Siemens Healthineers Academy

ACUSON Sequoia Ultrasound System, release 2.5 (VA50) Security and MDS² Form

This document contains information on the security features of the ACUSON Sequoia system, release 2.5 (VA50), with the harmonized control panel.

White paper

ACUSON Sequoia™ Ultrasound System and ACUSON Sequoia™ Select Ultrasound System, Release VA50
Security White Paper and MDS2

The facts about the security of our products and solutions.

siemens-healthineers.com/cybersecurity
HOOD05162003336601 · Effective Date February 24, 2023
Siemens Healthineers · Unrestricted

Product and Solution Security White Paper · ACUSON Sequoia VA50 and ACUSON Sequoia Select VA50

Foreword

The Siemens Healthineers Product and Solution Security (PSS) program

At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our products.

Our program targets incorporating state-of-the-art cybersecurity into our current and future products. We seek to protect the security of your data while, at the same time, providing measures to strengthen the resiliency of our products from cyber threats.

We comply with applicable security and privacy laws and will cooperate with the competent authorities including, but not limited to, the US Department of Health and Human Services (HHS), the US Food and Drug Administration (FDA), the US Office for Civil Rights (OCR), the EU General Data Protection Regulation (GDPR), the National Medical Products Administration (NMPA) in China, and the EU Medical Device Regulation (MDR) to meet IT security and privacy obligations.

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our products, no matter what the source.

Elements of our Product and Solution Security program

• Providing information to facilitate secure configuration and use of our medical devices in your IT environment
• Conducting formal threat and risk analysis for our products
• Incorporating security-focused architecture, design and coding methodologies in our software development process
• Performing static code analysis of our products
• Conducting security testing of products under development as well as products already in the field
• Providing a patch management strategy for the medical device
• Monitoring security vulnerabilities to track reported third party component issues in our products
• Working with suppliers to address security throughout the supply chain
• Training of employees to provide knowledge consistent with their level of responsibility regarding your data and device integrity.

Contacting Siemens Healthineers about Product and Solution Security

Siemens Healthineers requests that any cybersecurity or privacy incidents are reported by email to: productsecurity@siemens-healthineers.com
Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers

Siemens Healthcare GmbH © 2023

Contents

Foreword
Basic Information
Network Information
Security Controls
Shared Responsibilities
Software Bill of Materials
Manufacturer Disclosure Statement (MDS2)
Manufacturer Disclosure Statement (IEC 60601-1)
Abbreviations
Disclaimer according to IEC 80001-1
Statement on FDA Cybersecurity Guidance

Basic Information

Why is cybersecurity important?

Keeping patient data safe and secure should typically be one of the top priorities of healthcare institutes. It is estimated that the cost associated in the recovery of each medical record in the United States can be as high as $380.[1] According to the Ponemon Institute research report,[2] 39% of medical devices were hacked, with hackers being able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

Our purpose is to help healthcare providers succeed

The new ACUSON Sequoia ultrasound system and ACUSON Sequoia Select ultrasound system (the systems) are the result of more than three decades of experience in ultrasound engineering. A general imaging ultrasound system, it was developed in response to one of the most prevalent challenges in ultrasound imaging today: the imaging of different-sized patients with consistency and clarity. With the Deep Abdominal Transducer (DAX), a new high-powered architecture, and innovative updates to elastography and contrast-enhanced ultrasound, the systems produce penetration up to 55 cm. With its powerful architecture and innovative features, the systems expand precision medicine by enabling high-resolution imaging that adapts to patients’ size and personal characteristics, contributing to more confident diagnosis.

Operating Systems

Please refer to the Software Bill of Material chapter.

Hardware Specifications

Please refer to the corresponding Datasheets for more information. Hardware configuration may vary depending on customer requirements.

User Account Information

• The systems software provides local user accounts, managed by the administrator of the system, or LDAP-based accounts if the system is part of a Microsoft Windows Domain.
• A break-glass mechanism ensures access to the system in emergency scenarios.
• The system provides preconfigured Password Policies that can be customized by administrators.

Domain integration

In case of domain integration, we recommend putting the device in its own Organizational Unit (OU). No global policies are allowed. More details will be provided in the Administration Manual.

Patching Strategy

• Security patches will be provided on a regular basis after validation by Siemens Healthineers to ensure reliability of the clinical function of the medical device.
• If the system is connected to a network via a remote service method, SW updates will be pushed to the system automatically. Downloaded updates need to be confirmed by the system operator before their installation.
• Technologies and software components are actively monitored by Security Vulnerability Monitoring (SVM) for vulnerabilities and availability of security updates.

Cryptography Usage

The systems use ciphers and protocols built into Windows 10 for encryption and data protection. If needed, hardening measures limit usage to those that are at least FIPS 140-2-compliant.

Terms and Conditions

Please see local terms and conditions for purchasing and operating this device within your area.

Handling of Sensitive Data

• These ultrasound systems are designed for temporary data storage only. Siemens Healthineers recommends storing patient data in a long-term archive, e.g., on a PACS, and data must be deleted using a facility-defined procedure.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system, similar to DICOM data, raw data, and metadata for DICOM creation. Note: The time for which PHI is stored is determined by the facility.
• Personal Identifiable Information (PII) as part of the DICOM records is also temporarily stored on the ultrasound system, e.g., patient’s name, birthday or age, height and weight, personal identification number, and referring physician’s name. The system provides anonymization of displayed PII for acquired images.
• Protected Health Information (PHI) is transmitted via DICOM (encrypted/unencrypted).

Data Recovery

The ACUSON Sequoia and ACUSON Sequoia Select VA50 system software uses local data storage for storing application data as configured during installation. There are several scenarios which require a recovery of the system or the database. In case of software errors, the following recovery strategies are available:

• Recovery of corrupted files
• Recovery of partition in case of corrupt Operating System (OS) or application

A secure data backup, including offline backup, is the responsibility of the customer.

Boundary Defense

The built-in firewall minimizes the network attack surface. For optimized protection of sensitive data and operation of the system, it’s recommended to:

• deploy the system in a secure network environment
• utilize network segmentation
• apply client access control and protection against access from public networks. Please see the related Secure Configuration and Hardening Guide.
Boundary defense in the hospital should be multilayered, relying on firewalls, proxies, DMZ and network-based IDS and IPS, as well as physical protections. Additionally, the system provides a PHI removal tool to make the data drive containing patient data unrecoverable when desired by the customer.

Network Information

[Figure 1: System deployment overview with regard to network boundaries. Diagram labels: Ultrasound Machine, Clinical Network, Internet, Router, VPN, SRS (Smart Remote Services), Remote Service Access Server, PACS/RIS, Domain Controller, Network Share, NUANCE; connections are marked IN/OUT with DICOM, LDAP, TCP, UDP and RDP.]

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN). To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall or at least using access control lists on the network switches to limit traffic to identified peers. At minimum, the DICOM Port (see Table 1) needs to be visible for customer DICOM network nodes (e.g., PACS).
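One way a site can check that its switch ACLs or firewall actually limit traffic to identified peers is to audit inbound flow records for the device's segment against the port list in Table 1. The following is an added example, not code from Siemens Healthineers or from this white paper; the peer addresses, the policy mapping and the sample flows are constructed placeholders, and only inbound connections to the ultrasound system are considered.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# (protocol, port) -> service, transcribed from Table 1 of the white paper.
TABLE1_PORTS = {
    ("tcp", 80): "Administration Portal - Microsoft IIS",
    ("tcp", 104): "DICOM Communication",
    ("udp", 137): "NetBIOS Name Service",
    ("tcp", 443): "Administration Portal - Remote Service (encrypted)",
    ("tcp", 2762): "Secure DICOM (optional)",
    ("tcp", 11080): "Remote Assist (eSieLink)",
}
for _port in (8226, 8227, 8228, 12061, 13001):
    TABLE1_PORTS[("tcp", _port)] = "Managed Node Package MNP"

# Constructed site policy: the "identified peers" allowed per documented port.
# Addresses and roles are placeholders, not values from the white paper.
IDENTIFIED_PEERS = {
    ("tcp", 104): ["10.20.0.10/32"],    # PACS
    ("tcp", 2762): ["10.20.0.10/32"],   # PACS, encrypted DICOM
    ("tcp", 443): ["10.20.5.0/28"],     # administrator workstations
    ("tcp", 11080): ["10.20.9.1/32"],   # remote-service router
}


@dataclass(frozen=True)
class Flow:
    """One inbound connection to the ultrasound system (e.g. a NetFlow record)."""
    src: str
    proto: str
    dport: int


def classify(flow, peers=IDENTIFIED_PEERS):
    """Return 'allowed', 'unidentified-peer' or 'undocumented-port' for a flow."""
    key = (flow.proto.lower(), flow.dport)
    if key not in TABLE1_PORTS:
        # The vendor firewall should already block this; seeing it is a finding.
        return "undocumented-port"
    src = ip_address(flow.src)
    if any(src in ip_network(net) for net in peers.get(key, [])):
        return "allowed"
    # Documented port, but the source is not a peer the site has identified.
    return "unidentified-peer"


def audit(flows, peers=IDENTIFIED_PEERS):
    """List (verdict, flow, service) for every flow the ACL should have dropped."""
    findings = []
    for flow in flows:
        verdict = classify(flow, peers)
        if verdict != "allowed":
            key = (flow.proto.lower(), flow.dport)
            findings.append((verdict, flow, TABLE1_PORTS.get(key, "not in Table 1")))
    return findings


def ports_without_peers(peers=IDENTIFIED_PEERS):
    """Documented ports the site policy grants to nobody: candidates to block
    entirely at the segment boundary."""
    return sorted(key for key in TABLE1_PORTS if not peers.get(key))


# Constructed sample flows for illustration.
SAMPLE_FLOWS = [
    Flow("10.20.0.10", "tcp", 104),   # PACS to DICOM
    Flow("10.20.7.44", "tcp", 104),   # unknown host to DICOM
    Flow("10.20.5.3", "tcp", 443),    # admin workstation to portal
    Flow("10.20.5.3", "tcp", 8080),   # port not in Table 1
    Flow("10.20.0.10", "udp", 104),   # right port number, wrong protocol
    Flow("10.20.7.44", "tcp", 80),    # documented port with no identified peer
]

if __name__ == "__main__":
    for verdict, flow, service in audit(SAMPLE_FLOWS):
        print(f"{verdict:18} {flow.src:>12} -> {flow.proto}/{flow.dport} ({service})")
    print("documented ports with no identified peer:", ports_without_peers())
```
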
| Port number | Service/function | Direction (in/out) | Protocol |
|---|---|---|---|
| 80 | Administration Portal – Microsoft IIS | In/Out | TCP |
| 104 | DICOM Communication | In/Out | TCP / DICOM |
| 137 | NetBIOS Name Service (Used for Remote Desktop) | In/Out | UDP |
| 443 | Administration Portal – Remote Service (encrypted) | In/Out | TCP |
| 2762 | Secure DICOM (optional) | In/Out | TCP |
| 8226 | Managed Node Package MNP | In/Out | TCP |
| 8227 | Managed Node Package MNP | In/Out | TCP |
| 8228 | Managed Node Package MNP | In/Out | TCP |
| 11080 | Remote Assist (eSieLink) | In/Out | TCP |
| 12061 | Managed Node Package MNP | In/Out | TCP |
| 13001 | Managed Node Package MNP | In/Out | TCP |

Allowed services accessible through network running on the device:

| Service | Description | Startup type | Log on as |
|---|---|---|---|
| AppIDSvc | Determines and verifies the identity of an application | Automatic | Local System |
| AudioEndpointBuilder | Manages audio devices for the Windows Audio service. | Automatic | Local System |
| Audiosrv | Manages audio for Windows-based programs. | Automatic | Local Service |
| BFE | Manages firewall and Internet Protocol security (IPsec) policies. | Automatic | Local System |
| BrokerInfrastructure | Windows infrastructure service that controls which background tasks can run on the system. | Automatic | Local System |
| BrUnvPrnPortPCL | Brother Universal Printer port service | Automatic | Local Service |
| CDPUserSvc | This user service is used for Connected Devices Platform scenarios | Automatic | Local System |
| ControlPanelService | Control Panel WCF Service | Manual | Local System |
| CoreMessaging | CoreMessaging manages communication between system components. | Automatic | Local Service |
| CertPropSvc | Copies user certificates and root certificates from smart cards into the current user's certificate store. | Automatic | Local System |
| cRSP-Teamviewer-Moderator-Gateway | cRSP Teamviewer Moderator Gateway working as proxy for RTC's | Automatic | Local System |
| Cryptographic Services | This service provides three management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Network Service |
| CsaCompMgrInit | CsaCompMgrInit provides boot service for the syngo component manager. | Automatic | Local System |
| DCOM Server Process Launcher | The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running. | Automatic | Local System |
| DeviceAssociationService | Enables pairing between the system and wired or wireless devices | Automatic | Local System |
| DHCP Client | This service registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP addresses and DNS updates. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Local Service |
| Diagnostic Policy Service | The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function. | Automatic | Local Service |
| Diagnostic Service Host | The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context. If this service is stopped, any diagnostics that depend on it will no longer function. | Automatic | Local Service |
| Diagnostic System Host | The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. If this service is stopped, any diagnostics that depend on it will no longer function. | Manual | Local System |
| Distributed Link Tracking Client | This service maintains links between NTFS files within a computer or across computers in a network. | Automatic | Local System |
| DNS Client | The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start. | Automatic (Trigger Start) | Network Service |
| IIS Admin Service | This service enables this server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. If this service is stopped, the server will be unable to configure SMTP or FTP. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Local System |
| IKE and AuthIP IPsec Keying Modules | The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keying modules are used for authentication and key exchange in Internet Protocol security (IPsec). Stopping or disabling the IKEEXT service will disable IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service might result in an IPsec failure and might compromise the security of the system. It is strongly recommended that you have the IKEEXT service running. | Automatic (Trigger Start) | Local System |
| IpOverUsbSvc | Enables communication between the Windows SDK and a Windows Device | Automatic | Local System |
| Intel(R) HD Graphics Control Panel Service | This service serves for Intel(R) HD Graphics Control Panel. | Automatic | Local System |
| Local Session Manager | Core Windows Service that manages local user sessions. Stopping or disabling this service will result in system instability. | Automatic | Local System |
| LanmanServer | Supports file, print, and named-pipe sharing over the network for this computer | Automatic | Local System |
| LanmanWorkstation | Creates and maintains client network connections to remote servers using the SMB protocol | Automatic | Network Service |
| LicenseManager | Provides infrastructure support for the Windows Store | Manual | Local System |
| lmhosts | Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network. | Manual | Local System |
| MpsSvc | Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network | Automatic | Local Service |
| MSMQ | Provides a messaging infrastructure. | Automatic | Network Service |
| Network List Service | This service identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change. | Automatic | Local Service |
| Network Location Awareness | This service collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Network Service |
| Network Store Interface Service | This service delivers network notifications (e.g. interface addition/deleting etc) to user mode clients. Stopping this service will cause loss of network connectivity. If this service is disabled, any other services that explicitly depend on this service will fail to start. | Automatic | Local Service |
| NVIDIA Display Container | NVIDIA Display Container LS provides the container service for NVIDIA root features. | Automatic | Local System |
| NVIDIA WMI Provider | This service provides WMI objects for managing NVIDIA components of the system. | Automatic | Local System |
| pla | Performance Logs and Alerts Collects performance data from local or remote computers. | Manual | Local System |
| Plug and Play | This service enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. | Manual | Local System |
| PolicyAgent | Internet Protocol security (IPsec) supports network-level peer authentication. | Manual | Network Service |
| Power | This service manages power policy and power policy notification delivery. | Automatic | Local System |
| Print Spooler | This service spools print jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers. | Automatic | Local System |
| Program Compatibility Assistant Service | This service provides support for the Program Compatibility Assistant (PCA). PCA monitors programs installed and run by the user and detects known compatibility problems. If this service is stopped, PCA will not function properly. | Automatic | Local System |
| Remote Procedure Call (RPC) | The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activations requests, object exporter resolutions and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the RPCSS service running. | Automatic | Network Service |
| RPC Endpoint Mapper | This service resolves RPC interfaces identifiers to transport endpoints. If this service is stopped or disabled, programs using Remote Procedure Call (RPC) services will not function properly. | Automatic | Network Service |
| SD_SERVER | This service serves for the SD server. | Automatic | Local System |
| Secondary Logon | This service enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual | Local System |
| Security Accounts Manager | The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled. | Automatic | Local System |
| scsrvc | McAfee Solidifier Service | Automatic | Local System |
| Shell Hardware Detection | This service provides notifications for AutoPlay hardware events. | Automatic | Local System |
| State Repository Service | The service provides required infrastructure support for the application model. | Manual | Local System |
| Sync Host | This service synchronizes mail, contacts, calendar and various other user data. Mail and other applications dependent on this functionality will not work properly when this service is not running. | Automatic (Delayed Start) | Local System |
| SysMgmt.WcfService | This service serves for SysMgmt.WcfService in Syngo. | Automatic | Local System |
| System Event Notification Service | This service monitors system events and notifies subscribers to COM+ Event System of these events. | Automatic | Local System |
| System Events Broker | This service coordinates execution of background work for WinRT application. If this service is stopped or disabled, then background work might not be triggered. | Automatic (Trigger Start) | Local System |
| SQLWriter | Provides the interface to backup/restore Microsoft SQL server through the Windows VSS infrastructure | Automatic | Local System |
| Task Scheduler | This service enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Local System |
| TCP/IP NetBIOS Helper | This service provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and log on to the network. If this service is stopped, these functions might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Manual (Trigger Start) | Local Service |
| Tile Data model server | This tile server provides the service for tile updates. | Automatic | Local System |
| Time Broker | This service coordinates execution of background work for WinRT application. If this service is stopped or disabled, then background work might not be triggered. | Manual (Trigger Start) | Local Service |
| Touch Keyboard and Handwriting Panel Service | This service enables Touch Keyboard and Handwriting Panel pen and ink functionality | Automatic (Trigger Start) | Local System |
| TRANSFERMGR | The manager enables TransferMgr service. | Automatic | Local System |
| User Manager | User Manager provides the runtime components required for multi-user interaction. If this service is stopped, some applications may not operate correctly. | Automatic (Trigger Start) | Local System |
| User Profile Service | This service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users will no longer be able to successfully sign in or sign out, apps might have problems getting to users' data, and components registered to receive profile event notifications won't receive them. | Automatic | Local System |
| VERSANTD | This service serves the daemon for VERSANT in Syngo. | Automatic | Local System |
| Vnc server | Enables VNC Viewer users to connect to and control this computer | Automatic | Local System |
| Windows Audio | This service manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Local Service |
| w3log service | Provides W3C logging for Internet Information Services (IIS) | Manual | Local System |
| W3SVC | Provides Web connectivity and administration through the Internet Information Services Manager | Automatic | Local System |
| Windows Connection Manager | This service makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables management of network connectivity based on Group Policy settings. | Automatic (Trigger Start) | Local Service |
| Windows Driver Foundation - User-mode Driver Framework | This service creates and manages user-mode driver processes. This service cannot be stopped. | Manual (Trigger Start) | Local System |
| Windows Event Collector | This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. If this service is stopped or disabled event subscriptions cannot be created and forwarded events cannot be accepted. | Automatic | Network Service |
| Windows Event Log | This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service may compromise security and reliability of the system. | Automatic | Local Service |
| Windows Management Instrumentation | This service provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Automatic | Local System |
| Windows Modules Installer | This service enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, install or uninstall of Windows updates might fail for this computer. | Manual | Local System |
| Windows Process Activation Service | The Windows Process Activation Service (WAS) provides process activation, resource management and health management services for message-activated applications. | Manual | Local System |
| Windows Push Notifications System Service | This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. | Automatic | Local System |
| Windows Remote Management (WS-Management) | Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener using winrm.cmd command line tool or through Group Policy in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS do not use the /wsman URL prefix. | Automatic (Delayed Start) | Network Service |
| WinHTTP Web Proxy Auto-Discovery Service | WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for auto-discovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (WPAD) protocol. | Manual | Local Service |

Security Controls

Malware Protection

• The systems provide Whitelisting (McAfee® Application Control).

Controlled Use of Administrative Privileges

• The system distinguishes between clinical and administrative roles. Local users with clinical roles do not require administrative privileges. Authorization as administrator is required for administrative tasks.

Authentication

• The systems support Health Insurance Portability and Accountability Act (HIPAA) regulation with role-based privilege assignment and access control.
• The systems support both: machine local users and LDAP defined users.
• The user interface of the systems with VA50 software provides a screen lock functionality that can be engaged manually or automatically after a certain inactivity time. For details, please refer to the User Manual.

Security Scanning and Vulnerability Monitoring

• Regular scanning with Tenable Nessus and monthly assessment of identified vulnerabilities, as per the FDA Post-Market Cybersecurity Guidance.

Hardening

• Hardening of the systems with VA50 software is implemented based on the Security Technical Implementation Guides developed by the Defense Information Systems Agency (DISA).

Network Controls

• The system is designed to make limited use of network ports and protocols. The Microsoft Windows firewall is configured to block unwanted inbound network traffic except for the ports listed in Table 1.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g., a separate network segment or VLAN.
• Connection to the Internet or private networks for patients/guests is not recommended.
• In case of a denial of service (DoS) or malware attack, the system can be taken off the network and operated in a stand-alone state.

Physical Safeguards

• Customer is responsible for the physical protection of the systems, e.g., by operating them in a room with access control. Please note that the systems contain patient data and should be protected against tampering and theft.
• The systems are protected by Secure Boot, which blocks unsigned boot media.
• The systems support the ability to change the BIOS password. Please contact Siemens Healthineers Service for support.

Data Protection Controls

• The systems are not intended to be an archive (data at rest).
• PHI is protected by both role-based access control as well as hard drive encryption (optional).
• Hard drive encryption is an optional feature that is implemented through Microsoft BitLocker technology and use of the TPM (Trusted Platform Module) chip on the system’s motherboard.
• The systems provide auditing of PHI access control.
• The systems support handling of encrypted USB drives (BitLocker To Go feature).
• Optionally, confidentiality and integrity of PHI/PII data can be protected by encryption of DICOM communication with other DICOM nodes. Note: Encrypted DICOM communication on the systems can be used if all connected DICOM nodes support it.

Auditing/Logging

The system provides HIPAA-compliant auditing of operations on PHI, PII, and user information (i.e., login, read access to PHI, modification of PHI).

Remote Connectivity

• Remote service tools are optionally used for proactive maintenance. The connection is created using a secured channel (VPN- or IBC-based connection). This remote-service-based connection is intended for remote diagnostics, downloading security patches and updates.
• Note: The systems will no longer support IBC based connections on July 1st 2023.

Incident Response and Management

The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents.
Shared Responsibilities
Cyber-security of the ACUSON Sequoia ultrasound system and the ACUSON Sequoia Select ultrasound system is a shared responsibility, covered by the vendor responsibility (e.g., system hardening) as well as the customer responsibility (e.g., network configuration). For a detailed description of vendor responsibility – RESPONSIBLE ORGANIZATION obligations, see chapter Manufacturer Disclosure Statement – Instructions for the responsible organization.

Software Bill of Materials
The following table lists relevant third-party technologies used. A comprehensive list is maintained in Teamplay Fleet [1]: https://fleet.siemens-healthineers.com/welcome

| Vendor name | Component name | Component version | Description/use |
|---|---|---|---|
| Microsoft | Windows 10 LTSB IoT Enterprise | 2016 LTSB | Operating System |
| Intel | Integrated Performance Primitives (IPP) | 1.6.0, 9.0.4 | Signal processing |
| Microsoft | Microsoft ODBC Driver for SQL Server | 13.2 | Used by SysCare System Health database for archiving utilization data |
| Microsoft | NuGet Package: Microsoft.AspNet.WebApi | 5.2.6 | ASP.NET Web API is a framework that makes it easy to build HTTP services |
| Microsoft | NuGet Package: Microsoft.AspNet.Cors | 5.2.6 | Enables the CORS in ASP.NET |
| Microsoft | NuGet Package: Microsoft.Owin | 4.0.0 | Owin implementation for ASP.NET identity |
| Python Software Foundation | Python | 3.7.3 | Provides Python runtime environment |
| P7ZIP | 7-Zip Command Line Version (p7zip) | 19.00 | Used for compressing service log files |
| NVIDIA | Graphics Driver | 443.18 | Video Configuration Software |
| NVIDIA | CUDA Toolkit | 10.1 | Provides API and runtime for CUDA code used in UIF and UBE |

[1] For supported countries. Requires a customer account in Teamplay Fleet. Please contact your local Siemens Healthineers organization for further details.
Manufacturer Disclosure Statement (MDS2)
Copyright to this MDS2 Form belongs to the National Electrical Manufacturers Association (NEMA) and the Health Information and Management Systems Society (HIMSS) (https://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx)

| Question ID | Question | Answer | See Note |
|---|---|---|---|
| DOC-1 | Manufacturer Name | Siemens Healthineers | __ |
| DOC-2 | Device Description | Diagnostic Ultrasound | __ |
| DOC-3 | Device Model | ACUSON Sequoia VA50 and ACUSON Sequoia Select VA50 | __ |
| DOC-4 | Document ID | 11657862-FPD-023-02 | __ |
| DOC-5 | Manufacturer Contact Information | Siemens Medical Solutions - Ultrasound, 22010 SE 51st St, Issaquah, WA 98029 | __ |
| DOC-6 | Intended use of device in network-connected environment: | Ultrasound general imaging scanner | __ |
| DOC-7 | Document Release Date | 16-Jan-2023 | __ |
| DOC-8 | Coordinated Vulnerability Disclosure: Does the manufacturer have a vulnerability disclosure program for this device? | Yes, see https://new.siemens.com/global/en/products/services/cert/vulnerability-process.html | |
| DOC-9 | ISAO: Is the manufacturer part of an Information Sharing and Analysis Organization? | Yes | |
| DOC-10 | Diagram: Is a network or data flow diagram available that indicates connections to other system components or expected external resources? | Yes, see section Network Information | |
| DOC-11 | SaMD: Is the device Software as a Medical Device (i.e. software-only, no hardware)? | No | __ |
| DOC-11.1 | Does the SaMD contain an operating system? | N/A | __ |
| DOC-11.2 | Does the SaMD rely on an owner/operator provided operating system? | N/A | __ |
| DOC-11.3 | Is the SaMD hosted by the manufacturer? | N/A | __ |
| DOC-11.4 | Is the SaMD hosted by the customer? | N/A | __ |

Management of personally identifiable information (MPII)

| Question ID | Question | Answer | Note |
|---|---|---|---|
| MPII-1 | Can this device display, transmit, store, or modify personally identifiable information (e.g. electronic Protected Health Information (ePHI))? | Yes | __ |
| MPII-2 | Does the device maintain personally identifiable information? | Yes | __ |
| MPII-2.1 | Does the device maintain personally identifiable information temporarily in volatile memory (i.e., until cleared by power-off or reset)? | Yes | __ |
| MPII-2.2 | Does the device store personally identifiable information persistently on internal media? | Yes | __ |
| MPII-2.3 | Is personally identifiable information preserved in the device’s non-volatile memory until explicitly erased? | Yes | __ |
| MPII-2.4 | Does the device store personally identifiable information in a database? | Yes | __ |
| MPII-2.5 | Does the device allow configuration to automatically delete local personally identifiable information after it is stored to a long term solution? | See Notes | Exported DICOM studies will be deleted automatically when hard drive utilization reaches a predefined threshold (65%) or manually by customer. |
| MPII-2.6 | Does the device import/export personally identifiable information with other systems (e.g., a wearable monitoring device might export personally identifiable information to a server)? | See Notes | The DICOM studies (DICOM data objects) transfer to / from PACS. |
| MPII-2.7 | Does the device maintain personally identifiable information when powered off, or during power service interruptions? | Yes | __ |
| MPII-2.8 | Does the device allow the internal media to be removed by a service technician (e.g., for separate destruction or customer retention)? | See Notes | The device allows removing internal media by trained service personnel. The device cover has to be removed in order to remove internal media. |
| MPII-2.9 | Does the device allow personally identifiable information records be stored in a separate location from the device’s operating system (i.e. secondary internal drive, alternate drive partition, or remote storage location)? | See Notes | The DICOM studies with PII can be anonymized before exporting and storing to external USB flash drive or DVD. |
| MPII-3 | Does the device have mechanisms used for the transmitting, importing/exporting of personally identifiable information? | Yes | __ |
| MPII-3.1 | Does the device display personally identifiable information (e.g., video display, etc.)? | Yes | __ |
| MPII-3.2 | Does the device generate hardcopy reports or images containing personally identifiable information? | Yes | __ |
| MPII-3.3 | Does the device retrieve personally identifiable information from or record personally identifiable information to removable media (e.g., removable-HDD, USB memory, DVD-R/RW, CD-R/RW, tape, CF/SD card, memory stick, etc.)? | Yes | __ |
| MPII-3.4 | Does the device transmit/receive or import/export personally identifiable information via dedicated cable connection (e.g., RS-232, RS-423, USB, FireWire, etc.)? | See Notes | The DICOM studies with PII can be imported and exported via USB. |
| MPII-3.5 | Does the device transmit/receive personally identifiable information via a wired network connection (e.g., RJ45, fiber optic, etc.)? | See Notes | DICOM transfer to PACS, RIS (via RJ45) |
| MPII-3.6 | Does the device transmit/receive personally identifiable information via a wireless network connection (e.g., WiFi, Bluetooth, NFC, infrared, cellular, etc.)? | See Notes | DICOM transfer to PACS, RIS (via WiFi) |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| MPII-3.7 | Does the device transmit/receive personally identifiable information over an external network (e.g., Internet)? | See Notes | DICOM transfer or remote service troubleshooting over secure SRS IBC / VPN connection. |
| MPII-3.8 | Does the device import personally identifiable information via scanning a document? | No | __ |
| MPII-3.9 | Does the device transmit/receive personally identifiable information via a proprietary protocol? | No | __ |
| MPII-3.10 | Does the device use any other mechanism to transmit, import or export personally identifiable information? | No | __ |

Management of Private Data notes:

Automatic Logoff (ALOF)
The device's ability to prevent access and misuse by unauthorized users if device is left idle for a period of time.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| ALOF-1 | Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? | Yes | __ |
| ALOF-2 | Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? | Yes | __ |

Audit Controls (AUDT)
The ability to reliably audit activity on the device.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| AUDT-1 | Can the medical device create additional audit logs or reports beyond standard operating system logs? | Yes | __ |
| AUDT-1.1 | Does the audit log record a USER ID? | Yes | __ |
| AUDT-1.2 | Does other personally identifiable information exist in the audit trail? | See Notes | User Name |
| AUDT-2 | Are events recorded in an audit log? If yes, indicate which of the following events are recorded in the audit log: | Yes | __ |
| AUDT-2.1 | Successful login/logout attempts? | Yes | __ |
| AUDT-2.2 | Unsuccessful login/logout attempts? | Yes | __ |
| AUDT-2.3 | Modification of user privileges? | Yes | __ |
| AUDT-2.4 | Creation/modification/deletion of users? | Yes | __ |
| AUDT-2.5 | Presentation of clinical or PII data (e.g. display, print)? | Yes | __ |
| AUDT-2.6 | Creation/modification/deletion of data? | Yes | __ |
| AUDT-2.7 | Import/export of data from removable media (e.g. USB drive, external hard drive, DVD)? | Yes | __ |
| AUDT-2.8 | Receipt/transmission of data or commands over a network or point-to-point connection? | Yes | __ |
| AUDT-2.8.1 | Remote or on-site support? | Yes | __ |
| AUDT-2.8.2 | Application Programming Interface (API) and similar activity? | No | __ |
| AUDT-2.9 | Emergency access? | Yes | __ |
| AUDT-2.10 | Other events (e.g., software updates)? | Yes | __ |
| AUDT-2.11 | Is the audit capability documented in more detail? | Yes | __ |
| AUDT-3 | Can the owner/operator define or select which events are recorded in the audit log? | Yes | __ |
| AUDT-4 | Is a list of data attributes that are captured in the audit log for an event available? | Yes | __ |
| AUDT-4.1 | Does the audit log record date/time? | Yes | __ |
| AUDT-4.1.1 | Can date and time be synchronized by Network Time Protocol (NTP) or equivalent time source? | Yes | __ |
| AUDT-5 | Can audit log content be exported? | Yes | __ |
| AUDT-5.1 | Via physical media? | Yes | __ |
| AUDT-5.2 | Via IHE Audit Trail and Node Authentication (ATNA) profile to SIEM? | No | __ |
| AUDT-5.3 | Via Other communications (e.g., external service device, mobile applications)? | See Notes | The device allows auto-transfer of collected logs or manual upload of collected logs via remote services. |
| AUDT-5.4 | Are audit logs encrypted in transit or on storage media? | See Notes | The audit logs are locally encrypted. The audit logs are transferred via secure remote service connection. |
| AUDT-6 | Can audit logs be monitored/reviewed by owner/operator? | Yes | __ |
| AUDT-7 | Are audit logs protected from modification? | See Notes | The content of audit logs is encrypted. |
| AUDT-7.1 | Are audit logs protected from access? | Yes | __ |
| AUDT-8 | Can audit logs be analyzed by the device? | No | __ |

Authorization (AUTH)
The ability of the device to determine the authorization of users.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| AUTH-1 | Does the device prevent access to unauthorized users through user login requirements or other mechanism? | Yes | __ |
| AUTH-1.1 | Can the device be configured to use federated credentials management of users for authorization (e.g., LDAP, OAuth)? | Yes | __ |
| AUTH-1.2 | Can the customer push group policies to the device (e.g., Active Directory)? | See Notes | The group with specific users can be created and added in the Active Directory. The device manages custom policies for this group. Custom policies are independent from Windows AD (custom policies include permission to collect logs, start a study, etc.) |
| AUTH-1.3 | Are any special groups, organizational units, or group policies required? | See Notes | Local user management relies on User Roles. |
| AUTH-2 | Can users be assigned different privilege levels based on 'role' (e.g., user, administrator, and/or service, etc.)? | Yes | __ |
| AUTH-3 | Can the device owner/operator grant themselves unrestricted administrative privileges (e.g., access operating system or application via local root or administrator account)? | No | __ |
| AUTH-4 | Does the device authorize or control all API access requests? | See Notes | The device integrates McAfee Application Control - Whitelisting controls execution of all executable and prevents access to the system for all untrusted SW components. |
| AUTH-5 | Does the device run in a restricted access mode, or ‘kiosk mode’, by default? | Yes | __ |
Cybersecurity Product Upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade device's security patches.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| CSUP-1 | Does the device contain any software or firmware which may require security updates during its operational life, either from the device manufacturer or from a third-party manufacturer of the software/firmware? If no, answer “N/A” to questions in this section. | Yes | __ |
| CSUP-2 | Does the device contain an Operating System? If yes, complete 2.1-2.4. | Yes | __ |
| CSUP-2.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | See Notes | Remote service based updates (RUH) |
| CSUP-2.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See Notes | The device requires assistance for remote service based updates (RUH) or onsite service updates. |
| CSUP-2.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | __ |
| CSUP-2.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | __ |
| CSUP-3 | Does the device contain Drivers and Firmware? If yes, complete 3.1-3.4. | Yes | __ |
| CSUP-3.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | Yes | The instructions are provided for remote service-based (RUH) updates. |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| CSUP-3.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See Notes | The device requires assistance for remote service based updates (RUH) or onsite service updates. |
| CSUP-3.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | __ |
| CSUP-3.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | __ |
| CSUP-4 | Does the device contain Anti-Malware Software? If yes, complete 4.1-4.4. | Yes | __ |
| CSUP-4.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | See Notes | The instructions are provided for remote service based (RUH) updates. |
| CSUP-4.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See Notes | The device requires assistance for remote service based updates (RUH) or onsite service updates. |
| CSUP-4.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | __ |
| CSUP-4.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | __ |
| CSUP-5 | Does the device contain Non-Operating System commercial off-the-shelf components? If yes, complete 5.1-5.4. | Yes | __ |
| CSUP-5.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | See Notes | The instructions are provided for remote service based (RUH) updates. |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| CSUP-5.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | See Notes | The device requires assistance for remote service based updates (RUH) or onsite service updates. |
| CSUP-5.3 | Does the device have the capability to receive remote installation of patches or software updates? | Yes | __ |
| CSUP-5.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | No | __ |
| CSUP-6 | Does the device contain other software components (e.g., asset management software, license management)? If yes, please provide details or reference in notes and complete 6.1-6.4. | No | __ |
| CSUP-6.1 | Does the device documentation provide instructions for owner/operator installation of patches or software updates? | N/A | __ |
| CSUP-6.2 | Does the device require vendor or vendor-authorized service to install patches or software updates? | N/A | __ |
| CSUP-6.3 | Does the device have the capability to receive remote installation of patches or software updates? | N/A | __ |
| CSUP-6.4 | Does the medical device manufacturer allow security updates from any third-party manufacturers (e.g., Microsoft) to be installed without approval from the manufacturer? | N/A | __ |
| CSUP-7 | Does the manufacturer notify the customer when updates are approved for installation? | Yes | __ |
| CSUP-8 | Does the device perform automatic installation of software updates? | No | __ |
| CSUP-9 | Does the manufacturer have an approved list of third-party software that can be installed on the device? | Yes | __ |
| CSUP-10 | Can the owner/operator install manufacturer-approved third-party software on the device themselves? | No | __ |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| CSUP-10.1 | Does the system have mechanism in place to prevent installation of unapproved software? | See Notes | McAfee Application Control prevents access to the system and installation attempts for all unapproved software. |
| CSUP-11 | Does the manufacturer have a process in place to assess device vulnerabilities and updates? | Yes | __ |
| CSUP-11.1 | Does the manufacturer provide customers with review and approval status of updates? | See Notes | Status of the updates is available via the remote service portal. |
| CSUP-11.2 | Is there an update review cycle for the device? | See Notes | Monthly |

Health Data De-Identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| DIDT-1 | Does the device provide an integral capability to de-identify personally identifiable information? | Yes | __ |
| DIDT-1.1 | Does the device support de-identification profiles that comply with the DICOM standard for de-identification? | See Notes | The systems support de-identification profiles. The system de-identification capability complies with the GDPR and the FDA guidance. For detailed description of DICOM de-identification profiles supported by the systems, see the product White Paper. |

Data Backup and Disaster Recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, software, or site configuration information.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| DTBK-1 | Does the device maintain long term primary storage of personally identifiable information / patient information (e.g. PACS)? | No | __ |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| DTBK-2 | Does the device have a “factory reset” function to restore the original device settings as provided by the manufacturer? | See Notes | Factory image via Service Partition or Reset the system setting to default. |
| DTBK-3 | Does the device have an integral data backup capability to removable media? | No | __ |
| DTBK-4 | Does the device have an integral data backup capability to remote storage? | No | __ |
| DTBK-5 | Does the device have a backup capability for system configuration information, patch restoration, and software restoration? | See Notes | The device has a backup capability for ultrasound configuration presets. |
| DTBK-6 | Does the device provide the capability to check the integrity and authenticity of a backup? | See Notes | The device provides a capability to check the backup integrity. |

Emergency Access (EMRG)
The ability of the device user to access personally identifiable information in case of a medical emergency situation that requires immediate access to stored personally identifiable information.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| EMRG-1 | Does the device incorporate an emergency access (i.e. “break-glass”) feature? | Yes | __ |

Health Data Integrity and Authenticity (IGAU)
How the device ensures that the stored data on the device has not been altered or destroyed in a non-authorized manner and is from the originator.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| IGAU-1 | Does the device provide data integrity checking mechanisms of stored health data (e.g., hash or digital signature)? | No | __ |
| IGAU-2 | Does the device provide error/failure protection and recovery mechanisms for stored health data (e.g., RAID-5)? | No | __ |

Malware Detection/Protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).

| Question ID | Question | Answer | Note |
|---|---|---|---|
| MLDP-1 | Is the device capable of hosting executable software? | Yes | __ |
| MLDP-2 | Does the device support the use of anti-malware software (or other anti-malware mechanism)? Provide details or reference in notes. | See Notes | The device provides Whitelisting by McAfee Application Control as alternative cybersecurity control. |
| MLDP-2.1 | Does the device include anti-malware software by default? | Yes | __ |
| MLDP-2.2 | Does the device have anti-malware software available as an option? | See Notes | McAfee Application Control is always included and running. The device doesn't provide it as an option. |
| MLDP-2.3 | Does the device documentation allow the owner/operator to install or update anti-malware software? | No | __ |
| MLDP-2.4 | Can the device owner/operator independently (re-)configure anti-malware settings? | No | __ |
| MLDP-2.5 | Does notification of malware detection occur in the device user interface? | No | __ |
| MLDP-2.6 | Can only manufacturer-authorized persons repair systems when malware has been detected? | Yes | __ |
| MLDP-2.7 | Are malware notifications written to a log? | Yes | __ |
| MLDP-2.8 | Are there any restrictions on anti-malware (e.g., purchase, installation, configuration, scheduling)? | See Notes | No additional anti-malware can be added to the system. |
| MLDP-3 | If the answer to MLDP-2 is NO, and anti-malware cannot be installed on the device, are other compensating controls in place or available? | N/A | __ |
| MLDP-4 | Does the device employ application whitelisting that restricts the software and services that are permitted to be run on the device? | Yes | __ |
| MLDP-5 | Does the device employ a host-based intrusion detection/prevention system? | No | __ |
| MLDP-5.1 | Can the host-based intrusion detection/prevention system be configured by the customer? | N/A | __ |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| MLDP-5.2 | Can a host-based intrusion detection/prevention system be installed by the customer? | N/A | __ |

Node Authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| NAUT-1 | Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information (e.g. Web APIs, SMTP, SNMP)? | See Notes | Certificate based node authentication is possible only when communicating over DICOM-TLS. |
| NAUT-2 | Are network access control mechanisms supported (E.g., does the device have an internal firewall, or use a network connection white list)? | See Notes | Windows 10 Firewall |
| NAUT-2.1 | Is the firewall ruleset documented and available for review? | See Notes | Open TCP Ports and protocols are published. Firewall rules are not published. |
| NAUT-3 | Does the device use certificate-based network connection authentication? | See Notes | Only WiFi connections using EAP-TLS-based connectivity. |

Connectivity Capabilities (CONN)
All network and removable media connections must be considered in determining appropriate security controls. This section lists connectivity capabilities that may be present on the device.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| CONN-1 | Does the device have hardware connectivity capabilities? | Yes | __ |
| CONN-1.1 | Does the device support wireless connections? | Yes | __ |
| CONN-1.1.1 | Does the device support Wi-Fi? | Yes | __ |
| CONN-1.1.2 | Does the device support Bluetooth? | No | __ |
| CONN-1.1.3 | Does the device support other wireless network connectivity (e.g. LTE, Zigbee, proprietary)? | No | __ |
| CONN-1.1.4 | Does the device support other wireless connections (e.g., custom RF controls, wireless detectors)? | No | __ |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| CONN-1.2 | Does the device support physical connections? | Yes | __ |
| CONN-1.2.1 | Does the device have available RJ45 Ethernet ports? | Yes | __ |
| CONN-1.2.2 | Does the device have available USB ports? | Yes | __ |
| CONN-1.2.3 | Does the device require, use, or support removable memory devices? | Yes | __ |
| CONN-1.2.4 | Does the device support other physical connectivity? | See Notes | Physio connectors, Siemens Ultrasound probes physical interface |
| CONN-2 | Does the manufacturer provide a list of network ports and protocols that are used or may be used on the device? | Yes | __ |
| CONN-3 | Can the device communicate with other systems within the customer environment? | Yes | __ |
| CONN-4 | Can the device communicate with other systems external to the customer environment (e.g., a service host)? | See Notes | The device communicates via secure remote service connectivity. |
| CONN-5 | Does the device make or receive API calls? | See Notes | The device receives API calls over the remote service network when service interacts with it for troubleshooting purposes. |
| CONN-6 | Does the device require an internet connection for its intended use? | No | __ |
| CONN-7 | Does the device support Transport Layer Security (TLS)? | Yes | __ |
| CONN-7.1 | Is TLS configurable? | No | __ |
| CONN-8 | Does the device provide operator control functionality from a separate device (e.g., telemedicine)? | No | __ |

Person Authentication (PAUT)
The ability to configure the device to authenticate users.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| PAUT-1 | Does the device support and enforce unique IDs and passwords for all users and roles (including service accounts)? | Yes | __ |
| PAUT-1.1 | Does the device enforce authentication of unique IDs and passwords for all users and roles (including service accounts)? | See Notes | The device can be configured to enforce authentication. |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| PAUT-2 | Is the device configurable to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, OAuth, etc.)? | Yes | __ |
| PAUT-3 | Is the device configurable to lock out a user after a certain number of unsuccessful logon attempts? | Yes | __ |
| PAUT-4 | Are all default accounts (e.g., technician service accounts, administrator accounts) listed in the documentation? | Yes | __ |
| PAUT-5 | Can all passwords be changed? | Yes | __ |
| PAUT-6 | Is the device configurable to enforce creation of user account passwords that meet established (organization specific) complexity rules? | Yes | __ |
| PAUT-7 | Does the device support account passwords that expire periodically? | Yes | __ |
| PAUT-8 | Does the device support multi-factor authentication? | Yes | The device supports PKI authentication. |
| PAUT-9 | Does the device support single sign-on (SSO)? | No | __ |
| PAUT-10 | Can user accounts be disabled/locked on the device? | Yes | __ |
| PAUT-11 | Does the device support biometric controls? | No | __ |
| PAUT-12 | Does the device support physical tokens (e.g. badge access)? | See Notes | The device supports PKI (smart cards) authentication. |
| PAUT-13 | Does the device support group authentication (e.g. hospital teams)? | No | __ |
| PAUT-14 | Does the application or device store or manage authentication credentials? | Yes | __ |
| PAUT-14.1 | Are credentials stored using a secure method? | Yes | __ |

Physical Locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of personally identifiable information stored on the device or on removable media.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| PLOK-1 | Is the device software only? If yes, answer “N/A” to remaining questions in this section. | No | __ |

| Question ID | Question | Answer | Note |
|---|---|---|---|
| PLOK-2 | Are all device components maintaining personally identifiable information (other than removable media) physically secure (i.e., cannot remove without tools)? | Yes | __ |
| PLOK-3 | Are all device components maintaining personally identifiable information (other than removable media) physically secured behind an individually keyed locking device? | No | __ |
| PLOK-4 | Does the device have an option for the customer to attach a physical lock to restrict access to removable media? | No | __ |

Roadmap for Third Party Applications and Software Components in Device Life Cycle (RDMP)
Manufacturer’s plans for security support of third-party components within the device’s life cycle.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| RDMP-1 | Was a secure software development process, such as ISO/IEC 27034 or IEC 62304, followed during product development? | Yes | __ |
| RDMP-2 | Does the manufacturer evaluate third-party applications and software components included in the device for secure development practices? | Yes | __ |
| RDMP-3 | Does the manufacturer maintain a web page or other source of information on software support dates and updates? | See Notes | Siemens Healthineers Teamplay Fleet |
| RDMP-4 | Does the manufacturer have a plan for managing third-party component end-of-life? | Yes | __ |

Software Bill of Materials (SBoM)
A Software Bill of Material (SBoM) lists all the software components that are incorporated into the device being described for the purpose of operational security planning by the healthcare delivery organization. This section supports controls in the RDMP section.
| Question ID | Question | Answer | Note |
|---|---|---|---|
| SBOM-1 | Is the SBoM for this product available? | Yes | __ |
| SBOM-2 | Does the SBoM follow a standard or common method in describing software components? | Yes | __ |
| SBOM-2.1 | Are the software components identified? | Yes | __ |
| SBOM-2.2 | Are the developers/manufacturers of the software components identified? | Yes | __ |
| SBOM-2.3 | Are the major version numbers of the software components identified? | Yes | __ |
| SBOM-2.4 | Are any additional descriptive elements identified? | Yes | __ |
| SBOM-3 | Does the device include a command or process method available to generate a list of software components installed on the device? | No | __ |
| SBOM-4 | Is there an update process for the SBoM? | Yes | __ |

System and Application Hardening (SAHD)

The device’s inherent resistance to cyber attacks and malware.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| SAHD-1 | Is the device hardened in accordance with any industry standards? | See Notes | DISA STIGs |
| SAHD-2 | Has the device received any cybersecurity certifications? | See Notes | Precedent version VA30C has DoD IA accreditation. The Sequoia VA50 as of the publish date has not been submitted. |
| SAHD-3 | Does the device employ any mechanisms for software integrity checking? | See Notes | Application whitelisting is configured to write-protect installed software, and enforce checksum validation for all SW components before their start. |
| SAHD-3.1 | Does the device employ any mechanism (e.g., release-specific hash key, checksums, digital signature, etc.) to ensure the installed software is manufacturer-authorized? | See Notes | The device employs digital signature verification prior to the installation. |
| SAHD-3.2 | Does the device employ any mechanism (e.g., release-specific hash key, checksums, digital signature, etc.) to ensure the software updates are the manufacturer-authorized updates? | See Notes | The device employs digital signature verification (enforced by application whitelisting software). |
| SAHD-4 | Can the owner/operator perform software integrity checks (i.e., verify that the system has not been modified or tampered with)? | No | __ |
| SAHD-5 | Is the system configurable to allow the implementation of file-level, patient level, or other types of access controls? | See Notes | File-level access control is applied when “Data access check” is enabled in the service page. |
| SAHD-5.1 | Does the device provide role-based access controls? | Yes | __ |
| SAHD-6 | Are any system or user accounts restricted or disabled by the manufacturer at system delivery? | No | __ |
| SAHD-6.1 | Are any system or user accounts configurable by the end user after initial configuration? | Yes | __ |
| SAHD-6.2 | Does this include restricting certain system or user accounts, such as service technicians, to least privileged access? | No | __ |
| SAHD-7 | Are all shared resources (e.g., file shares) which are not required for the intended use of the device disabled? | Yes | __ |
| SAHD-8 | Are all communication ports and protocols that are not required for the intended use of the device disabled? | Yes | __ |
| SAHD-9 | Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which are not required for the intended use of the device deleted/disabled? | Yes | __ |
| SAHD-10 | Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled? | Yes | __ |
| SAHD-11 | Can the device prohibit boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? | See Notes | Booting from external media is password protected. |
| SAHD-12 | Can unauthorized software or hardware be installed on the device without the use of physical tools? | No | __ |
| SAHD-13 | Does the product documentation include information on operational network security scanning by users? | No | __ |
| SAHD-14 | Can the device be hardened beyond the default provided state? | No | __ |
| SAHD-14.1 | Are instructions available from vendor for increased hardening? | N/A | __ |
| SAHD-15 | Can the system prevent access to BIOS or other bootloaders during boot? | Yes | __ |
| SAHD-16 | Have additional hardening methods not included in 2.3.19 been used to harden the device? | No | __ |

Security Guidance (SGUD)

Availability of security guidance for operator and administrator of the device and manufacturer sales and service.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| SGUD-1 | Does the device include security documentation for the owner/operator? | Yes | __ |
| SGUD-2 | Does the device have the capability, and provide instructions, for the permanent deletion of data from the device or media? | Yes | __ |
| SGUD-3 | Are all access accounts documented? | Yes | __ |
| SGUD-3.1 | Can the owner/operator manage password control for all accounts? | Yes | __ |
| SGUD-4 | Does the product include documentation on recommended compensating controls for the device? | No | __ |

Health Data Storage Confidentiality (STCF)

The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of personally identifiable information stored on the device or removable media.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| STCF-1 | Can the device encrypt data at rest? | Yes | __ |
| STCF-1.1 | Is all data encrypted or otherwise protected? | Yes | __ |
| STCF-1.2 | Is the data encryption capability configured by default? | No | __ |
| STCF-1.3 | Are instructions available to the customer to configure encryption? | See Notes | The instructions are available for Service. |
| STCF-2 | Can the encryption keys be changed or configured? | No | __ |
| STCF-3 | Is the data stored in a database located on the device? | Yes | __ |
| STCF-4 | Is the data stored in a database external to the device? | No | __ |

Transmission Confidentiality (TXCF)

The ability of the device to ensure the confidentiality of transmitted personally identifiable information.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| TXCF-1 | Can personally identifiable information be transmitted only via a point-to-point dedicated cable? | No | __ |
| TXCF-2 | Is personally identifiable information encrypted prior to transmission via a network or removable media? | See Notes | The PII is encrypted only when the encrypted DICOM protocol is used for data transmission. |
| TXCF-2.1 | If data is not encrypted by default, can the customer configure encryption options? | No | __ |
| TXCF-3 | Is personally identifiable information transmission restricted to a fixed list of network destinations? | See Notes | A specific network destination has to be specified prior to DICOM transmission start. |
| TXCF-4 | Are connections limited to authenticated systems? | No | __ |
| TXCF-5 | Are secure transmission methods supported/implemented (DICOM, HL7, IEEE 11073)? | See Notes | Encrypted DICOM is supported. |

Transmission Integrity (TXIG)

The ability of the device to ensure the integrity of transmitted data.

| Question ID | Question | Answer | Note |
|---|---|---|---|
| TXIG-1 | Does the device support any mechanism (e.g., digital signatures) intended to ensure data is not modified during transmission? | No | __ |
| TXIG-2 | Does the device include multiple sub-components connected by external cables? | No | __ |

Remote Service (RMOT)

Remote service refers to all kinds of device maintenance activities performed by a service person via network or other remote connection.
| Question ID | Question | Answer | Note |
|---|---|---|---|
| RMOT-1 | Does the device permit remote service connections for device analysis or repair? | Yes | __ |
| RMOT-1.1 | Does the device allow the owner/operator to initiate remote service sessions for device analysis or repair? | See Notes | The operator on the ultrasound system can initiate a remote service session (SRS). |
| RMOT-1.2 | Is there an indicator for an enabled and active remote session? | Yes | __ |
| RMOT-1.3 | Can patient data be accessed or viewed from the device during the remote session? | Yes | |
| RMOT-2 | Does the device permit or use remote service connections for predictive maintenance data? | Yes | __ |
| RMOT-3 | Does the device have any other remotely accessible functionality (e.g. software updates, remote training)? | Yes | Remote updates, Remote training, Remote assistance. |

Other Security Considerations (OTHR)

NONE

Notes

NONE

Manufacturer Disclosure Statement (IEC 60601-1)

Z1 Instructions for the responsible Organization

Z1-1 Connection of the system to a NETWORK / DATA COUPLING that includes other equipment could result in previously unidentified risks to patients, operators or third parties; the RESPONSIBLE ORGANIZATION should identify, evaluate and control these risks.

Z1-2 Subsequent changes to the NETWORK / DATA COUPLING could introduce new RISKS and require additional analysis.
Z1-3 Changes to the network include:
  • changes in NETWORK/DATA COUPLING configuration;
  • connection of additional items to the NETWORK/DATA COUPLING;
  • disconnecting items from the NETWORK/DATA COUPLING;
  • update of equipment connected to the NETWORK/DATA COUPLING;
  • upgrade of equipment connected to the NETWORK/DATA COUPLING;

Z1-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is connected.

Z1-5 The RESPONSIBLE ORGANIZATION is fully responsible to ensure staff who have access to the device do not have the opportunity to cause any harm to the system.

Z1-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by non-authorized persons.

Z1-7 Staff of the RESPONSIBLE ORGANIZATION has to be trained in security. The RESPONSIBLE ORGANIZATION is responsible for providing this.

Z1-8 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that only authorized medical/administrative staff shall have access to the device.

Z1-9 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that visitors/patients do not have unsupervised physical access to the system.

Z1-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device service engineers.

Z1-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to the system.

Z1-12 The RESPONSIBLE ORGANIZATION shall ensure that neither access from the public internet nor from the organization’s intranet to the device is possible.

Z1-13 The RESPONSIBLE ORGANIZATION is responsible to ensure physical security for the device.

Z1-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be used.
Z1-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to change, prevent, or tamper with data in transit in any way.

Z1-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network for unusual traffic.

Z1-17 The RESPONSIBLE ORGANIZATION is responsible for the hard drive encryption keys and for preventing the theft or loss of those keys.

Z1 notes: None

Z2 Intended purpose of integrating the Device into an IT-Network

Z2-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node in the clinical network.

Z2-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for the exchange of images. Networking allows the transmission of acquired images to other DICOM-compatible review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS, making future retrievals fast and easy.

Z2-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations for detailed viewing and long-term storage.

Z2 notes: None

Z3 Network Properties required by the System and resulting risks

Z3-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with 1Gb/s performance:
  • if the network is down, the network services (see below) are not available, which can lead to the risks stated below.
      - if the network is unavailable, medical images cannot be transferred for remote consultation.
      - if the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of all the connected devices is much larger, which can lead to the risks stated below.
      - if the recommended network performance (1Gbit/s) is not provided, the transfer of images is extended, and availability of images at destinations (e.g., for consulting) is delayed.
  • only the protocols shown in the table of used ports are needed for communication.

Z3-2 PACS system for archiving images/results
  • If the PACS is not available:
      - images cannot be archived after the examination. In case of a system hardware failure, all non-archived images can be lost.
      - images cannot be archived after the examination. Examinations may no longer be possible because the hard drive is full as non-archived images cannot be automatically removed.
      - images cannot be archived after the examination. In case of manual deletion of images, unarchived images can be lost.
      - images are not available for remote consultation via PACS consoles.
      - prior images are not available.
If the recommended network performance (1Gbit/s) is not provided, the transfer time to PACS is extended, and the wait for switching off the system after the last transfer operations is prolonged.

Z3-3 DICOM printer
If the DICOM printer is not available, film is not available for diagnosis/archive.

Z3-4 RIS system
  • If the RIS system is not available:
      - the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of images when sent to the PACS until they are manually coerced with the RIS data in the PACS.
      - in the case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-current RIS data is used when registering a patient from the list of schedules on the system.
Z3-5 Network connection to the SRS server
If the connection to the Smart Remote Services server is not available, then support from Siemens Healthineers service is limited.

Z3-6 Common medical protocol properties
Protocols used in medical environments are typically unsecure, with the exception of secure Smart Remote Services (using HTTPS).

Z3-7 Unsuccessful data transfer not recognized
  • Function: Archiving and Networking
  • Hazard: Wrong diagnosis/loss of acquisition data
  • Caution: Data transfers between systems are not verified automatically. Data is lost if it is deleted locally before it has been successfully transferred to another system.
  • Measure: Since not all systems support automatic storage commitment, verify the correctness of the data transfer at the remote system before deleting the local data.
  • Effect on: Patient

Z3-8 Incorrect or incomplete data transfer
  • Function: Data Exchange – Network
  • Hazard: Wrong diagnosis, wrong examination/loss of acquisition data, loss of post processing results, corrupted data, inconsistent data
  • Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer, not all DICOM objects that are not considered are deleted, corrupted or unintentionally manipulated. Data on the sender and receiver side is not consistent. Failure of transfer not recognized.
  • Measure: It has to be verified by testing that there is no object loss during sending, which means:
      - Verify that exception scenarios result in a failed job (and check for other exceptions in log files).
      - Verify that error cases, which result in data not complying with the DICOM standard, are covered by exception scenarios.
  • Effect on: Patient

Z3-9 Insecure or incorrectly configured clinical network
  • Function: Network Security
  • Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy, wrong examination, repetition of examination/loss of acquisition data, corrupted data, system DoS
  • Caution: Unauthorized access may affect system performance and data security.
  • Cause: Any unauthorized access to the system may affect the system performance and data security and may lead to:
      - Lowered system performance and/or non-operational system
      - Loss of data security including loss of all patient data
  • Measure:
      - Enable your system administrator to ensure network security and the security of the operational infrastructure
      - Consult manuals for secure setup
      - Perform system updates as required
      - Run your medical device only in protected network environments, and do not connect it directly to public networks
      - Set up firewalls
      - Prevent configuration files from being changed by users
      - Update and patch networked systems as required
  • Effect on: Patient

Z3-10 BitLocker recovery keys not available when needed
  • Function: Hard drive encryption
  • Hazard: loss of patient data, system DoS
  • Caution: Customer should keep BitLocker recovery keys safe
  • Cause: If the customer opted for hard drive encryption and BitLocker fails to access the encrypted drive for whatever reason, the recovery keys will be needed by Siemens Healthineers Service to pause encryption and have offline access to the hard drive and the patient data stored on it.
  • Effect on: Patient, System

Z3 notes: None

ACUSON Sequoia and ACUSON Sequoia Select DICOM Anonymization

DICOM Tags Affected by Anonymization:

| Attribute Name | DICOM Tag | Value |
|---|---|---|
| Patient Name | (0010,0010) | User Entered String + Current Date Time String |
| Patient ID | (0010,0020) | “Anonymous” |
| Patient Birth Date | (0010,0030) | Empty |
| Patient Birth Time | (0010,0032) | Removed |
| Patient Sex | (0010,0040) | Other |
| Other Patient IDs | (0010,1000) | Removed |
| Other Patient Names | (0010,1001) | Removed |
| Patient’s Birth Name | (0010,1005) | Removed |
| Patient’s Mother’s Birth Name | (0010,1060) | Removed |
| Patient’s Telephone Numbers | (0010,2154) | Removed |
| SOP Instance UID | (0008,0018) | New value generated |
| Referenced Patient Sequence | (0008,1120) | Removed |
| Instance Creator UID | (0008,0014) | Removed |
| Accession Number | (0008,0050) | Empty |
| Institution Name | (0008,0080) | Removed |
| Institution Address | (0008,0081) | Removed |
| Referring Physician Name | (0008,0090) | Empty |
| Referring Physician Address | (0008,0092) | Removed |
| Referring Physician Telephone Number | (0008,0094) | Removed |
| Station Name | (0008,1010) | Removed |
| Study Description | (0008,1030) | Removed |
| Study Date | (0008,0020) | Current date |
| Study Time | (0008,0030) | Current date |
| Series Description | (0008,103E) | Removed |
| Series Date | (0008,0021) | Empty |
| Series Time | (0008,0031) | Empty |
| Performed Procedure Step Start Date | (0040,0244) | Empty |
| Performed Procedure Step Start Time | (0040,0245) | Empty |
| Institutional Department Name | (0008,1040) | Removed |
| Physicians of Record | (0008,1048) | Removed |
| Performing Physician Name | (0008,1050) | Removed |
| Name of Physician Reading Study | (0008,1060) | Removed |
| Operator Name | (0008,1070) | Removed |
| Admitting Diagnosis Description | (0008,1080) | Removed |
| Referenced SOP Instance UID | (0008,1155) | New value generated |
| Derivation Description | (0008,2111) | “Force Anonymity” |
| Patient Age | (0010,1010) | Removed |
| Patient Size | (0010,1020) | Removed |
| Patient Weight | (0010,1030) | Removed |
| Medical Record Locator | (0010,1090) | Removed |
| Ethnic Group | (0010,2160) | Removed |
| Occupation | (0010,2180) | Removed |
| Additional Patient History | (0010,21B0) | Removed |
| Patient Comments | (0010,4000) | Removed |
| Device Serial Number | (0018,1000) | Removed |
| Protocol Name | (0018,1030) | Removed |
| Study Instance UID | (0020,000D) | New value generated |
| Series Instance UID | (0020,000E) | New value generated |
| Study ID | (0020,0010) | Empty |
| Frame of Reference UID | (0020,0052) | New value generated |
| Synchronization Frame of Reference UID | (0020,0200) | New value generated |
| Image Comments | (0020,4000) | Empty |
| Request Attribute Sequence | (0040,0275) | Empty |
| UID | (0040,A124) | New value generated |
| Content Sequence | (0040,A730) | New value generated |
| Storage Media FileSet UID | (0088,0140) | Removed |
| Referenced Frame of Reference UID | (3006,0024) | New value generated |
| Related Frame of Reference UID | (3006,00C2) | New value generated |
| Content Date | (0008,0023) | Current date |
| Content Time | (0008,0033) | Current date |
| Instance Creation Date | (0008,0012) | Empty |
| Instance Creation Time | (0008,0013) | Empty |
| Acquisition Date | (0008,0022) | Empty |
| Acquisition Time | (0008,0032) | Empty |

Abbreviations

| Abbreviation | Meaning |
|---|---|
| AD | Active Directory |
| AES | Advanced Encryption Standard |
| BIOS | Basic Input Output System |
| DES | Data Encryption Standard |
| DISA | Defense Information Systems Agency |
| DMZ | Demilitarized Zone |
| DoS | Denial of Service |
| ePHI | Electronic Protected Health Information |
| FDA | Food and Drug Administration |
| FIPS | Federal Information Processing Standards |
| HHS | Health and Human Services |
| HIPAA | Health Insurance Portability and Accountability Act |
| HIMSS | Healthcare Information and Management Systems Society |
| HTTP | Hypertext Transfer Protocol |
| HTTPS | HTTP Secure |
| IEC | International Electrotechnical Commission |
| LDAP | Lightweight Directory Access Protocol |
| MD5 | Message Digest 5 |
| MDS2 | Manufacturer Disclosure Statement for Medical Device Security |
| NEMA | National Electrical Manufacturers Association |
| NTP | Network Time Protocol |
| OCR | Office for Civil Rights |
| PHI | Protected Health Information |
| PII | Personally Identifiable Information |
| RPC | Remote Procedure Call |
| SHA | Secure Hash Algorithm |
| SQL | Structured Query Language |
| SRS | Smart Remote Services |
| SW | Software |
| TCP | Transmission Control Protocol |
| UDP | User Datagram Protocol |
| VPN | Virtual Private Network |

Disclaimer according to IEC 80001-1

1-1 The Device has the capability to be connected to a medical IT-network which is managed under full responsibility of the operating responsible organization. It is assumed that the responsible organization assigns a Medical IT-Network Risk Manager to perform IT-Risk Management (see IEC 80001-1:2010/EN 80001-1:2011) for IT-networks incorporating medical devices.

1-2 This statement describes Device-specific IT-networking safety and security capabilities. It is not a responsibility agreement according to IEC 80001-1:2010/EN 80001-1:2011.

1-3 Any modification of the platform, the software or the interfaces of the Device - unless authorized and approved by Siemens Healthcare GmbH Healthcare - voids all warranties, liabilities, assertions and contracts.

1-4 The responsible organization acknowledges that the Device’s underlying standard computer with operating system is to some extent vulnerable to typical attacks like e.g. malware or denial-of-service.

1-5 Unintended consequences (like e.g. misuse/loss/corruption) of data not under control of the Device e.g. after electronic communication from the Device to some IT-network or to some storage, are under the responsibility of the responsible organization.

1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT-network. The responsible organization must ensure – through technical and/or organizational measures – that only authorized use of the external connections and storage media is permitted.

Statement on FDA Cybersecurity Guidance

Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements.

The representations contained in this white paper are designed to describe Siemens Healthineers’ approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cybersecurity efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

International Electrotechnical Commission Glossary (extract)

Responsible organization: Entity accountable for the use and maintenance of a medical IT-network.
On account of certain regional limitations of sales rights and service availability, we cannot guarantee that all products included in this brochure are available through the Siemens sales organization worldwide. Availability and packaging may vary by country and are subject to change without prior notice.

Some/All of the features and products described herein may not be available in the United States or other countries.

The information in this document contains general technical descriptions of specifications and options as well as standard and optional features that do not always have to be present in individual cases. Siemens reserves the right to modify the design, packaging, specifications and options described herein without prior notice. Please contact your local Siemens sales representative for the most current information.

In the interest of complying with legal requirements concerning the environmental compatibility of our products (protection of natural resources and waste conservation), we recycle certain components. Using the same extensive quality assurance measures as for factory-new components, we ensure the quality of these recycled components.

Note: Any technical data contained in this document may vary within defined tolerances. Original images always lose a certain amount of detail when reproduced.

Caution: Federal law restricts this device to sale by or on the order of a physician.

Siemens Healthineers Headquarters
Siemens Healthcare GmbH
Henkestr. 127
91052 Erlangen, Germany
Phone: +49 9131 84-0
siemens-healthineers.com

Legal Manufacturer
Siemens Medical Solutions USA, Inc.
Ultrasound
22010 S.E. 51st Street
Issaquah, WA 98029, USA
Phone: 1-888-826-9702
siemens-healthineers.com/ultrasound

Published by Siemens Medical Solutions USA, Inc. · HOOD05162003336601 · Effective Date February 24, 2023 · Siemens Healthcare GmbH © 2023
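A conformance check for the "DICOM Tags Affected by Anonymization" table earlier in this document, as an added example that is not Siemens Healthineers code: it audits an exported header against a subset of the table and, going beyond the table, scans every other element (including nested sequences) for original identifiers that survived. Headers are modelled as plain dicts keyed by (group, element); the sample data, `audit` and the other names are constructed for illustration, and the readings of "Empty" and "Current date" are assumptions marked in the comments.

```python
import re

# Actions named in the "DICOM Tags Affected by Anonymization" table.
REMOVED, EMPTY, NEW_UID, FIXED, CURRENT_DATE, REPLACED_NAME = range(6)

# Subset of that table: (group, element) -> (attribute name, action, fixed value).
PROFILE = {
    (0x0010, 0x0010): ("Patient Name", REPLACED_NAME, None),
    (0x0010, 0x0020): ("Patient ID", FIXED, "Anonymous"),
    (0x0010, 0x0030): ("Patient Birth Date", EMPTY, None),
    (0x0010, 0x1000): ("Other Patient IDs", REMOVED, None),
    (0x0008, 0x0018): ("SOP Instance UID", NEW_UID, None),
    (0x0008, 0x0020): ("Study Date", CURRENT_DATE, None),
    (0x0008, 0x0050): ("Accession Number", EMPTY, None),
    (0x0008, 0x0080): ("Institution Name", REMOVED, None),
    (0x0008, 0x0090): ("Referring Physician Name", EMPTY, None),
    (0x0008, 0x1070): ("Operator Name", REMOVED, None),
    (0x0008, 0x2111): ("Derivation Description", FIXED, "Force Anonymity"),
    (0x0020, 0x000D): ("Study Instance UID", NEW_UID, None),
    (0x0020, 0x000E): ("Series Instance UID", NEW_UID, None),
}
UID_RE = re.compile(r"[0-9]+(\.[0-9]+)*")


def _walk(ds, path=()):
    """Yield (tag path, string value) for every element, descending into sequences."""
    for tag, value in ds.items():
        if isinstance(value, list):  # a sequence is a list of nested datasets
            for item in value:
                yield from _walk(item, path + (tag,))
        else:
            yield path + (tag,), str(value)


def _tokens(original):
    """Identifying strings in the original header: name parts, IDs, UIDs, dates."""
    tokens = set()
    for tag in PROFILE:
        value = original.get(tag)
        if isinstance(value, str):
            tokens.update(p.upper() for p in value.split("^") if len(p) >= 4)
    return tokens


def audit(original, anonymized, export_date):
    """Return sorted (tag path, message) deviations; an empty list means conformant."""
    findings, tokens = [], _tokens(original)
    for tag, (name, action, fixed) in PROFILE.items():
        old, new = original.get(tag), anonymized.get(tag)
        if action == REMOVED:
            bad = tag in anonymized
        elif action == EMPTY:         # assumption: absent or zero-length both count
            bad = new not in (None, "")
        elif action == FIXED:
            bad = new != fixed
        elif action == NEW_UID:       # must be a syntactically valid UID that changed
            bad = not (isinstance(new, str) and len(new) <= 64
                       and UID_RE.fullmatch(new)) or new == old
        elif action == CURRENT_DATE:  # assumption: DA value (YYYYMMDD) of export day
            bad = new != export_date
        else:                         # REPLACED_NAME: no original token may survive
            bad = not new or any(t in new.upper() for t in tokens)
        if bad:
            findings.append(((tag,), f"{name} does not match the table"))
    # Beyond the table: original identifiers surviving in any other element.
    for path, value in _walk(anonymized):
        if len(path) == 1 and path[0] in PROFILE:
            continue
        hits = sorted(t for t in tokens if t in value.upper())
        if hits:
            findings.append((path, "original identifier survives: " + ", ".join(hits)))
    return sorted(findings)


# Constructed sample headers (not taken from any real device or patient).
ORIGINAL = {
    (0x0010, 0x0010): "MUSTERMANN^ERIKA", (0x0010, 0x0020): "MRN0042317",
    (0x0010, 0x0030): "19640812", (0x0010, 0x1000): "ALT-9931",
    (0x0008, 0x0018): "1.2.3.99.1001", (0x0008, 0x0020): "20230110",
    (0x0008, 0x0050): "ACC778812", (0x0008, 0x0080): "Example General Hospital",
    (0x0008, 0x0090): "REFERRER^PAT", (0x0008, 0x1070): "TECH07",
    (0x0020, 0x000D): "1.2.3.99.1002", (0x0020, 0x000E): "1.2.3.99.1003",
}
CLEAN = {
    (0x0010, 0x0010): "DEMO 20230224101500", (0x0010, 0x0020): "Anonymous",
    (0x0010, 0x0030): "", (0x0008, 0x0018): "1.2.3.99.2001",
    (0x0008, 0x0020): "20230224", (0x0008, 0x0050): "",
    (0x0008, 0x0090): "", (0x0008, 0x2111): "Force Anonymity",
    (0x0020, 0x000D): "1.2.3.99.2002", (0x0020, 0x000E): "1.2.3.99.2003",
}
LEAKY = {
    **CLEAN,
    (0x0008, 0x0080): "Example General Hospital",   # should have been removed
    (0x0020, 0x000D): ORIGINAL[(0x0020, 0x000D)],    # UID was not regenerated
    (0x0020, 0x4000): "compare with Mustermann prior study",
    (0x0008, 0x1032): [{(0x0008, 0x0104): "Follow-up for ACC778812"}],
}
```

The residual scan is what catches the free-text comment and the nested code meaning in `LEAKY`; a per-tag comparison against the table alone would pass both.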
