Rapidpoint 500E Blood Gas System V5.0.1 Security White Paper and MDS2 the Facts About the Security of Our Products and Solutions
Total Page:16
File Type:pdf, Size:1020Kb
White Paper RAPIDPoint 500e Blood Gas System V5.0.1 Security White Paper and MDS2 The facts about the security of our products and solutions siemens-healthineers.com White Paper · Product and Solution Security RAPIDPoint 500e Blood Gas System V5.0.1 Foreword The Siemens Healthineers Elements of our product and solution security program Product and Solution • Providing information to facilitate secure Security (PSS) program configuration and use of our medical devices in your IT environment • Conducting formal threat and risk analysis for At Siemens Healthineers, we are committed to our products working with you to address cybersecurity and • Incorporating secure architecture, design, privacy requirements. Our Product and and coding methodologies in our software Solution Security Office is responsible for our development process global program that focuses on addressing • Performing static code analysis of our cybersecurity throughout the product lifecycle. products • Conducting security testing of products Our program targets incorporating state-of- under development as well as products the-art cybersecurity into our current and already in the field future products. We seek to protect the • Tailoring patch management to the medical security of your data while providing measures device and depth of coverage chosen by you to strengthen the resiliency of our products • Monitoring security vulnerability to track from cyber threats. reported third-party component issues in our products • Working with suppliers to address security We comply with applicable security and privacy throughout the supply chain regulations from the U.S. Department of • Training of employees to provide knowledge Health and Human Services (HHS), including consistent with their level of responsibilities the Food and Drug Administration (FDA) and regarding your data and device integrity Office for Civil Rights (OCR), to help you meet your IT security and privacy obligations. Contacting Siemens Healthineers about product and solution security Vulnerability and incident management Siemens Healthineers requests that you report Siemens Healthineers cooperates with any cybersecurity or privacy incidents by email government agencies and cybersecurity to: [email protected] researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our products, no matter the source. 2 White Paper · Product and Solution Security RAPIDPoint 500e Blood Gas System V5.0.1 Contents Foreword 2 Basic Information 4 Network Information 5 Security Controls 6 Shared Responsiblities 7 Software Bill of Materials 7 Manufacturer Disclosure Statement (MDS2) 8 Abbreviations 28 Disclaimer according to IEC 80001-1 30 Statement on FDA Cybersecurity Guidance 31 3 White Paper · Product and Solution Security RAPIDPoint 500e Blood Gas System V5.0.1 Basic Information Depend on the RAPIDPoint® 500e Blood Gas System to demographic entry fields, limited to 15 characters per raise the bar in blood gas IT security at your facility by label and 15 characters per value. providing the latest defenses to guard confidential Demographic data associated with samples can be patient data coupled with the leading built-in technology configured in Setup to deselect fields (so data is not to protect your institution from external cybersecurity collected), select fields (so data can be collected), threats. or indicated as required fields (so data must be collected Operating systems prior to releasing sample results). • WINDOWS 10 IoT Enterprise (1809) Raw (second-by-second) and reportable result data is (user interface processor) stored in a combination of database entries augmented • pSOS+ Version 2.3 (real-time processor) with binary “sideband” files. No sensitive information is included in diagnostic logs. Hardware specifications When data is exported for reliability analysis by • BlueChip Technology AMD GLX ETX module with Siemens Healthineers, the patient and sample 1 GB RAM (user interface processor) demographic database tables are omitted from the • Motorola 68332 (real-time processor) export files. However, traceability of data to patient User account information ID or accession number is included in case it is needed • Single operating system local administrator-level for field issue investigations. account (auto-login) for running instrument Data is purged in first-in, first-out (FIFO) order. For application. Note: Account has no privileges beyond patient samples, the instrument maintains the last the boundaries of the instrument. 1250 samples (allowing up to 100 additional records • Operators of the system can be created (up to 5000 prior to triggering the purge operation). However, unique operators) and granted one of four levels of only the most recent 250 patient samples are viewable access privileges. on the instrument by the operator. Patching strategy Data recovery Operating system updates are evaluated and included as The RAPIDPoint 500e system is a data producer and is part of application software updates. not intended for long-term storage of data. As such, it provides limited data backup options and no data Cryptography usage restore capability. • Patient data export files can (optionally) be encrypted using AES-256 encryption provided by 7-Zip. Long-term data storage is provided by external data management systems, such as the POCcelerator Data • Data on the hard drive is encrypted via BitLocker using Management System. the Trusted Platform Module (TPM). Device configuration (setup) data can be saved to • Communication with the POCcelerator™ Data and restored from removable USB media by level 1 Management System can be configured to encrypt (administrator-level) operators. LIS communication. Boundary defense Handling of sensitive data The WINDOWS Firewall, enabled by default, is used Patient and sample demographic data can be entered via to limit network traffic to the device. Additionally, the on-screen data entry forms. Additionally, some endpoint identification can be used to further restrict patient demographic data can be retrieved from data laboratory information system (LIS) and Remote Viewer management systems based on matching patient ID. (VNC) communication to a user-defined list of IP Patient demographic data consists of the following addresses or subnets. It is anticipated that the device entries: Patient ID (used as a key that links to all other will be operated on an internal, non-public-facing patient demographic fields), Last Name, First Name, network to further reduce the risk of network intrusion. Gender, and Date of Birth. Terms and conditions Sample demographic data consists of the following See local terms and conditions for purchasing and entries: Location, Physician ID, Sample Draw Date, operating this device within your area. Sample Draw Time, Accession Number, Operator ID, Temperature, entered tHb (available only when measured tHb is turned off), FIO2, Flow, Respiratory Rate, Barometric Pressure, CPAP, PEEP, PIP, Tidal Volume, and Allen Test result. In addition, the system can be configured to support up to 10 user-defined 4 White Paper · Product and Solution Security RAPIDPoint 500e Blood Gas System V5.0.1 Network Information Laboratory Healthcare Center Information System(s) – Information System(s) – Orders and/or Results ADT or Patient Query POC Informatics • Physical or Virtual Server • Remote or Local Database PEP Admin Healthcare Center Internet Site Email System Clients Workstations Network Connectivity Serial Connectivity RAPIDPoint 500e System The server requires no static IP addresses but may be configured in static IP address mode if desired by the facility. The following ports are used by the system: Port Number Service/function Direction (in/out) Protocol 25 SMTP email (optional) Out SMTP Unencrypted LIS communication with data manager 3001* In LIS3/LIS4 (*Port number is user-configurable) Encrypted LIS communication with Siemens Healthineers 3001* Out LIS3/LIS4 data manager (*Port number is user-configurable) Link-Local Multicast Name Resolution 5355 Out LLMNR (used by some SMTP servers for email negotiation) 5900 Remote Viewer In VNC Allowed services accessible through network: Service Description Startup Type Log on as: Virtual Network Computing used User-configurable. Startup is deferred VNC for Remote View (available only on until connection to Siemens Healthineers User-configurable Siemens Healthineers data managers) data manager has been established. 5 White Paper · Product and Solution Security RAPIDPoint 500e Blood Gas System V5.0.1 Security Controls Malware protection Network controls McAfee Embedded Control (whitelisting solution) creates • WINDOWS Firewall enabled by default. a list of trusted programs necessary for day-to-day • Endpoint identification can be applied to limit addresses operations and ensures that only those specific allowed to connect for LIS and Remote Viewer traffic. applications are allowed to run. • ICMP protocol is limited to a subset of supported Controlled use of administrative privileges messages (ping request/reply only). • System runs in kiosk mode, preventing user access to Physical safeguards the underlying operating system. • The RAPIDPoint 500e instrument should reside and be • System automatically logs in using administrative operated in a physically controlled environment. account, but account has privileges