Atellica IN Security White Paper and MDS2 Form

The facts about the security of our products and solutions

Siemens Healthineers, 11316482 Rev. 01, 2018-10

Atellica IN Software Security White Paper

Foreword

The Healthineers product and solution security program for our medical devices

At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our medical devices.

Our program targets incorporating state of the art cybersecurity in our current and future products. We seek to protect the security of your data while, at the same time, providing measures to strengthen the resiliency of our products from external cybersecurity attackers.

We comply with applicable security and privacy regulations from the US Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights (OCR), to help you meet your IT security and privacy obligations.

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our medical devices, no matter what the source.

Elements of our product and solution security program

• Conducting formal threat and risk analysis
• Incorporating secure architecture, design and coding methodologies in our software development process
• Performing static code analysis of medical device software
• Conducting security testing of medical devices under development as well as medical devices already in the field
• Tailoring patch management to the state of the medical device and depth of coverage chosen by you
• Monitoring security vulnerability reports to track third party components issues in our medical devices
• Working with suppliers to address security throughout the supply chain
• Training of employees to provide knowledge consistent with their level of responsibilities regarding your data and device integrity
• Providing information to facilitate secure configuration and use of our medical devices in your IT environment

Contacting Siemens Healthineers about product and solution security

Siemens Healthineers requests that any cybersecurity or privacy incidents are reported by email to: [email protected]

For all other communication with Siemens Healthineers about product and solution security: ProductTechnologyAssurance.dl@siemens-healthineers.com

Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers



Contents

Basic Information ...... 4
Network Information ...... 8
Security Controls ...... 10
Software Bill of Materials ...... 13
Manufacturer Disclosure Statement according to IEC60601-1 ...... 14
Abbreviations ...... 21
Disclaimer according to IEC 80001-1 ...... 23
Statement on FDA Cybersecurity Guidance ...... 23


Basic Information

Automated Real-time Inventory management

The Atellica Inventory Manager (Atellica IN®) system is a laboratory productivity application for managing laboratory consumable inventory. The system uses radio frequency identification (RFID), including a web-based user interface, to enable laboratories to manage their inventory from any computer with Internet connectivity. The Atellica Inventory Manager system features the ability to issue alerts when inventory levels require reordering and to generate orders based on customized reordering rules. Access to the Internet is required for order and inventory management.

This document provides an overview of the Atellica Inventory Manager system and describes the security safeguards to protect laboratory data and the information technology network. Network security is important to Siemens Healthcare when providing solutions and services to our customers. The information in this document is applicable to all sites where the product is installed.

Supported Operating Systems

Supported operating systems for the Atellica IN Controller PC or Virtual Machine (VM):

• Microsoft Windows 7 (Professional or Enterprise) 64-bit system (PC only).
• Microsoft Windows 10 Enterprise 64-bit system.
• Microsoft Windows Server 2012 R2 64-bit system (VM only).

Inventory of Devices

The Siemens server hosts the Atellica Inventory Manager Web Application. The server is comprised of the following elements.


• Customer-provided Controller PC to manage inventory data flows between the RFID Equipment and the Atellica IN Web Application.
• Motorola MC3100S Mobile Computer (RFID Handheld scanner) to scan an inventory item to a storage location, transfer items from one location to another, perform inventory checks, and record inventory items consumption and RFID labels and tags.
• SATO GL408e Barcode Thermal Printer or SATO CL4NX Industrial Thermal Printer to print Barcode.
• Motorola FX7400/FX7500 Fixed RFID Reader with 4 RFID Antenna(s) to record inventory items consumption.

Atellica IN system RFID Handheld scanner device

The device is an OEM version that Motorola deploys. The OEM scanner runs Microsoft Windows Embedded Handheld 6.5 Classic (CE OS 5.2.29040) or Windows Mobile 6.5 Classic.

Atellica IN System Fixed RFID Reader

FX7400 Fixed RFID Reader with Firmware Version 3.6.0 and Microsoft Windows CE 5.0 OS, or FX7500 Fixed RFID Reader with firmware version 2.3.23 and Linux.

Hardware Specifications

NOTE: Siemens supplies the below hardware for inventory management.

Motorola MC3100 Series Mobile Computer with 256MB RAM / 1GB Flash and a Marvell PXA320 processor at 624 MHz; supports USB, Bluetooth and Wi-Fi connectivity.

There are two RFID Printer models:

• SATO GL408e Barcode Thermal Printer with 32MB SDRAM and B/W print resolution of 203 dpi
• SATO CL4NX Industrial Thermal Printer with Dual CPU (256MB RAM/2GB Flash and 64MB RAM/4GB Flash)

There are two Fixed Reader models:

• Motorola FX7400 Reader with 64MB DRAM and 64MB Flash Memory
• Motorola FX7500 Reader with 256MB DRAM and 512MB Flash Memory

User Account Information

The Atellica IN Server stores (encrypted) user information such as Login Credentials, Alias Name, and Contact Details (namely e-mail and phone number). This data is not transmitted to any entity outside of the Atellica IN Server.

Patching Strategy

Security and operating system patches are applied monthly on the Atellica IN Server.

Siemens service personnel apply firmware updates to the Handheld Scanner, RFID Printer, and RFID Reader whenever applicable. Siemens applies firmware upgrades on the RFID devices at the customer site.

The customer is responsible for any and all OS patches on the Atellica IN Controller PC.

Cryptography Usage

The Atellica IN Server and Atellica IN Controller software use HTTPS for all communication between the server and software. Atellica IN Server ID verification implements communication between the external system (SAP Webshop, Controller PC) and the Atellica IN Server. ID Verification allows the external system and the server ID to communicate. All messages inbound to the Atellica IN Server include the ServerGUID, CustomerID, and ClientID.

Security protocols TLS 1.1 or 1.2 for the Atellica Inventory Manager version 1.03 or later allow the Atellica IN Controller software and the servers to communicate.

An AES algorithm with 128 bit key length performs the database encryption. Passwords are stored in the Atellica IN Server database as MD5 hashes.

Sensitive Data Handling

The Atellica IN system stores the username, password, PIN, email, phone number and activity for each user.

For each supplier/vendor the Atellica IN system stores and processes the following information: contact person, email, address and phone number, and account number. The data are stored in encrypted form in the Siemens Data Center in Austria.



The Atellica IN system transmits all personal data using TLS encryption and stores the data in the encrypted database. The Atellica IN system does not process or store Personal Health Information (PHI).



Figure 1 Atellica IN Network Diagram


Network Information

The Atellica IN system requires three static IP addresses, which the customer provides, for the Controller PC, the RFID Printer, and the RFID Reader. See the table below to view the system ports.

Port number | Service/Function | Direction | Protocol
9100 | sLIMControllerService to RFID Printer | Outbound | LPDP
5084 | sLIMControllerService to RFID Reader | Outbound | LLRP
443 | Atellica Inventory Manager Service to Atellica IN server | Outbound | HTTPS
443 | sLIMControllerService to Atellica IN server | Outbound | HTTPS
80 (OPTIONAL) | sLIMControllerService connection to update the Certificate Revocation List (CRL) | Outbound | HTTP
12201 | sLIMControllerService with RFID Handheld scanner | Inbound | HTTP
12203 | Atellica Inventory Manager Service with RFID Handheld scanner | Inbound | HTTP
30101 | i2i Agent Smart Remote Services (SRS) File Transfer | Inbound | i2i
20001 | i2i Agent to Lab Connectivity Manager (LCM) | Outbound | i2i
5938 | TeamViewer (SRS) | Inbound | TeamViewer

Table 1 Atellica IN Controller network ports and services

Remote connectivity to the Atellica IN Controller is enabled only through the LCM (Lab Connectivity Manager) PC. This LCM PC needs to be set up in the customer lab. The LCM PC is connected to the SRS server over the internet using VPN over HTTPS.

Atellica IN Controller Computer Communications

While most of the RFID hardware uses a LAN connection, Siemens can configure the RFID Handheld scanner to meet the laboratory's infrastructure using wireless or Ethernet connectivity.

• Wireless: Transmits information wirelessly to the Atellica IN Controller using HTTP or HTTPS.
• Ethernet: Transmits information through a wired Ethernet connection to the laboratory-provided computer when docked in an Ethernet-connected cradle.

Figure 1 shows how the encrypted communication is implemented between the Atellica IN Controller and the Siemens server when using Siemens eCommerce.

Inventory Management

Inventory ordering, management, and reporting functions are accessible from any Internet-connected computer with a supported web browser (Firefox, Internet Explorer, or Chrome).

E-Commerce

Siemens can configure the Atellica IN Server to communicate an order via email. Also, the Atellica IN system can directly interact with Siemens order systems for all Siemens products. Availability is dependent on the country implementation.


Atellica IN Controller

Each laboratory site will have a customer-designated PC known as the Controller PC located on the customer network that has access to the internet through a secure HTTPS protocol. The Controller software should be installed on a PC that does not have any access to Patient Health Information. Also, the RFID devices are attached to the same network.

The Controller PC channels all inventory transaction data that the RFID devices generate to the Atellica IN Server through a secure internet connection and sends needed data from the server to the devices. One Controller PC can support one or more of each RFID device type. A customer can have more than one Controller PC in use to provide redundancy via manual switching, in case of any network system failures.

The Atellica IN system requires that the Controller PC be given a static IP address. Provide the static IP address either by reserving an IP address for the Controller PC's MAC address in the network infrastructure so that the address can be assigned to the Controller PC via DHCP, or by directly configuring the IP address in the Controller PC.

There is a controller configuration application that identifies which devices are associated with the Atellica IN Controller, the devices' IP addresses, the customer's Atellica IN system URL, etc. The customer must have Administrator rights on the PC to operate this application.

The Atellica IN controller software operates as a background service on the Controller PC and generates log files that record all interactions between the Controller software and the RFID devices and between the Controller software and the Atellica IN server. Send the log files to Siemens Support for troubleshooting any communication or configuration issues.

RFID Devices

The RFID Devices are the RFID Printer, the RFID Reader (with up to 4 attached RFID antennas), and the RFID handheld scanner.

The RFID Printer and Reader connect to the network via RJ45 Ethernet connections. The RFID handheld scanner can be configured to operate over a wireless network, or to transmit data when docked in an Ethernet-connected cradle.

RFID Printer

The RFID printer prints RFID labels that are affixed to each inventory item when an order arrives.

The Atellica IN system requires that the printer has a static IP address. Create the static IP address by reserving an IP address for the printer's MAC address in the network infrastructure so that the address can be assigned to the printer via DHCP, or by directly configuring the IP address in the printer using the control panel located on the front of the printer.

RFID Reader and Antennas

The RFID Reader channels information from RFID labels that the RFID Antenna(s) read back to the Atellica IN Controller software, which then channels the information to the Atellica IN Server. One Reader can have 4 RFID antennas attached to it using coaxial cabling included in the Atellica IN system kit. The antenna(s) are wall or ceiling mounted at strategic locations in the lab or waste disposal area to record the inventory consumption. Any RFID-labeled item passing within the range of an antenna registers as being consumed. Adjust the strength of the RFID Antenna signal as needed so that optimal label reading occurs.

The Atellica IN system requires that the RFID reader has a static IP address. Create the static IP address by reserving an IP address for the reader's MAC address in the network infrastructure so that the address can be assigned to the reader via DHCP, or by directly configuring the IP address in the reader. Use a web-based control panel to configure the RFID reader.

RFID Handheld scanner

The RFID handheld scanner scans inventory items into storage locations, scans a storage location to count inventory items, and scans inventory items out of storage. The customer can configure the handheld scanner to operate over a local wireless network. If a wireless network is not available, the handheld scanner will transmit data when docked in an Ethernet-connected cradle.

Optimal performance of the handheld scanner in wireless mode requires a wireless signal strength of at least -60db. The handheld scanner creates a profile for a wireless network that includes the wireless network SSID and PSK. If required, Siemens Support personnel can instruct Lab IT personnel to configure the wireless profile.


Security Controls

Malware Protection

The Atellica IN system software does not include a virus protection solution. Siemens recommends that you install and maintain virus protection software on the systems that include the product software. Deploy virus definition and signature updates as the vendor makes them available through the virus protection software.

Siemens recommends installing and maintaining an application white-listing solution on the systems on which the product software is installed.

For white-listing purposes, all product executable files are located in the installation folder specified during product setup, in the following installation folder paths.

• Atellica IN Controller: C:\Program Files\Siemens Healthineers\Atellica Inventory Manager\Controller
• sLIM Controller: C:\Program Files (x86)\Atos IT Solutions and Services\sLIM Controller
• PostgreSQL: C:\Program Files\PostgreSQL\9.6

SRS Folder Paths

• i2i Agent: C:\Program Files\Siemens\i2i Agent
• LCM i2i Manager: C:\Program Files\Siemens Healthineers\Atellica Inventory Manager\LCM i2i Manager
• TeamViewer: C:\Program Files\Siemens Healthineers\Atellica Inventory Manager\TeamViewer

Log File Paths

• Atellica IN Controller: C:\ProgramData\Siemens Healthineers\Atellica Inventory Manager\Logs
• sLIM Controller: C:\Program Files (x86)\Atos IT Solutions and Services\sLIM_Logs
• PostgreSQL: C:\Program Files\PostgreSQL\9.6\data\pg_log
• Installer: C:\ProgramData\Siemens Healthineers\Atellica Inventory Manager\Logs

SRS Log File Paths

• i2i Agent: C:\Program Files\Siemens\i2i Agent\Log
• LCM i2i Manager: C:\ProgramData\Siemens Healthineers\Atellica Inventory Manager\Logs

To counter potential security attacks, the Atellica IN Server includes a baseline security configuration that follows best practices (BSI, OWASP, and Microsoft) for secure web application development and deployment.

Authentication and Authorization Controls

The Atellica IN system provides user roles based on an authorization scheme for the following user groups:

• Atellica IN system Administrator
• Order Approver
• Lab Manager
• Lab User
• Controller, Accounting, Management

Administrator: Administers workflows, account data (user IDs/passwords), and configuration data (for example, rules) and creates report templates.

Approver: Approves/changes orders and views inventory.

Manager: Creates and changes orders, creates new products and vendors, and manages inventory.

User: Checks in and checks out goods, views inventory and orders, executes pre-defined and custom reports.

Observer: Views inventory and views orders.

A facility is given one Administrator account during initial setup. Siemens recommends that the facility create at least one additional Administrator account as a backup. A user must belong to at least one role but can have multiple roles assigned to himself or herself.


Table 2: User groups and roles

User Group | Atellica IN System Role
Atellica IN system Administrator | Administrator
Order Approver | Approver
Laboratory Manager | Manager
Laboratory User | User
Controller, Accounting, Management | Observer

User Authentication on Handheld scanners

For security and auditing purposes, the Atellica IN system offers authentication on the Handheld scanners, which the customer configures in the web application. The authentication is valid for all Handheld scanners that the site uses. A login window appears on the Handheld scanner when the Atellica IN system starts. The user must select his or her username from a drop-down list and enter a PIN.

NOTE: User Authentication on the handheld scanners can be enabled or disabled. Siemens recommends enabling this feature for an effective audit trail.

OS Hardening

To counter potential security attacks, the Atellica IN Server is configured with a baseline security configuration that follows best practices (BSI, OWASP, and Microsoft) for secure web application development and deployment.

• Datacenter: ISO27001:2013, ISO20000, ISO9001, ISO14001, TUEV Level 3, EN500001
• Server Security Baseline
• Vulnerability scanning with remediation management

Network Controls

The Atellica IN Controller software does not include a host-based firewall installation. Siemens recommends installing and maintaining a host-based firewall on the systems that include the product software. Configure the firewall to block all incoming and outgoing connections other than those the product requires (see Network ports and services in Table 1).

All network communications between the Atellica IN Controller software and server software components are encrypted.

The customer owns the Atellica IN Controller PC that is located inside the customer's network environment and is responsible for security of this PC including:

• Firewall settings
• Network security
• Wi-Fi security
• Latest security patches
• Up to date virus and malware protection

Communication security on the Atellica IN system is based on the standard secured information transport protocol, Transport Layer Security (TLS), and is included in all Atellica IN Server communication channels.

Physical Protection

The Atellica IN Servers are hosted in a cloud based infrastructure within the highly secure Siemens data center.

The Atellica IN Controller PC resides with the customer. The customer is responsible for any physical protection mechanisms that secure the product software systems.

Data Protection Controls

For security reasons, there is a configurable timeout (10 minutes is the default) on the Handheld scanner and the Handheld scanner application. Atellica Inventory Manager automatically signs out inactive users if idle for the default period and redirects the users to the login page on the RFID handheld scanner application.

The Atellica IN system encrypts any outgoing communication from the Customer network based on the standard secured information transport protocol, Transport Layer Security (TLS).

The Atellica IN system protects server data via regular backups and an encrypted database.
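The host-based firewall recommendation in Network Controls, applied on the Controller PC with rules derived from Table 1, as an added example that is not part of the white paper or Siemens' software. It assumes Windows 10 or Server 2012 R2 (the NetSecurity cmdlets are not available on Windows 7, where netsh advfirewall would be used instead), TCP for every listed service since the table states no transport, that SRS traffic reaches the Controller only from the LCM PC as the Network Information section states, and placeholder addresses that the site replaces with its reserved static IPs.

```powershell
#Requires -RunAsAdministrator
# Added example (not Siemens code): host firewall rules for the Atellica IN Controller PC
# that allow only the connections in Table 1 of the white paper and deny everything else.
# Assumptions: Windows 10 / Server 2012 R2 (NetSecurity module), TCP for every listed
# service, SRS traffic only from the LCM PC, and the placeholder addresses below.

$RfidPrinter = '192.0.2.10'    # placeholder: static IP reserved for the RFID printer
$RfidReader  = '192.0.2.11'    # placeholder: static IP reserved for the RFID reader
$HandheldNet = '192.0.2.0/24'  # placeholder: lab subnet the RFID handheld scanner uses
$LcmPc       = '192.0.2.20'    # placeholder: Lab Connectivity Manager (LCM) PC
$Prefix      = 'Atellica IN - '

# One entry per row of Table 1; both 443 rows share one outbound rule. The remote scope is
# an added restriction the table does not spell out; narrowing it is the point of a host firewall.
$rules = @(
    @{ Name = 'RFID Printer (LPDP)';                     Dir = 'Outbound'; Port = 9100;  Remote = $RfidPrinter }
    @{ Name = 'RFID Reader (LLRP)';                      Dir = 'Outbound'; Port = 5084;  Remote = $RfidReader }
    @{ Name = 'Atellica IN server (HTTPS)';              Dir = 'Outbound'; Port = 443;   Remote = 'Any' }
    @{ Name = 'CRL update (HTTP, optional)';             Dir = 'Outbound'; Port = 80;    Remote = 'Any' }
    @{ Name = 'sLIMControllerService from Handheld';     Dir = 'Inbound';  Port = 12201; Remote = $HandheldNet }
    @{ Name = 'Inventory Manager Service from Handheld'; Dir = 'Inbound';  Port = 12203; Remote = $HandheldNet }
    @{ Name = 'i2i Agent SRS file transfer';             Dir = 'Inbound';  Port = 30101; Remote = $LcmPc }
    @{ Name = 'i2i Agent to LCM';                        Dir = 'Outbound'; Port = 20001; Remote = $LcmPc }
    @{ Name = 'TeamViewer (SRS)';                        Dir = 'Inbound';  Port = 5938;  Remote = $LcmPc }
)

# Remove rules from an earlier run so the script is idempotent.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $rules) {
    $params = @{
        DisplayName   = $Prefix + $r.Name
        Direction     = $r.Dir
        Action        = 'Allow'
        Protocol      = 'TCP'
        RemoteAddress = $r.Remote
        Profile       = 'Domain,Private'   # never expose the service ports on the Public profile
    }
    # Inbound rules match on the local listening port, outbound rules on the remote service port.
    if ($r.Dir -eq 'Inbound') { $params.LocalPort = $r.Port } else { $params.RemotePort = $r.Port }
    New-NetFirewallRule @params | Out-Null
}

# Default-deny in both directions, as the Network Controls section recommends. Add explicit
# outbound rules for Windows Update and the AV signature source before this step, otherwise
# the OS patching the customer is responsible for will silently stop working.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Block

# Verify the resulting rule set: one line per rule with its port and remote scope.
Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        LocalPort  = $port.LocalPort
        RemotePort = $port.RemotePort
        Remote     = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```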



Auditing/Logging

The Atellica Inventory Manager system logs all ordering, delivery, and inventory events including configuration changes, into the Atellica IN server log file.

Every audit log record contains the following information:

• Audit log identification number

• Category— such as System, Objects, Workflows, and Jobs

• Name—name of activity (e.g. login, update, failed)

• Severity—info | warning | error

• Message—log text

• Context—the context of change (e.g. object type, web service name)

• Creation Time

• User Name

Audit Log Data Retention

Audit logs are available on the Atellica IN Server for 7 days.

Siemens recommends that you regularly review the product audit log to identify potential security anomalies.
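The white paper gives no export format for the server audit log, so the following added example (not part of the white paper or Siemens' software) assumes it has been exported as CSV with one column per field listed above, constructs a few records in that shape, and runs the kind of review pass the recommendation calls for: failed-login bursts per user, configuration and account changes outside lab hours, and error-severity events. Column names, thresholds and every record are assumptions; with the 7-day retention stated above, exports have to be taken at least weekly for the review to cover every day.

```powershell
# Added example (not Siemens code): a review pass over an Atellica IN Server audit log export.
# Assumption: the log has been exported as CSV with one column per field the white paper
# lists (Id, Category, Name, Severity, Message, Context, CreationTime, UserName). Column
# names, the date format, the thresholds and every record below are constructed.
$SampleExport = @'
Id,Category,Name,Severity,Message,Context,CreationTime,UserName
1001,System,login,info,User logged in,WebService:Auth,2018-10-02T08:01:10,lab.user1
1002,System,failed,warning,Login failed,WebService:Auth,2018-10-02T08:05:31,lab.user2
1003,System,failed,warning,Login failed,WebService:Auth,2018-10-02T08:06:02,lab.user2
1004,System,failed,warning,Login failed,WebService:Auth,2018-10-02T08:06:40,lab.user2
1005,System,failed,warning,Login failed,WebService:Auth,2018-10-02T08:07:15,lab.user2
1006,Workflows,update,info,Reorder rule changed,ObjectType:Rule,2018-10-02T23:41:05,lab.user3
1007,Objects,update,info,Product updated,ObjectType:Product,2018-10-02T10:12:44,lab.manager
1008,Objects,delete,info,User account deleted,ObjectType:User,2018-10-03T02:15:00,lab.user3
1009,Jobs,update,error,Order job failed,WebService:Order,2018-10-02T11:00:00,system
'@

function Get-AuditAnomalies {
    param(
        [Parameter(Mandatory)] [string]$CsvText,
        [int]$FailedLoginThreshold = 3,   # failed logins per user that count as a burst
        [int]$WindowMinutes = 10,         # ...within this many minutes
        [int]$BusinessStartHour = 7,      # local lab hours; tune per site
        [int]$BusinessEndHour = 19
    )
    # Parse the export and add a real DateTime so records can be sorted and compared.
    $records = $CsvText | ConvertFrom-Csv | ForEach-Object {
        $_ | Add-Member -NotePropertyName Time -NotePropertyValue ([datetime]$_.CreationTime) -PassThru
    }
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Failed-login bursts: threshold or more 'failed' records for one user inside the
    #    window (sliding window over the sorted timestamps; one finding per user).
    $records | Where-Object { $_.Category -eq 'System' -and $_.Name -eq 'failed' } |
        Group-Object UserName | ForEach-Object {
            $times = @($_.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
            for ($i = 0; $i + $FailedLoginThreshold - 1 -lt $times.Count; $i++) {
                $span = $times[$i + $FailedLoginThreshold - 1] - $times[$i]
                if ($span.TotalMinutes -le $WindowMinutes) {
                    $findings.Add([pscustomobject]@{
                        Rule     = 'FailedLoginBurst'
                        UserName = $_.Name
                        Detail   = "$FailedLoginThreshold failed logins within $([int]$span.TotalMinutes) min starting $($times[$i])"
                    })
                    break
                }
            }
        }

    # 2. Configuration or account changes outside lab hours: the Workflows and Objects
    #    categories cover rules, products, vendors and user accounts.
    $records | Where-Object {
        ($_.Category -in @('Workflows', 'Objects')) -and ($_.Name -in @('update', 'delete')) -and
        ($_.Time.Hour -lt $BusinessStartHour -or $_.Time.Hour -ge $BusinessEndHour)
    } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Rule     = 'AfterHoursChange'
            UserName = $_.UserName
            Detail   = "$($_.Name) on $($_.Context) at $($_.Time): $($_.Message)"
        })
    }

    # 3. Error-severity records: operational failures belong in the same review pass.
    $records | Where-Object { $_.Severity -eq 'error' } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Rule     = 'ErrorEvent'
            UserName = $_.UserName
            Detail   = "$($_.Category)/$($_.Name): $($_.Message) at $($_.Time)"
        })
    }
    return $findings
}

# Run the review over the constructed sample.
Get-AuditAnomalies -CsvText $SampleExport | Format-Table -AutoSize
```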

Remote Connectivity

Atellica IN Controller PC supports remote connectivity via SRS (Smart Remote Services).

Siemens Service Personnel establish a remote connection to the Customer Controller PC via the TeamViewer application. The TeamViewer connection with the Controller PC is secured using the RSA public/private key exchange and AES (256-bit) session encryption. The customer must launch TeamViewer and provide the TeamViewer session password (a unique 4-digit password) to Siemens Service Personnel. The remote connection exists until the session ends. The customer can end a session at any time.


Software Bill of Materials

The following table comprises the most relevant third party technologies the Atellica IN Controller Software uses. Siemens supplies the following software with the Atellica IN Controller software installation.

Vendor name | Component name | Component version | Description/use
Microsoft | .NET Framework | 4.5.2 or later | Prerequisite for the Atellica IN Controller Software running on the customer-provided Controller PC
Microsoft | Windows Mobile Device Center | 6.1.6965 | Facilitates communication between the Handheld scanner and the Controller PC (requires Microsoft .NET Framework 3.5)
PostgreSQL | PostgreSQL | 9.6.5-1-windows-x64 | Database management; allows the local database on the Controller PC to persist the controller software configuration
TeamViewer | TeamViewer | 10.0 | Provides remote control functionality

The customer is responsible for maintaining the .NET Framework, installing applicable security updates (including security hardening of the operating system configuration), keeping virus and malware protection up to date, and maintaining the network (refer to the network ports and services in Table 1 and the network diagram in Figure 1).


Manufacturer Disclosure Statement according to IEC60601-1

Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1) Network properties required by the system and resulting risks

1-1. The Atellica IN system requires internet connectivity to the Atellica IN Server. This connection is secure. Any internet connection can expose the system to previously unidentified security risks from external sources. Siemens recommends that customers apply best practices in network security to secure and limit connection risks.

1-2. The Atellica IN system requires certain ports to be enabled to communicate with the Atellica IN Server and the RFID devices and for Remote Connectivity (SRS). This requirement can expose the system to previously unidentified security risks. Siemens recommends that customers apply compensating controls to mitigate the risks.

2) Instructions for the responsible organization

2-1. The Atellica IN system is a software product to be deployed on a customer-supplied computer in a customer-controlled environment. Siemens recommends that the customer applies best practices in security to harden the host computer and its Operating System and uses proper measures in network security, physical security, and security processes.

2-2. The Atellica IN system stores Personally Identifiable Information (PII). Siemens service personnel may request troubleshooting sessions with customer consent. During a remote troubleshooting session, it is possible for personal data to be transmitted out of the customer premises. All Siemens service personnel are trained under the Siemens Privacy Policy, which complies with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable regulations on proper management of PII and Protected Health Information (PHI). As the data owner, the customer is responsible for ensuring compliance with applicable privacy regulations. Sensitive data such as PII is stored in the Atellica IN Server with encryption.

3) Risks and hazardous situations

The Atellica IN system is not a medical device and there is no patient health information processed or stored in the Atellica IN system. There is no risk to patient health or device operators.


HN 1-2013

Manufacturer Disclosure Statement for Medical Device Security – MDS2

DEVICE DESCRIPTION

Device Category: Inventory Management
Manufacturer: Siemens Healthineers
Document ID: (blank)
Document Release Date: September, 2018
Device Model: Atellica IN®
Software Revision: Software v 1.0
Software Release Date: October, 2018
Manufacturer or Representative Contact Information: Siemens Healthcare GmbH
Manufacturer Contact Information: See last page
Representative Name/Position: For contact information, see last page

Intended use of device in network-connected environment: The Atellica IN system is a lab productivity application to support the management of laboratory consumable inventory using cloud and RFID technologies. It includes a web-based user interface to enable Atellica IN system customers to manage their laboratory's inventory cycle. The Atellica IN system interacts within the customer's network for managing inventory transactions within the laboratory. It also requires access to the internet for order and inventory management.

MANAGEMENT OF PRIVATE DATA

Answers are Yes, No, N/A, or # (see NOTE). Refer to Section 2.3.2 of the HIMSS/NEMA HN 1-2013 standard for the proper interpretation of the information requested in this form.

A. Can this device display, transmit, or maintain private data (including electronic Protected Health Information [ePHI])? No
B. Types of private data elements that can be maintained by the device: No
B.1 Demographic (e.g., name, address, location, unique identification number)? No
B.2 Medical record (e.g., medical record #, account #, test or treatment date, device identification number)? No
B.3 Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)? No
B.4 Open, unstructured text entered by device user/operator? No
B.5 Biometric data? No
B.6 Personal financial information? No
C. Maintaining private data - Can the device:
C.1 Maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)? No
C.2 Store private data persistently on local media? No
C.3 Import/export private data with other systems? No
C.4 Maintain private data during power service interruptions? No
D. Mechanisms used for the transmitting, importing/exporting of private data – Can the device:
D.1 Display private data (e.g., video display, etc.)? No
D.2 Generate hardcopy reports or images containing private data? No
D.3 Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)? No
D.4 Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)? No
D.5 Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)? No
D.6 Transmit/receive private data via an integrated wireless network connection (e.g., Wi-Fi, Bluetooth, infrared, etc.)? No
D.7 Import private data via scanning? No
D.8 Other? No

Management of private data NOTEs: (none)

© Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society.


SECURITY CAPABILITIES Yes, No, Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in N/A, or this form. See # NOTE NOTE 1 AUTOMATIC LOGOFF (ALOF) The device's ability to prevent access and misuse by unauthorized users if the device is left idle for a period of time.

1-1 Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? ...... Yes 1-1.1 Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? (Indicate time [fixed or configurable range] in NOTEs.) ...... Yes 1 1-1.2 Can auto-logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) by the user? ...... Yes 1 – The customer cannot configure the length of inactivity time for the website. The website administrator configures the ALOF inactivity time. The length of inactivity time before automatic log off is 15 minutes. The customer determines the length of NOTEs: inactivity time for the Controller PC. 2 AUDIT CONTROLS (AUDT)

The ability to reliably audit activity on the device.

2-1 Can the medical device create an audit trail? ...... Yes
2-2 Indicate which of the following events are recorded in the audit log:
2-2.1 Login/logout ...... See NOTE 2
2-2.2 Display/presentation of data ...... No
2-2.3 Creation/modification/deletion of data ...... Yes (NOTE 3)
2-2.4 Import/export of data from removable media ...... See NOTE 4
2-2.5 Receipt/transmission of data from/to external (e.g., network) connection ...... Yes
2-2.5.1 Remote service activity ...... Yes
2-2.6 Other events? (describe in the NOTEs section) ...... See NOTE 5
2-3 Indicate what information identifies individual events recorded in the audit log:
2-3.1 User ID ...... Yes
2-3.2 Date/time ...... Yes

NOTEs:
2 – Auditing records only the user login.
3 – Products: create/modify. Users: create/modify/delete. Locations: create/modify/delete. Siemens vendor: create/modify. Non-Siemens vendor: create/modify/delete. Labs: create/modify/delete.
4 – Audit of initial configuration import.
5 – Hardware (printer, reader, antenna, handheld scanner) monitoring events.

3 AUTHORIZATION (AUTH)

The ability of the device to determine the authorization of users.

3-1 Can the device prevent access to unauthorized users through user login requirements or other mechanism? ...... Yes
3-2 Can users be assigned different privilege levels within an application based on 'roles' (e.g., guests, regular users, power users, administrators, etc.)? ...... Yes
3-3 Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via the local root or admin account)? ...... No

NOTEs:

© Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society.

HN 1-2013 Atellica IN Software Security White Paper

Device Category | Manufacturer | Document ID | Document Release Date
Inventory Management | see last page | | September, 2018

Device Model | Software Revision | Software Release Date
Atellica® IN Software | v 1.0 | October, 2018

4 CONFIGURATION OF SECURITY FEATURES (CNFS)

The ability to configure/re-configure device security capabilities to meet users’ needs.

4-1 Can the device owner/operator reconfigure product security capabilities? ...... No (NOTE 6)

NOTEs:
6 – Only the service can reconfigure the security capabilities.

5 CYBER SECURITY PRODUCT UPGRADES (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade the device's security patches.

5-1 Can relevant OS and device security patches be applied to the device as they become available? ...... Yes (NOTE 7)
5-1.1 Can security patches or other software be installed remotely? ...... No

NOTEs:
7 – The customer is responsible for patching the OS of the customer-supplied Atellica IN Controller PC. Atellica IN Service Support will deploy, or recommend deploying, the applicable security patches for the devices.

6 HEALTH DATA DE-IDENTIFICATION (DIDT)

The ability of the device to directly remove information that allows identification of a person.

6-1 Does the device provide an integral capability to de-identify private data? ...... N/A (NOTE 8)

NOTEs:
8 – The Atellica IN system does not maintain private data.

7 DATA BACKUP AND DISASTER RECOVERY (DTBK)

The ability to recover after damage or destruction of device data, hardware, or software.

7-1 Does the device have an integral data backup capability (i.e., backup to remote storage or removable media such as tape, disk)? ...... Yes (NOTE 9)

NOTEs:
9 – The Atellica IN Servers are virtual. Server and database backups occur frequently to prevent data loss. The hardware of the VMware farm is separated geographically over 2 datacenters, and the VMware farm remains available even if 1 datacenter is destroyed. Additionally, the servers have a database backup and a server image backup of the whole servers. The server image backup is sent to remote storage that mirrors the backup over the 2 datacenters.
Server backup frequency: daily incremental, 1x full/week.
Database backup frequency:
Full backup of all databases: occurs every week on Sunday.
Differential backup of all databases: occurs every week on Monday, Tuesday, Wednesday, Thursday, Friday, Saturday.
Database transaction backup of all databases: occurs daily, every hour.

8 EMERGENCY ACCESS (EMRG)
The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data.

8-1 Does the device incorporate an emergency access ("break-glass") feature? ...... No

NOTEs:

9 HEALTH DATA INTEGRITY AND AUTHENTICITY (IGAU)
How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is received from the originator.

9-1 Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology? ...... See NOTE 10

NOTEs:
10 – The Atellica IN system does not process or store any health data. The data is stored in an encrypted database that has page-level error detection.


10 MALWARE DETECTION/PROTECTION (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).

10-1 Does the device support the use of anti-malware software (or other anti-malware mechanism)? ...... Yes (NOTE 11)
10-1.1 Can the user independently re-configure anti-malware settings? ...... N/A (NOTE 12)
10-1.2 Does notification of malware detection occur in the device user interface? ...... No (NOTE 13)
10-1.3 Can only manufacturer-authorized persons repair systems when malware has been detected? ...... No (NOTE 14)
10-2 Can the device owner install or update anti-virus software? ...... Yes
10-3 Can the device owner/operator (technically/physically) update virus definitions on manufacturer-installed anti-virus software? ......

NOTEs:
11-14 – The Atellica IN Controller PC is a Windows-based PC. The PC administrator can independently deploy any Windows-based security patch. The Atellica IN system handheld application is hosted on a Windows CE based OS. Security patches can be independently deployed on the handheld devices.

11 NODE AUTHENTICATION (NAUT)
The ability of the device to authenticate communication partners/nodes.

11-1 Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information? ...... No (NOTE 15)

NOTEs:
15 – The Atellica IN system software does not include an integrated endpoint authentication/authorization mechanism. The use of a firewall is strongly recommended in order to ensure the security of the system.

12 PERSON AUTHENTICATION (PAUT)
The ability of the device to authenticate users.

12-1 Does the device support user/operator-specific username(s) and password(s) for at least one user? ...... Yes
12-1.1 Does the device support unique user/operator-specific IDs and passwords for multiple users? ...... Yes
12-2 Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)? ...... No (NOTE 16)
12-3 Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts? ...... See NOTE 17
12-4 Can default passwords be changed at/prior to installation? ...... Yes
12-5 Are any shared user IDs used in this system? ...... No
12-6 Can the device be configured to enforce creation of user account passwords that meet established complexity rules? ...... Yes
12-7 Can the device be configured so that account passwords expire periodically? ...... Yes

NOTEs:
16 – Authentication/authorization is enforced using Atellica IN system user accounts that must be defined in the Atellica IN system web application.
17 – The handheld scanner device cannot be configured to lock out a user after failed login attempts, but the web application always locks a user out after 3 failed login attempts.

13 PHYSICAL LOCKS (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media.

13-1 Are all device components maintaining private data (other than removable media) physically secure (i.e., cannot be removed without tools)? ...... N/A (NOTE 18)

NOTEs:
18 – The Atellica IN system is a software product intended to be installed on a customer-maintained system. The product does not include physical locks. The product does not maintain private data.


14 ROADMAP FOR THIRD PARTY COMPONENTS IN DEVICE LIFE CYCLE (RDMP)

Manufacturer’s plans for security support of 3rd party components within device life cycle.

14-1 In the NOTEs section, list the provided or required (separately purchased and/or delivered) operating system(s), including version number(s). ......
14-2 Is a list of other third party applications provided by the manufacturer available? ...... Yes

NOTEs:
The Atellica IN system provides the Microsoft Windows CE 5.0 OS with the RFID handheld scanner. A Microsoft Windows OS (Windows 7, Windows 10, or Windows 2012) is required.

15 SYSTEM AND APPLICATION HARDENING (SAHD)
The device's resistance to cyber attacks and malware.

15-1 Does the device employ any hardening measures? Please indicate in the NOTEs the level of conformance to any industry-recognized hardening standards. ...... No
15-2 Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update? ...... No (NOTE 19)
15-3 Does the device have external communication capability (e.g., network, modem, etc.)? ...... Yes (NOTE 20)
15-4 Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)? ...... Yes
15-5 Are all accounts that are not required for the intended use of the device disabled or deleted, for both users and applications? ...... N/A (NOTE 21)
15-6 Are all shared resources (e.g., file shares) that are not required for the intended use of the device disabled? ...... N/A (NOTE 21)
15-7 Are all communication ports that are not required for the intended use of the device closed/disabled? ...... N/A (NOTE 21)
15-8 Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.) that are not required for the intended use of the device deleted/disabled? ...... N/A (NOTE 21)
15-9 Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) that are not required for the intended use of the device deleted/disabled? ...... N/A (NOTE 21)
15-10 Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? ...... N/A (NOTE 21)
15-11 Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools? ...... N/A (NOTE 21)

NOTEs:
19 – The Atellica IN system installer is checksum protected. The binaries are not signed. Use of a whitelisting solution is strongly recommended to enhance system security.
20 – The Atellica IN controller software communicates with the Atellica IN Server over the internet. The handheld scanner communicates with the controller software over the site network.
21 – The Atellica IN system is a software product intended for use on customer-maintained systems. Disabling of accounts, services, ports and applications is at the discretion of the customer. See the product security whitepaper for details.

16 SECURITY GUIDANCE (SGUD)

The availability of security guidance for operator and administrator of the system and manufacturer sales and service.

16-1 Are security-related features documented for the device user? ...... Yes
16-2 Are instructions available for device/media sanitization (i.e., instructions for how to achieve the permanent deletion of personal or other sensitive data)? ...... No (NOTE 22)

NOTEs:
22 – The customer maintains all data storage media that the product uses. The customer is expected to provide the instructions for how to permanently delete application data.

17 HEALTH DATA STORAGE CONFIDENTIALITY (STCF)
The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on the device or removable media.

17-1 Can the device encrypt data at rest? ...... Yes (NOTE 23)

NOTEs:
23 – The Atellica IN controller software product is intended to be installed on a customer-maintained system. The product does not include physical locks. The controller software does not maintain or store any private data. The Atellica IN Server stores PII about application users in encrypted storage on the server.

18 TRANSMISSION CONFIDENTIALITY (TXCF)
The ability of the device to ensure the confidentiality of transmitted private data.

18-1 Can private data be transmitted only through a point-to-point dedicated cable? ...... N/A (NOTE 24)
18-2 Is private data encrypted prior to transmission through a network or removable media? (If yes, indicate in the NOTEs which encryption standard is implemented.) ...... N/A (NOTE 25)
18-3 Is private data transmission restricted to a fixed list of network destinations? ...... N/A (NOTE 26)

NOTEs:
24-26 – The Atellica IN system does not transmit any private data.

19 TRANSMISSION INTEGRITY (TXIG)
The ability of the device to ensure the integrity of transmitted private data.

19-1 Does the device support any mechanism that is intended to ensure data is not modified during transmission? (If yes, describe in the NOTEs section how this is achieved.) ...... Yes (NOTE 27)

NOTEs:
27 – All communication between the Atellica IN server and the Atellica IN Controller software occurs using HTTPS. The communication between the Atellica IN Controller software and the server is secured with the TLS 1.1 or 1.2 protocol. The Atellica IN system does not maintain private data.

20 OTHER SECURITY CONSIDERATIONS (OTHR)
Additional security considerations/NOTEs regarding medical device security.

20-1 Can the device be serviced remotely? ...... Yes
20-2 Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)? ...... Yes (NOTE 28)
20-2.1 Can the device be configured to require the local user to accept or initiate remote access? ...... Yes

NOTEs:
28 – Siemens Service personnel can connect to the Atellica IN Controller PC using the Siemens Remote Service (SRS) application. This connection is encrypted, and an Atellica IN system user must authorize the encrypted connection each time the service person wants to connect. The customer must open specific network ports on the firewall to enable the SRS remote connection feature. The details are available in the Network Information section of this document (see the i2iAgent and TeamViewer services).


Abbreviations

Acronym Definition

AD Active Directory

AES Advanced Encryption Standard

BIOS Basic Input Output System

DES Data Encryption Standard

DISA Defense Information Systems Agency

DMZ Demilitarized Zone

DoS Denial of Service

ePHI Electronic Protected Health Information

FDA Food and Drug Administration

FIPS Federal Information Processing Standards

HHS Health and Human Services

HIPAA Health Insurance Portability and Accountability Act

HIMSS Healthcare Information and Management Systems Society

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol (HTTP) Secure

ICS Integrated Communication Services

IEC International Electrotechnical Commission

LDAP Lightweight Directory Access Protocol

MD5 Message Digest 5

MDS2 Manufacturer Disclosure Statement for Medical Device Security

MSTS Microsoft Terminal Server

NEMA National Electrical Manufacturers Association

NTP Network Time Protocol

OCR Office for Civil Rights

OU Organizational Unit


PHI Protected Health Information

PII Personally Identifiable Information

RPC Remote Procedure Call

SAM Security Accounts Manager

SHA Secure Hash Algorithm

SQL Structured Query Language

SRS Smart Remote Services

SW Software

TCP Transmission Control Protocol

UltraVNC Ultra Virtual Network Computing

UDP User Datagram Protocol

VPN Virtual Private Network


Disclaimer according to IEC 80001-1

1-1 The Device has the capability to be connected to a medical IT-network that the operating responsible organization manages. It is assumed that the responsible organization assigns a Medical IT-Network Risk Manager to perform IT-Risk Management (see IEC 80001-1:2010/EN 80001-1:2011) for IT-networks incorporating medical devices.

1-2 This statement describes Device-specific IT-networking safety and security capabilities. It is not a responsibility agreement according to IEC 80001-1:2010/EN 80001-1:2011.

1-3 Any modification of the platform, the software, or the interfaces of the Device - unless authorized and approved by Siemens Healthcare GmbH - voids all warranties, liabilities, assertions, and contracts.

1-4 The responsible organization acknowledges that the Device's underlying standard computer with the operating system is to some extent vulnerable to typical attacks like e.g. malware or denial-of-service.

1-5 Unintended consequences (e.g. data misuse/loss/corruption) are not under the control of the Device. The responsible organization is accountable for the Device electronic communications to an IT-network or to storage.

1-6 Unauthorized use of external connections or storage media can cause hazards regarding the availability and information security of all components of the medical IT-network. The responsible organization must ensure - through technical and/or organizational measures - that only authorized use of the external connections and storage media is permitted.

Statement on FDA Cybersecurity Guidance

Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients, and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements.

The representations contained in this whitepaper are designed to describe Siemens Healthineers' approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cybersecurity efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

International Electrotechnical Commission Glossary (extract)

Device

Responsible organization: Entity accountable for the use and maintenance of a medical IT-network

Siemens Healthineers Headquarters
Henkestr. 127
91052
Phone: +49 9131 84 0
Siemens Healthineers.com

Siemens Healthcare Diagnostics Inc.
Laboratory Diagnostics
511 Benedict Avenue
Tarrytown, NY 10591-5005
USA
Phone: +1 914-631-8000

Atellica is a trademark of Siemens Healthcare Diagnostics Inc. All other trademarks and brands are the property of their respective owners.