
Security and MDS Form: White Paper ACUSON Redwood Ultrasound System, Release VA10

The ACUSON Redwood ultrasound system's security white paper outlines Siemens Healthineers' commitment to addressing cybersecurity and privacy throughout the product lifecycle. It details the security measures implemented, including static code analysis, security testing, patch management, and compliance with relevant regulations. Additionally, it provides information on vulnerability management, data protection, and network security to ensure the integrity and confidentiality of patient data.


White paper

ACUSON Redwood ultrasound system, release VA10

Security and MDS2 Form


Facts about security and privacy requirements
[Link]/redwood
Product and solution security white paper · ACUSON Redwood VA10

The Siemens Healthineers product and solution security program

At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the product lifecycle of our medical devices.

Our program targets incorporating state-of-the-art cybersecurity in our current and future products. We seek to protect the security of your data while, at the same time, providing measures to strengthen the resiliency of our products from external cybersecurity attackers.

We comply with applicable security and privacy regulations from the US Department of Health and Human Services (HHS), including the Food and Drug Administration (FDA) and Office for Civil Rights (OCR), to help you meet your IT security and privacy obligations.

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our medical devices, no matter what the source.

Elements of our product and solution security program

• Providing information to facilitate secure configuration and use of our medical devices in your IT environment.
• Conducting formal threat and risk analysis for our medical devices.
• Incorporating secure architecture, design and coding methodologies in our software development process.
• Performing static code analysis of medical device software.
• Conducting security testing of medical devices under development as well as medical devices already in the field.
• Tailoring patch management to the medical device and depth of coverage chosen by you.
• Monitoring security vulnerability to track reported third party components issues in our medical devices.
• Working with suppliers to address security throughout the supply chain.
• Training of employees to provide knowledge consistent with their level of responsibilities regarding your data and device integrity.

Contacting Siemens Healthineers about product and solution security

Siemens Healthineers requests that any cybersecurity or privacy incidents are reported by email to: productsecurity@[Link]

For all other communication with Siemens Healthineers about product and solution security: [Link]@[Link]

Yours sincerely,

Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers


Contents

Basic Information
Network Information
Security Controls
Software Bill of Materials
Manufacturer Disclosure Statement According to IEC 60601-1
Manufacturer Disclosure Statement for Medical Device Security – MDS2
Abbreviations
Disclaimer According to IEC 80001-1
International Electrotechnical Commission Glossary (extract)
Statement on FDA Cybersecurity Guidance


Basic Information

Why is cybersecurity important?

Keeping patient data safe and secure typically should be one of the top priorities of healthcare institutions. It is estimated that the cost associated in the recovery of each medical record in the United States can be as high as $380.¹ According to the Ponemon Institute research report,² 39% of medical devices were hacked, with hackers able to take control of the device. Moreover, 38% of healthcare organizations said that their patients received inappropriate medical treatment because of an insecure medical device.

The Siemens Healthineers product security program

Cybersecurity is essential for digitalizing healthcare. At Siemens Healthineers, we build secure products, keep them protected throughout their lifecycle, and continuously refine our cybersecurity safeguards for every product generation. We communicate proactively about the security controls of our equipment. We inform about vulnerabilities and how we have addressed them. We deliver solutions that help keep the equipment as secure as possible. We follow the FDA’s post-market guidance and are aligned with industry best practices to continuously monitor all security-relevant components for newly identified vulnerabilities.

Foundation and purpose of the products

Our purpose is to help healthcare providers succeed. ACUSON Redwood™ Ultrasound system is the result of more than three decades of experience in ultrasound engineering. Meeting the demand for early detection, diagnosis and timely treatment of a variety of chronic diseases is tremendously challenging for a physician. Ultrasound imaging must enable answers to a breadth of important clinical questions – fast. To do that in the most accurate and reproducible way, the ACUSON Redwood system offers a comprehensive suite of advanced applications. To reduce system downtime, Siemens Healthineers provides a robust set of remote platforms and services designed to help you maximize system performance, stay secure and enhance uptime. Smart Remote Services (SRS), powered by eSieLink, is your rapid, secure connection to technical and clinical support.

Operating systems

Refer to the Software Bill of Materials chapter.

User account information

• ACUSON Redwood system VA10 software user accounts can be local Windows accounts, managed by the administrator of the system.
• A break-glass mechanism ensures access to the system in emergency scenarios.
• The system provides preconfigured Password Policies that can be customized by administrators.

Patching strategy

• Security patches will be provided on a regular basis after validation by Siemens Healthineers to maintain the clinical function of the medical device.
• If connected to Smart Remote Services (SRS), formerly Siemens Remote Service, updates will be pushed to the system automatically. They need to be confirmed/executed by the actual user.
• Alternatively, you can manually install updates by using the Siemens Healthineers ASU service provided in the LifeNet platform.
• Technologies and software components are actively monitored for vulnerabilities and availability of security updates.

¹ [Link]
² [Link]


Cryptography usage

The ACUSON Redwood system VA10 software uses ciphers and protocols built into Windows 10 for encryption and data protection. If needed, hardening measures limit usage to those that are at least FIPS 140-2-compliant.

Handling of sensitive data

• This ultrasound system is designed for temporary data storage only. Siemens Healthineers recommends storing patient data in a long-term archive, e.g., on a PACS, and data must be deleted using a facility-defined procedure.
• Protected Health Information (PHI) is temporarily stored on the ultrasound system, similar to DICOM data, raw data, and metadata for DICOM creation. Note: The time for which PHI is stored is determined by the facility.
• Personally Identifiable Information (PII) as part of the DICOM records is also temporarily stored on the ultrasound system, e.g., patient’s name, birthday or age, height and weight, personal identification number, and referring physician’s name. Additional sensitive information might be present in user-editable input fields or in the images acquired.
• Protected Health Information (PHI) is transmitted via DICOM (encrypted/unencrypted).


Network Information

[Figure 1: Security boundaries for system deployment. Zones shown: Ultrasound Machine, Clinical Network, Internet. Labelled elements: PACS/RIS, Network Share, Router, VPN, Remote Service Access Server, SRS (Smart Remote Services). Labelled flows: IN, OUT: DICOM; IN, OUT: DICOM, Smart Remote Services; OUT: TCP; IN, OUT: TCP, UCP.]

Siemens Healthineers recommends operating the ultrasound machine in a dedicated network segment (e.g., VLAN).

To minimize the risk of unauthorized network access, Siemens Healthineers recommends operating the ultrasound machine behind a firewall and/or use access control lists on the network switches to limit traffic to identified peers. At minimum, the DICOM Port (see Table 1) needs to be visible for customer DICOM network nodes (e.g., PACS, syngo®.via etc).

Please contact the Siemens Healthineers Service organization for further information.


The following ports are used by the system. All the ports are closed except for the ports listed in Table 1.

| Port number | Service/Function | Direction | Protocol |
| --- | --- | --- | --- |
| 80 | Administration Portal – Remote Service | Inbound | TCP |
| 104 | DICOM Communication (unencrypted) | In/outbound | TCP |
| 443 | Administration Portal – Remote Service (encrypted) | Inbound | TCP |
| 2762 | Secure DICOM (optional) | In/outbound | TCP |
| 8226 | Managed Node Package MNP | Inbound | TCP |
| 8227 | Managed Node Package MNP | Inbound | TCP |
| 8228 | Managed Node Package MNP | Inbound | TCP |
| 11080 | Remote Assist (SieLink) | Inbound | TCP |
| 12061 | Managed Node Package MNP | Inbound | TCP |
| 13001 | Managed Node Package MNP | Inbound | TCP |

Table 1: Used Port Numbers
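
One way to check observed traffic against the recommendation above (only the Table 1 ports reachable, and only from identified peers). This is an added example, not part of the white paper or of any Siemens Healthineers tooling; the device address, the peer allowlist, the grouping of ports into "dicom" and "service", and the flow records are constructed assumptions.

```python
import csv
from io import StringIO
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Table 1 of the white paper: every listed port is TCP and accepts inbound traffic.
TABLE_1_TCP = {
    80: "Administration Portal - Remote Service",
    104: "DICOM Communication (unencrypted)",
    443: "Administration Portal - Remote Service (encrypted)",
    2762: "Secure DICOM (optional)",
    8226: "Managed Node Package MNP",
    8227: "Managed Node Package MNP",
    8228: "Managed Node Package MNP",
    11080: "Remote Assist (SieLink)",
    12061: "Managed Node Package MNP",
    13001: "Managed Node Package MNP",
}
DICOM_PORTS = {104, 2762}

# Assumptions for illustration (site-specific, not taken from the white paper).
DEVICE_IP = "10.20.30.40"                 # hypothetical ultrasound system address
IDENTIFIED_PEERS = {
    "dicom": ["10.20.30.10/32"],          # hypothetical PACS/RIS node
    "service": ["10.20.31.0/28"],         # hypothetical remote-service gateway segment
}

# Constructed flow records, shaped like a firewall or switch flow export.
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.20.30.10,10.20.30.40,tcp,104
10.20.30.10,10.20.30.40,tcp,2762
10.20.31.5,10.20.30.40,tcp,443
192.168.50.23,10.20.30.40,tcp,443
10.20.30.77,10.20.30.40,tcp,3389
10.20.30.77,10.20.30.40,udp,104
10.20.30.10,10.20.30.99,tcp,445
10.20.30.10,10.20.30.40,tcp,n/a
"""


class Finding(NamedTuple):
    code: str
    src: str
    proto: str
    dport: str
    detail: str


def peer_is_identified(src, port, peers):
    """True if src belongs to a network allowed for this port's group."""
    group = "dicom" if port in DICOM_PORTS else "service"
    return any(src in ip_network(net) for net in peers.get(group, []))


def audit_inbound(flow_csv, device_ip=DEVICE_IP, peers=IDENTIFIED_PEERS):
    """Return findings for flows addressed to the device, in input order."""
    device = ip_address(device_ip)
    findings = []
    for row in csv.DictReader(StringIO(flow_csv)):
        raw = (str(row.get("src")), str(row.get("proto")), str(row.get("dport")))
        try:
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
            proto, port = row["proto"].lower(), int(row["dport"])
        except (KeyError, ValueError, TypeError, AttributeError):
            # Unparseable records are reported rather than silently dropped.
            findings.append(Finding("malformed-record", *raw, "could not parse record"))
            continue
        if dst != device:
            continue  # only traffic addressed to the ultrasound system is audited
        if proto != "tcp" or port not in TABLE_1_TCP:
            findings.append(Finding("port-not-in-table-1", *raw,
                                    "no Table 1 service on this protocol/port"))
        elif not peer_is_identified(src, port, peers):
            findings.append(Finding("unidentified-peer", *raw, TABLE_1_TCP[port]))
        elif port == 104:
            findings.append(Finding("cleartext-dicom", *raw,
                                    "unencrypted DICOM; Secure DICOM is port 2762"))
    return findings


if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_FLOWS):
        print(f"{finding.code:22} {finding.src:15} {finding.proto}/{finding.dport}  {finding.detail}")
```

The `cleartext-dicom` finding is informational: port 104 is an approved service, but Table 1 labels it unencrypted and PHI is transmitted via DICOM.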


Security Controls

Malware protection

• Whitelisting (Microsoft Device Guard)

Controlled use of administrative privileges

• The system distinguishes between clinical and administrative roles. Clinical users do not require administrative privileges.
• Authorization as administrator is required for administrative tasks.

Authentication authorization controls

• The ACUSON Redwood system VA10 software supports Health Insurance Portability and Accountability Act (HIPAA) regulation with role-based privilege assignment and access control.
• The user interface of the ACUSON Redwood system VA10 software provides a screen lock functionality that can be engaged manually or automatically after a certain inactivity time. For details, please refer to the User Manual.

Continuous vulnerability assessment and remediation

• Continuous vulnerability assessment and remediation is performed.

Hardening

• ACUSON Redwood system VA10 software hardening is implemented based on the Security Technical Implementation Guidelines developed by the Defense Information Systems Agency (DISA).

Network controls

• The system is designed to make limited use of network ports and protocols. Microsoft Windows firewall is configured to block unwanted inbound network traffic except for the ports listed in Table 1.
• Siemens Healthineers recommends operating the system in a secured network environment, e.g., a separate network segment or VLAN.
• Connection to the Internet or private networks for patients/guests is not recommended.
• In case of a denial of service (DoS) or malware attack, the system can be taken off the network and operated in a stand-alone state.

Physical protection

• You are responsible for the physical protection of the ACUSON Redwood system VA10 software, e.g., by operating it in a room with access control. Please note that the system contains patient data and should be protected against tampering and theft.
• The system is protected by Secure Boot, which blocks unsigned boot media.
• It is possible to change the BIOS password. Please contact Siemens Healthineers Service for support.

Data protection controls

• The system is not intended to be an archive (data at rest).
• PHI is protected by both role-based access control as well as hard drive encryption (optional).
• Hard drive encryption is an optional feature that is implemented through Microsoft BitLocker technology and use of the TPM (Trusted Platform Module) chip on the system’s motherboard.
• The system provides auditing of PHI access control.
• Optionally, confidentiality and integrity of PHI/PII data can be protected by encryption of DICOM nodes. Note: In the VA10 software release for the ACUSON Redwood system, encrypted communication can be used if all connected DICOM nodes support it.

Auditing/logging

• The system provides HIPAA-compliant auditing of operations on PHI, PII, and user information (i.e., login, read access to PHI, modification of PHI).

Remote connectivity

• SRS is optionally used for proactive maintenance. The connection is created using a secured channel (VPN- or IBC-based connection). It is used, for example, to download security patches and updates.
• Alternatively, you can use the Siemens Healthineers LifeNet platform to download available hotfixes and install them in offline machines that are not connected to the SRS network.

Incident response and management

• The incident handling process is defined and executed on demand to deal with incidents as mandated by the United States FDA Post-Market Guidance documents.


Software Bill of Materials

The following table comprises the most relevant third-party technologies used (general drivers not included).

| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Open Source [Link] [Link] | libjpeg-turbo | 1.5.2 | Jpeg image codec used by RendererVOB and PIMS to encode/decode image data. |
| Open Source [Link] [Link]/ | Snappy | [Link] | To compress overlay image when transferring from Orchid to UBE renderer. Snappy is designed to do both fast compression and decompression. |
| Microsoft Corporation | DirectX | 11 | Microsoft DirectX is a group of technologies designed to make Windows-based computers an ideal platform for running and displaying applications rich in multimedia elements such as full-color graphics, video, 3D animation, and rich audio. |
| Visualization Science Group [Link] | Coin Inventor | 4.0 | Library for Open Inventor™ implementation. This library is used as creating Open Inventor objects framework for running Open Inventor graphs which aid and rendering and organizing the Renderer application. Comes with Singapore. |
| Open Source [Link] | GLEW | 1.7.0 | Library for setting OpenGL Extension Pointers. |
| Open Source [Link] projects/tinyxml/ | [Link] | 2.0 | Library used in RendererVOB for parsing XML files and load scenegraph. In xsg scenegraph parsing. Source code is imported and built with msbuild by USD. |
| Open Source [Link] | LuaJIT | 2.0.0 | Library used in RendererVOB for interpreting and executing Lua script languages (.lua). Source code is imported and built by SCR. |
| Intel | Intel Performance Primitives | 9.0.4 | An extensive library of performance profiler tools and software functions for multimedia processing and data processing applications. |
| [Link] | OpenCL | 2.0 | Parallel programming of heterogeneous systems. |
| Open Source [Link] | [Link] | 8.0 | Library used by the UDV for clip decompression from jpeg to rgb in Review application. |


| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Open Source (Apache Software Foundation) | Log4net | [Link] | Logging library |
| Microsoft Corporation | EMET | 5.52 | Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a free Windows-based security tool that adds supplemental security defenses to defend potentially vulnerable legacy and third-party applications. |
| Microsoft Corporation | Internet Explorer (x86/x64) | 11.0 | Used as a web browser to display Service screen. |
| Siemens AG Healthcare Sector | MNP | VI40B | Providing remote software installation and support. |
| Riverbed Technology, Inc. | WinPcap | 4.1.3 | WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture. |
| [Link] | Wireshark | [Link] | Network protocol analyzer. It is needed to isolate network-related problems. |
| Siemens Ultrasound USA | Ultrasound TeamViewer Core VA10B (ver [Link]) | [Link] | Remote service tool |
| Siemens Healthcare GmbH | syngo – Developer 9.1 | 09.01.0001.0001 | Typical Siemens base medical layer: providing service related features |
| The SZ development | Homedale | 1.75 | Scan for Wi-Fi / WLAN Access Points and monitor their signal strength. Use the detected access points with Google Geolocation, Mozilla Location Service and Open WLAN Map Service to locate yourself. It works with 802.11a/b/g/n/ac wireless networks in the 2.4 GHz and 5 GHz frequency bands using 20, 40, 80 and 160 MHz width channels. |


| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Open Source [Link] | numpy | 1.14.3 | NumPy is the fundamental package for scientific computing with Python. It contains among other things: a powerful N-dimensional array object, sophisticated (broadcasting) functions, tools for integrating C/C++ and Fortran code, useful linear algebra, Fourier transform, and random number capabilities. |
| Open Source [Link] | cycler | 0.10.0 | A data processing framework. |
| Open Source [Link] pyparsing/pyparsing/ | pyparsing | 2.1.4 | The pyparsing module is an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions. The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code. |
| Open Source [Link] [Link]/en/stable/ | python-dateutil | 2.5.3 | The dateutil module provides powerful extensions to the standard datetime module, available in Python. |
| Open Source [Link] | pytz | 2016.4 | pytz brings the Olson tz database into Python. This library allows accurate and cross platform timezone calculations using Python 2.4 or higher. It also solves the issue of ambiguous times at the end of daylight saving time, which you can read more about in the Python Library Reference (datetime.tzinfo). Almost all of the Olson timezones are supported. |
| Open Source [Link] [Link]/ software/sip/download | sip | 4.19.8 | SIP2 Python Client: Simple Interchange Protocol Client for Python |
| Open Source [Link] | matplotlib | 2.2.2 | Matplotlib strives to produce publication quality 2D graphics for interactive graphing, scientific publishing, user interface development and web application servers targeting multiple user interfaces and hardcopy output formats. |
| Open Source [Link] project/logilab-common | logilab-common | 1.2.0 | This package contains some modules used by different Logilab projects. |


| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Open Source [Link] [Link]/en/latest/ | chardet | 2.3.0 | Character encoding auto-detection in Python. As smart as your browser. |
| Open Source [Link] io/en/latest/ | urllib3 | 1.15.1 | urllib3 is a powerful, sanity-friendly HTTP client for Python. Much of the Python ecosystem already uses urllib3 and you should too. urllib3 brings many critical features that are missing from the Python standard libraries. |
| Open Source [Link] python/wmi/[Link] | wmi | 1.4.9 | Windows Management Instrumentation (WMI) is Microsoft’s implementation of Web-Based Enterprise Management (WBEM), an industry initiative to provide a Common Information Model (CIM) for pretty much any information about a computer system. |
| Open Source [Link] kennethreitz/requests | Python requests | 2.10.0 | Requests is the only Non-GMO HTTP library for Python, safe for human consumption. |
| Open Source [Link] mhammond/pywin32 | Pywin32 | version 223 | Python extensions for Microsoft Windows. Provides access to much of the Win32 API, the ability to create and use COM objects, and the Pythonwin environment. |
| Open Source [Link] stable/ | Pip | 10.0.1 | Pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. |
| Riverbank Computing | PyQt | 5.10.1 | Qt is set of cross-platform C++ libraries that implement high-level APIs for accessing many aspects of modern desktop and mobile systems. These include location and positioning services, multimedia, NFC and Bluetooth connectivity, a Chromium based web browser, as well as traditional UI development. |
| Open Source [Link] projects/adodbapi/files/ | adodbapi | 2.0 | Installed automatically when pywin32 (220) is installed. |
| Open Source [Link] 1.5.1/users/[Link] | mpl_toolkits | N/A | Installed automatically when matplotlib (1.5.1) is installed. |


| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Open Source | isapi | N/A | Installed automatically when pywin32 (220) is installed. |
| Open Source [Link] cffi/cffi | cffi | 1.11.5 | CFFI, the Common Foreign Function Interface, purports to be a portable foreign function interface for Common Lisp. The CFFI library is composed of a Lisp-implementation-specific backend in the CFFI-SYS package, and a portable frontend in the CFFI package. |
| Open Source [Link] nucleic/kiwi | kiwisolver | 1.0.1 | Kiwi is an efficient C++ implementation of the Cassowary constraint solving algorithm. Kiwi is an implementation of the algorithm based on the seminal Cassowary paper. It is not a refactoring of the original C++ solver. Kiwi has been designed from the ground up to be lightweight and fast. Kiwi ranges from 10x to 500x faster than the original Cassowary solver with typical use cases gaining a 40x improvement. Memory savings are consistently > 5x. |
| Open Source [Link] project/colorama/ | colorama | 0.3.7 | Makes ANSI escape character sequences (for producing colored terminal text and cursor positioning) work under MS Windows. |
| Open Source [Link] | gevent | 1.3.2.post0 | gevent is a coroutine-based Python networking library that uses greenlet to provide a high-level synchronous API on top of the libev or libuv event loop. |
| Open Source [Link] python-greenlet/greenlet | greenlet | 0.4.13 | The greenlet package is a spin-off of Stackless, a version of CPython that supports micro-threads called “tasklets”. Tasklets run pseudo-concurrently (typically in a single or a few OS-level threads) and are synchronized with data exchanges on “channels”. |
| Open Source [Link] eliben/pycparser | pycparser | 2.18 | pycparser is a complete parser of the C language, written in pure Python using the PLY parsing library. It parses C code into an AST and can serve as a front-end for C compilers or analysis tools. |
| Open Source [Link] pypa/setuptools | setuptools | 39.2.0 | Easily download, build, install, upgrade, and uninstall Python packages. |


| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Open Source [Link] benjaminp/six | six | 1.10.0 | Six is a Python 2 and 3 compatibility library. It provides utility functions for smoothing over the differences between the Python versions with the goal of writing Python code that is compatible on both Python versions. See the documentation for more information on what is provided. |
| Open Source [Link] btubbs/sseclient | sseclient | 0.0.14 | This is a Python client library for iterating over http Server Sent Event (SSE) streams (also known as EventSource, after the name of the Javascript interface inside browsers). The SSEClient class accepts a url on init, and is then an iterator over messages coming from the server. |
| Open Source [Link] val-labs/websocket-client2 | websocket_client | 0.37.0 | websocket-client module is WebSocket client for Python. This provides the low-level APIs for WebSocket. All APIs are the synchronous functions. |
| Microsoft Corporation | Microsoft Visual C++ 2015 Redistributable | 2015 | The Microsoft Visual C++ 2012 Redistributable |
| Open Source | Nunit | 2.6.2 | Unit-testing framework |
| Microsoft Corporation | Microsoft SQL Server | 12.0.4232.1 | PIMS Database Engine |
| Trillium Technology, Inc. | ShowCase Onboard Viewer | [Link] | A DICOM viewer. ShowCase viewer is for displaying full color, still and cineloop ultrasound studies. |
| Merge Healthcare Incorporated | DICOM Toolkit | 5.6.0 | A comprehensive API that conforms to the latest DICOM standards. |
| Tomtec | Cariac SR (DicomConverter) | [Link] | |
| TLS Toolkit | OpenSSL | 1.0.2k | Library for Secure Connection |
| HP Inc. | 64 Bit HP CIO Components Installer | 20.2.1 | HP Print Driver |


| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Igor Pavlov | 7-Zip 18.05 (x64 edition) | [Link] | 7-Zip is a file archiver with a high compression ratio. |
| Adobe Systems Incorporated | Adobe Reader XI (11.0.21) MUI | 11.0.21 | Adobe Reader software is the global standard for electronic document sharing. It is the only PDF file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files. |
| TechSmith Corporation | Camtasia Studio | 1.1 | Camtasia is a software suite, created and published by TechSmith, for creating video tutorials and presentations directly via screencast, or via a direct recording plug-in to Microsoft PowerPoint. |
| Congatec | congatec CGOS API | 07.28.2012 | congatec Operating System Application Program Interface. |
| Microsoft Corporation | IIS URL Rewrite Module 2 | 7.2.1952 | URL Rewrite Module 2.0 provides a rule-based rewriting mechanism for changing requested URLs before they get processed by the web server and for modifying response content before it gets served to HTTP clients. |
| Intel Corporation | Intel® Chipset Device Software | [Link] | Chipset |
| Intel Corporation | Intel® Processor Graphics | 1.20.16.4599 | Graphic driver |
| Microsoft Corporation | Microsoft Application Request Routing 3.0 | 3.0.1952 | Microsoft Application Request Routing (ARR) for IIS 7 and above is a proxy-based routing module that forwards HTTP requests to content servers based on HTTP headers, server variables, and load balance algorithms. |
| Microsoft Corporation | Microsoft ODBC Driver 11 for SQL Server | 12.1.4232.0 | SQL Server |
| Microsoft Corporation | Microsoft SQL Server 2008 Setup Support Files | 10.3.5500.0 | SQL Server |
| Microsoft Corporation | Microsoft SQL Server 2012 Native Client | 11.0.2100.60 | SQL Server |


| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Microsoft Corporation | Microsoft SQL Server 2014 Express LocalDB | 12.1.4232.0 | SQL Server |
| Microsoft Corporation | Microsoft SQL Server 2014 RsFx Driver | 12.1.4100.1 | SQL Server |
| Microsoft Corporation | Microsoft SQL Server 2014 Setup (English) | 12.1.4232.0 | SQL Server |
| Microsoft Corporation | Microsoft SQL Server 2014 Transact-SQL ScriptDom | 12.1.4100.1 | SQL Server |
| Microsoft Corporation | Microsoft Visual C++ 2005 Redistributable | 8.0.61001 | A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | Microsoft Visual C++ 2005 Redistributable (x64) | 8.0.61000 | A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable (x86) | 9.0.30729.4148 | A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable (x86) | 9.0.30729.6161 | A security issue has been identified leading to a vulnerability in MFC applications that are built with Visual Studio 2008 and ship the Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package. |
| Microsoft Corporation | Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) | 9.0.30729.17 | The Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ SP1 on a computer that does not have Visual C++ 2008 SP1 installed. |


| Vendor name / URL | Component name | Component version | Description / use |
| --- | --- | --- | --- |
| Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 | 9.0.30729.4148 | The Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ SP1 on a computer that does not have Visual C++ 2008 SP1 installed. |
| Microsoft Corporation | Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 | 9.0.30729.6161 | The Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ SP1 on a computer that does not have Visual C++ 2008 SP1 installed. |
| Microsoft Corporation | Microsoft Visual C++ 2010 SP1 Redistributable Package (x86/x64) | 10.0.40219 | The Microsoft Visual C++ 2010 SP1 Redistributable Package (x86) installs runtime components of Visual C++ Libraries required to run applications developed with Visual C++ 2010 SP1 on a computer that does not have Visual C++ 2010 SP1 installed. |
| Microsoft Corporation | Microsoft Visual C++ 2012 Redistributable (x64) – 11.0.61030 | 11.0.61030.0 | The Microsoft Visual C++ 2012 Redistributable |
| Microsoft Corporation | Microsoft Visual C++ 2012 x64 Additional Runtime – 11.0.61030 | 11.0.61030 | The Microsoft Visual C++ 2012 Redistributable |
| Microsoft Corporation | Microsoft Visual C++ 2012 x64 Minimum Runtime – 11.0.61030 | 11.0.61030 | The Microsoft Visual C++ 2012 Redistributable |
| Microsoft Corporation | Microsoft Visual C++ 2013 Redistributable (x64) – 12.0.30501 | 12.0.30501.0 | The Microsoft Visual C++ 2013 Redistributable |

[Link]/redwood 17
Product and solution security white paper · ACUSON Redwood VA10

Software Bill of Materials

The following table comprises the most relevant third-party technologies used (general drivers not included).

Vendor name / URL Component Component Description / use


name version

Microsoft Visual
C++ 2013 x64
The Microsoft Visual C++ 2013
Additional 12.0.21005
Redistributable
Runtime –
12.0.21005

Microsoft Visual
C++ 2013 x64
The Microsoft Visual C++ 2013
Minimum 12.0.21005
Redistributable
Runtime –
12.0.21005

Microsoft Visual
C++ 2015
The Microsoft Visual C++ 2015
Redistributable 14.0.24215.1
Redistributable
(x64/x64) –
14.0.24215

Microsoft Visual
C++ 2015 x64
The Microsoft Visual C++ 2015
Additional 14.0.24215
Redistributable
Microsoft Corporation Runtime –
14.0.24215

Microsoft Visual
C++ 2015 x64
The Microsoft Visual C++ 2015
Minimum 14.0.24215
Redistributable
Runtime –
14.0.24215

Microsoft VSS
Writer for SQL 12.1.4100.1 Database Engine
Server 2014

Microsoft Web
2.0.1070 WebDriver
Deploy 2.0

Microsoft Web
Farm Framework 2.2.1341 WebDriver
Version 2.2

Microsoft Web
Platform Installer 3.0.5 WebDriver
3.0

NVIDIA Graphics
NVIDIA Corporation 425.31 Graphics Driver
Driver 425.31

18 [Link]/redwood
ACUSON Redwood VA10 · Product and solution security white paper

Vendor name / URL Component Component Description / use


name version

Open Source
Python Software Python 3.6.5 Python Script
Foundation

The .NET Framework 2.0 Service Pack 2


provides cumulative roll-up updates for
customer reported issues found after the
.NET Framework
release of the .NET Framework 2.0. In
2.0 Service 2.0.50727.8745
addition, this release provides performance
Pack 2
improvements, and prerequisite feature
support for the .NET Framework 3.5 Service
Pack 1.

Microsoft .NET Framework 3.5 Service Pack 1


is a full cumulative update that contains
Microsoft Corporation
.NET Framework many new features building incrementally
3.5 Service 3.5.30729.8763 upon .NET Framework 2.0, 3.0, 3.5, and
Pack 1 includes cumulative servicing updates to the
.NET Framework 2.0 and .NET Framework
3.0 subcomponents.

The Microsoft .NET Framework 4.6 Server


Core installer package downloads the .NET
.NET Framework
4.6.1586.0 Framework 4.6 components required to run
4.6.1
on Windows Server 2008 R2 SP1 and higher
for Server Core role installation.

The IT Machine
Blue Elephant Systems
with correlation 1.2.5
GmbH
module

Windows 10
Microsoft Corporation Enterprise 2016 2016 LTSB Operation System
lTSB

Realtek High
Realtek 6.0.1.8036 HD audio driver
Definition Audio

Open Source
muParser 2.2.5 Math expression parser library
(Ingo Berg)

Windows Driver This package contains a Virtual COM Port


Package – Silicon Universal driver for Microsoft Windows 10
Silicon Laboratories Inc. 10.1.7.2399
Laboratories Inc. for use with Silicon Labs VCP USB Serial
(silabser) Ports Bridges.

NVIDIA CUDA 9.1 A development environment for creating


high performance GPU-accelerated
applications.

[Link]/redwood 19
Product and solution security white paper · ACUSON Redwood VA10

Software Bill of Materials

The following table comprises the most relevant third-party technologies used (general drivers not included).

Vendor name / URL Component Component Description / use


name version

FTDI drivers FTDI chip driver to communicate with CPM


ftdchip [Link]
(VCP and D3XX) (Core Physio Module)

CrashRpt is a free open-source library


designed for intercepting exceptions in your
Open Source
C++ program, collecting technical
[Link] CrashRpt 1.4.3
information about the crash and sending
crashrpt/
error reports over the Internet to software
vendor.

Intel® Compilers The compiler runtime libraries to dynamically


Redistributable 17.0 Update 4 link applications built with the Intel® C++
Libraries Compiler.

Intel® Integrated An extensive library of performance profiler


Performance 9.0 Update 4 tools and software functions for multimedia
Primitives processing and data processing applications.
Intel
A library of optimized math routines for
Intel® Math
11.3 Update 4 science, engineering, and financial
Kernel Library
applications.

A C++ template library developed by Intel for


Intel® Threading
4.4 Update 4 parallel programming on multi-core
Building Blocks
processors.

A PC tool for programming flash based


Embedded Systems microcontrollers from NXP using a serial or
Flash Magic 10.50
Academy Ethernet protocol while in the target
hardware.

MSXML Parser
Microsoft Corporation 4.20.9849.0 Microsoft XML Parser
and SDK 4 SP2

Moq is the most popular and friendly


Open Source 4.0
mocking framework for .NET.
[Link] Moq
packages/moq/ Moq is the most popular and friendly
4.2
mocking framework for .NET.

Apache log4cxx is a logging framework for


C++ patterned after Apache log4j, which
uses Apache Portable Runtime for most
platform-specific code and should be usable
Open Source Log4cxx [Link]
on any platform supported by APR. Apache
log4cxx is licensed under the Apache
License, an open source license certified by
the Open Source Initiative.

20 [Link]/redwood
ACUSON Redwood VA10 · Product and solution security white paper

Vendor name / URL Component Component Description / use


name version

Open Source
Multimedia framework, able to decode,
[Link]
encode, transcode, mux, demux, stream,
[Link]/blog/2015/01/20/ ffmpeg 2.7.2
filter and play pretty much anything that
compiling-ffmpeg-with-
humans and machines have created.
windows-tools/

Lightweight database engine for managing


SQLite SQLite [Link]
i18n strings.

Application framework for building rich


internet applications. Provides frameworks
implemented using proven software design
Microsoft Corporation Prism framework 4.0
and development best practices. Used as
common presentation layer framework
to build vertical applications in Frosk.

Sony
Sony UP-D711MD BW [Link] Black and white thermal printer driver
Printer Driver

Intel® Ethernet
Intel Connection [Link] Gigabit ethernet adapter driver
I218-LM


Manufacturer Disclosure Statement According to IEC 60601-1
Statement according to IEC 60601-1, 3rd Edition, Chapter 14.13

1. Network properties required by the system and resulting risks

1-1 The device is connected via Ethernet cable or wireless protocol to the hospital using a TCP/IP network with
1Gb/s performance:
• If the network is down, the network services (see below) are not available which can lead to the risks stated
below.
• If the network is unavailable, medical images cannot be transferred for remote consultation.
• If the wireless network is incorrectly protected (for example, open Wi-Fi configuration), the attack surface of
all the connected devices is much larger, which can lead to the risks stated below.
• If the recommended network performance (1Gbit/s) is not provided, the transfer of images is extended, and
availability of images at destinations (e.g., for consulting) is delayed.
• Only the protocols shown in the table of used ports are needed for communication.

1-2 PACS system for archiving images/results


• If the PACS is not available:
– images cannot be archived after the examination. In case of a system hardware failure, all non-archived
images can be lost.
– images cannot be archived after the examination. Examinations may no longer be possible because the
hard drive is full as non-archived images cannot be automatically removed.
– images cannot be archived after the examination. In case of manual deletion of images, unarchived images
can be lost.
– images are not available for remote consultation via PACS consoles.
– prior images are not available.
• If the recommended network performance (1Gbit/s) is not provided, the transfer time to PACS is extended,
and the wait for switching off the system consecutive to the last transfer operations is prolonged.

1-3 DICOM printer


• If the DICOM printer is not available, film is not available for diagnosis/archive.

1-4 RIS system


• If the RIS system is not available:
– the modality worklist is not available. This can lead to data inconsistencies as well as unavailability of
images when sent to the PACS until they are manually coerced with the RIS data in the PACS.
– In case of a Worklist Query time-out due to poor network transfer, there is a possibility that non-actual RIS
data is used when registering a patient from the list of schedules on the system.

1-5 Network connection to the SRS server


• If the connection to the Smart Remote Services server is not available, then support from Siemens
Healthineers service is limited.

1-6 Common medical protocol properties


• Protocols used in medical environments are typically unsecure, with the exception of secure Smart Remote
Services (using HTTPS).


2. Instructions for the responsible organization

2-1 Connection of the system to a network that includes other equipment could result in previously unidentified
risks to patients, operators or third parties. The RESPONSIBLE ORGANIZATION should identify, evaluate and
control these risks.

2-2 Subsequent changes to the network could introduce new RISKS and require additional analysis.

2-3 Changes to the network include:


• changes in network configuration
• connection of additional items to the network
• disconnecting items from the network
• update of equipment connected to the network
• upgrade of equipment connected to the network

2-4 The RESPONSIBLE ORGANIZATION is fully responsible for the security of the network to which the device is
connected.

2-5 The RESPONSIBLE ORGANIZATION is fully responsible to ensure staff who have access to the device do not
have the opportunity to cause any harm to the system.

2-6 The RESPONSIBLE ORGANIZATION has to ensure that the internal network cannot be accessed physically by
non-authorized persons.

2-7 Staff of the RESPONSIBLE ORGANIZATION has to be trained in security. The RESPONSIBLE ORGANIZATION is
responsible for providing this.

2-8 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that only authorized medical/administrative
staff shall have access to the device.

2-9 The RESPONSIBLE ORGANIZATION is fully responsible to ensure that visitors/patients do not have unsupervised
physical access to the system.

2-10 The RESPONSIBLE ORGANIZATION shall provide access to the system for device administrators and device
service engineers.

2-11 The RESPONSIBLE ORGANIZATION has at least one staff person with administrative rights who has access to
the system.

2-12 The RESPONSIBLE ORGANIZATION shall ensure that access to the device is possible neither from the public
internet nor from the organization’s intranet.

2-13 The RESPONSIBLE ORGANIZATION is responsible to ensure physical security for the device.

2-14 The RESPONSIBLE ORGANIZATION shall ensure that access to services for the device from other equipment is
possible only on a need-to-do basis. An adequate network topology with appropriate firewall settings shall be
used.

2-15 The RESPONSIBLE ORGANIZATION is responsible for a secure infrastructure that makes it impossible to
change, prevent, or tamper with data in transit in any way.

2-16 RECOMMENDATION: It is highly recommended that the RESPONSIBLE ORGANIZATION monitors the network
for unusual traffic.

2-17 The RESPONSIBLE ORGANIZATION is responsible for the hard drive encryption keys and for preventing the
theft or loss of those keys.


3. Intended purpose of integrating the device into an IT network

3-1 To integrate the system into the clinical workflow, the whole ultrasound system will interact as a DICOM node
in the clinical network.

3-2 The system is DICOM-compliant, allowing it to be connected to a network with other compliant devices for
the exchange of images. Networking allows the transmission of images acquired to other DICOM-compatible
review stations or PACS. A list of all patients ever imaged can be kept on the Radiology PACS making future
retrievals fast and easy.

3-3 The system connects to the network through an Ethernet cable or a wireless protocol. The network interfaces
allow DICOM connections to specific clinical systems such as a Radiology PACS or printer. Patient demographic
data will be received via DICOM; acquired images will be sent to the Radiology PACS or DICOM workstations
for detailed viewing and long-term storage.

4. Network properties required by the system and resulting risks

4-1 Unsuccessful data transfer not recognized

Function: Archiving and Networking
Hazard: Wrong diagnosis / loss of acquisition data
Caution: Data transfers between systems are not verified automatically. Loss of data, if data is deleted
locally before it has been successfully transferred to another system.
Measure: Since not all systems support automatic storage commitment, verify the correctness of the data
transfer at the remote system before deleting the local data.
Effect on: Patient

4-2 Incorrect or incomplete data transfer


Function: Data Exchange – Network
Hazard: Wrong diagnosis, wrong examination / loss of acquisition data, loss of post processing results,
corrupted data, inconsistent data
Cause: DICOM objects are sent/received/retrieved. While objects are being prepared or during transfer,
not all DICOM objects that are not considered are deleted, corrupted or unintentionally
manipulated. Data on the sender and receiver side is not consistent. Failure of transfer not
recognized.
Measure: It has to be verified by testing, that there is no object loss during sending, which means:
• Verify that exception scenarios result in a failed job (and check for other exceptions in log files).
• Verify that error cases, which result in data not complying with the DICOM standard, are covered
by exception scenarios.
Effect on: Patient
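
The measure in 4-1 (confirm the transfer at the remote system before deleting local data) and the failed-job check in 4-2 can be automated on the receiving side. The following Python example is added here for illustration and is not part of the vendor document or vendor code. The names Instance, CommitmentReport, StudyVerdict and verify_before_delete, and all UIDs, are hypothetical; the failure reason codes are the ones DICOM defines for Storage Commitment.

```python
"""Added example: decide which studies may be deleted from the modality.

Inputs are constructed. In practice they would come from Storage Commitment
N-EVENT-REPORT results and, where the archive lacks that service, from an
image-level query of the archive.
"""
from dataclasses import dataclass, field

# Failure Reason (0008,1197) values defined for Storage Commitment in DICOM PS3.4.
FAILURE_REASONS = {
    0x0110: "processing failure",
    0x0112: "no such object instance",
    0x0213: "resource limitation",
    0x0122: "referenced SOP class not supported",
    0x0119: "class/instance conflict",
    0x0131: "duplicate transaction UID",
}


@dataclass(frozen=True)
class Instance:
    study_uid: str
    sop_instance_uid: str


@dataclass
class CommitmentReport:
    """One N-EVENT-REPORT: committed UIDs and failed UIDs with their reason."""
    transaction_uid: str
    committed: set = field(default_factory=set)
    failed: dict = field(default_factory=dict)  # SOP Instance UID -> reason code


@dataclass
class StudyVerdict:
    safe_to_delete: bool
    problems: list


def instance_status(uid, reports):
    """Latest report mentioning the UID wins, so a successful retry clears a failure."""
    status = ("unverified", None)
    for report in reports:  # reports are expected in arrival order
        if uid in report.failed:
            status = ("failed", report.failed[uid])
        elif uid in report.committed:
            status = ("committed", None)
    return status


def verify_before_delete(local_instances, reports, remote_listing=None):
    """Return {study_uid: StudyVerdict}.

    remote_listing: optional {study_uid: set of SOP Instance UIDs} obtained by
    querying the archive. It is consulted only for instances that no commitment
    report covers, and it is weaker evidence than an explicit commitment.
    """
    remote_listing = remote_listing or {}
    verdicts = {}
    for inst in local_instances:
        verdict = verdicts.setdefault(inst.study_uid, StudyVerdict(True, []))
        uid = inst.sop_instance_uid
        state, reason = instance_status(uid, reports)
        if state == "committed":
            continue
        if state == "failed":
            text = FAILURE_REASONS.get(reason, "unknown reason")
            verdict.problems.append(f"{uid}: commitment failed 0x{reason:04X} ({text})")
        elif uid in remote_listing.get(inst.study_uid, set()):
            continue  # present at the archive according to the query
        else:
            verdict.problems.append(f"{uid}: not confirmed by the archive")
        verdict.safe_to_delete = False  # one unconfirmed instance blocks the whole study
    return verdicts


# Constructed sample data: the UIDs are placeholders, not real identifiers.
LOCAL = [
    Instance("study-A", "A.1"), Instance("study-A", "A.2"),
    Instance("study-B", "B.1"), Instance("study-B", "B.2"),
    Instance("study-C", "C.1"),
    Instance("study-D", "D.1"), Instance("study-D", "D.2"),
]
REPORTS = [
    CommitmentReport("tx-1", committed={"A.1", "A.2", "B.1"}, failed={"B.2": 0x0112}),
    CommitmentReport("tx-2", failed={"D.1": 0x0213}),
    CommitmentReport("tx-3", committed={"D.1", "D.2"}),  # retry of tx-2 succeeded
]
REMOTE = {"study-B": {"B.1"}, "study-C": {"C.1"}}  # archive without commitment for study-C

if __name__ == "__main__":
    for study, v in sorted(verify_before_delete(LOCAL, REPORTS, REMOTE).items()):
        print(study, "DELETE OK" if v.safe_to_delete else "KEEP", v.problems)
```

A study is released for deletion only when every one of its instances is confirmed; an explicit commitment failure is never overridden by a query result.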


4-3 Insecure or incorrectly configured clinical network


Function: Network Security
Hazard: Incorrect diagnosis basis, wrong diagnosis, wrong treatment, delayed diagnosis, delayed therapy,
wrong examination, repetition of examination / loss of acquisition data, corrupted data, system DoS
Caution: Unauthorized access may affect system performance and data security.
Cause: Any unauthorized access to the system may affect the system performance and data security and
may lead to:
• Lowered system performance and/or non-operational system
• Loss of data security including loss of all patient data
Measure: • Enable your system administrator to ensure network security and the security of the operational
infrastructure
• Consult manuals for secure setup
• Perform system updates as required
• Run your medical device only in protected network environments, and do not connect it directly
to public networks
• Set up firewalls
• Prevent configuration files from being changed by users
• Update and patch networked systems as required
Effect on: Patient

4-4 BitLocker recovery keys not available when needed

Function: Hard drive encryption
Hazard: loss of patient data, system DoS
Caution: Customer should keep BitLocker recovery keys safe
Cause: In the case the customer opted for hard drive encryption and if BitLocker fails to access the
encrypted drive for whatever reason, then the recovery keys will be needed by Siemens Healthineers
Service to pause encryption and have offline access to the hard drive and the patient data stored in it.
Effect on: Patient, System


Manufacturer Disclosure Statement for Medical Device Security – MDS2


Device Description
Device Category: Diagnostic Ultrasound
Manufacturer: Siemens Medical Solutions USA, Inc.
Document ID: 502955-FPD-001
Document Release Date: 18-Sep-19
Device Model: ACUSON Redwood
Software Revision: r1.0
Software Release Date: 21-Aug-19

Manufacturer or Representative Contact Information
Company Name: Siemens Medical Solutions USA, Inc.
Manufacturer Contact Information: Siemens Medical Solutions – Ultrasound, 685 E Middlefield Rd, Mountain View, CA 94043
Representative Name / Position: YoungChul Kim/Senior Engineer

Intended use of device in network-connected environment


Optionally, the ACUSON Redwood Ultrasound System can be configured to communicate with a hospital Patient Archival Communication
System (PACS). The following DICOM Services are supported: Store SCP/SCU, Modality Worklist SCU, Query/Retrieve SCU, Storage
Commitment SCU, Print SCU and DICOM Structured Reporting SCU.


Management of Private Data

Refer to Section 2.3.2 of HIMSS/NEMA HN 1-2013 standard for the proper interpretation of information requested in this form.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| A | Can this device display, transmit, or maintain private data (including electronic Protected Health Information [ePHI])? | Yes | |
| B | Types of private data elements that can be maintained by the device: | | |
| B.1 | Demographic (e.g., name, address, location, unique identification number)? | Yes | – |
| B.2 | Medical record (e.g., medical record #, account #, test or treatment date, device identification number)? | Yes | – |
| B.3 | Diagnostic/therapeutic (e.g., photo/radiograph, test results, or physiologic data with identifying characteristics)? | Yes | – |
| B.4 | Open, unstructured text entered by device user/operator? | Yes | – |
| B.5 | Biometric data? | Yes | – |
| B.6 | Personal financial information? | No | – |
| C | Maintaining private data ‒ Can the device: | | |
| C.1 | Maintain private data temporarily in volatile memory (i.e., until cleared by power-off or reset)? | Yes | – |
| C.2 | Store private data persistently on local media? | Yes | – |
| C.3 | Import/export private data with other systems? | Yes | – |
| C.4 | Maintain private data during power service interruptions? | Yes | – |
| D | Mechanisms used for the transmitting, importing/exporting of private data – Can the device: | | |
| D.1 | Display private data (e.g., video display, etc.)? | Yes | – |
| D.2 | Generate hardcopy reports or images containing private data? | Yes | – |
| D.3 | Retrieve private data from or record private data to removable media (e.g., disk, DVD, CD-ROM, tape, CF/SD card, memory stick, etc.)? | Yes | – |
| D.4 | Transmit/receive or import/export private data via dedicated cable connection (e.g., IEEE 1073, serial port, USB, FireWire, etc.)? | Yes | – |
| D.5 | Transmit/receive private data via a wired network connection (e.g., LAN, WAN, VPN, intranet, Internet, etc.)? | Yes | – |
| D.6 | Transmit/receive private data via an integrated wireless network connection (e.g., WiFi, Bluetooth, infrared, etc.)? | Yes | – |
| D.7 | Import private data via scanning? | No | – |
| D.8 | Other? | N/A | – |

Management of private data notes: The system can store height, weight and BSA.


Device Category: Diagnostic Ultrasound
Manufacturer: Siemens Medical Solutions USA, Inc.
Document ID: 11502955-FPD-001
Document Release Date: 18-Sep-19
Device Model: ACUSON Redwood
Software Revision: r1.0
Software Release Date: 21-Aug-19

Security capabilities
Refer to Section 2.3.2 of this standard for the proper interpretation of information requested in this form. Each item is answered Yes, No, N/A, or See Note, with a note number where one applies.

1 Automatic logoff (ALOF)
The device’s ability to prevent access and misuse by unauthorized users if device is left idle for a period of time.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 1-1 | Can the device be configured to force reauthorization of logged-in user(s) after a predetermined length of inactivity (e.g., auto-logoff, session lock, password protected screen saver)? | Yes | – |
| 1-1.1 | Is the length of inactivity time before auto-logoff/screen lock user or administrator configurable? (Indicate time [fixed or configurable range] in notes.) | Yes | 1 |
| 1-1.2 | Can auto-logoff/screen lock be manually invoked (e.g., via a shortcut key or proximity sensor, etc.) by the user? | Yes | – |

ALOF notes: The auto-logoff can be configured from 1 to 60 minutes.

2 Audit controls (AUDT)
The ability to reliably audit activity on the device.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 2-1 | Can the medical device create an audit trail? | Yes | – |
| 2-2 | Indicate which of the following events are recorded in the audit log: | | |
| 2-2.1 | Login/logout | Yes | – |
| 2-2.2 | Display/presentation of data | Yes | – |
| 2-2.3 | Creation/modification/deletion of data | Yes | – |
| 2-2.4 | Import/export of data from removable media | Yes | – |
| 2-2.5 | Receipt/transmission of data from/to external (e.g., network) connection | Yes | – |
| 2-2.51 | Remote service activity | Yes | – |
| 2-2.6 | Other events? (describe in the notes section) | No | – |
| 2-3 | Indicate what information is used to identify individual events recorded in the audit log: | | |
| 2-3.1 | User ID | Yes | – |
| 2-3.2 | Date/time | Yes | – |

AUDT notes: Log items are encrypted as they are added to the audit log.

3 Authorization (AUTH)
The ability of the device to determine the authorization of users.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 3-1 | Can the device prevent access to unauthorized users through user login requirements or other mechanism? | Yes | – |
| 3-2 | Can users be assigned different privilege levels within an application based on ‘roles’ (e.g., guests, regular users, power users, administrators, etc.)? | Yes | – |
| 3-3 | Can the device owner/operator obtain unrestricted administrative privileges (e.g., access operating system or application via local root or admin account)? | No | – |

AUTH notes: N/A


4 Configuration of security features (CNFS)
The ability to configure/re-configure device security capabilities to meet user’s needs.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 4-1 | Can the device owner/operator reconfigure product security capabilities? | Yes | – |

CNFS notes: The admin can configure the security system, such as the firewall, via the security system configuration screen. In addition, only the admin can configure data export capabilities, including DICOM and Network Share.

5 Cyber security product upgrades (CSUP)
The ability of on-site service staff, remote service staff, or authorized customer staff to install/upgrade device’s security patches.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 5-1 | Can relevant OS and device security patches be applied to the device as they become available? | Yes | 1 |
| 5-1.1 | Can security patches or other software be installed remotely? | Yes | 2 |

CSUP notes:
1. Only security patches that become available through Siemens are subject to be installed in the system.
2. Siemens Remote Service can push patches to the system, which are then installed once approved by the user.

6 Health data DE-identification (DIDT)
The ability of the device to directly remove information that allows identification of a person.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 6-1 | Does the device provide an integral capability to de-identify private data? | Yes | – |

DIDT notes: There is a feature in Patient Browser which will clear the patient banner and clear the DICOM tags identifying a specific patient.

7 Data backup and disaster recovery (DTBK)
The ability to recover after damage or destruction of device data, hardware, or software.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 7-1 | Does the device have an integral data backup capability (i.e., backup to remote storage or removable media such as tape, disk)? | Yes | – |

DTBK notes: Patient data is uploaded to PACS either during or after each exam. Patient data can be backed up to USB or DVD. The system configuration can be backed up to USB.

8 Emergency access (EMRG)
The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 8-1 | Does the device incorporate an emergency access (“break-glass”) feature? | Yes | – |

EMRG notes: The system will allow for an emergency exam to be performed. Access to main aspects of the system other than that required to perform the exam are restricted.

9 Health data integrity and authenticity (IGAU)
How the device ensures that data processed by the device has not been altered or destroyed in an unauthorized manner and is from the originator.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 9-1 | Does the device ensure the integrity of stored data with implicit or explicit error detection/correction technology? | No | – |

IGAU notes: N/A


10 Malware detection/protection (MLDP)
The ability of the device to effectively prevent, detect and remove malicious software (malware).

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 10-1 | Does the device support the use of anti-malware software (or other anti-malware mechanism)? | Yes | – |
| 10-1.1 | Can the user independently re-configure anti-malware settings? | No | – |
| 10-1.2 | Does notification of malware detection occur in the device user interface? | Yes | – |
| 10-1.3 | Can only manufacturer-authorized persons repair systems when malware has been detected? | Yes | – |
| 10-2 | Can the device owner install or update anti-virus software? | No | – |
| 10-3 | Can the device owner/operator (technically/physically) update virus definitions on manufacturer-installed antivirus software? | N/A | – |

MLDP notes: DeviceGuard is incorporated into the system. Only software signed by Siemens can execute.

11 Node authentication (NAUT)
The ability of the device to authenticate communication partners/nodes.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 11-1 | Does the device provide/support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information? | Yes | – |

NAUT notes: Communication to a PACS can be configured to use TLS certificates. Only if encrypted DICOM functionality is being used.

12 Person authentication (PAUT)
Ability of the device to authenticate users

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 12-1 | Does the device support user/operator-specific username(s) and password(s) for at least one user? | Yes | – |
| 12-1.1 | Does the device support unique user/operator-specific IDs and passwords for multiple users? | Yes | – |
| 12-2 | Can the device be configured to authenticate users through an external authentication service (e.g., MS Active Directory, NDS, LDAP, etc.)? | No | – |
| 12-3 | Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts? | Yes | – |
| 12-4 | Can default passwords be changed at/prior to installation? | Yes | – |
| 12-5 | Are any shared user IDs used in this system? | No | – |
| 12-6 | Can the device be configured to enforce creation of user account passwords that meet established complexity rules? | Yes | – |
| 12-7 | Can the device be configured so that account passwords expire periodically? | Yes | – |

PAUT notes: Accounts and passwords for those accounts are configured by the administrator of the system. The password aging can be configured from 0 (never expires) to 999 days. The default setting is 42 days.

13 Physical locks (PLOK)
Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 13-1 | Are all device components maintaining private data (other than removable media) physically secure (i.e., cannot remove without tools)? | Yes | – |

PLOK notes: N/A


14 Roadmap for third party components in device life cycle (RDMP)
Manufacturer’s plans for security support of 3rd party components within device life cycle.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 14-1 | In the notes section, list the provided or required (separately purchased and/or delivered) operating system(s) – including version number(s). | See Note | – |
| 14-2 | Is a list of other third party applications provided by the manufacturer available? | Yes | – |

RDMP notes: Microsoft Windows 10 64 bit

15 System and application hardening (SAHD)
The device’s resistance to cyber-attacks and malware.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 15-1 | Does the device employ any hardening measures? Please indicate in the notes the level of conformance to any industry-recognized hardening standards. | Yes | 1 |
| 15-2 | Does the device employ any mechanism (e.g., release-specific hash key, checksums, etc.) to ensure the installed program/update is the manufacturer-authorized program or software update? | Yes | – |
| 15-3 | Does the device have external communication capability (e.g., network, modem, etc.)? | Yes | – |
| 15-4 | Does the file system allow the implementation of file-level access controls (e.g., New Technology File System (NTFS) for MS Windows platforms)? | Yes | – |
| 15-5 | Are all accounts which are not required for the intended use of the device disabled or deleted, for both users and applications? | Yes | – |
| 15-6 | Are all shared resources (e.g., file shares) which are not required for the intended use of the device, disabled? | Yes | – |
| 15-7 | Are all communication ports which are not required for the intended use of the device closed/disabled? | Yes | – |
| 15-8 | Are all services (e.g., telnet, file transfer protocol [FTP], internet information server [IIS], etc.), which are not required for the intended use of the device deleted/disabled? | Yes | – |
| 15-9 | Are all applications (COTS applications as well as OS-included applications, e.g., MS Internet Explorer, etc.) which are not required for the intended use of the device deleted/disabled? | Yes | – |
| 15-10 | Can the device boot from uncontrolled or removable media (i.e., a source other than an internal drive or memory component)? | Yes | 2 |
| 15-11 | Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools? | No | – |

SAHD notes:
1. DISA STIGS
2. Booting from uncontrolled removable media requires BIOS password

16 Security guidance (SGUD)
The availability of security guidance for operator and administrator of the system and manufacturer sales and service.

| ID | Question | Yes, No, N/A, or See Note | Note # |
|---|---|---|---|
| 16-1 | Are security-related features documented for the device user? | Yes | – |
| 16-2 | Are instructions available for device/media sanitization (i.e., instructions for how to achieve the permanent deletion of personal or other sensitive data)? | Yes | – |

SGUD notes: The manual of Service Configuration explains how to delete study data


17 Health data storage confidentiality (STCF)

The ability of the device to ensure unauthorized access does not compromise the integrity and
confidentiality of private data stored on device or removable media.

17-1 Can the device encrypt data at rest? Yes –

STCF notes: Microsoft BitLocker can be enabled at the factory or after customer installation

18 Transmission confidentiality (TXCF)

The ability of the device to ensure the confidentiality of transmitted private data.

18-1 Can private data be transmitted only via a point-to-point dedicated cable? No –

18-2 Is private data encrypted prior to transmission via a network or removable media? (If yes, indicate in the notes which encryption standard is implemented.) See Note –

18-3 Is private data transmission restricted to a fixed list of network destinations? Yes –

TXCF notes: Encryption via industry standards is available with wireless networking. Application layer encryption is
available only if encrypted DICOM functionality is being used. Secure DICOM can be configured to use
TLS 1.0, 1.1 or 1.2. DICOM is encrypted by TLS_RSA_WITH_128_CBC_SHA or TLS_RSA_WITH_3DES_EDE_CBC_SHA.

19 Transmission integrity (TXIG)

The ability of the device to ensure the integrity of transmitted private data.

19-1 Does the device support any mechanism intended to ensure data is not modified during transmission? (If yes, describe in the notes section how this is achieved.) No –

TXIG notes: N/A

20 Other security considerations (OTHR)


Additional security considerations/notes regarding medical device security.
20-1 Can the device be serviced remotely? Yes –

20-2 Can the device restrict remote access to/from specified devices or users or network locations (e.g., specific IP addresses)? Yes –

20-2.1 Can the device be configured to require the local user to accept or initiate remote access? Yes –

OTHR notes: N/A


Abbreviations

AD Active Directory
AES Advanced Encryption Standard
BIOS Basic Input Output System
DES Data Encryption Standard
DISA Defense Information Systems Agency
DMZ Demilitarized Zone
DoS Denial of Service
ePHI Electronic Protected Health Information
FDA Food and Drug Administration
FIPS Federal Information Processing Standards
HHS Health and Human Services
HIPAA Health Insurance Portability and Accountability Act
HIMSS Healthcare Information and Management Systems Society
HTTP Hypertext Transfer Protocol
HTTPS HTTP Secure
ICS Integrated Communication Services
IEC International Electrotechnical Commission
LDAP Lightweight Directory Access Protocol
MD5 Message Digest 5
MDS2 Manufacturer Disclosure Statement
MSTS Microsoft Terminal Server
NEMA National Electrical Manufacturers Association
NTP Network Time Protocol
OCR Office for Civil Rights
OU Organizational Unit
PHI Protected Health Information
PII Personally Identifiable Information
RPC Remote Procedure Call
SAM Security Accounts Manager
SHA Secure Hash Algorithm
SQL Structured Query Language
SRS Smart Remote Services
SW Software
TCP Transmission Control Protocol
UltraVNC Ultra Virtual Network Computing
UDP User Datagram Protocol
VPN Virtual Private Network


Disclaimer According to IEC 80001-1

1-1 The Device has the capability to be connected to a medical IT network, which is managed under full responsibility of the operating legal entity (hereafter called “RESPONSIBLE ORGANIZATION”). It is assumed that the RESPONSIBLE ORGANIZATION assigns a Medical IT Network Risk Manager to perform IT Risk Management (see IEC 80001-1:2010 / EN 80001-1:2011) for IT.

1-2 This statement describes Device-specific IT networking safety and security capabilities. It is NOT a RESPONSIBILITY AGREEMENT according to IEC 80001-1:2010 / EN 80001-1:2011.

1-3 Any modification of the platform, the software or the interfaces of the Device – unless authorized and approved by Siemens Healthcare GmbH – voids all warranties, liabilities, assertions and contracts.

1-4 The RESPONSIBLE ORGANIZATION acknowledges that the Device’s underlying standard computer with operating system is to some extent vulnerable to typical attacks such as malware or denial-of-service.

1-5 Unintended consequences (e.g., misuse/loss/corruption) of data not under control of the Device (e.g., after electronic communication from the Device to an IT network or to a storage media), are under the responsibility of the RESPONSIBLE ORGANIZATION.

1-6 Unauthorized use of the external connections or storage media of the Device can cause hazards regarding the availability and information security of all components of the medical IT network. The RESPONSIBLE ORGANIZATION must ensure – through technical and/or organizational measures – that only authorized use of the external connections and storage media is permitted.

International Electrotechnical Commission Glossary (extract)

Responsible organization: Entity accountable for the use and maintenance of a medical IT network

ACUSON Redwood is a trademark of Siemens Medical Solutions USA, Inc.

syngo is a registered trademark of Siemens Healthcare GmbH.

Adobe is either a trademark or registered trademark of Adobe Systems Incorporated in the United States and/or other countries.

Intel is a trademark of Intel Corporation in the United States and other countries.

Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.


Statement on FDA Cybersecurity Guidance

Siemens Healthineers will follow cybersecurity guidance
issued by the FDA as appropriate. Siemens Healthineers
recognizes the principle described in FDA cybersecurity
guidance that an effective cybersecurity framework
is a shared responsibility among multiple stakeholders
(e.g., medical device manufacturers, healthcare facilities,
patients and providers), and is committed to drawing
on its innovation, engineering and pioneering skills
in collective efforts designed to prevent, detect and
respond to new and emerging cybersecurity threats.
While FDA cybersecurity guidance is informative as to
adopting a risk-based approach to addressing potential
patient harm, it is not binding and alternative approaches
may be used to satisfy FDA regulatory requirements.

The representations contained in this whitepaper are
designed to describe Siemens Healthineers’ approach to
cybersecurity of its medical devices and to disclose the
security capabilities of the devices/systems described
herein. Neither Siemens Healthineers nor any medical
device manufacturer can warrant that its systems will be
invulnerable to cyberattack. Siemens Healthineers makes
no representation or warranty that its cyber-security
efforts will ensure that its medical devices/systems will
be error-free or secure against cyberattack.

Please note that the learning material is for training purposes only!

For the proper use of the software or hardware, please always use the Operator Manual
or Instructions for Use (hereinafter collectively “Operator Manual”) issued by Siemens
Healthineers. This material is to be used as training material only and shall by no means
substitute the Operator Manual. Any material used in this training will not be updated
on a regular basis and does not necessarily reflect the latest version of the software and
hardware available at the time of the training.

The Operator's Manual shall be used as your main reference, in particular for relevant
safety information like warnings and cautions.

Note: Some functions shown in this material are optional and might not be part of your
system.

Certain products, product related claims or functionalities (hereinafter collectively
“Functionality”) may not (yet) be commercially available in your country. Due to
regulatory requirements, the future availability of said Functionalities in any specific
country is not guaranteed. Please contact your local Siemens Healthineers sales
representative for the most current information.

The reproduction, transmission or distribution of this training or its contents is not
permitted without express written authority. Offenders will be liable for damages.

ACUSON Redwood and UltraArt universal image processing are trademarks of Siemens
Medical Solutions USA, Inc.

All names and data of patients, parameters and configuration dependent designations
are fictional and examples only.

All rights, including rights created by patent grant or registration of a utility model or
design, are reserved.

Copyright © Siemens Healthcare GmbH 2020

Siemens Healthineers Headquarters
Siemens Healthcare GmbH
Henkestr. 127
91052 Erlangen, Germany
Phone: +49 9131 84-0
[Link]

Legal Manufacturers
Siemens Medical Solutions USA, Inc.
Ultrasound
22010 S.E. 51st Street
Issaquah, WA 98029, USA
Phone: 1-888-826-9702
[Link]/ultrasound

Published by Siemens Medical Solutions USA, Inc. · 8392 1219 online · © Siemens Medical Solutions USA, Inc., 2019
