
Siemens Healthineers Academy and Siemens Healthineers Academy Admin Security White Paper
This white paper describes security and data privacy measures taken with Siemens Healthineers Academy and Siemens Healthineers Academy Admin.
Whitepaper: Siemens Healthineers Academy & Siemens Healthineers Academy Admin, Version 20230421.5 & Later
Security Whitepaper: The facts about the security of our products and solutions.
siemens-healthineers.com/cybersecurity
Unrestricted | Effective Date 18 SEP 2025 | QR700028981
Siemens Healthineers

Security Whitepaper · Siemens Healthineers Academy & Siemens Healthineers Academy Admin, Version 20230421.5 & Later

Foreword

The Siemens Healthineers Cybersecurity program

At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Cybersecurity Office is responsible for our global program that focuses on addressing cybersecurity throughout the supported period of our products.

Our program targets incorporating state-of-the-art cybersecurity into our current and future products. We seek to enable you to protect the security of data while, at the same time, offering measures to strengthen the resiliency of our products against cyber threats.

We prioritize compliance with applicable security and privacy laws and cooperate with the relevant authorities.

Elements of our Cybersecurity program
• Providing information to facilitate secure configuration and use of our medical devices in your IT environment
• Conducting formal threat and risk analysis for our products
• Incorporating secure architecture, design, and coding methodologies in our software development process
• Performing static code analysis of our products
• Conducting security testing of products under development as well as products already in the field
• Patch management strategies for our medical devices
• Monitoring security vulnerabilities to track reported third-party component issues in our products
• Working with suppliers to address security throughout the supply chain
• Training of our employees regarding cybersecurity and data privacy
• Securing the product development environment

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated vulnerability disclosure.

Contacting Siemens Healthineers about Cybersecurity

Report any cybersecurity incident affecting Siemens Healthineers infrastructure or any of our products to your customer support contact (e.g., CCC, country-specific, or platform-specific hotlines). For further information: https://www.siemens-healthineers.com/support-documentation/cybersecurity

Carlos Arglebe
Corporate Cybersecurity Officer
Siemens Healthineers

15_V_24, Version 1.1 | Unrestricted | Siemens Healthineers AG © 2025

Contents
Foreword 2
Basic Information 4
Network Information 5
Security Controls 6
Shared Responsibilities 8
Certifications 9
Abbreviations 10
Disclaimers 11

Basic Information

Siemens Healthineers Academy is the industry's first personalized education and performance experience for healthcare professionals, designed to increase staff competency, efficiency, and productivity.

With the premium subscription Siemens Healthineers Academy Admin¹, our customers can easily manage their institution's performance growth with integrated group management and administration features.

Handling of Confidential Data

Siemens Healthineers Academy does not include patient or sensitive data. When using Siemens Healthineers Academy and Siemens Healthineers Academy Admin, our Special Terms of Use, Privacy Policy, and Special Terms of Use for Siemens Healthineers Academy Groups² apply.

Data Recovery

Siemens Healthineers Academy servers are hosted with Amazon Web Services and are not prone to failure, as AWS's EBS architecture is redundant and fault tolerant (http://aws.amazon.com/ebs/).

All customer data is backed up regularly to guard against data loss. All backups are encrypted and stored in high-resiliency, geographically diverse locations to prevent loss due to natural disaster or location-specific failures. Servers are regularly imaged and geographically distributed to allow for low downtime in the case of a datacenter failure.

Terms and Conditions

When using Siemens Healthineers Academy and Siemens Healthineers Academy Admin, our Special Terms of Use, Privacy Policy, and Special Terms of Use for Siemens Healthineers Academy Groups² apply. See local terms and conditions that may apply when purchasing Siemens Healthineers Academy Admin.

Cryptography Usage

To protect data in transit, Siemens Healthineers Academy uses SSL/TLS during data transfer, creating a secure tunnel protected by 128-bit or higher AES encryption. Siemens Healthineers Academy applies an HSTS header to its web connections, directing modern browsers to connect to Siemens Healthineers Academy only over an encrypted connection. Additionally, Siemens Healthineers Academy flags all authentication cookies as secure.

Data is stored at rest using the industry-standard AES-256 algorithm.

Operating Systems

For Desktop: Windows 10 and higher, or macOS (Current Version).
For Mobile devices: Android (Current Version), iOS (Current Version) or iPadOS (Current Version).

For an optimized experience, the following browser recommendations should be followed:
• Google Chrome (Current Version)
• Microsoft Edge (Current Version)
• Mobile Safari (Current Version)

Hardware Specifications

Siemens Healthineers Academy was designed to function on the customers' Desktop and Mobile devices meeting the Operating System criteria above.

User Account Information
• Each person must have a unique email address.
• Individual users are required to use their Healthineers ID to authenticate with Siemens Healthineers Academy and Siemens Healthineers Academy Admin.

Patching Strategy

The Siemens Healthineers Academy site is updated:
• Monthly for software updates
• As needed for non-scheduled emergency security patching

¹ Subscription required. Availability of subscription depends on country. The products/features and/or service offerings (here mentioned) are not commercially available in all countries and/or for all modalities. If the services are not marketed in countries due to regulatory or other reasons, the service offering cannot be guaranteed. Please contact your local Siemens Healthineers organization for further details.
² Special Terms of Use: https://academy.siemens-healthineers.com/special-terms-of-use
Privacy Policy: https://academy.siemens-healthineers.com/privacy
Special Terms of Use for Siemens Healthineers Academy Groups: https://academy.siemens-healthineers.com/special-terms

Network Information & Firewall

[Network diagram: end users at the hospital reach, through the internet and a firewall, an Amazon Web Services VPC containing AWS CloudFront (Content Delivery Network), the Siemens web server, the Siemens database server and AWS S3 cloud storage. Legend symbols: data center, cloud, web server, database server, CDN, data, user.]

Firewall

The server requires four static IP addresses and specific ports for automated email communication (for example, delivery of the registrant activation email), which must be available to the customer. The customer may need to contact their Local IT to see if the facility spam filter caught the automated email on the mail server (quarantined folder).

If the email was caught by the spam filter, their Local IT needs to:
1. "Whitelist" (allow) the following IP addresses and ports (see table below)
2. Allow emails from admin@siemens-healthineers-academy.com, noreply.healthineers-id@siemens-healthineers.com and sense.team@siemens-healthineers.com

IP Address     | Port Number(s)      | Service/Function               | Direction (In/Out) | Protocol
198.2.128.180  | 25, 465, 587, 2525  | Sending of transactional emails | Out                | SMTP + TLS
168.245.57.23  | 587                 | Sending of transactional emails | Out                | SMTP + TLS
167.89.88.97   | 587                 | Sending of transactional emails | Out                | SMTP + TLS
149.72.231.96  | 25, 465, 587, 2525  | Sending of transactional emails | Out                | SMTP + TLS

Security Controls

Malware Protection

All servers are protected using a multilayered approach. The infrastructure is protected from the outside utilizing a VPC on Amazon Web Services along with AWS Security Groups that limit the types of internet traffic that can reach the servers and which networks can reach the servers.

Security Scanning

Each individual server has ESET File Security for Windows Server in addition to Trend Micro Cloud One intrusion detection software, which is managed through a cloud interface and alerts.

Continuous Vulnerability Monitoring

A suite of third-party software is used to periodically scan Siemens Healthineers Academy to test for vulnerabilities.

Network Controls

Siemens Healthineers Academy network security and monitoring techniques are designed to provide multiple layers of protection and defense. Firewalls protect its network from unauthorized access and undesirable traffic, and its systems are segmented into separate networks to protect data.

Incident Response and Management

Systems are monitored by third-party software to notify engineers proactively, to prevent possible outages as well as to allow immediate response in the case of an outage.

Customers can report incidents via the Siemens Healthineers Academy Support link in the footer of the site, and scheduled outage messages are displayed directly on the Siemens Healthineers Academy site.

Siemens Healthineers Academy integrated diagnostics and global technical support are provided during normal business hours EST, CET and SST, excluding holidays.

Controlled Use of Administrative Privileges

The following administrative privileges apply to Siemens Healthineers Academy and Siemens Healthineers Academy Admin Group Owners:
• Manage group members
• Monitor activity feed posts
• Redeem virtual wallet points for group subscriptions

Users in Siemens Healthineers Academy can become Group Owners by:
• Creating a group
• Being invited to a group as a Group Owner by an existing owner of the group and accepting the invitation
• Being invited to a group as a Group Owner by a Siemens Healthineers Administrator and accepting the invitation

The following administrative privileges apply to Siemens Healthineers Academy Admin Group Owners, who have the premium subscription Siemens Healthineers Academy Admin:
• Manage and administer group members' education
• Access group members' transcripts and reporting
• Upload page links and files (e.g., video, pdf, documents) to the Virtual Library, accessible only to members of the Siemens Healthineers Academy Admin group

Physical Safeguards

The Siemens Healthineers Academy site and all other back-end services, including data storage, run on Amazon Web Services. The AWS platform is designed and built to run on a shared security responsibility model. This means that AWS is responsible for providing the underlying infrastructure that supports the Siemens Healthineers Academy platform, including facilities, network, hardware, and operational software. The infrastructure that Amazon provides is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1, 2 and 3, PCI DSS Level 1, and ISO 27001.

Authentication

Individual users are required to use their Healthineers ID to authenticate with Siemens Healthineers Academy and Siemens Healthineers Academy Admin.

Auditing/Logging

Siemens Healthineers Academy has comprehensive logging and auditing at all levels, including our application and infrastructure. Application logs are centrally managed for troubleshooting and analyzing user and system events. Software developers use analytics tools for safe and efficient access to required data while maintaining security best practices.

Remote Connectivity

A small number of privileged accounts are authorized for access to Siemens Healthineers Academy physical assets. All other access is expressly forbidden.

Further Data Protection Controls

To protect data in transit, Siemens Healthineers Academy uses SSL/TLS during data transfer, creating a secure tunnel protected by 128-bit or higher AES encryption. Siemens Healthineers Academy applies an HSTS header to all its web connections, telling all modern browsers to connect to Siemens Healthineers Academy only over an encrypted connection. Additionally, on the web, Siemens Healthineers Academy flags all authentication cookies as secure. Data is stored at rest using the industry-standard AES-256 algorithm.
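A defender-side check for the in-transit controls described above (an HSTS header on the web connection and the Secure flag on authentication cookies), written as an added example for this page rather than code from Siemens Healthineers or the Academy platform. It parses a constructed HTTP response header block; the one-year max-age threshold, the cookie-name fragments used to recognize authentication cookies, and the additional HttpOnly check (which the white paper does not claim) are assumptions.

```python
import re
from collections import namedtuple

# Policy threshold and cookie-name hints are assumptions for this check, not figures from the white paper.
MIN_HSTS_MAX_AGE = 31536000                       # one year, in seconds
AUTH_COOKIE_HINTS = ("session", "auth", "token")  # name fragments treated as authentication cookies

Finding = namedtuple("Finding", "ok message")

def parse_headers(raw: str) -> list:
    """Split a raw response header block into lower-cased (name, value) pairs, keeping repeats in order."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or body text
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_hsts(headers) -> Finding:
    """Require a Strict-Transport-Security header whose max-age meets the threshold."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return Finding(False, "no Strict-Transport-Security header")
    m = re.search(r"max-age\s*=\s*(\d+)", values[0], re.IGNORECASE)
    if not m:
        return Finding(False, "HSTS header has no max-age directive")
    age = int(m.group(1))
    if age < MIN_HSTS_MAX_AGE:
        return Finding(False, f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}")
    return Finding(True, f"HSTS max-age {age} meets the threshold")

def check_auth_cookies(headers) -> list:
    """Flag authentication cookies set without the Secure (or HttpOnly) attribute."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        if not any(hint in name.lower() for hint in AUTH_COOKIE_HINTS):
            continue  # not an authentication cookie under the naming assumption above
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(Finding(False, f"cookie {name} missing {', '.join(missing)}"))
        else:
            findings.append(Finding(True, f"cookie {name} has Secure and HttpOnly"))
    return findings

def run_checks(raw: str) -> list:
    """Return the HSTS finding followed by one finding per authentication cookie."""
    headers = parse_headers(raw)
    return [check_hsts(headers)] + check_auth_cookies(headers)

# Constructed sample response: HSTS present, one compliant and one deficient authentication cookie.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/
Set-Cookie: auth_token=xyz789; Path=/; HttpOnly
"""

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_RESPONSE):
        print("PASS" if finding.ok else "FAIL", finding.message)
```

Against a live deployment the same functions can be fed the header block returned by any HTTPS client; cookies that do not match the name hints are ignored rather than reported.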
Siemens Healthineers Academy offers customers complete control over their data on a self-serve basis, with the ability to delete data within their accounts and, for Siemens Healthineers Academy Admin customers, the ability to remove end user accounts from their Groups and content from their Virtual Library. Customers may also request assistance from Siemens Healthineers Academy Support with any of these actions.

Siemens Healthineers Academy adheres to GDPR and CCPA requirements and guidelines. For information about our data retention practices, please see our Privacy Policy. Siemens Healthineers maintains a comprehensive written data protection plan that covers key aspects of our data protection practices, policies, and procedures.

Administrative Controls

Access to the production servers and data is protected using network isolation and strong authentication mechanisms.

Hardening

All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System image has server hardening built into it, and this OS image is provisioned on the servers to improve consistency across servers.

Shared Responsibilities

Personal Account Management

Siemens Healthineers Academy provides a lifelong learning record for each registered user. As a registered user on Siemens Healthineers Academy, it is important to observe the following practices.

Account Security
• You will automatically be logged out of Siemens Healthineers Academy after 4 hours. If you are using a shared computer, log out of Siemens Healthineers Academy to end your session before leaving the workstation.

Password Security
• Do not share your password with others
• Make your password hard to guess but easy to remember
• Your password can be updated at any time using the Forgot Password link on the Healthineers ID login page

Siemens Healthineers Academy Group Security
• Update your group participation by removing yourself from groups that are no longer relevant on the group settings page
• If you are a group owner, routinely monitor your group's activity feed and members. Remove members who are no longer authorized to participate in your group or access your group information

Certifications

Siemens Healthineers has received independent certification for its Cybersecurity Management System (CYSMS) according to ISO/IEC 27001:2022, extended by ISO/IEC 27701:2019, for Cybersecurity including Data Protection. This sets an important strategic milestone for our customers and the MedTech market. The Siemens Healthineers global Cybersecurity Management System covers Governance and Assurance by the central groups for Cybersecurity, Data Protection, IT Security, and IT Operations from its Erlangen headquarters locations.

The European Union's General Data Protection Regulation (GDPR) and other data protection laws around the world have ushered in a new level of cybersecurity and data privacy regulation and compliance. As a result, organizations must implement policies and procedures to ensure compliance with the growing number of data privacy regulations in a sustainable manner.

In addition, organizations are facing rapid digital transformation, in which data processing is increasing dramatically. The growth in data volumes, together with the regulatory requirements related to this data, makes compliance increasingly complex for organizations of all types.

How do our customers benefit from the certification?
• Provides assurance regarding the customers' obligation to regularly check their service providers
• Builds trust between the customer and Siemens Healthineers
• Reduces the risk that their personal information is misused and processed differently than contractually agreed

Abbreviations
AD – Active Directory
AES – Advanced Encryption Standard
BIOS – Basic Input Output System
DES – Data Encryption Standard
DISA – Defense Information Systems Agency
DMZ – Demilitarized Zone
DoS – Denial of Service
ePHI – Electronic Protected Health Information
FDA – Food and Drug Administration
FIPS – Federal Information Processing Standards
HHS – Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act
HIMSS – Healthcare Information and Management Systems Society
HTTP – Hypertext Transfer Protocol
HTTPS – HTTP Secure
IEC – International Electrotechnical Commission
LDAP – Lightweight Directory Access Protocol
MD5 – RSA Data Security, Inc. MD5 Message-Digest Algorithm
MDS2 – Manufacturer Disclosure Statement for Medical Device Security
NEMA – National Electrical Manufacturers Association
NTP – Network Time Protocol
OCR – Office for Civil Rights
PII – Personally Identifiable Information
RPC – Remote Procedure Call
SHA – Secure Hash Algorithm
SHS – Siemens Healthineers
SQL – Structured Query Language
SRS – Smart Remote Services
SW – Software
TCP – Transmission Control Protocol
UDP – User Datagram Protocol
UID – Unique Identifier
VPN – Virtual Private Network

Disclaimers

Statement on FDA Cybersecurity Guidance

Siemens Healthineers will reasonably consider cybersecurity guidance issued by the FDA. Siemens Healthineers also recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients and providers), and is committed to drawing on its innovation, engineering, and pioneering skills in collective efforts designed to prevent, detect, and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding, and alternative approaches may be used to satisfy FDA regulatory requirements.

The statements contained in this whitepaper are intended to describe Siemens Healthineers' approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cybersecurity efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

The information in this document contains general technical descriptions of specifications and options as well as standard and optional features that do not always have to be present in individual cases.

Siemens Healthineers reserves the right to modify the design, packaging, specifications, and options described herein without prior notice. Please contact your local Siemens Healthineers sales representative for the most current information.

In the interest of complying with legal requirements concerning the environmental compatibility of our products (protection of natural resources and waste conservation), we recycle certain components. Using the same extensive quality assurance measures as for factory-new components, we guarantee the quality of these recycled components.

Note: Any technical data contained in this document may vary within defined tolerances. Original images always lose a certain amount of detail when reproduced.

Caution: Federal law restricts this device to sale by or on the order of a physician.

On account of certain regional limitations of sales rights and service availability, we cannot guarantee that all products included in this brochure are available through the Siemens sales organization worldwide. Availability and packaging may vary by country and are subject to change without prior notice. Not all features or products are available in all markets and are subject to change.

Siemens Healthineers Headquarters
Siemens Healthineers AG
Siemensstr. 3
91301 Forchheim, Germany
Phone: +49 9191 18-0
siemens-healthineers.com
- Personalized Education Plan Solution
- PEP
- PEPconnect
- PEPconnections
- Security
- Data Privacy
- White Paper