SecurView® 6-0-6 Cybersecurity Product Report

1. A Message to Our Customers

Hologic, Inc. continues its dedication and commitment to provide the highest quality products and services to help treat your patients with the best possible experience we can offer. We at Hologic are aware of the threat malicious users and viruses pose. We want you to know about the efforts that we have put forth in evaluating the risks to our products caused by these malicious attacks and computer vulnerabilities, and the countermeasures we take to combat them.

Hologic’s Response to Malicious Attacks, Viruses, and Malware

Hologic recognizes the need to react quickly to new vulnerabilities that may affect your systems. Of greatest concern to us are ‘Zero Day’ exploits. These are exploits that have not yet been acknowledged by vendors (via a patch or fix method). Hologic has introduced a number of actions to deal with existing and future malicious attacks. They include:

• Cybersecurity Team. This team regularly convenes to assess how recent security patch releases may affect our products.
• Release of a Best Practices Guide to further minimize any harmful exposure.
• On-going monitoring of the information security industry for new vulnerabilities.
• Periodic Vulnerability Assessments of Hologic products.

2. Products Affected

This document pertains to all SecurView 6-0-6 workstations.

3. Antivirus Protection

Hologic acknowledges your concern for obtaining antivirus protection. Therefore, we have evaluated SecurView with several commercial antivirus products. Please review the ‘Antivirus installation instructions’ document specific for each product at http://www.hologic.com/product-support-link/overview/. Please contact your Hologic Customer Service Representative for assistance with installation of these products if you have any questions. Please follow our installation and configuration guide to ensure optimal performance and security.

We strongly encourage customers to use only antivirus products that we have officially validated, to ensure the continual safety and reliability of our medical-related product in order to provide optimal patient care. However, if you insist on using an untested antivirus solution, you use it at your own risk. In the event of system corruption, Hologic will restore the system to the factory default state and will charge for time and materials.

4. Operating System Updates and Security Patches

Hologic performs risk analysis to determine the potential consequences of published exploits. We also analyze any risk to the system from applying a security patch. Your Hologic workstation is a medical device and as such, recommended security patches are validated by Hologic for effectiveness. Only Hologic-validated security patches should be installed on your Hologic workstations. If you install these security patches, please follow the Customer Validation Form provided to ensure the workstation operates properly after installation. Service Packs must be installed and validated by Hologic and cannot be customer validated.

MAN-01213 Rev 007, January 2011 Page 1 of 9 SecurView 6-0-6 Cybersecurity Product Report

The security patches issued in the following Microsoft bulletins have been validated to work with SecurView 6-0-6 running on Windows XP Professional (SP3) and Windows 2003 Server Standard Edition (SP2):

MS06-033: Vulnerability in ASP.NET Could Allow Information Disclosure http://www.microsoft.com/technet/security/bulletin/MS06-033.mspx
MS06-056: Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure http://www.microsoft.com/technet/security/bulletin/MS06-056.mspx
MS07-040: Vulnerabilities in .NET Framework Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS07-040.mspx
MS08-032: Cumulative Security Update of ActiveX Kill Bits http://www.microsoft.com/technet/security/bulletin/MS08-032.mspx
MS08-036: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service http://www.microsoft.com/technet/security/bulletin/MS08-036.mspx
MS08-048: Security Update for Outlook Express and Windows Mail http://www.microsoft.com/technet/security/bulletin/MS08-048.mspx
MS08-050: Vulnerability in Windows Messenger Could Allow Information Disclosure http://www.microsoft.com/technet/security/bulletin/MS08-050.mspx
MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
MS08-069: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS08-069.mspx
MS08-076: Vulnerabilities in Components Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS08-076.mspx
MS09-006: Vulnerabilities in Windows Kernel Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-006.mspx
MS09-007: Vulnerability in SChannel Could Allow Spoofing http://www.microsoft.com/technet/security/bulletin/MS09-007.mspx
MS09-010: Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx
MS09-011: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-011.mspx
MS09-012: Vulnerabilities in Windows Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx
MS09-013: Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx
MS09-014: Cumulative Security Update for Internet Explorer http://www.microsoft.com/technet/security/bulletin/MS09-014.mspx
MS09-015: Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/MS09-015.mspx
MS09-020: Vulnerabilities in IIS Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/MS09-020.mspx

MS09-022: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-022.mspx
MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/MS09-025.mspx
MS09-026: Vulnerability in RPC Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/MS09-026.mspx
MS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-028.mspx
MS09-029: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-029.mspx
MS09-032: Cumulative Security Update of ActiveX Kill Bits http://www.microsoft.com/technet/security/bulletin/MS09-032.mspx
MS09-034: Cumulative Security Update for Internet Explorer http://www.microsoft.com/technet/security/bulletin/MS09-034.mspx
MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-037.mspx
MS09-038: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-038.mspx
MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/MS09-041.mspx
MS09-042: Vulnerability in Telnet Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-042.mspx
MS09-044: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-044.mspx
MS09-045: Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-045.mspx
MS09-046: Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-046.mspx
MS09-047: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-047.mspx
MS09-051: Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-051.mspx
MS09-052: Vulnerability in Windows Media Player Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-052.mspx
MS09-054: Cumulative Security Update for Internet Explorer http://www.microsoft.com/technet/security/bulletin/MS09-054.mspx
MS09-055: Cumulative Security Update of ActiveX Kill Bits http://www.microsoft.com/technet/security/bulletin/MS09-055.mspx
MS09-056: Vulnerabilities in Windows CryptoAPI Could Allow Spoofing http://www.microsoft.com/technet/security/bulletin/MS09-056.mspx
MS09-057: Vulnerability in Indexing Service Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-057.mspx

MS09-058: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/MS09-058.mspx
MS09-059: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service http://www.microsoft.com/technet/security/bulletin/MS09-059.mspx
MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS09-062.mspx
MS09-069: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service http://www.microsoft.com/technet/security/bulletin/MS09-069.mspx
MS09-071: Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx
MS09-073: Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution http://www.microsoft.com/technet/security/Bulletin/MS09-073.mspx
MS10-001: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS10-001.mspx
MS10-002: Cumulative Security Update for Internet Explorer http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
MS10-005: Vulnerability in Microsoft Paint Could Allow Remote Code Execution http://www.microsoft.com/technet/security/Bulletin/ms10-005.mspx
MS10-006: Vulnerabilities in SMB Client Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS10-006.mspx
MS10-007: Vulnerability in Windows Shell Handler Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx
MS10-008: Cumulative Security Update of ActiveX Kill Bits http://www.microsoft.com/technet/security/Bulletin/MS10-008.mspx
MS10-011: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/Bulletin/MS10-011.mspx
MS10-012: Vulnerabilities in SMB Server Could Allow Remote Code Execution http://www.microsoft.com/technet/security/Bulletin/MS10-012.mspx
MS10-013: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution http://www.microsoft.com/technet/security/Bulletin/Ms10-013.mspx
MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx
MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution [Not for SecurView 6-0-6 Manager] http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx
MS10-019: Vulnerabilities in Windows Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx
MS10-020: Vulnerabilities in SMB Client Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx
MS10-021: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-021.mspx
MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution [Not for SecurView 6-0-6 Manager] http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx
MS10-026: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-026.mspx

MS10-027: Vulnerability in Windows Media Player Could Allow Remote Code Execution [Not for SecurView 6-0-6 Manager] http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx
MS10-029: Vulnerability in Windows ISATAP Component Could Allow Spoofing http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx
MS10-030: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-030.mspx
MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx
MS10-033: Vulnerabilities in Media Decompression Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-033.mspx
MS10-034: Cumulative Security Update of ActiveX Kill Bits http://www.microsoft.com/technet/security/bulletin/ms10-034.mspx
MS10-035: Cumulative Security Update for Internet Explorer http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx
MS10-037: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-037.mspx
MS10-041: Vulnerability in Microsoft .NET Framework Could Allow Tampering [SecurView 6-0-6 Manager only] http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx
MS10-042: Vulnerability in Help and Support Center Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx
MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-047.mspx (SecurView Manager is not vulnerable)
MS10-048: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-048.mspx
MS10-049: Vulnerabilities in SChannel could allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx
MS10-050: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-050.mspx (SecurView Manager is not vulnerable)
MS10-051: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-051.mspx
MS10-052: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-052.mspx
MS10-054: Vulnerabilities in SMB Server Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-054.mspx
MS10-055: Vulnerability in Cinepak Codec Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-055.mspx (SecurView Manager is not vulnerable)
MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
MS10-062: Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-062.mspx

MS10-063: Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-063.mspx
MS10-065: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-065.mspx (SecurView Manager is not vulnerable)
MS10-067: Vulnerability in WordPad Text Converters Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-067.mspx
MS10-069: Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-069.mspx
MS10-071: Cumulative Security Update for Internet Explorer http://www.microsoft.com/technet/security/bulletin/ms10-071.mspx
MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-073.mspx
MS10-074: Vulnerability in Microsoft Foundation Classes Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-074.mspx
MS10-076: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-076.mspx
MS10-078: Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-078.mspx
MS10-081: Vulnerability in Windows Common Control Library Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-081.mspx
MS10-082: Vulnerability in Windows Media Player Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-082.mspx
MS10-083: Vulnerability in COM Validation in Windows Shell and WordPad Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-083.mspx
MS10-084: Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-084.mspx
MS10-090: Cumulative Security Update for Internet Explorer http://www.microsoft.com/technet/security/bulletin/ms10-090.mspx
MS10-091: Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-091.mspx
MS10-096: Vulnerability in Windows Address Book Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-096.mspx
MS10-097: Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms10-097.mspx
MS10-098: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-098.mspx
MS10-099: Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-099.mspx
MS11-002: Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution http://www.microsoft.com/technet/security/bulletin/ms11-002.mspx

5. Patch Installation Instructions & Customer Validation Form

5.1. Prior to Installing Patches

Benchmark system performance as follows:

1 Select several exams to be reviewed as part of this benchmarking study.
2 While stepping through the exams, have someone send five studies to the Hologic SecurView workstation from an external source (e.g., Selenia Acquisition Workstation).
3 Note here the approximate time period to receive all studies:

______

4 Note the performance time related to stepping through the exams:

______

5 Note any unusual environmental conditions such as an unusually light or heavy patient volume while the benchmarking is being performed.

5.2. Installing Patches

Note: Ensure the system has access to Microsoft’s update web page before proceeding. If the system does not have Internet access to Microsoft’s update web page, then download each patch individually from another system, transfer it onto this system via a removable medium, and install each patch individually by double-clicking on it.

1 On the workstation, log into Windows as Customer.
2 Browse to: http://windowsupdate.microsoft.com.
3 You may get a prompt to install a new version of the software before you can begin using the Windows Update. If so, click Install now.
4 On some systems you may get a fail error message. If so, manually start up ‘Background Intelligent Transfer Service’ and try again. Please contact your local IT person if you need assistance.
5 At the screen where you are presented with ‘Express’ or ‘Custom’ install, click Custom. Windows Update may take several minutes to scan for missing patches depending on your Internet connection speed.
6 Upon completion of the scan, the ‘Customize your results’ screen appears. Select the Clear All button and manually place a check next to the box for each patch that has been approved by Hologic.
7 Click Review and Install updates.
8 Click Install Updates to proceed.
9 If windows appear prompting with questions, click Accept.
10 After the patches have downloaded and upon completion of the self-install process, select Restart Now when prompted to reboot the system.
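
Step 6 above allows only Hologic-approved patches, and the list in section 4 marks some entries as Manager-only or not for the Manager. The following is an added example, not part of the Hologic report: it parses the list in the form the report prints it and sorts a set of offered bulletins into install or skip for one system role. The role names, the function names, the offered list and the placeholder ID MS99-999 are assumptions, and it assumes each offered update has already been matched to its bulletin ID.

```python
import re
from dataclasses import dataclass

# Constructed sample: five entries copied from the validated list in section 4,
# run together the way the report prints them (one is split across a line break).
REPORT_TEXT = """\
MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution [Not for SecurView 6-0-6 Manager] http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx
MS10-041: Vulnerability in Microsoft .NET Framework Could Allow Tampering [SecurView 6-0-6 Manager only] http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of
Privilege http://www.microsoft.com/technet/security/bulletin/ms10-047.mspx (SecurView Manager is not vulnerable) MS10-048: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege http://www.microsoft.com/technet/security/bulletin/ms10-048.mspx
"""

ENTRY_HEAD = re.compile(r"\b(MS\d{2}-\d{3}):")   # "MS10-016:" starts an entry
URL = re.compile(r"https?://\S+")
ROLES = frozenset({"workstation", "manager"})     # assumed role names


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    title: str
    url: str
    roles: frozenset               # roles the report validates this patch for
    manager_not_vulnerable: bool   # informational note carried by some entries


def parse_validated(text):
    """Return {bulletin id: Bulletin} from the report's run-together list."""
    text = " ".join(text.split())            # undo page and line wraps
    heads = list(ENTRY_HEAD.finditer(text))
    validated = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end].strip()
        url = URL.search(body)
        roles = ROLES
        if "[Not for SecurView 6-0-6 Manager]" in body:
            roles = ROLES - {"manager"}
        elif "[SecurView 6-0-6 Manager only]" in body:
            roles = frozenset({"manager"})
        title = body[:url.start()] if url else body
        title = re.sub(r"\[[^\]]*\]", "", title).strip()   # drop the role tag
        validated[head.group(1)] = Bulletin(
            head.group(1), title, url.group(0) if url else "", roles,
            "(SecurView Manager is not vulnerable)" in body)
    return validated


def triage(offered_ids, validated, role):
    """Sort offered bulletin ids into install / wrong_role / not_validated."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    result = {"install": [], "wrong_role": [], "not_validated": []}
    for raw in offered_ids:
        bid = raw.strip().upper()
        entry = validated.get(bid)
        if entry is None:
            result["not_validated"].append(bid)   # not in the report: leave unchecked
        elif role not in entry.roles:
            result["wrong_role"].append(bid)      # validated, but not for this role
        else:
            result["install"].append(bid)
    return result


if __name__ == "__main__":
    validated = parse_validated(REPORT_TEXT)
    # Constructed offer list; MS99-999 is a placeholder for an unlisted bulletin.
    offered = ["ms08-067", "MS10-016", "MS10-041", "MS99-999"]
    for role in sorted(ROLES):
        print(role, triage(offered, validated, role))
```

Entries carrying "(SecurView Manager is not vulnerable)" stay in the install set for both roles here, with the note kept in manager_not_vulnerable, because the report does not say whether they should be skipped on the Manager.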

5.3. System Testing

The objective of this section is to ensure patch installation did not compromise system stability. The user should complete the system regression tests outlined in this section successfully after the patches have been installed. If the following performance tests are inconclusive or fail, please contact Hologic Customer Service before placing the system in use. It is recommended that baseline performance of the existing systems is recorded before proceeding.

Receiving Images

1 Select the same patients to be reviewed from the benchmarking study (see section 5.1. Prior to Installing Patches).
2 While stepping through the images, have someone send five studies to the SecurView system from an external source (e.g., Selenia Acquisition Workstation).
3 Note here the approximate time period to receive all studies:

______

4 Note the performance time related to stepping through the exams:

______

5 Note any unusual environmental conditions such as an unusually light or heavy patient volume while the benchmarking is being performed.
6 Compare the above performance results to the results in the benchmarking study. The performance need not be identical, only acceptable per your local conditions. If performance is not acceptable, contact Hologic Customer Service for assistance.

Loading Images

1 From an external source (e.g., Selenia Acquisition Workstation) send five studies to the SecurView system.
2 While the studies are being received, open a patient for review.
3 Note here the approximate time period to display the images for the opened patient:

______

4 Note here the approximate time period to receive all studies:

______

CPU Monitoring

1 Log into Windows as scr.
2 Log into the application as admin.
3 Click Exit to Windows.
4 Press the Windows key and right-click the taskbar.
5 Select Task Manager.
6 Once the Task Manager is present, click Options and select Always on Top.
7 Restart the application and log in as review.
8 With the Task Manager window open, open a patient to review images.
9 Ensure CPU usage is below 30%.

5.4. Questions and Concerns

Hologic is here to help. We understand you have both a financial responsibility and operational responsibility to protect your networks and computer systems from malicious harm. If you have any questions or concerns, please contact Hologic Customer Service.

Hologic Inc.
35 Crosby Drive
Bedford, MA 01730-1401 USA
Tel: +1.781.999.7300
Sales: +1.781.999.7453
Fax: +1.781.280.0668

Hologic N.V.
Authorized Representative
Leuvensesteenweg 250A
1800 Vilvoorde, Belgium
Tel: +32.2.711.4680
Fax: +32.2.725.2087

For more information about Hologic products, services, and facilities, visit www.hologic.com.
