
PEPconnect & PEPconnections Security White Paper
This white paper describes security and data privacy measures taken with PEPconnect & PEPconnections.
Whitepaper · PEPconnect & PEPconnections · Version 20210331.1 & Later
Security Whitepaper: The facts about the security of our products and solutions.
siemens-healthineers.com/cybersecurity
SIEMENS Healthineers · Unrestricted · Effective Date: 03 JUL 2021 | HOOD05162003202697

Product and Solution Security Whitepaper · PEPconnect & PEPconnections Version 20210331.1 & Later

Foreword

The Siemens Healthineers Product and Solution Security (PSS) program

At Siemens Healthineers, we are committed to working with you to address cybersecurity and privacy requirements. Our Product and Solution Security Office is responsible for our global program that focuses on addressing cybersecurity throughout the lifecycle of our products.

Our program targets incorporating state-of-the-art cybersecurity into our current and future products. We seek to protect the security of your data while, at the same time, providing measures to strengthen the resiliency of our products against cyber threats.

We comply with applicable security and privacy laws and regulations, including the EU General Data Protection Regulation (GDPR) and the EU Medical Device Regulation (MDR), and will cooperate with the competent authorities, including but not limited to the US Department of Health and Human Services (HHS), the US Food and Drug Administration (FDA), the US Office for Civil Rights (OCR) and the National Medical Products Administration (NMPA) in China, to meet IT security and privacy obligations.

Vulnerability and incident management

Siemens Healthineers cooperates with government agencies and cybersecurity researchers concerning reported potential vulnerabilities. Our communications policy strives for coordinated disclosure. We work in this way with our customers and other parties, when appropriate, in response to potential vulnerabilities and incidents in our products, no matter what the source.

Elements of our Product and Solution Security program

• Providing information to facilitate secure configuration and use of our medical devices in your IT environment
• Conducting formal threat and risk analysis for our products
• Incorporating security-focused architecture, design and coding methodologies in our software development process
• Performing static code analysis of our products
• Conducting security testing of products under development as well as products already in the field
• Providing a patch management strategy for the medical device
• Monitoring security vulnerabilities to track reported third party component issues in our products
• Working with suppliers to address security throughout the supply chain
• Training of employees to provide knowledge consistent with their level of responsibility regarding your data and device integrity

Contacting Siemens Healthineers about Product and Solution Security

Siemens Healthineers requests that any cybersecurity or privacy incidents are reported by email to: productsecurity@siemens-healthineers.com

Jim Jacobson
Chief Product and Solution Security Officer
Siemens Healthineers

Contents

Foreword
Basic Information
Network Information
Security Controls
Shared Responsibilities
Abbreviations
Statement on FDA Cybersecurity Guidance

Basic Information

PEPconnect is the industry's first personalized education and performance experience for healthcare professionals – designed to increase staff competency, efficiency, and productivity. With the premium subscription PEPconnections [1], our customers can easily manage their clinical institution's performance growth with integrated group management and administration features.

Operating Systems

For desktop: Windows 10 and higher, or macOS (Current Version).
For mobile devices: Android (Current Version), iOS (Current Version) or iPadOS (Current Version) or higher.

For an optimized experience, the following browser recommendations should be followed:
• Android Browser (Current Version)
• Mac Safari (Current Version)
• Mobile Safari (Current Version)
• Google Chrome (Current Version)
• Microsoft Edge (Current Version)
• Mozilla Firefox (Current Version)

Hardware Specifications

PEPconnect was designed to function on the customers' desktop and mobile devices meeting the Operating System criteria above.

User Account Information

• Each person must have a unique email address.
• New users to the site select Register and complete the registration form, after which they receive an email with a confirmation code. The code provided in this email is used to confirm each user's registration so they can continue with the login process.
• Individual users may also use their Healthineers ID to authenticate with PEPconnect and PEPconnections.
• Passwords are case sensitive and must consist of alphanumeric characters containing at least one uppercase letter, one lowercase letter and one number, and must be at least 8 characters in length.

Patching Strategy

The PEPconnect site is updated:
• Monthly for software updates
• As needed for non-scheduled emergency security patching

Cryptography Usage

To protect data in transit, PEPconnect uses SSL/TLS during data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. PEPconnect applies the HTTP Strict Transport Security (HSTS) header to its web connections, directing modern browsers to connect to PEPconnect only over an encrypted connection. Additionally, PEPconnect flags all authentication cookies as Secure. Data is stored at rest using the industry-standard AES-256 algorithm.

Handling of Sensitive Data

PEPconnect does not include patient or sensitive data. When using PEPconnect and PEPconnections, our Terms of Use, Privacy Policy, and Special Terms of Use for PEPconnect Groups [2] apply.

You can request that your PEPconnect account be deleted, erasing your personal information, at any time on the Site Settings page. Please note that, should you choose to delete your account, all of your data will be eliminated from the system and you will be removed from any upcoming class events. Please export your transcript from My Transcript and print your certificates if you wish to keep these records. For more details, see the PEPconnect Privacy Policy.

Data Recovery

PEPconnect servers are hosted with Amazon Web Services and rely on AWS's Elastic Block Store (EBS) architecture, which is redundant and fault tolerant (http://aws.amazon.com/ebs/). All customer data is backed up regularly to guard against data loss. All backups are encrypted and stored in high-resiliency, geographically diverse locations to prevent loss due to natural disaster or location-specific failures. Servers are regularly imaged and geographically distributed to allow for low downtime in the case of a datacenter failure.

Terms and Conditions

When using PEPconnect and PEPconnections, our Terms of Use, Privacy Policy, and Special Terms of Use for PEPconnect Groups [2] apply. See local terms and conditions that may apply when purchasing PEPconnections.

[1] Subscription required. Availability of subscription depends on country. The products/features and/or service offerings mentioned here are not commercially available in all countries and/or for all modalities. If the services are not marketed in countries due to regulatory or other reasons, the service offering cannot be guaranteed. Please contact your local Siemens Healthineers organization for further details.
[2] Terms of Use: https://www.siemens-healthineers.com/terms-of-use · Privacy Policy: https://pep.siemens-info.com/en-us/privacy · Special Terms of Use for PEPconnect Groups: https://pep.siemens-info.com/en-us/terms
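The password rules listed under User Account Information, as an added example of how such a policy is enforced at the point where a password is set or changed. This is illustrative code, not PEPconnect's or Siemens Healthineers' own implementation. Assumptions: the page only lists what a password must contain, so characters other than letters and digits are neither required nor rejected here, and the confirmation-mismatch and old-password-reuse checks are ordinary change-password behaviour that the page does not describe.

```python
"""Enforcement of the password rules stated under User Account Information.

Added example, not code from PEPconnect or Siemens Healthineers. Assumptions:
characters other than letters and digits are neither required nor rejected
(the page lists only what a password must contain), and the confirmation and
old-password checks are assumed change-password behaviour, not page claims.
"""
import unicodedata
from typing import List, Optional

MIN_LENGTH = 8


def normalize(password: str) -> str:
    """NFC-normalize so the same visible string always compares equal.
    No case folding: the policy is case sensitive."""
    return unicodedata.normalize("NFC", password)


def failed_rules(password: str) -> List[str]:
    """Return the names of the policy rules the password violates (empty if compliant).

    Rules from the page: at least 8 characters, at least one uppercase letter,
    one lowercase letter and one number."""
    pw = normalize(password)
    checks = [
        ("min_length", len(pw) >= MIN_LENGTH),
        ("uppercase", any(c.isupper() for c in pw)),
        ("lowercase", any(c.islower() for c in pw)),
        ("digit", any(c.isdecimal() for c in pw)),
    ]
    return [name for name, ok in checks if not ok]


def is_compliant(password: str) -> bool:
    return not failed_rules(password)


def check_password_change(old: Optional[str], new: str, confirmation: str) -> List[str]:
    """What a registration or change-password handler reports back to the user.

    Policy failures come first; a mismatched confirmation or reuse of the old
    password is rejected as well (assumed behaviour, not stated on the page)."""
    problems = failed_rules(new)
    if normalize(new) != normalize(confirmation):
        problems.append("confirmation_mismatch")
    if old is not None and normalize(old) == normalize(new):
        problems.append("same_as_old")
    return problems


if __name__ == "__main__":
    for candidate in ["Abcdefg1", "abcdefg1", "ABCDEFG1", "Abc1"]:
        print(candidate, "->", failed_rules(candidate) or "OK")
```

Because the check reports every failed rule rather than stopping at the first, a user sees the whole list at once; the two checks in `check_password_change` run on normalized input so that a confirmation typed with a different Unicode composition of the same characters is not rejected spuriously.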
Network Information & Firewall

[Figure: network diagram. End users in the hospital and other end users on the internet reach the PEPconnect service, hosted in an Amazon Web Services VPC, through the AWS CloudFront Content Delivery Network (CDN); inside the VPC sit the Siemens web server, the Siemens database server and AWS S3 cloud storage, behind a firewall. Legend: data center, web server, database server, CDN, data/cloud storage, user, firewall.]

The PEPconnect server sends automated email, such as the registrant confirmation code, from three static IP addresses over specific ports, and these must be reachable from the customer side. If a confirmation email does not arrive, the customer may need to contact their local IT to check whether the facility's spam filter caught the automated email on the mail server (quarantine folder). If the email was caught by the spam filter, local IT needs to:

1. "Whitelist" (allow) the following IP addresses and ports (see table below)
2. Allow emails from admin@siemenspepconnect.com
3. Once complete, the customer may need to use Forgot Password to re-send their confirmation code if one week has passed

IP Address       Port Number(s)       Service/Function                  Direction (In/Out)   Protocol
198.2.128.180    25, 465, 587, 2525   Sending of transactional emails   Out                  SMTP + TLS
168.245.57.23    587                  Sending of transactional emails   Out                  SMTP + TLS
167.89.88.97     587                  Sending of transactional emails   Out                  SMTP + TLS

Direction is given from the PEPconnect side: these are outbound connections from the PEPconnect mail service, so the customer's mail gateway needs to accept mail arriving from these source addresses on the listed ports.

Security Controls

Malware Protection

All servers are protected using a multilayered approach. The infrastructure is protected from the outside using a Virtual Private Cloud (VPC) on Amazon Web Services along with AWS Security Groups that limit the types of internet traffic that can reach the servers and which networks can reach the servers.

Controlled Use of Administrative Privileges

The following administrative privileges apply to PEPconnect and PEPconnections Group Owners:
• Manage group members
• Monitor activity feed posts
• Redeem virtual wallet points for group subscriptions

Users in PEPconnect can become Group Owners by:
• Creating a group
• Being invited to a group as a Group Owner by an existing owner of the group and accepting the invitation
• Being invited to a group as a Group Owner by a Siemens Healthineers Administrator and accepting the invitation

The following additional administrative privileges apply to PEPconnections Group Owners, who have the premium subscription PEPconnections:
• Manage and administer group members' education
• Access group members' transcripts and reporting
• Upload page links and files (e.g., video, PDF, documents) to the Virtual Library, accessible only to members of the PEPconnections group

Authentication

Individual users can self-register on PEPconnect with a valid email address. To complete registration, an emailed confirmation code must be entered. Alternatively, authentication via Single Sign-On may be used, such as authentication with your Healthineers ID.

Continuous Vulnerability Monitoring

A suite of third party software is used to periodically scan PEPconnect to test for vulnerabilities.

Hardening

All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System image has server hardening built into it, and this OS image is provisioned on the servers to improve consistency across servers.

Network Controls

PEPconnect network security and monitoring techniques are designed to provide multiple layers of protection and defense. Firewalls are used to protect its network from unauthorized access and undesirable traffic, and its systems are segmented into separate networks to protect data. Third party monitoring software protects against intrusion and unauthorized access to any of our servers.

Physical Safeguards

The PEPconnect site and all other back-end services, including data storage, run on Amazon Web Services. The AWS platform is designed and built to run on a shared security responsibility model. This means that AWS is responsible for providing the underlying infrastructure that supports the PEPconnect platform, including facilities, network, hardware, and operational software. The infrastructure that Amazon provides is designed and managed in alignment with security best practices and a variety of IT security standards, including SOC 1, 2 and 3, PCI DSS Level 1, and ISO 27001.

Data Protection Controls

To protect data in transit, PEPconnect uses SSL/TLS during data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. PEPconnect applies the HTTP Strict Transport Security (HSTS) header to all its web connections, telling all modern browsers to connect to PEPconnect only over an encrypted connection. Additionally, on the web PEPconnect flags all authentication cookies as Secure. Data is stored at rest using the industry-standard AES-256 algorithm.
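The transport-protection claims made under Cryptography Usage and Data Protection Controls (an HSTS header on web responses, the Secure flag on authentication cookies) are the kind of thing a customer can verify from the outside. The following is an added example of such a check, not PEPconnect code, run here against two constructed HTTP responses rather than anything captured from the site. Assumptions: cookies whose name starts with "session" or "auth" are treated as authentication cookies; the six-month max-age floor, the includeSubDomains check and the HttpOnly check are recommended practice added for the example, not values or claims the page makes.

```python
"""Verify HSTS and authentication-cookie protection on an HTTP response.

Added example, not PEPconnect code. The two responses below are constructed
for this example, not captured from PEPconnect. Assumptions: cookie names
starting with "session" or "auth" are authentication cookies; the max-age
floor, includeSubDomains and HttpOnly checks are recommendations added here.
"""
import re
from typing import List, Tuple

MIN_HSTS_MAX_AGE = 15768000                 # ~6 months; assumed threshold
AUTH_COOKIE_PREFIXES = ("session", "auth")  # assumed naming of auth cookies

# Constructed sample responses (not real PEPconnect traffic).
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Set-Cookie: auth_token=xyz789; Path=/; Secure; HttpOnly\r\n"
    b"Set-Cookie: locale=en-us; Path=/\r\n"
    b"\r\n"
    b"<html>...</html>"
)
BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=600\r\n"
    b"Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
    b"\r\n"
)

Header = Tuple[str, str]


def parse_response_headers(raw: bytes) -> List[Header]:
    """Split a raw HTTP/1.x response into (lowercased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    if not status.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status)
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_hsts(headers: List[Header]) -> List[str]:
    """Findings for the Strict-Transport-Security header."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["hsts_missing"]
    # RFC 6797: a browser processes only the first STS header field, so a
    # second one is a configuration mistake worth reporting.
    findings = ["hsts_duplicate"] if len(values) > 1 else []
    directives = {}
    for part in values[0].split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        findings.append("hsts_max_age_missing")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append("hsts_max_age_short")
    if "includesubdomains" not in directives:
        findings.append("hsts_no_include_subdomains")
    return findings


def check_auth_cookies(headers: List[Header]) -> List[str]:
    """Findings for Set-Cookie headers that look like authentication cookies."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        name_value, *attrs = [p.strip() for p in value.split(";")]
        cookie = name_value.partition("=")[0].strip()
        if not cookie.lower().startswith(AUTH_COOKIE_PREFIXES):
            continue
        flags = {a.partition("=")[0].strip().lower() for a in attrs}
        if "secure" not in flags:
            findings.append("cookie_not_secure:" + cookie)
        if "httponly" not in flags:
            findings.append("cookie_not_httponly:" + cookie)
    return findings


def audit(raw: bytes) -> List[str]:
    headers = parse_response_headers(raw)
    return check_hsts(headers) + check_auth_cookies(headers)


if __name__ == "__main__":
    print("good:", audit(GOOD_RESPONSE) or "no findings")
    print("bad: ", audit(BAD_RESPONSE))
```

Run the check against the response obtained over HTTPS: browsers ignore an HSTS header received over plain HTTP, so a header that is only present on the redirecting HTTP endpoint gives no protection. The cookie-name prefixes are a heuristic for this example; in practice replace them with the application's real session and authentication cookie names.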
PEPconnect offers customers complete control over their data on a self-serve basis, with the ability to delete data within their accounts and, for PEPconnections customers, the ability to remove end user accounts from their Groups and content from their Virtual Library. Customers may also request assistance from PEPconnect Support for any of these actions. PEPconnect adheres to GDPR and CCPA requirements and guidelines. For information about our data retention practices, please see our Privacy Policy. Siemens Healthineers maintains a comprehensive written data protection plan that covers key aspects of our data protection practices, policies, and procedures.

Security Scanning

Each individual server has ESET File Security for Windows Server in addition to Trend Micro Cloud One intrusion detection software, which is managed through a cloud interface and alerts.

Auditing/Logging

PEPconnect has comprehensive logging and auditing at all levels, including our application and infrastructure. Application logs are centrally managed for troubleshooting and analyzing user and system events. Software developers use analytics tools for safe and efficient access to required data while maintaining security best practices. Access to logs is protected through managed authentication and by restricting access to authorized Siemens Healthineers personnel and partners.

Remote Connectivity

A small number of privileged accounts are authorized for access to PEPconnect physical assets. All other access is expressly forbidden.

Administrative Controls

Access to the production servers and data is protected using network isolation and strong authentication mechanisms. A combination of strong passwords, passphrase-protected SSH keys, a Virtual Private Network (VPN), and two-factor authentication is used to shield mission critical systems. Siemens Healthineers Administrators are required to complete annual Cybersecurity and Data Privacy training.

Incident Response and Management

Systems are monitored by third party software to notify engineers proactively, to prevent possible outages as well as to allow immediate response in the case of an outage. Customers can report incidents via the PEPconnect Support link in the footer of the site, and scheduled outage messages are displayed directly on the PEPconnect site.

PEPconnect integrated diagnostics and global technical support is provided during normal business hours EST, CET and SST, excluding holidays.

Shared Responsibilities

Personal Account Management

PEPconnect provides a lifelong learning record for each registered user. As a registered user on PEPconnect, it is important to observe the following practices.

Account Security
• Do not create or maintain group accounts with shared passwords
• Keep your profile information, especially your email address, up to date in your account settings
• You will automatically be logged out of PEPconnect after 4 hours. If you are using a shared computer, log out of PEPconnect to end your session before leaving the workstation.

Password Security
• Do not share your password with others
• Make your password hard to guess but easy to remember
• Your password can be updated at any time using the Forgot Password link or in your account site settings

PEPconnect Group Security
• Update your group participation by removing yourself from groups that are no longer relevant on the group settings page
• If you are a group owner, routinely monitor your group's activity feed and members. Remove members who are no longer authorized to participate in your group or access your group information

Abbreviations

AES   Advanced Encryption Standard
AWS   Amazon Web Services
CCPA  California Consumer Privacy Act
CDN   Content Delivery Network
DB    Database
DNS   Domain Name System
DSS   Data Security Standard
EBS   Elastic Block Store
FDA   Food and Drug Administration
GDPR  General Data Protection Regulation
HHS   Health and Human Services
HSTS  HTTP Strict Transport Security header
HTTP  Hypertext Transfer Protocol
HTTPS HTTP Secure
ID    Identifier
IE    Internet Explorer
IP    Internet Protocol
ISO   International Organization for Standardization
IT    Information Technology
OCR   Office for Civil Rights
OS    Operating System
PCI   Payment Card Industry
PSS   Product & Solution Security
S3    Simple Storage Service
SOC   Service Organization Control (the SOC 1, 2 and 3 reports referenced under Physical Safeguards)
SSH   Secure Shell
SSL   Secure Sockets Layer
TLS   Transport Layer Security
VPC   Virtual Private Cloud
VPN   Virtual Private Network

Statement on FDA Cybersecurity Guidance

Siemens Healthineers will follow cybersecurity guidance issued by the FDA as appropriate. Siemens Healthineers recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats. While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements.

The representations contained in this whitepaper are designed to describe Siemens Healthineers' approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither Siemens Healthineers nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. Siemens Healthineers makes no representation or warranty that its cybersecurity efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.

On account of certain regional limitations of sales rights and service availability, we cannot guarantee that all products included in this brochure are available through the Siemens sales organization worldwide. Availability and packaging may vary by country and are subject to change without prior notice. Some/All of the features and products described herein may not be available in the United States or other countries.

The information in this document contains general technical descriptions of specifications and options as well as standard and optional features that do not always have to be present in individual cases. Siemens reserves the right to modify the design, packaging, specifications and options described herein without prior notice. Please contact your local Siemens sales representative for the most current information.

In the interest of complying with legal requirements concerning the environmental compatibility of our products (protection of natural resources and waste conservation), we recycle certain components. Using the same extensive quality assurance measures as for factory-new components, we ensure the quality of these recycled components.

Note: Any technical data contained in this document may vary within defined tolerances. Original images always lose a certain amount of detail when reproduced.

Caution: Federal law restricts this device to sale by or on the order of a physician.

For PEPconnections, a subscription is required. Availability of subscription depends on country. The products/features and/or service offerings mentioned here are not commercially available in all countries and/or for all modalities. If the services are not marketed in countries due to regulatory or other reasons, the service offering cannot be guaranteed. Please contact your local Siemens Healthineers organization for further details.

Siemens Healthineers Headquarters
Siemens Healthcare GmbH
Henkestr. 127
91052 Erlangen, Germany
Phone: +49 9131 84-0
siemens-healthineers.com

Published by Siemens Healthcare GmbH · Online · © Siemens Healthcare GmbH, 2021
- Personalized Education Plan Solution
- PEP
- PEPconnect
- PEPconnections
- Security
- Data Privacy
- White Paper