quality-of-service (QoS) for AV applications. It provides mechanisms for admission control, run time monitoring and enforcement, application feedback, and traffic prioritization. Startup type: Manual. Log on as: Local Service.
Radio Management Service: Radio Management and Airplane Mode Service. Startup type: Manual. Log on as: Local Service.

Remote Access Connection Manager: This service manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual. Log on as: Local System.

Remote Desktop Configuration: Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. Startup type: Manual. Log on as: Local System.

Remote Desktop Services UserMode Port Redirector: Remote Desktop Services UserMode Port Redirector allows the redirection of Printers/Drives/Ports for RDP connections. Startup type: Manual. Log on as: Local System.

Remote Procedure Call (RPC): The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the RPCSS service running. Startup type: Automatic. Log on as: Network Service.

Remote Procedure Call (RPC) Locator: In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and later versions of Windows, this service does not provide any functionality and is present for application compatibility. Startup type: Manual. Log on as: Network Service.

Retail Demo Service: The Retail Demo service controls device activity while the device is in retail demo mode. Startup type: Manual. Log on as: Local System.

Routing and Remote Access: Routing and Remote Access offers routing services to businesses in local area and wide area network environments. Startup type: Disabled. Log on as: Local System.
RPC Endpoint Mapper: RPC Endpoint Mapper resolves RPC interface identifiers to transport endpoints. If this service is stopped or disabled, programs using Remote Procedure Call (RPC) services will not function properly. Startup type: Automatic. Log on as: Network Service.

SAM: SAM service. Startup type: Automatic. Log on as: Local System.

Secondary Logon: Secondary Logon enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual. Log on as: Local System.

Secure Socket Tunneling Protocol Service: Secure Socket Tunneling Protocol Service provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN. If this service is disabled, users will not be able to use SSTP to access remote servers. Startup type: Manual. Log on as: Local Service.

Security Accounts Manager: The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled. Startup type: Automatic. Log on as: Local System.

Sensor Data Service: Sensor Data Service delivers data from a variety of sensors. Startup type: Manual (Trigger Start). Log on as: Local System.

Sensor Monitoring Service: Sensor Monitoring Service monitors various sensors in order to expose data and adapt to system and user state. If this service is stopped or disabled, the display brightness will not adapt to lighting conditions. Stopping this service may affect other system functionality and features as well. Startup type: Manual (Trigger Start). Log on as: Local Service.

Sensor Service: A service for sensors that manages different sensors’ functionality. Manages Simple Device Orientation (SDO) and History for sensors. Loads the SDO sensor that reports device orientation changes. If this service is stopped or disabled, the SDO sensor will not be loaded and so auto-rotation will not occur. History collection from Sensors will also be stopped. Startup type: Manual (Trigger Start). Log on as: Local System.

Server: This service supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Automatic. Log on as: Local System.

Shell Hardware Detection: Shell Hardware Detection provides notifications for AutoPlay hardware events. Startup type: Automatic. Log on as: Local System.

Smart Card: Smart Card service manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Disabled. Log on as: Local Service.

Smart Card Device Enumeration Service: Smart Card Device Enumeration Service creates software device nodes for all smart card readers accessible to a given session. If this service is disabled, WinRT APIs will not be able to enumerate smart card readers. Startup type: Manual (Trigger Start). Log on as: Local System.

Smart Card Removal Policy: Smart Card Removal Policy allows the system to be configured to lock the user desktop upon smart card removal. Startup type: Manual. Log on as: Local System.

SNMP Trap: SNMP Trap receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents and forwards the messages to SNMP management programs running on this computer. If this service is stopped, SNMP-based programs on this computer will not receive SNMP trap messages. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual. Log on as: Local Service.

Software Protection: Software Protection enables the download, installation and enforcement of digital licenses for Windows and Windows applications. If the service is disabled, the operating system and licensed applications may run in a notification mode. It is strongly recommended that you not disable the Software Protection service. Startup type: Automatic (Delayed Start, Trigger Start). Log on as: Network Service.

Spot Verifier: This service verifies potential file system corruptions. Startup type: Manual (Trigger Start). Log on as: Local System.

SQL Server (PIMS_DATABASE): SQL Server provides storage, processing and controlled access of data, and rapid transaction processing. Startup type: Automatic. Log on as: Network Service.

SQL Server VSS Writer: SQL Server VSS Writer provides the interface to backup/restore Microsoft SQL Server through the Windows VSS infrastructure. Startup type: Automatic. Log on as: Local System.

State Repository Service: This service provides required infrastructure support for the application model. Startup type: Manual. Log on as: Local System.

Still Image Acquisition Events: Still Image Acquisition Events launches applications associated with still image acquisition events. Startup type: Manual. Log on as: Local System.

Storage Service: Storage Service provides enabling services for storage settings and external storage expansion. Startup type: Manual (Trigger Start). Log on as: Local System.

Storage Tiers Management: Storage Tiers Management optimizes the placement of data in storage tiers on all tiered storage spaces in the system. Startup type: Manual. Log on as: Local System.

SysMgmt.WcfService: System management service for the ultrasound platform. Startup type: Automatic. Log on as: Local System.

System Event Notification Service: System Event Notification Service monitors system events and notifies subscribers to COM+ Event System of these events. Startup type: Automatic. Log on as: Local System.

System Events Broker: System Events Broker coordinates execution of background work for WinRT applications. If this service is stopped or disabled, then background work might not be triggered. Startup type: Automatic (Trigger Start). Log on as: Local System.

Task Scheduler: Task Scheduler enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Automatic. Log on as: Local System.

TCP/IP NetBIOS Helper: This service provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual (Trigger Start). Log on as: Local Service.

Telephony: This service provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service. Startup type: Manual. Log on as: Network Service.

Tile Data model server: Tile Server for tile updates. Startup type: Automatic. Log on as: Local System.

Time Broker: Time Broker coordinates execution of background work for WinRT applications. If this service is stopped or disabled, then background work might not be triggered. Startup type: Manual (Trigger Start). Log on as: Local Service.

Touch Keyboard and Handwriting Panel Service: This service enables Touch Keyboard and Handwriting Panel pen and ink functionality. Startup type: Automatic (Trigger Start). Log on as: Local System.

TRANSFERMGR: TransferMgr service. Startup type: Automatic. Log on as: Local System.

Update Orchestrator Service for Windows Update: UsoSvc. Startup type: Manual. Log on as: Local System.

User Data Access: User Data Access provides apps access to structured user data, including contact info, calendars, messages, and other content. If you stop or disable this service, apps that use this data might not work correctly. Startup type: Manual. Log on as: Local System.

User Data Storage: User Data Storage handles storage of structured user data, including contact info, calendars, messages, and other content. If you stop or disable this service, apps that use this data might not work correctly. Startup type: Manual. Log on as: Local System.

User Manager: User Manager provides the runtime components required for multi-user interaction. If this service is stopped, some applications may not operate correctly. Startup type: Automatic (Trigger Start). Log on as: Local System.

User Profile Service: This service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users will no longer be able to successfully sign in or sign out, apps might have problems getting to users’ data, and components registered to receive profile event notifications won’t receive them. Startup type: Automatic. Log on as: Local System.

VERSANTD: Versant DB in syngo for supporting multiple database sessions. Startup type: Automatic. Log on as: Local System.

Virtual Disk: Virtual Disk provides management services for disks, volumes, file systems, and storage arrays. Startup type: Manual. Log on as: Local System.

Volume Shadow Copy: Volume Shadow Copy manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual. Log on as: Local System.

W3C Logging Service: W3C Logging Service provides W3C logging for Internet Information Services (IIS). If this service is stopped, W3C logging configured by IIS will not work. Startup type: Manual. Log on as: Local System.

WalletService: WalletService hosts objects used by clients of the wallet. Startup type: Manual. Log on as: Local System.

Web Farm Controller Service: Web Farm Controller Service. Startup type: Automatic. Log on as: Local System.

Web Management Service: The Web Management Service enables remote and delegated management capabilities for administrators to manage the Web server, sites and applications present on this machine. Startup type: Manual. Log on as: Local Service.

WebClient: WebClient enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual (Trigger Start). Log on as: Local Service.

Windows Audio: Windows Audio manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Automatic. Log on as: Local Service.

Windows Audio Endpoint Builder: Windows Audio Endpoint Builder manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Automatic. Log on as: Local System.

Windows Backup: Windows Backup provides Windows Backup and Restore capabilities. Startup type: Manual. Log on as: Local System.

Windows Biometric Service: The Windows biometric service gives client applications the ability to capture, compare, manipulate, and store biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process. Startup type: Automatic (Trigger Start). Log on as: Local System.

Windows Camera Frame Server: Windows Camera Frame Server enables multiple clients to access video frames from camera devices. Startup type: Manual (Trigger Start). Log on as: Local Service.

Windows Connect Now – Config Registrar: WCNCSVC hosts the Windows Connect Now Configuration, which is Microsoft’s implementation of the Wireless Protected Setup (WPS) protocol. This is used to configure Wireless LAN settings for an Access Point (AP) or a Wireless Device. The service is started programmatically as needed. Startup type: Manual. Log on as: Local Service.

Windows Connection Manager: Windows Connection Manager makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables management of network connectivity based on Group Policy settings. Startup type: Automatic (Trigger Start). Log on as: Local Service.

Windows Defender Advanced Threat Protection Service: Windows Defender Advanced Threat Protection service helps protect against advanced threats by monitoring and reporting security events that happen on the computer. Startup type: Manual. Log on as: Local System.

Windows Defender Network Inspection Service: Windows Defender Network Inspection Service helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols. Startup type: Manual. Log on as: Local Service.

Windows Defender Service: Windows Defender Service helps protect users from malware and other potentially unwanted software. Startup type: Manual. Log on as: Local System.

Windows Driver Foundation – User-mode Driver Framework: Windows Driver Foundation creates and manages user-mode driver processes. This service cannot be stopped. Startup type: Manual (Trigger Start). Log on as: Local System.

Windows Encryption Provider Host Service: Windows Encryption Provider Host Service brokers encryption related functionalities from Third-Party Encryption Providers to processes that need to evaluate and apply EAS policies. Stopping this will compromise EAS compliance checks that have been established by the connected Mail Accounts. Startup type: Manual (Trigger Start). Log on as: Local Service.

Windows Error Reporting Service: Windows Error Reporting Service allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly and results of diagnostic services and repairs might not be displayed. Startup type: Manual (Trigger Start). Log on as: Local System.

Windows Event Collector: This service manages persistent subscriptions to events from remote sources that support the WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. If this service is stopped or disabled, event subscriptions cannot be created and forwarded events cannot be accepted. Startup type: Automatic. Log on as: Network Service.

Windows Event Log: This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system. Startup type: Automatic. Log on as: Local Service.

Windows Firewall: Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network. Startup type: Automatic. Log on as: Local Service.

Windows Font Cache Service: Windows Font Cache Service optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running. It can be disabled, though doing so will degrade application performance. Startup type: Automatic. Log on as: Local Service.

Windows Image Acquisition (WIA): WIA provides image acquisition services for scanners and cameras. Startup type: Manual. Log on as: Local Service.

Windows Insider Service: Wisvc. Startup type: Manual. Log on as: Local System.

Windows Installer: Windows Installer adds, modifies, and removes applications provided as a Windows Installer (*.msi, *.msp) package. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual. Log on as: Local System.

Windows License Manager Service: This service provides infrastructure support for the Windows Store. This service is started on demand and if disabled then content acquired through the Windows Store will not function properly. Startup type: Manual (Trigger Start). Log on as: Local Service.

Windows Management Instrumentation: Windows Management Instrumentation provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Automatic. Log on as: Local System.

Windows Modules Installer: Windows Modules Installer enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, install or uninstall of Windows updates might fail for this computer. Startup type: Manual. Log on as: Local System.

Windows Presentation Foundation Font Cache 3.0.0.0: Windows Presentation Foundation Font Cache optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data. WPF applications will start this service if it is not already running. It can be disabled, though doing so will degrade the performance of WPF applications. Startup type: Manual. Log on as: Local Service.

Windows Process Activation Service: The Windows Process Activation Service (WAS) provides process activation, resource management and health management services for message-activated applications. Startup type: Manual. Log on as: Local System.

Windows Push Notifications System Service: This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and the WNS server. Startup type: Automatic. Log on as: Local System.

Windows Push Notifications User Service: This service hosts the Windows notification platform which provides support for local and push notifications. Supported notifications are tile, toast and raw. Startup type: Manual. Log on as: Local System.

Windows Remote Management (WS-Management): Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using the winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix. Startup type: Automatic (Delayed Start). Log on as: Network Service.

Windows Time: Windows Time maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Startup type: Manual (Trigger Start). Log on as: Local Service.

WinHTTP Web Proxy Auto-Discovery Service: WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for auto-discovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (WPAD) protocol. Startup type: Manual. Log on as: Local Service.

WLAN AutoConfig: The WLANSVC service provides the logic required to configure, discover, connect to, and disconnect from a wireless local area network (WLAN) as defined by IEEE 802.11 standards. It also contains the logic to turn your computer into a software access point so that other devices or computers can connect to your computer wirelessly using a WLAN adapter that can support this. Stopping or disabling the WLANSVC service will make all WLAN adapters on your computer inaccessible from the Windows networking UI. It is strongly recommended that you have the WLANSVC service running if your computer has a WLAN adapter. Startup type: Automatic. Log on as: Local System.
| Service | Description | Startup type | Log on as |
|---|---|---|---|
| Workstation | Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Network Service |
| World Wide Web Publishing Service | Provides Web connectivity and administration through the Internet Information Services Manager. | Automatic | Local System |
| WWAN AutoConfig | This service manages mobile broadband (GSM & CDMA) data card/embedded module adapters and connections by auto-configuring the networks. It is strongly recommended that this service be kept running for best user experience of mobile broadband devices. | Manual | Local Service |

Security Controls

Malware Protection
• Whitelisting (Microsoft Device Guard)

Controlled Use of Administrative Privileges
• The system distinguishes between clinical and administrative roles. Clinical users do not require administrative privileges.
• Authorization as administrator is required for administrative tasks.

Authentication
The ACUSON Redwood system VA20 software supports
• Health Insurance Portability and Accountability Act (HIPAA) regulation with role-based privilege assignment and access control.
• The user interface of the ACUSON Redwood system VA20 software provides a screen lock functionality that can be engaged manually or automatically after a certain inactivity time. For details, please refer to the User Manual.

Security Scanning
• Security scans are performed during the development and release phases. The product is scanned for vulnerabilities using Nessus. Penetration testing and fuzz testing are also part of the software development life cycle.

Continuous Vulnerability Monitoring
• Continuous vulnerability assessment and remediation is performed.

Hardening
• The ACUSON Redwood system VA20 software hardening is implemented based on the Security Technical Implementation Guidelines developed by the Defense Information Systems Agency (DISA).

Network Controls
• The ACUSON Redwood system is designed to make limited use of network ports and protocols. Microsoft Windows Firewall is configured to block unwanted inbound network traffic except for the ports listed in the table of used port numbers in the section Network Information.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g., a separate network segment or VLAN.
• Connection to the internet or to private networks for patients/guests is not recommended.
• In case of a denial of service (DoS) or malware attack, the system can be taken off the network and operated in a stand-alone state.

Physical Safeguards
• Customers are responsible for the physical protection of the ACUSON Redwood system VA20 software, e.g., by operating it in a room with access control. Please note that the system contains patient data and should be protected against tampering and theft.
• The ACUSON Redwood system is protected by Secure Boot, which blocks unsigned boot media.
• The recommendation is to change the BIOS password from the default. Please contact Siemens Healthineers Service for support.

Data Protection Controls
• The ACUSON Redwood system is not intended to be a data archive (i.e., prevention of data at rest).
• PHI is protected by both role-based access control and optional hard drive encryption.
• Hard drive encryption is implemented through Microsoft BitLocker technology and use of the Trusted Platform Module (TPM) chip on the motherboard.
• The ACUSON Redwood system provides auditing of PHI access control.
• Optionally, confidentiality and integrity of PHI/PII data can be protected by encryption of DICOM communication with other DICOM nodes.
• The ACUSON Redwood system supports BitLocker To Go.
• In the VA20 software release for the ACUSON Redwood system, encrypted communication can be used if all connected DICOM nodes support it.

Auditing/Logging
• The ACUSON Redwood system provides HIPAA-compliant auditing of operations on PHI, PII, and user information (i.e., login, read access to PHI, modification of PHI).

Remote Connectivity
• Smart Remote Services is optionally used for proactive maintenance. The connection is created using a secured channel (VPN- or IBC-based connection). It is used, for example, to download security patches and updates.
• Alternatively, customers can use the Siemens Healthineers teamplay Fleet platform to download available hotfixes and install them on offline machines that are not connected to the Smart Remote Services network.

Incident Response and Management
• The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents.

Shared Responsibilities

Cyber-security of the ACUSON Redwood ultrasound system is a shared responsibility, covered by the vendor responsibility (e.g., system hardening) as well as the customer responsibility (e.g., network configuration). For a detailed description of the vendor and responsible-organization obligations, see the chapter Manufacturer Disclosure Statement – Instructions for the responsible organization.
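The services table above, together with the hardening and network-control notes, gives the responsible organization a documented baseline: each Windows service has an expected startup type and log-on account. A deployed system can drift from that baseline (a service switched to Automatic widens the listening surface; Windows Modules Installer set to Disabled silently breaks patching). The following is an added example, my own code and not Siemens Healthineers' or the white paper's, that parses the text printed by `sc qc <service>` on Windows and reports deviations from the documented values. The short service names (WinRM, W32Time, LanmanWorkstation, W3SVC, TrustedInstaller) are my mapping of the display names in the table, and the `sc qc` output embedded below is constructed sample data.

```python
"""Baseline check for the Windows services documented in the white paper.

Added example, not Siemens Healthineers code. It parses the text printed
by `sc qc <service>` and compares START_TYPE and SERVICE_START_NAME with
the documented baseline.
"""
import re
from dataclasses import dataclass

# How the paper's "Startup type" wording shows up in `sc qc` START_TYPE.
# "Trigger Start" is not visible in `sc qc` (it is listed by
# `sc qtriggerinfo`), so it is compared as a plain DEMAND_START.
STARTUP_TYPE_TO_SC = {
    "Automatic": ("AUTO_START", False),
    "Automatic (Delayed Start)": ("AUTO_START", True),
    "Manual": ("DEMAND_START", False),
    "Manual (Trigger Start)": ("DEMAND_START", False),
    "Disabled": ("DISABLED", False),
}

# Baseline transcribed from the services table (startup type, log-on account).
# The short service names are my mapping; the paper lists display names only.
BASELINE = {
    "WinRM": ("Automatic (Delayed Start)", r"NT AUTHORITY\NetworkService"),
    "W32Time": ("Manual (Trigger Start)", r"NT AUTHORITY\LocalService"),
    "LanmanWorkstation": ("Automatic", r"NT AUTHORITY\NetworkService"),
    "W3SVC": ("Automatic", "LocalSystem"),
    "TrustedInstaller": ("Manual", "LocalSystem"),
}


@dataclass(frozen=True)
class Finding:
    service: str
    field: str
    expected: str
    observed: str


def parse_sc_qc(text: str) -> dict:
    """Turn the KEY : value block printed by `sc qc` into a dict.
    Continuation lines (extra DEPENDENCIES entries) start with ':' and are
    appended to the previous key."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.strip().startswith(":"):
            fields[last] += " " + line.split(":", 1)[1].strip()
    return fields


def parse_start_type(value: str):
    """'2   AUTO_START  (DELAYED)' -> ('AUTO_START', True)."""
    m = re.match(r"\d+\s+([A-Z_]+)(?:\s+\((DELAYED)\))?", value)
    if not m:
        raise ValueError(f"unrecognised START_TYPE value: {value!r}")
    return m.group(1), m.group(2) is not None


def _label(start_type: str, delayed: bool) -> str:
    return start_type + (" (DELAYED)" if delayed else "")


def check_drift(observed: dict, baseline: dict = BASELINE) -> list:
    """observed maps service short name -> raw `sc qc` output.
    Returns one Finding per field that deviates from the baseline; a
    documented service that is not observed at all is reported as well."""
    findings = []
    for name, (doc_type, doc_account) in baseline.items():
        if name not in observed:
            findings.append(Finding(name, "presence", "installed", "missing"))
            continue
        cfg = parse_sc_qc(observed[name])
        expected = STARTUP_TYPE_TO_SC[doc_type]
        try:
            actual = parse_start_type(cfg.get("START_TYPE", ""))
        except ValueError:
            findings.append(Finding(name, "START_TYPE", _label(*expected), "unparseable"))
            continue
        if actual != expected:
            findings.append(Finding(name, "START_TYPE", _label(*expected), _label(*actual)))
        account = cfg.get("SERVICE_START_NAME", "")
        if account.lower() != doc_account.lower():
            findings.append(Finding(name, "SERVICE_START_NAME", doc_account, account))
    return findings


# Constructed sample output in the layout `sc qc` prints. WinRM and W32Time
# match the baseline; W3SVC has been set to DISABLED, LanmanWorkstation now
# logs on as LocalSystem, and TrustedInstaller was not queried at all.
SAMPLE_SC_QC = {
    "WinRM": """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinRM
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Windows\\System32\\svchost.exe -k NetworkService -p
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Remote Management (WS-Management)
        DEPENDENCIES       : RPCSS
                           : HTTP
        SERVICE_START_NAME : NT AUTHORITY\\NetworkService
""",
    "W32Time": "SERVICE_NAME: W32Time\n        START_TYPE         : 3   DEMAND_START\n"
               "        SERVICE_START_NAME : NT AUTHORITY\\LocalService\n",
    "LanmanWorkstation": "SERVICE_NAME: LanmanWorkstation\n        START_TYPE         : 2   AUTO_START\n"
                         "        SERVICE_START_NAME : LocalSystem\n",
    "W3SVC": "SERVICE_NAME: W3SVC\n        START_TYPE         : 4   DISABLED\n"
             "        SERVICE_START_NAME : LocalSystem\n",
}

if __name__ == "__main__":
    for f in check_drift(SAMPLE_SC_QC):
        print(f"{f.service}: {f.field} expected {f.expected!r}, observed {f.observed!r}")
```

On a real system the input for each service is simply the captured output of `sc qc <name>` run from an administrative account, and the baseline dict can be extended row by row from the table. The check is deliberately one-directional: it reports what deviates from the documented state and leaves the decision to the reviewer, because a deviation can be an intentional site setting (a disabled WWAN adapter) just as well as an unwanted change.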
Software Bill of Materials

The following table lists the most relevant third-party technologies. A comprehensive list is maintained in teamplay Fleet.¹

| Vendor name | Component name | Component version | Description / use |
|---|---|---|---|
| Microsoft Corporation | .NET Framework 2.0 Service Pack 2 | 2.0.50727.8745 | Operating System |
| Microsoft Corporation | .NET Framework 3.5 Service Pack 1 | 3.5.30729.8763 | Operating System |
| Microsoft Corporation | .NET Framework 4.6.1 | 4.6.1586.0 | Operating System |
| HP Inc. | 64 Bit HP CIO Components Installer | 20.2.1 | Operating System |
| Igor Pavlov | 7-Zip 19.00 (x64 edition) | 19.0.0.0 | Operating System |
| Adobe Systems Incorporated | Adobe Reader XI (11.0.21) MUI | 11.0.21 | Operating System |
| Open Source (https://sourceforge.net/projects/adodbapi/files/) | adodbapi | 2.0 | Service |
| Tomtec | Cariac SR (DicomConverter) | 5.0.0.9 | PIMS |
| Open Source | cffi | 1.11.5 | Service |
| Open Source (https://chardet.readthedocs.io/en/latest/) | chardet | 2.3.0 | Service |
| Visualization Science Group – www.vsg3d.com | Coin Inventor | 4.0 | UBE |
| Congatec | congatec CGOS API | 07.28.2012 | Operating System |
| Open Source (https://pypi.org/project/colorama/) | colorama | 0.3.7 | Service |
| Open Source (https://code.google.com/p/crashrpt/) | CrashRpt | 1.4.3 | Imaging |
| NVIDIA | CUDA | 9.1 | Imaging, UBE |
| Open Source (https://matplotlib.org/cycler/) | cycler | 0.10.0 | Service |
| Merge Healthcare Incorporated | DICOM Toolkit | 5.6.0 | PIMS |
| Microsoft Corporation | DirectX | 11 | UBE |
| Microsoft Corporation | EMET | 5.52 | Service |
| Open Source (http://cristobaldobranco.github.io/blog/2015/01/20/compiling-ffmpeg-with-windows-tools/) | ffmpeg | 2.7.2 | Framework |
| Embedded Systems Academy | Flash Magic | 10.50 | Imaging |
| ftdchip | FTDI drivers (VCP and D3XX) | 2.12.28.0 | Imaging |

¹ https://fleet.siemens-healthineers.com/welcome. For supported countries. Requires a customer account in teamplay Fleet. Please contact your local Siemens Healthineers organization for further details.
| Vendor name | Component name | Component version | Description / use |
|---|---|---|---|
| Open Source (http://www.gevent.org/) | gevent | 1.3.2.post0 | Service |
| Open Source (http://glew.sourceforge.net/) | GLEW | 1.7.0 | UBE |
| Open Source (https://github.com/python-greenlet/greenlet) | greenlet | 0.4.13 | Service |
| the SZ development | Homedale | 1.75 | Service |
| Microsoft Corporation | IIS URL Rewrite Module 2 | 7.2.1952 | Operating System |
| Intel Corporation | Intel Performance Primitives | 9.0.4 | UBE |
| Intel Corporation | Intel® Chipset Device Software | 10.1.1.38 | Operating System |
| Intel Corporation | Intel® Ethernet Connection I218-LM | 22.2.4.0 | Connectivity |
| Intel Corporation | Intel® Processor Graphics | 21.20.16.4599 | Operating System |
| Intel Corporation | Intel® Compilers Redistributable Libraries | 17.0 Update 4 | Imaging |
| Intel Corporation | Intel® Integrated Performance Primitives | 9.0 Update 4 | Imaging |
| Intel Corporation | Intel® Math Kernel Library | 11.3 Update 4 | Imaging |
| Intel Corporation | Intel® Threading Building Blocks | 4.4 Update 4 | Imaging |
| Microsoft Corporation | Internet Explorer (x86/x64) | 11.0 | Service |
| Open Source | isapi | N/A | Service |
| www.ijg.org (Open Source) | Jpeg.lib | 8.0 | UBE |
| Open Source (https://github.com/nucleic/kiwi) | kiwisolver | 1.0.1 | Service |
| Open Source (http://libjpeg-turbo.virtualgl.org) | libjpeg-turbo | 1.5.2 | UBE, PIMS |
| Open Source | Log4cxx | 0.10.0.1 | Framework |
| Open Source (Apache Software Foundation) | Log4net | 2.0.8.0 | UBE/Service |
| Open Source (https://www.logilab.org/project/logilab-common) | logilab-common | 1.2.0 | Service |
| Open Source (http://luajit.org/luajit.html) | LuaJIT | 2.0.0 | UBE |
| Open Source (https://matplotlib.org/) | matplotlib | 2.2.2 | Service |
| Microsoft Corporation | Microsoft Application Request Routing 3.0 | 3.0.1952 | Operating System |
| Microsoft Corporation | Microsoft ODBC Driver 11 for SQL Server | 12.1.4232.0 | Operating System |
| Microsoft Corporation | Microsoft SQL Server 2008 Setup Support Files | 10.3.5500.0 | Operating System |
| Microsoft Corporation | Microsoft SQL Server 2012 Native Client | 11.0.2100.60 | Operating System |
| Microsoft Corporation | Microsoft SQL Server 2014 Express LocalDB | 12.1.4232.0 | Operating System |
| Microsoft Corporation | Microsoft SQL Server 2014 RsFx Driver | 12.1.4100.1 | Operating System |
| Microsoft Corporation | Microsoft SQL Server 2014 Setup (English) | 12.1.4232.0 | Operating System |
| Microsoft Corporation | Microsoft SQL Server 2014 Transact-SQL ScriptDom | 12.1.4100.1 | Operating System |
| Microsoft Corporation | Microsoft SQL Server | 12.0.4232.1 | PIMS |
| Microsoft Corporation | Microsoft Visual C++ 2005 Redistributable | 8.0.61001 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2005 Redistributable (x64) | 8.0.61000 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable (x86) | 9.0.30729.6161 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable (x86) | 9.0.30729.4148 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable – x86 9.0.30729.4148 | 9.0.30729.4148 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable – x86 9.0.30729.6161 | 9.0.30729.6161 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) | 9.0.30729.17 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2010 SP1 Redistributable Package (x86/x64) | 10.0.40219 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2012 Redistributable (x64) – 11.0.61030 | 11.0.61030.0 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2012 x64 Additional Runtime – 11.0.61030 | 11.0.61030 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2012 x64 Minimum Runtime – 11.0.61030 | 11.0.61030 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2013 Redistributable (x64) – 12.0.30501 | 12.0.30501.0 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2013 x64 Additional Runtime – 12.0.21005 | 12.0.21005 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2013 x64 Minimum Runtime – 12.0.21005 | 12.0.21005 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2015 Redistributable | 2015 | Platform, Framework, Imaging, UBE |
| Microsoft Corporation | Microsoft Visual C++ 2015 Redistributable (x64/x64) – 14.0.24215.1 | 14.0.24215 | Operating System |
| Vendor name | Component name | Component version | Description / use |
|---|---|---|---|
| Microsoft Corporation | Microsoft Visual C++ 2015 x64 Additional Runtime – 14.0.24215 | 14.0.24215 | Operating System |
| Microsoft Corporation | Microsoft Visual C++ 2015 x64 Minimum Runtime – 14.0.24215 | 14.0.24215 | Operating System |
| Microsoft Corporation | Microsoft VSS Writer for SQL Server 2014 | 12.1.4100.1 | Operating System |
| Microsoft Corporation | Microsoft Web Deploy 2.0 | 2.0.1070 | Operating System |
| Microsoft Corporation | Microsoft Web Farm Framework Version 2.2 | 2.2.1341 | Operating System |
| Microsoft Corporation | Microsoft Web Platform Installer 3.0 | 3.0.5 | Operating System |
| Siemens AG Healthcare Sector | MNP | VI40B | Service |
| Open Source (https://www.nuget.org/packages/moq/) | Moq | 4.0 | Framework |
| Open Source (https://www.nuget.org/packages/moq/) | Moq | 4.2 | Framework |
| Open Source (https://matplotlib.org/1.5.1/users/license.html) | mpl_toolkits | N/A | Service |
| Microsoft Corporation | MSXML Parser and SDK 4 SP2 | 4.20.9849.0 | Imaging |
| Open Source (https://numpy.org/) | numpy | 1.14.3 | Service |
| Open Source | Nunit | 2.6.2 | Service |
| NVIDIA Corporation | NVIDIA Graphics Driver | 440.97 | Operating System |
| khronos.org | OpenCL | 2.0 | UBE |
| TLS Toolkit | OpenSSL | 1.0.2k | PIMS |
| Open Source (https://pip.pypa.io/en/stable/) | pip | 10.0.1 | Service |
| Microsoft Corporation | Prism framework | 4.0 | Framework |
| Open Source (https://github.com/pyparsing/pyparsing/) | pyparsing | 2.1.4 | Service |
| Riverbank Computing | PyQt | 5.10.1 | Service |
| Open Source (Python Software Foundation) | Python | 3.7.3 | Operating System |
| Open Source (https://github.com/kennethreitz/requests) | Python requests | 2.10.0 | Service |
| Open Source (https://dateutil.readthedocs.io/en/stable/) | python-dateutil | 2.5.3 | Service |
| Open Source (https://pypi.org/project/pytz/) | pytz | 2016.4 | Service |
| Open Source (https://github.com/mhammond/pywin32) | Pywin32 | 223 | Service |
| Open Source (https://www.nuget.org/packages/QRCoder/) | QRCoder | 1.3.5.0 | Service |
| Realtek | Realtek High Definition Audio | 6.0.1.8036 | Operating System |
| Open Source (https://github.com/pypa/setuptools) | setuptools | 39.2.0 | Service |
| Trillium Technology, Inc. | ShowCase Onboard Viewer | 5.4.0.0 | PIMS |
| Open Source (https://www.riverbankcomputing.com/software/sip/download) | sip | 4.19.8 | Service |
| Open Source (https://github.com/benjaminp/six) | six | 1.10.0 | Service |
| Open Source (https://snappy4net.codeplex.com/) | Snappy | 1.1.1.7 | UBE, Framework |
| Sony | Sony UP-D711MD BW Printer Driver | 1.0.0.0 | Connectivity |
| SQLite | SQLite | 1.0.99.0 | Framework |
| Open Source (https://github.com/btubbs/sseclient) | sseclient | 0.0.14 | Service |
| Siemens Healthcare GmbH | syngo – Typical Developer 9.1 | 09.01.0001.0001 | Service |
| blue elephant systems GmbH | The IT Machine with correlation module | 1.2.5 | Operating System |
| Open Source (http://sourceforge.net/projects/tinyxml/) | tinyXML.lib | 2.0 | UBE |
| Siemens Ultrasound USA | Ultrasound TeamViewer Core VA10B (ver 1.0.0.17) | 1.0.0.17 | Service |
| Open Source (https://urllib3.readthedocs.io/en/latest/) | urllib3 | 1.15.1 | Service |
| Open Source (https://github.com/val-labs/websocket-client2) | websocket_client | 0.37.0 | Service |
| Microsoft Corporation | Windows 10 Enterprise 2016 LTSB | 2016 LTSB | Operating System |
| Silicon Laboratories Inc. | Windows Driver Package – Silicon Laboratories Inc. (silabser) Ports | 10.1.7.2399 | Imaging/Service |
| Riverbed Technology, Inc. | WinPcap | 4.1.3 | Service |
| WireShare.org | Wireshark | 2.6.5.0 | Service |
| Open Source (http://timgolden.me.uk/python/wmi/index.html) | wmi | 1.4.9 | Service |

Manufacturer Disclosure Statement (MDS2)

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| DOC-1 | Manufacturer Name | | Siemens Healthineers |
| DOC-2 | Device Description | | Redwood (Ultrasound imaging scanner) |
| DOC-3 | Device Model | | ACUSON Redwood VA20 |
| DOC-4 | Document ID | | 11575773-FPD-01 |
| DOC-5 | Manufacturer Contact Information | | Siemens Medical Solutions – Ultrasound, 22010 SE 51st St, Issaquah, WA 98029 |
| DOC-6 | Intended use of device in network-connected environment | | Optionally, the ACUSON Redwood Ultrasound System can be configured to communicate with a hospital Patient Archival Communication System (PACS). The following DICOM Services are supported: Store SCP/SCU, Modality Worklist SCU, Query/Retrieve SCU, Storage Commitment SCU, Print SCU and DICOM Structured Reporting SCU. |
| DOC-7 | Document Release Date | | November 3, 2021 |
| DOC-8 | Coordinated Vulnerability Disclosure: Does the manufacturer have a vulnerability disclosure program for this device? | Yes | See https://www.siemens-healthineers.com/support-documentation/cybersecurity |
| DOC-9 | ISAO: Is the manufacturer part of an Information Sharing and Analysis Organization? | Yes | |
| DOC-10 | Diagram: Is a network or data flow diagram available that indicates connections to other system components or expected external resources? | Yes | See section Network Information |
| DOC-11 | SaMD: Is the device Software as a Medical Device (i.e. software-only, no hardware)? | No | |
| DOC-11.1 | Does the SaMD contain an operating system? | N/A | |
| DOC-11.2 | Does the SaMD rely on an owner/operator provided operating system? | N/A | |
| DOC-11.3 | Is the SaMD hosted by the manufacturer? | N/A | |
| DOC-11.4 | Is the SaMD hosted by the customer? | N/A | |

Management of personally identifiable information

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| MPII-1 | Can this device display, transmit, store, or modify personally identifiable information (e.g., electronic Protected Health Information (ePHI))? | Yes | |
| MPII-2 | Does the device maintain personally identifiable information? | Yes | |
| MPII-2.1 | Does the device maintain personally identifiable information temporarily in volatile memory (i.e., until cleared by power-off or reset)? | Yes | |
| MPII-2.2 | Does the device store personally identifiable information persistently on internal media? | Yes | |
| MPII-2.3 | Is personally identifiable information preserved in the device’s non-volatile memory until explicitly erased? | Yes | |
| MPII-2.4 | Does the device store personally identifiable information in a database? | Yes | |
| MPII-2.5 | Does the device allow configuration to automatically delete local personally identifiable information after it is stored to a long term solution? | No | |
| MPII-2.6 | Does the device import/export personally identifiable information with other systems (e.g., a wearable monitoring device might export personally identifiable information to a server)? | Yes | |
| MPII-2.7 | Does the device maintain personally identifiable information when powered off, or during power service interruptions? | Yes | |
| MPII-2.8 | Does the device allow the internal media to be removed by a service technician (e.g., for separate destruction or customer retention)? | Yes | |
| MPII-2.9 | Does the device allow personally identifiable information records to be stored in a separate location from the device’s operating system (i.e. secondary internal drive, alternate drive partition, or remote storage location)? | Yes | |
| Question ID | Question | Answer | Notes |
|---|---|---|---|
| MPII-3 | Does the device have mechanisms used for the transmitting, importing/exporting of personally identifiable information? | Yes | |
| MPII-3.1 | Does the device display personally identifiable information (e.g., video display, etc.)? | Yes | |
| MPII-3.2 | Does the device generate hardcopy reports or images containing personally identifiable information? | Yes | |
| MPII-3.3 | Does the device retrieve personally identifiable information from or record personally identifiable information to removable media (e.g., removable HDD, USB memory, DVD-R/RW, CD-R/RW, tape, CF/SD card, memory stick, etc.)? | Yes | |
| MPII-3.4 | Does the device transmit/receive or import/export personally identifiable information via dedicated cable connection (e.g., RS-232, RS-423, USB, FireWire, etc.)? | Yes | |
| MPII-3.5 | Does the device transmit/receive personally identifiable information via a wired network connection (e.g., RJ45, fiber optic, etc.)? | Yes | |
| MPII-3.6 | Does the device transmit/receive personally identifiable information via a wireless network connection (e.g., WiFi, Bluetooth, NFC, infrared, cellular, etc.)? | Yes | |
| MPII-3.7 | Does the device transmit/receive personally identifiable information over an external network (e.g., Internet)? | Yes | Over VPN for remote service troubleshooting. |
| MPII-3.8 | Does the device import personally identifiable information via scanning a document? | No | |
| MPII-3.9 | Does the device transmit/receive personally identifiable information via a proprietary protocol? | No | |
| MPII-3.10 | Does the device use any other mechanism to transmit, import or export personally identifiable information? | No | |
Automatic Logoff (ALOF)
The device’s ability to prevent access and misuse by unauthorized users if the device is left idle for a period of time.

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| ALOF-1 | Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? | Yes | |
| ALOF-2 | Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? | Yes | |

Audit Controls (AUDT)
The ability to reliably audit activity on the device.

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| AUDT-1 | Can the medical device create additional audit logs or reports beyond standard operating system logs? | Yes | |
| AUDT-1.1 | Does the audit log record a USER ID? | Yes | |
| AUDT-1.2 | Does other personally identifiable information exist in the audit trail? | Yes | User Name exists. |
| AUDT-2 | Are events recorded in an audit log? If yes, indicate which of the following events are recorded in the audit log: | Yes | |
| AUDT-2.1 | Successful login/logout attempts? | Yes | |
| AUDT-2.2 | Unsuccessful login/logout attempts? | Yes | |
| AUDT-2.3 | Modification of user privileges? | Yes | |
| AUDT-2.4 | Creation/modification/deletion of users? | Yes | |
| AUDT-2.5 | Presentation of clinical or PII data (e.g., display, print)? | Yes | |
| AUDT-2.6 | Creation/modification/deletion of data? | Yes | |
| AUDT-2.7 | Import/export of data from removable media (e.g., USB drive, external hard drive, DVD)? | Yes | |
| AUDT-2.8 | Receipt/transmission of data or commands over a network or point-to-point connection? | Yes | |
| AUDT-2.8.1 | Remote or on-site support? | Yes | |
| AUDT-2.8.2 | Application Programming Interface (API) and similar activity? | No | |
| AUDT-2.9 | Emergency access? | Yes | |
| AUDT-2.10 | Other events (e.g., software updates)? | Yes | |
| AUDT-2.11 | Is the audit capability documented in more detail? | Yes | |
| AUDT-3 | Can the owner/operator define or select which events are recorded in the audit log? | Yes | |
| AUDT-4 | Is a list of data attributes that are captured in the audit log for an event available? | Yes | |
| AUDT-4.1 | Does the audit log record date/time? | Yes | |
| AUDT-4.1.1 | Can date and time be synchronized by Network Time Protocol (NTP) or equivalent time source? | Yes | |
| AUDT-5 | Can audit log content be exported? | Yes | |
| AUDT-5.1 | Via physical media? | Yes | |
| AUDT-5.2 | Via IHE Audit Trail and Node Authentication (ATNA) profile to SIEM? | No | |
| AUDT-5.3 | Via other communications (e.g., external service device, mobile applications)? | Yes | Via SysLog Server. |
| AUDT-5.4 | Are audit logs encrypted in transit or on storage media? | See notes | Yes on local storage. In transit depends on SysLog Server configuration. |
| AUDT-6 | Can audit logs be monitored/reviewed by owner/operator? | Yes | |
| AUDT-7 | Are audit logs protected from modification? | Yes | |
| AUDT-7.1 | Are audit logs protected from access? | Yes | |
| AUDT-8 | Can audit logs be analyzed by the device? | See notes | Not by the device, but yes at the device. |

Authorization (AUTH)
The ability of the device to determine the authorization of users.

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| AUTH-1 | Does the device prevent access to unauthorized users through user login requirements or other mechanism? | Yes | Checking authentication with Password. |
| AUTH-1.1 | Can the device be configured to use federated credentials management of users for authorization (e.g., LDAP, OAuth)? | No | |
| AUTH-1.2 | Can the customer push group policies to the device (e.g., Active Directory)? | No | |
| AUTH-1.3 | Are any special groups, organizational units, or group policies required? | See notes | Depends on syngo role controls. |
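The AUDT answers above say which event classes the device records (successful and unsuccessful logins in AUDT-2.1/2.2, emergency access in AUDT-2.9), that the log can be exported to a syslog server (AUDT-5.3), and that the device does not analyze the log itself (AUDT-8). The consumer of that export is therefore where detection has to happen. The following is an added example, my own code and not Siemens Healthineers' or the white paper's, of two rules a receiving SIEM would run over the forwarded events. The paper does not publish the message layout, so the RFC 5424 framing, the MSGID values (LOGIN, PHI_READ, EMERGENCY_ACCESS), the structured-data parameter names, the host name and the enterprise number 32473 (the documentation example value from RFC 5424) are all my assumptions, and the log lines are constructed sample data.

```python
"""Detection rules over audit events forwarded by syslog.

Added example, not Siemens Healthineers code. The RFC 5424 layout, MSGID
values, SD-PARAM names and the enterprise number 32473 (RFC 5424's
documentation example) are assumptions; the device's real format is not
published in the white paper.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    msgid: str
    params: dict


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    ts: datetime
    detail: str


# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[[^\]]*\])(?: (?P<msg>.*))?$"
)
PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_syslog(line: str) -> Event:
    """Parse one RFC 5424 line; the SD-PARAMs become the params dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    params = dict(PARAM_RE.findall(m.group("sd")))
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return Event(ts, m.group("host"), m.group("msgid"), params)


def detect(lines, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> list:
    """Two rules for the exported audit trail.

    1. login_failure_burst: `threshold` failed logins (AUDT-2.2) for one user
       within `window`, with no successful login in between.
    2. break_glass: every emergency access (AUDT-2.9) is raised for review.
    """
    events = sorted((parse_syslog(l) for l in lines if l.strip()), key=lambda e: e.ts)
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for e in events:
        user = e.params.get("user", "?")
        outcome = e.params.get("outcome")
        if e.msgid == "LOGIN" and outcome == "failure":
            q = failures[user]
            q.append(e.ts)
            while q and e.ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) == threshold:             # alert once, when the burst is reached
                alerts.append(Alert("login_failure_burst", user, e.ts,
                                    f"{threshold} failed logins within "
                                    f"{int(window.total_seconds())}s on {e.host}"))
        elif e.msgid == "LOGIN" and outcome == "success":
            failures[user].clear()              # a successful login ends the burst
        elif e.msgid == "EMERGENCY_ACCESS":
            alerts.append(Alert("break_glass", user, e.ts,
                                f"emergency access to patient {e.params.get('patient', '?')} on {e.host}"))
    return alerts


# Constructed sample export: three failures then a success for jdoe, a normal
# PHI read, one break-glass access, and a single later failure.
SAMPLE_LOG = """\
<86>1 2021-11-03T08:15:00Z redwood-01 audit - LOGIN [evt@32473 user="jdoe" outcome="failure"] login rejected
<86>1 2021-11-03T08:15:10Z redwood-01 audit - LOGIN [evt@32473 user="jdoe" outcome="failure"] login rejected
<86>1 2021-11-03T08:15:20Z redwood-01 audit - LOGIN [evt@32473 user="jdoe" outcome="failure"] login rejected
<86>1 2021-11-03T08:16:00Z redwood-01 audit - LOGIN [evt@32473 user="jdoe" outcome="success"] login ok
<86>1 2021-11-03T08:20:00Z redwood-01 audit - PHI_READ [evt@32473 user="asmith" patient="PID-0001"] study opened
<86>1 2021-11-03T08:21:00Z redwood-01 audit - EMERGENCY_ACCESS [evt@32473 user="bnurse" patient="PID-0002"] break-glass
<86>1 2021-11-03T09:00:00Z redwood-01 audit - LOGIN [evt@32473 user="jdoe" outcome="failure"] login rejected
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.kind} user={a.user}: {a.detail}")
```

Because AUDT-5.4 states that encryption in transit depends on the syslog server configuration, the forwarding channel between the device and this consumer should be set up with TLS transport (RFC 5425) or run over the same VPN the paper describes for remote service; otherwise the user names that AUDT-1.2 says the trail contains cross the network in clear text.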
| Question ID | Question | Answer | Notes |
|---|---|---|---|
| AUTH-2 | Can users be assigned different privilege levels based on ‘role’ (e.g., user, administrator, and/or service, etc.)? | Yes | |
| AUTH-3 | Can the device owner/operator grant themselves unrestricted administrative privileges (e.g., access operating system or application via local root or administrator account)? | No | |
| AUTH-4 | Does the device authorize or control all API access requests? | See notes | Whitelisting controls the execution of executables and dll access. |
| AUTH-5 | Does the device run in a restricted access mode, or ‘kiosk mode’, by default? | Yes | |

Cyber Security Product Upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade the device’s security patches.

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| CSUP-1 | Does the device contain any software or firmware which may require security updates during its operational life, either from the device manufacturer or from a third-party manufacturer of the software/firmware? If no, answer “N/A” to questions in this section. | Yes | |
| CSUP-2 | Does the device contain an Operating System? If yes, complete 2.1–2.4. | Yes | |
| CSUP-2.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | Yes, SRS-based updates. |
| CSUP-2.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | No, if the installation happens through self-install from teamplay Fleet (ASU). Yes, for SRS-based updates (RUH). |
| CSUP-2.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | |
| CSUP-2.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | |
| CSUP-3 | Does the device contain Drivers and Firmware? If yes, complete 3.1–3.4. | Yes | |
| CSUP-3.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | Yes, SRS-based updates. |
| CSUP-3.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | No, if the installation happens through self-install from teamplay Fleet (ASU). Yes, for SRS-based updates (RUH). |
| CSUP-3.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | |
| CSUP-3.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | |
| CSUP-4 | Does the device contain Anti-Malware Software? If yes, complete 4.1–4.4. | Yes | Yes, containing Device Guard. |
| CSUP-4.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | Yes, SRS-based updates. |
| CSUP-4.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | No, if the installation happens through self-install from teamplay Fleet (ASU). Yes, for SRS-based updates (RUH). |
| CSUP-4.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | |
| CSUP-4.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | |
| CSUP-5 | Does the device contain Non-Operating System commercial off-the-shelf components? If yes, complete 5.1–5.4. | Yes | |
| CSUP-5.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | Yes, SRS-based updates. |
| Question ID | Question | Answer | Notes |
|---|---|---|---|
| CSUP-5.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See notes | No, if the installation happens through self-install from teamplay Fleet (ASU). Yes, for SRS-based updates (RUH). |
| CSUP-5.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | |
| CSUP-5.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | |
| CSUP-6 | Does the device contain other software components (e.g., asset management software, license management)? If yes, please provide details or reference in notes and complete 6.1–6.4. | No | |
| CSUP-6.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | N/A | |
| CSUP-6.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | N/A | |
| CSUP-6.3 | Does the device have the capability to receive remote installation of patches or software updates? | N/A | |
| CSUP-6.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | N/A | |
| CSUP-7 | Does the manufacturer notify the customer when updates are approved for installation? | Yes | Yes, via teamplay Fleet. |
| CSUP-8 | Does the device perform automatic installation of software updates? | No | |
| CSUP-9 | Does the manufacturer have an approved list of third-party software that can be installed on the device? | No | |
| CSUP-10 | Can the owner/operator install manufacturer-approved third-party software on the device themselves? | No | |
| CSUP-10.1 | Does the system have a mechanism in place to prevent installation of unapproved software? | Yes | Yes, providing whitelisting through Device Guard. |
| Question ID | Question | Answer | Notes |
|---|---|---|---|
| CSUP-11 | Does the manufacturer have a process in place to assess device vulnerabilities and updates? | Yes | |
| CSUP-11.1 | Does the manufacturer provide customers with review and approval status of updates? | Yes | Yes, via teamplay Fleet. |
| CSUP-11.2 | Is there an update review cycle for the device? | Yes | Yes, monthly. |

Health Data De-Identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| DIDT-1 | Does the device provide an integral capability to de-identify personally identifiable information? | Yes | |
| DIDT-1.1 | Does the device support de-identification profiles that comply with the DICOM standard for de-identification? | | The Redwood VA20 system supports de-identification profiles as below: 1. The patient's ID and name tags are present but their values are changed to the format below: 1.1. ID: <UserInputValue>_<CreationTime>; 1.1.1. UserInputValue: the string which is entered by a user (default string: Anonymous); 1.1.2. CreationTime: the time when the ID is generated (format: yyyymmddhhmmss); 1.2. Name: <UserInputValue>; 1.2.1. UserInputValue: same definition as 1.1.1. 2. The patient's date of birth value is replaced with an empty string. 3. Other optional personal data fields, including performing physician's name, operator's name, patient's age, size and weight, and requesting physician key/value pairs, are removed. |

Data Backup And Disaster Recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, software, or site configuration information.

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| DTBK-1 | Does the device maintain long term primary storage of personally identifiable information / patient information (e.g., PACS)? | No | |
| DTBK-2 | Does the device have a “factory reset” function to restore the original device settings as provided by the manufacturer? | Yes | Service data partition available on booting using F10. |
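The DIDT-1.1 answer above describes the de-identification profile as three rules: Patient ID becomes a user-entered string (default "Anonymous") joined by an underscore to a yyyymmddhhmmss creation time, Patient Name becomes the user-entered string, the birth date becomes an empty string, and a list of optional personal attributes is removed. The following is an added example, my own code and not Siemens Healthineers' or the white paper's, that applies those rules to a DICOM header modelled as a plain dict keyed by attribute keyword (so it runs without pydicom), and adds a verification step that reports any of the profile's target attributes still carrying data after export. The tag numbers in the comments are from the DICOM standard, the 64-character limit of the LO value representation is a DICOM constraint I apply to the user string, and the sample header is constructed.

```python
"""DICOM de-identification following the profile described in DIDT-1.1.

Added example, not Siemens Healthineers code. The dataset is a dict keyed
by DICOM attribute keyword; tag numbers in comments are from the DICOM
standard, not from the white paper.
"""
from datetime import datetime

ID_TAG = "PatientID"                 # (0010,0020), VR LO
NAME_TAG = "PatientName"             # (0010,0010), VR PN
BIRTH_DATE_TAG = "PatientBirthDate"  # (0010,0030), VR DA
# Rule 3: optional personal data fields that are removed outright.
REMOVED_TAGS = (
    "PerformingPhysicianName",  # (0008,1050)
    "OperatorsName",            # (0008,1070)
    "PatientAge",               # (0010,1010)
    "PatientSize",              # (0010,1020)
    "PatientWeight",            # (0010,1030)
    "RequestingPhysician",      # (0032,1032)
)
TIME_FORMAT = "%Y%m%d%H%M%S"   # yyyymmddhhmmss, as stated for CreationTime
LO_MAX_LENGTH = 64             # DICOM VR "LO" (Patient ID) allows at most 64 chars
CREATION_TIME_LEN = 14


def validate_user_input(user_input: str) -> str:
    """Reject values that would produce an invalid Patient ID.

    The generated ID is <UserInputValue>_<CreationTime>; with the 14-character
    timestamp and the underscore, the user string must fit in the remaining
    49 characters, and it must not carry a backslash (the DICOM value
    multiplicity separator) or control characters.
    """
    if not user_input:
        raise ValueError("UserInputValue must not be empty")
    if len(user_input) > LO_MAX_LENGTH - CREATION_TIME_LEN - 1:
        raise ValueError("UserInputValue too long for the Patient ID attribute")
    if "\\" in user_input or any(ord(c) < 32 for c in user_input):
        raise ValueError("UserInputValue contains characters not allowed in LO/PN values")
    return user_input


def deidentify(dataset: dict, user_input: str = "Anonymous", creation_time=None) -> dict:
    """Return a de-identified copy applying the three rules from DIDT-1.1."""
    user_input = validate_user_input(user_input)
    stamp = (creation_time or datetime.now()).strftime(TIME_FORMAT)
    out = dict(dataset)
    out[ID_TAG] = f"{user_input}_{stamp}"   # rule 1.1
    out[NAME_TAG] = user_input              # rule 1.2
    out[BIRTH_DATE_TAG] = ""                # rule 2
    for tag in REMOVED_TAGS:                # rule 3
        out.pop(tag, None)
    return out


def residual_identifiers(dataset: dict) -> list:
    """Verification after export: attributes the profile should have cleared."""
    leftovers = [t for t in REMOVED_TAGS if t in dataset]
    if dataset.get(BIRTH_DATE_TAG):
        leftovers.append(BIRTH_DATE_TAG)
    return leftovers


# Constructed sample header (no real patient).
SAMPLE_DATASET = {
    "PatientName": "DOE^JANE",
    "PatientID": "MRN-123456",
    "PatientBirthDate": "19800101",
    "PatientSex": "F",
    "PatientAge": "041Y",
    "PatientWeight": "62",
    "PerformingPhysicianName": "SMITH^JOHN",
    "StudyDescription": "Cardiac echo",
}


def demo(user_input: str = "Anonymous") -> dict:
    """Run the profile with a fixed CreationTime so the result is repeatable."""
    return deidentify(SAMPLE_DATASET, user_input,
                      creation_time=datetime(2021, 11, 3, 14, 30, 5))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two points the profile leaves to the operator are worth noting when reviewing exports: attributes outside the listed set (Patient Sex, study descriptions, private tags, burned-in annotations) pass through unchanged, and the CreationTime suffix makes every exported ID unique, so the same patient exported twice receives two different IDs.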
| Question ID | Question | Answer | Notes |
|---|---|---|---|
| DTBK-3 | Does the device have an integral data backup capability to removable media? | No | |
| DTBK-4 | Does the device have an integral data backup capability to remote storage? | No | |
| DTBK-5 | Does the device have a backup capability for system configuration information, patch restoration, and software restoration? | Yes | Only for ultrasound configuration presets. |
| DTBK-6 | Does the device provide the capability to check the integrity and authenticity of a backup? | See notes | Yes for integrity, no for authenticity. |

Emergency Access (EMRG)
The ability of the device user to access personally identifiable information in case of a medical emergency situation that requires immediate access to stored personally identifiable information.

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| EMRG-1 | Does the device incorporate an emergency access (i.e. “break-glass”) feature? | Yes | |

Health Data Integrity And Authenticity (IGAU)
How the device ensures that the stored data on the device has not been altered or destroyed in a non-authorized manner and is from the originator.

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| IGAU-1 | Does the device provide data integrity checking mechanisms of stored health data (e.g., hash or digital signature)? | No | |
| IGAU-2 | Does the device provide error/failure protection and recovery mechanisms for stored health data (e.g., RAID-5)? | No | |

Malware Detection/Protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).

| Question ID | Question | Answer | Notes |
|---|---|---|---|
| MLDP-1 | Is the device capable of hosting executable software? | Yes | |
| MLDP-2 | Does the device support the use of anti-malware software (or other anti-malware mechanism)? Provide details or reference in notes. | Yes | System supports whitelisting using Device Guard. |
| MLDP-2.1 | Does the device include anti-malware software by default? | Yes | |
| MLDP-2.2 | Does the device have anti-malware software available as an option? | No | Always included and running by default. |
MLDP-2.3 | Does the device documentation allow the owner/operator to install or update anti-malware software? | No |
MLDP-2.4 | Can the device owner/operator independently (re-)configure anti-malware settings? | No |
MLDP-2.5 | Does notification of malware detection occur in the device user interface? | Yes |
MLDP-2.6 | Can only manufacturer-authorized persons repair systems when malware has been detected? | Yes |
MLDP-2.7 | Are malware notifications written to a log? | Yes |
MLDP-2.8 | Are there any restrictions on anti-malware (e.g., purchase, installation, configuration, scheduling)? | Yes | No additional anti-malware can be added to the system.
MLDP-3 | If the answer to MLDP-2 is NO, and anti-malware cannot be installed on the device, are other compensating controls in place or available? | N/A |
MLDP-4 | Does the device employ application whitelisting that restricts the software and services that are permitted to be run on the device? | Yes |
MLDP-5 | Does the device employ a host-based intrusion detection/prevention system? | No |
MLDP-5.1 | Can the host-based intrusion detection/prevention system be configured by the customer? | N/A |
MLDP-5.2 | Can a host-based intrusion detection/prevention system be installed by the customer? | N/A |

Node Authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.
Question ID | Question | Answer | Notes
NAUT-1 | Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information (e.g., Web APIs, SMTP, SNMP)? | No |
NAUT-2 | Are network access control mechanisms supported (e.g., does the device have an internal firewall, or use a network connection white list)? | Yes |
NAUT-2.1 | Is the firewall ruleset documented and available for review? | See notes | The most important ports are documented, but not all of them.
NAUT-3 | Does the device use certificate-based network connection authentication? | See notes | Only for Wi-Fi connections based on TLS-based connectivity.

Connectivity Capabilities (CONN)
All network and removable media connections must be considered in determining appropriate security controls. This section lists connectivity capabilities that may be present on the device.
Question ID | Question | Answer | Notes
CONN-1 | Does the device have hardware connectivity capabilities? | Yes |
CONN-1.1 | Does the device support wireless connections? | Yes |
CONN-1.1.1 | Does the device support Wi-Fi? | Yes |
CONN-1.1.2 | Does the device support Bluetooth? | No |
CONN-1.1.3 | Does the device support other wireless network connectivity (e.g., LTE, Zigbee, proprietary)? | No |
CONN-1.1.4 | Does the device support other wireless connections (e.g., custom RF controls, wireless detectors)? | No |
CONN-1.2 | Does the device support physical connections? | Yes |
CONN-1.2.1 | Does the device have available RJ45 Ethernet ports? | Yes |
CONN-1.2.2 | Does the device have available USB ports? | Yes |
CONN-1.2.3 | Does the device require, use, or support removable memory devices? | Yes |
CONN-1.2.4 | Does the device support other physical connectivity? | No |
CONN-2 | Does the manufacturer provide a list of network ports and protocols that are used or may be used on the device? | Yes |
CONN-3 | Can the device communicate with other systems within the customer environment? | Yes |
CONN-4 | Can the device communicate with other systems external to the customer environment (e.g., a service host)? | Yes | SRS supported.
CONN-5 | Does the device make or receive API calls? | See notes | The device receives API calls over the SRS network when service interacts with it for troubleshooting purposes.
CONN-6 | Does the device require an internet connection for its intended use? | No |
CONN-7 | Does the device support Transport Layer Security (TLS)? | Yes |
CONN-7.1 | Is TLS configurable? | Yes |
CONN-8 | Does the device provide operator control functionality from a separate device system (e.g., telemedicine)? | See notes | Remote control is provided via TeamViewer.

Person Authentication (PAUT)
The ability to configure the device to authenticate users.
Question ID | Question | Answer | Notes
PAUT-1 | Does the device support and enforce unique IDs and passwords for all users and roles (including service accounts)? | Yes |
PAUT-1.1 | Does the device enforce authentication of unique IDs and passwords for all users and roles (including service accounts)? | No | There is no enforcement if the user does not want it.
PAUT-2 | Is the device configurable to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, OAuth, etc.)? | No |
PAUT-3 | Is the device configurable to lock out a user after a certain number of unsuccessful logon attempts? | Yes | Configurable by the System Admin.
PAUT-4 | Are all default accounts (e.g., technician service accounts, administrator accounts) listed in the documentation? | No |
PAUT-5 | Can all passwords be changed? | Yes |
PAUT-6 | Is the device configurable to enforce creation of user account passwords that meet established (organization specific) complexity rules? | Yes | Password complexity is configurable by the System Admin.
PAUT-7 | Does the device support account passwords that expire periodically? | Yes | Configurable by the System Admin.
PAUT-8 | Does the device support multi-factor authentication? | No |
PAUT-9 | Does the device support single sign-on (SSO)? | No |
PAUT-10 | Can user accounts be disabled/locked on the device? | Yes |
PAUT-11 | Does the device support biometric controls? | No |
PAUT-12 | Does the device support physical tokens (e.g., badge access)? | No |
PAUT-13 | Does the device support group authentication (e.g., hospital teams)? | No |
PAUT-14 | Does the application or device store or manage authentication credentials? | Yes |
PAUT-14.1 | Are credentials stored using a secure method? | Yes |

Physical Locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of personally identifiable information stored on the device or on removable media.
Question ID | Question | Answer | Notes
PLOK-1 | Is the device software only? If yes, answer "N/A" to the remaining questions in this section. | No |
PLOK-2 | Are all device components maintaining personally identifiable information (other than removable media) physically secure (i.e., cannot be removed without tools)? | Yes |
PLOK-3 | Are all device components maintaining personally identifiable information (other than removable media) physically secured behind an individually keyed locking device? | No |
PLOK-4 | Does the device have an option for the customer to attach a physical lock to restrict access to removable media? | No |

Roadmap for Third Party Applications and Software Components in Device Life Cycle (RDMP)
Manufacturer's plans for security support of third-party components within the device's life cycle.
Question ID | Question | Answer | Notes
RDMP-1 | Was a secure software development process, such as ISO/IEC 27034 or IEC 62304, followed during product development? | Yes |
RDMP-2 | Does the manufacturer evaluate third-party applications and software components included in the device for secure development practices? | Yes |
RDMP-3 | Does the manufacturer maintain a web page or other source of information on software support dates and updates? | Yes | Siemens Healthineers maintains teamplay Fleet to support software updates.
RDMP-4 | Does the manufacturer have a plan for managing third-party component end-of-life? | Yes |

Software Bill of Materials (SBoM)
A Software Bill of Materials (SBoM) lists all the software components that are incorporated into the device being described, for the purpose of operational security planning by the healthcare delivery organization. This section supports controls in the RDMP section.
Question ID | Question | Answer | Notes
SBOM-1 | Is the SBoM for this product available? | Yes |
SBOM-2 | Does the SBoM follow a standard or common method in describing software components? | Yes |
SBOM-2.1 | Are the software components identified? | Yes |
SBOM-2.2 | Are the developers/manufacturers of the software components identified? | Yes |
SBOM-2.3 | Are the major version numbers of the software components identified? | Yes |
SBOM-2.4 | Are any additional descriptive elements identified? | Yes |
SBOM-3 | Does the device include a command or process method available to generate a list of software components installed on the device? | No |
SBOM-4 | Is there an update process for the SBoM? | Yes |

System and Application Hardening (SAHD)
The device's inherent resistance to cyber attacks and malware.
Question ID | Question | Answer | Notes
SAHD-1 | Is the device hardened in accordance with any industry standards? | Yes |
SAHD-2 | Has the device received any cybersecurity certifications? | No |
SAHD-3 | Does the device employ any mechanisms for software integrity checking? | See notes | Software integrity is guaranteed by using code signing.
SAHD-3.1 | Does the device employ any mechanism (e.g., release-specific hash key, checksums, digital signature, etc.) to ensure the installed software is manufacturer-authorized? | Yes | System supports whitelisting using Device Guard.
SAHD-3.2 | Does the device employ any mechanism (e.g., release-specific hash key, checksums, digital signature, etc.) to ensure the software updates are the manufacturer-authorized updates? | Yes | System supports whitelisting using Device Guard.
SAHD-4 | Can the owner/operator perform software integrity checks (i.e., verify that the system has not been modified or tampered with)? | No |
SAHD-5 | Is the system configurable to allow the implementation of file-level, patient-level, or other types of access controls? | Yes |
SAHD-5.1 | Does the device provide role-based access controls? | Yes |
SAHD-6 | Are any system or user accounts restricted or disabled by the manufacturer at system delivery? | No |
SAHD-6.1 | Are any system or user accounts configurable by the end user after initial configuration? | Yes |
SAHD-6.2 | Does this include restricting certain system or user accounts, such as service technicians, to least privileged access? | No |
SAHD-7 | Are all shared resources (e.g., file shares) which are not required for the intended use of the device disabled? | Yes |
SAHD-8 | Are all communication ports and protocols that are not required for the intended use of the device disabled? | Yes |
SAHD-9 | Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.) which are not required for the intended use of the device deleted/disabled? | Yes |
SAHD-10 | Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled? | No |
SAHD-11 | Can the device prohibit boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? | Yes |
SAHD-12 | Can unauthorized software or hardware be installed on the device without the use of physical tools? | No |
SAHD-13 | Does the product documentation include information on operational network security scanning by users? | No |
SAHD-14 | Can the device be hardened beyond the default provided state? | No |
SAHD-14.1 | Are instructions available from the vendor for increased hardening? | No |
SAHD-15 | Can the system prevent access to BIOS or other bootloaders during boot? | Yes |
SAHD-16 | Have additional hardening methods not included in 2.3.19 been used to harden the device? | No |

Security Guidance (SGUD)
Availability of security guidance for operator and administrator of the device and manufacturer sales and service.
Question ID | Question | Answer | Notes
SGUD-1 | Does the device include security documentation for the owner/operator? | Yes |
SGUD-2 | Does the device have the capability, and provide instructions, for the permanent deletion of data from the device or media? | Yes |
SGUD-3 | Are all access accounts documented? | Yes |
SGUD-3.1 | Can the owner/operator manage password control for all accounts? | Yes |
SGUD-4 | Does the product include documentation on recommended compensating controls for the device? | No |

Health Data Storage Confidentiality (STCF)
The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of personally identifiable information stored on the device or removable media.
Question ID | Question | Answer | Notes
STCF-1 | Can the device encrypt data at rest? | Yes | Yes, BitLocker supported.
STCF-1.1 | Is all data encrypted or otherwise protected? | Yes |
STCF-1.2 | Is the data encryption capability configured by default? | No |
STCF-1.3 | Are instructions available to the customer to configure encryption? | No |
STCF-2 | Can the encryption keys be changed or configured? | No |
STCF-3 | Is the data stored in a database located on the device? | Yes |
STCF-4 | Is the data stored in a database external to the device? | No |

Transmission Confidentiality (TXCF)
The ability of the device to ensure the confidentiality of transmitted personally identifiable information.
Question ID | Question | Answer | Notes
TXCF-1 | Can personally identifiable information be transmitted only via a point-to-point dedicated cable? | No |
TXCF-2 | Is personally identifiable information encrypted prior to transmission via a network or removable media? | No |
TXCF-2.1 | If data is not encrypted by default, can the customer configure encryption options? | No |
TXCF-3 | Is personally identifiable information transmission restricted to a fixed list of network destinations? | No |
TXCF-4 | Are connections limited to authenticated systems? | No |
TXCF-5 | Are secure transmission methods supported/implemented (DICOM, HL7, IEEE 11073)? | See notes | Yes, DICOM supported.

Transmission Integrity (TXIG)
The ability of the device to ensure the integrity of transmitted data.
Question ID | Question | Answer | Notes
TXIG-1 | Does the device support any mechanism (e.g., digital signatures) intended to ensure data is not modified during transmission? | No |
TXIG-2 | Does the device include multiple sub-components connected by external cables? | No |

Remote Service (RMOT)
Remote service refers to all kinds of device maintenance activities performed by a service person via network or other remote connection.
Question ID | Question | Answer | Notes
RMOT-1 | Does the device permit remote service connections for device analysis or repair? | Yes | Yes, SRS supported.
RMOT-1.1 | Does the device allow the owner/operator to initiate remote service sessions for device analysis or repair? | Yes | The owner/operator would need to put the system into full access in order to allow a remote service session.
RMOT-1.2 | Is there an indicator for an enabled and active remote session? | Yes | Yes, a "telephone answered" icon appears in the upper right of the main imaging screen when the system is accessed remotely.
RMOT-1.3 | Can patient data be accessed or viewed from the device during the remote session? | Yes | Only with owner/operator consent provided to the remote requestor.
RMOT-2 | Does the device permit or use remote service connections for predictive maintenance data? | Yes |
RMOT-3 | Does the device have any other remotely accessible functionality (e.g., software updates, remote training)? | Yes | Remote updates, remote training, remote assistance.

Other Security Considerations (OTHR)
NONE

Notes:

Manufacturer Disclosure Statement (IEC 60601-1)
Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1. Network properties required by the system and resulting risks

1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1 Gb/s.
• If the network is down, the network services (see below) are not available, which can lead to the risks stated below.
• If the network is unavailable, medical images cannot be transferred for remote consultation.
• If the wireless network is incorrectly protected (for example, an open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below.
• If the recommended network performance (1 Gbit/s) is not provided, the transfer of images takes longer, and availability of images at destinations (e.g., for consulting) is delayed.
• Only the protocols shown in the table of used ports are needed for communication.

1-2 PACS system for archiving images/results
• If the PACS is not available:
  – images cannot be archived after the examination. In case of a system hardware failure, all non-archived images can be lost.
  – images cannot be archived after the examination. Examinations may no longer be possible because the hard drive is full, as non-archived images cannot be automatically removed.
  – images cannot be archived after the examination. In case of manual deletion of images, unarchived images can be lost.
  – images are not available for remote consultation via PACS consoles.
  – prior images are not available.
• If the recommended network performance (1 Gbit/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system after the last transfer operations is prolonged.

1-3 DICOM printer
• If the DICOM printer is not available, film is not available for diagnosis/archive.

1-4 RIS system
• If the RIS system is not available:
  – the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images when sent to the PACS until they are manually reconciled with the RIS data in the PACS.
  – in case of a Worklist Query time-out due to poor network transfer, there is a possibility that outdated RIS data is used when registering a patient from the list of schedules on the system.

1-5 Network connection to the SRS server
• If the connection to the Smart Remote Services server is not available, support from Siemens Healthineers service is limited.

1-6 Common medical protocol properties
• Protocols used in medical environments are typically unsecure, with the exception of Secure Smart Remote Services (using HTTPS).

2. Instructions for the responsible organization

2-1 Connection of the system to a network that includes other equipment could result in previously unidentified risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.
2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis.
2-3 Changes to the network include:
• changes in network configuration
• connection of additional items to the network
• disconnecting items from the network
• update of equipment connected to the network
• upgrade of equipment connected to the network
2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.
2-5 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that staff who have access to the device do not have the opportunity to cause any harm to the system.
2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.
2-7 Staff of the RESPONSIBLE ORGANIZATION have to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this training.
2-8 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that only authorized medical/administrative staff have access to the device.
2-9 The RESPONSIBLE ORGANIZATION is fully responsible for ensuring that visitors/patients do not have unsupervised physical access to the system.
2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers.
2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system.
2-12 The RESPONSIBLE ORGANIZATION shall ensure that access to the device is possible neither from the public internet nor from the organization's intranet.
2-13 The RESPONSIBLE ORGANIZATION is responsible for ensuring physical security for the device.
2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services of the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.
2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.
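Instructions 2-12, 2-14 and 2-15 above place the burden of restricting and watching the device's network traffic on the responsible organization, and the MDS2 answers explain why: the device does not authenticate peer nodes (NAUT-1), does not restrict transmission to a fixed list of destinations (TXCF-3) and sends DICOM unencrypted (TXCF-2, 1-6). The following Python is an added example, not part of the original white paper or of any Siemens Healthineers tooling: it checks exported flow records from a firewall or NetFlow collector against an allow list of the peers named in section 1 (PACS, RIS, DICOM printer, SRS server). The device address, the peer addresses, the DICOM port 104, the clinical address range and the "ts,src,dst,dport,proto" log format are constructed assumptions; the authoritative list of ports is the manufacturer's table of used ports (CONN-2), which this page does not reproduce.

```python
"""Added example: allow-list monitoring of an ultrasound system's network
flows, in the spirit of instructions 2-12, 2-14 and 2-16. Addresses, ports
and the log format are constructed assumptions, not values from the page."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Assumed addressing (not from the page): the device and the peers it may talk to.
DEVICE = ipaddress.ip_address("10.20.30.40")
ALLOWED_OUTBOUND = {
    # (destination, port, protocol): role of the peer
    (ipaddress.ip_address("10.20.1.10"), 104, "tcp"): "PACS (DICOM store)",
    (ipaddress.ip_address("10.20.1.11"), 104, "tcp"): "RIS (DICOM modality worklist)",
    (ipaddress.ip_address("10.20.1.12"), 104, "tcp"): "DICOM printer",
    (ipaddress.ip_address("192.0.2.50"), 443, "tcp"): "SRS server (HTTPS)",
}
# Hosts permitted to open connections *to* the device; 2-12 forbids all others.
ALLOWED_INBOUND = {ipaddress.ip_address("192.0.2.50"): "SRS service host"}
# Address range of the clinical network segment (assumed).
CLINICAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_flow(line):
    """Parse one 'ts,src,dst,dport,proto' record of the constructed flow log."""
    ts, src, dst, dport, proto = (field.strip() for field in line.split(","))
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower())


def check_flow(flow):
    """Return None for an expected flow, otherwise a short alert reason."""
    if flow.src == DEVICE:
        if (flow.dst, flow.dport, flow.proto) in ALLOWED_OUTBOUND:
            return None
        if not any(flow.dst in net for net in CLINICAL_NETS):
            # Traffic leaving the clinical segment to an unlisted host (2-12).
            return f"device reached non-clinical address {flow.dst}:{flow.dport}/{flow.proto}"
        # Unlisted peer inside the clinical segment (2-14, TXCF-3).
        return f"device opened unexpected connection to {flow.dst}:{flow.dport}/{flow.proto}"
    if flow.dst == DEVICE:
        if flow.src in ALLOWED_INBOUND:
            return None
        return f"inbound connection to device from {flow.src} (port {flow.dport}/{flow.proto})"
    return None  # flow does not involve the device


def scan(lines):
    """Run check_flow over log lines; return (timestamp, reason) for every alert."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            alerts.append((flow.ts, reason))
    return alerts


# Constructed flow records (not captured from a real system).
SAMPLE_LOG = """\
# ts,src,dst,dport,proto
2021-12-01T09:31:02,10.20.30.40,10.20.1.10,104,tcp
2021-12-01T09:31:05,10.20.30.40,10.20.1.11,104,tcp
2021-12-01T09:32:10,10.20.30.40,192.0.2.50,443,tcp
2021-12-01T09:33:41,10.20.30.40,10.20.7.99,104,tcp
2021-12-01T09:34:00,10.20.30.40,203.0.113.8,80,tcp
2021-12-01T09:35:12,10.20.55.3,10.20.30.40,445,tcp
2021-12-01T09:36:00,192.0.2.50,10.20.30.40,443,tcp
2021-12-01T09:37:00,10.20.1.10,10.20.1.11,104,tcp
""".splitlines()

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

Three conditions raise an alert: an outbound connection from the device to any (address, port, protocol) not on the list, an outbound connection that leaves the clinical address range altogether, and any inbound connection to the device from a host other than the SRS service host. On the constructed SAMPLE_LOG this flags the unlisted DICOM peer, the public address and the inbound port 445 attempt, and stays silent on the PACS, RIS and SRS traffic and on flows that do not involve the device.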
2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.
2-17 The RESPONSIBLE ORGANIZATION is responsible for the hard drive encryption keys and for preventing the theft or loss of those keys.

3. Intended purpose of integrating the device into an IT network

3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network.
3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of acquired images to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS, making future retrievals fast and easy.
3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.

4. Network properties required by the system and resulting risks

4-1 Unsuccessful data transfer not recognized
Function: Archiving and Networking
Hazard: Wrong diagnosis / loss of acquisition data
Caution: Data transfers between systems are not verified automatically. Data is lost if it is deleted locally before it has been successfully transferred to another system.
Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
Effect on: Patient

4-2 Incorrect or incomplete data transfer
Function: Data Exchange – Network
Hazard: Wrong diagnosis, wrong examination / loss of acquisition data, loss of post-processing results, corrupted data, inconsistent data
Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, not all DICOM objects are considered, or objects are deleted, corrupted or unintentionally manipulated. Data on the sender and receiver side is not consistent. Failure of the transfer is not recognized.
Measure: It has to be verified by testing that there is no object loss during sending, which means:
• Verify that exception scenarios result in a failed job (and check for other exceptions in log files).
• Verify that error cases which result in data not complying with the DICOM standard are covered by exception scenarios.
Effect on: Patient

4-3 Insecure or incorrectly configured clinical network
Function: Network Security
Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS
Caution: Unauthorized access may affect system performance and data security.
Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
• Lowered system performance and/or a non-operational system
• Loss of data security, including loss of all patient data
Measure:
• Enable your system administrator to ensure network security and the security of the operational infrastructure
• Consult the manuals for secure setup
• Perform system updates as required
• Run your medical device only in protected network environments, and do not connect it directly to public networks
• Set up firewalls
• Prevent configuration files from being changed by users
• Update and patch networked systems as required
Effect on: Patient, System

4-4 BitLocker recovery keys not available when needed
Function: Hard drive encryption
Hazard: Loss of patient data, system DoS
Caution: The customer should keep the BitLocker recovery keys safe.
Cause: If the customer opted for hard drive encryption and BitLocker fails to access the encrypted drive for whatever reason, the recovery keys will be needed by Siemens Healthineers Service to pause encryption and gain offline access to the hard drive and the patient data stored on it.
Effect on: Patient, System

Abbreviations
AD: Active Directory
AES: Advanced Encryption Standard
ASU: Anytime Software Updates
BIOS: Basic Input Output System
COM: Component Object Model
DCOM: Distributed Component Object Model
DES: Data Encryption Standard
DHCP: Dynamic Host Configuration Protocol
DICOM: Digital Imaging and Communications in Medicine
DISA: Defense Information Systems Agency
DMZ: Demilitarized Zone
DNS: Domain Name System
DoS: Denial of Service
ePHI: Electronic Protected Health Information
FDA: Food and Drug Administration
FIPS: Federal Information Processing Standards
HD: High Density
HDCP: High-bandwidth Digital Content Protection
HECI: Host Embedded Controller Interface
HHS: Health and Human Services
HIPAA: Health Insurance Portability and Accountability Act
HIMSS: Healthcare Information and Management Systems Society
HTTP: Hypertext Transfer Protocol
HTTPS: HTTP Secure
ICS: Integrated Communication Services
IDS: Intrusion Detection System
IEC: International Electrotechnical Commission
IIS: Internet Information Services
IPS: Intrusion Prevention System
IPsec: Internet Protocol Security
iSCSI: Internet Small Computer System Interface
IKE: Internet Key Exchange
IVM: Intervention Module
JPEG: Joint Photographic Experts Group
LDAP: Lightweight Directory Access Protocol
MD5: Message Digest 5
MDS2: Manufacturer Disclosure Statement for Medical Device Security
MSTS: Microsoft Terminal Server
NEMA: National Electrical Manufacturers Association
NTP: Network Time Protocol
OCR: Office for Civil Rights
OS: Operating System
OU: Organization Unit
PACS: Picture Archiving and Communication System
PHI: Protected Health Information
PII: Personally Identifiable Information
PNRP: Peer Name Resolution Protocol
RIS: Radiology Information System
RPC: Remote Procedure Call
RUH: Remote Update Handling
SAM: Security Accounts Manager
SBoM: Software Bill of Materials
SHA: Secure Hash Algorithm
SMP: Spaces Management Provider
SQL: Structured Query Language
SRS: Smart Remote Services
SSL: Secure Socket Layer
STIG: Security Technical Implementation Guideline
SW: Software
TCP: Transmission Control Protocol
TLS: Transport Layer Security
TPM: Trusted Platform Module
UltraVNC: Ultra Virtual Network Computing
UDP: User Datagram Protocol
UI: User Interface
VLAN: Virtual Local Area Network
VPN: Virtual Private Network
WMI: Windows Management Instrumentation
WWW: World Wide Web

Disclaimer According to IEC 80001-1
1-1 The Device has the capability to be connected to a medical IT-network which is managed under full responsibility of the operating responsible organization. It is assumed that the responsible organization assigns a Medical IT-Network Risk Manager to perform IT-Risk Management (see IEC 80001-1:2010/EN 80001-1:2011) for IT-networks incorporating medical devices.
1-2 This statement describes Device-specific IT-networking safety and security capabilities. It is not a responsibility agreement according to IEC 80001-1:2010/EN 80001-1:2011.
1-3 Any modification of the platform, the software or the interfaces of the Device, unless authorized and approved by Siemens Healthcare GmbH, voids all warranties, liabilities, assertions and contracts.
1-4 The responsible organization acknowledges that the Device's underlying standard computer with operating system is to some extent vulnerable to typical attacks such as malware or denial-of-service.
1-5 Unintended consequences (such as misuse, loss or corruption) of data not under control of the Device, e.g., after electronic communication from the Device to some IT-network or to some storage, are under the responsibility of the responsible organization.
1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT-network. The responsible organization must ensure, through technical and/or organizational measures, that only authorized use of the external connections and storage media is permitted.

International Electrotechnical Commission Glossary (extract)
Responsible organization: Entity accountable for the use and maintenance of a medical IT-network.

Statement on FDA Cybersecurity Guidance
Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding, and alternative approaches may be used to satisfy FDA regulatory requirements.
The representations contained in this white paper are designed to describe Siemens Healthineers' approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cybersecurity efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

On account of certain regional limitations of sales rights and service availability, we cannot guarantee that all products included in this brochure are available through the Siemens Healthineers sales organization worldwide. Availability and packaging may vary by country and are subject to change without prior notice. Some/all of the features and products described herein may not be available in the United States or other countries.
The information in this document contains general technical descriptions of specifications and options as well as standard and optional features that do not always have to be present in individual cases. Siemens Healthineers reserves the right to modify the design, packaging, specifications, and options described herein without prior notice. Please contact your local Siemens Healthineers sales representative for the most current information.
In the interest of complying with legal requirements concerning the environmental compatibility of our products (protection of natural resources and waste conservation), we recycle certain components. Using the same extensive quality assurance measures as for factory-new components, we guarantee the quality of these recycled components.
Note: Any technical data contained in this document may vary within defined tolerances. Original images always lose a certain amount of detail when reproduced.
Caution: Federal law restricts this device to sale by or on the order of a physician.

ACUSON Redwood is a trademark of Siemens Medical Solutions USA, Inc. syngo is a trademark of Siemens Healthineers GmbH. Adobe is either a trademark or registered trademark of Adobe Systems Incorporated in the United States and/or other countries. Intel is a trademark of Intel Corporation in the United States and other countries. Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries. McAfee is a registered trademark of McAfee, LLC or its subsidiaries in the US and other countries. NVIDIA is a registered trademark of NVIDIA Corporation. PowerScribe® 360 | Reporting is a registered trademark of Nuance Communications, Inc.

Siemens Healthineers Headquarters
Siemens Healthcare GmbH, Henkestr. 127, 91052 Erlangen, Germany. Phone: +49 9131 84-0. siemens-healthineers.com

Manufacturer
Siemens Medical Solutions USA, Inc., Ultrasound, 22010 S.E. 51st Street, Issaquah, WA 98029, USA. Phone: 1-888-826-9702. siemens-healthineers.com/ultrasound

Published by Siemens Medical Solutions USA, Inc. · 11245 1221 online · © Siemens Medical Solutions USA, Inc., 2021
