Cybersecurity - Protecting healthcare institutions against cyberthreats

Cybersecurity at Siemens Healthineers

The digital transformation is in full swing, and cybersecurity paves the way for your institution to participate. As a global market leader for medical imaging and diagnostics, we are committed to helping you stay on track, no matter what challenges and threats you face. We offer a state-of-the-art portfolio of secure products, cybersecurity management services, and consulting that provides you with what you need for optimal protection across your institution. We constantly improve our systems and processes and train our teams in cybersecurity matters, so that high cyberthreat awareness stays top of mind.

System Certification ISO 27001

Siemens Healthineers has received independent certification according to ISO/IEC 27001:2013, extended by ISO/IEC 27701:2019, which demonstrates our commitment to safeguarding data privacy and cybersecurity for our sustainable business and for all key stakeholders of the company, particularly customers.

As a partner in your operations and on the treatment journeys of our customers’ patients, we want to give you a valid reason to put your trust in Siemens Healthineers.

The Siemens Healthineers global Cybersecurity Management System includes the Information Security Management and the Privacy Information Management for the company. It covers governance and assurance by the central groups for Cybersecurity, Data Protection, IT Security, and IT Operations at its Erlangen headquarters.

Click to download the ISO/IEC 27001:2013 and ISO/IEC 27701:2019 certificate. Please note that this is a static download; it will be replaced by the online version hosted by SGS as soon as possible.

Cybersecurity throughout the product lifecycle

Cybersecurity readiness is part of the Siemens Healthineers company culture: we start with secure development and design, we take care of secure deployment, and we help you maintain secure operations continuously.


Medical equipment* from Siemens Healthineers enables you to stay protected. Our products are designed with cybersecurity in mind: they support safe network integration and secure operations around the clock.

Secure Development Lifecycle

Thanks to the Secure Development Lifecycle (SDL), which is at the heart of the Siemens Healthineers approach to cybersecurity, our products* are ready for today’s operational requirements:

  • Hardware and software development follow defined state-of-the-art processes
  • Product development adheres to Siemens Healthineers standardized requirements and industry best practices
  • Processes and requirements are aligned consistently across the Siemens Healthineers product portfolio

*We continue to improve and extend the security measures for our current products. As threats and associated risks are evolving, not all statements on this page apply to all products and services. Contact your local Siemens organization for further details.

Data encryption: secure data at rest and in transit using state-of-the-art data encryption features

All products currently under development as well as a range of existing offerings have built-in security controls that are essential for modern IT environments:

  • Secure configuration and hardening
  • Authentication and authorization
  • Whitelisting
  • Data encryption
  • Trusted machine certificates
  • Auditing and logging

Transparency

We provide the information you need in advance, so there will be no surprises following deployment. Contact your local Sales representative for the following documents:

  • Product whitepaper describing all available product security features
  • SBOM (Software Bill of Materials)
  • General cybersecurity guidance and consultation
  • Secure environment configuration recommendation
  • Manufacturer Disclosure Statement for Medical Device Security (MDS2)

Deployment

During deployment, we verify the installation and configure security controls depending on the network and security requirements of your medical facility:

  • User management setup for assigning roles to your staff
  • Individualized passwords
  • Activation of encryption to protect against data theft
  • Secured connection to peer systems, e.g., DICOM archive

Because new vulnerabilities are discovered on an ongoing basis, your equipment needs to be monitored, updated, and upgraded in order to stay secure. We offer a suite of services that help you maintain the recommended security level of your Siemens Healthineers equipment.

Cybersecurity Management Services - Vulnerability monitoring and assessment

In line with the U.S. FDA’s post-market guidance and industry best practices, we perform continuous monitoring and assess whether known vulnerabilities could be exploited on our equipment and solutions. We also have a formal process in place for handling and disclosing reported security vulnerabilities related to our equipment and solutions.

Transparent overview of security status

We make it as convenient as possible for you to stay protected against threats with teamplay Fleet, our online portal for efficient and simple equipment maintenance, including cybersecurity:

  • teamplay Fleet Cybersecurity Profiles provide information about the security status of your fleet
  • Single interface for your Siemens Healthineers medical devices and medical IT solutions
  • High levels of transparency regarding the latest vulnerability notifications
  • Access to security advisories and mitigation advice

Cybersecurity updates

We provide quarterly patches for Siemens Healthineers equipment* and we release additional hotfixes whenever necessary. This allows you to keep up with the evolving threat landscape and stay protected:

  • All patches are validated prior to release for patient safety and continuous operations
  • With your systems connected to our VPN-encrypted Smart Remote Service (SRS), the patches are transferred automatically for you to install with just one click
  • Alternatively, you can schedule the installation of updates at your convenience through teamplay Fleet Anytime Software Update, especially for equipment* inaccessible through SRS

State-of-the-art system software

Medical equipment can become outdated prior to scheduled replacement. With our Advance Plans, we can help you keep Siemens Healthineers equipment future-proof and cybersecure throughout its lifespan. Choose from a range of service levels to cover your regulatory and financial needs. For products that are not yet eligible for Advance Plans, we offer other service contracts. Please visit our Customer Services website for more information.

Competent incident management

With more than 30 years of experience in IT security, we are well prepared for responding to cyberattacks. Our response to equipment integrity breaches is fast and designed to help limit any potential damage:

  • We perform technical evaluation, prioritize breach containment, and share relevant information in an effective and transparent manner
  • We conduct forensic analyses to help minimize the risk of future cyberattacks
  • We offer support for restoring equipment to a fully functional state

Need support now? Open a Service Ticket in teamplay Fleet.

Data privacy

Protecting the privacy of your data is very important to us. To help you comply with laws such as HIPAA in the U.S. and GDPR in Europe, we have aligned our processes with the core principle of “privacy by design and by default.” This means that data protection is incorporated into products, solutions, and services that process personal data beginning in the early design and planning stages.

Certified remote service

Smart Remote Services (SRS) is designed to help you maintain a high level of patient data confidentiality and integrity while upholding the availability of your data at the same time. Certified according to ISO 27001, SRS employs sophisticated authentication and authorization procedures, state-of-the-art encryption technologies and logging routines, and strictly enforced organizational measures. These safeguards allow you to optimally secure patient data and restrict access as needed.

Cloud security

Our cloud-based solutions, including teamplay (which has been awarded the European Privacy Seal, EuroPriSe), AI-Rad Companion, and Digital Ecosystem, are secured by the Microsoft Azure cloud platform to provide you with cutting-edge protection against breaches and malicious attacks. All your information is encrypted, both in transit from your site and at rest in our cloud infrastructure. Our solutions also allow you to limit web use and data access based on staff roles, so you keep strict control over sensitive information.

Publications

We publish security advisories and bulletins on an ongoing basis to notify you about any validated security vulnerabilities pertaining to Siemens Healthineers products. Mitigation may involve applying an update, performing an upgrade, or other actions on your part. Please visit the Siemens Healthineers teamplay Fleet customer online portal for more information.


LockBit Ransomware

Data allegedly related to the Varian business segment of Siemens Healthineers was published on ransomware group LockBit’s website on August 15, 17, and 19, and was available for a short period. We have no evidence that Varian corporate systems and processes have been compromised or that data was extracted from them. Our investigations determined that the published data was related to a single customer site.

We are taking this incident very seriously and are continuing to monitor the situation. The security and privacy of our customers and their patients are of utmost importance to us, and we continually strive to improve cybersecurity and data privacy.

Web Vulnerabilities in syngo Dynamics before VA40G HF01

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


Deserialization Vulnerability in Healthcare Products

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


Java library Log4j vulnerability (CVE-2021-44228)

Siemens Healthineers is aware of the zero-day remote code execution (RCE) vulnerability in the Java library Log4j, identified as CVE-2021-44228. Our cybersecurity experts continue to analyze and address the potential impact on our products. A preliminary security advisory has been issued; see here.


DICOM/BMP File Parsing Vulnerabilities in syngo fastView

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


Nucleus TCP/IP stack

The full security advisory can be found in the Siemens Healthineers teamplay Fleet customer online portal.


PrintNightmare vulnerability (CVE-2021-34527)

Siemens Healthineers is aware of the Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527), named PrintNightmare (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527), disclosed by Microsoft on July 1, 2021.
Our experts are investigating the reports to determine whether any Siemens Healthineers products are affected. This statement will be updated as soon as new information requires it, and we will notify customers accordingly through the Siemens Healthineers teamplay Fleet customer online portal.


BadAlloc vulnerability in the QNX Real-Time Operating System

Siemens Healthineers is aware of the vulnerability called BadAlloc in the QNX Real-Time Operating System. Our cybersecurity experts have been investigating and so far have found no indication that Siemens Healthineers products are at risk. We continue to monitor the issue as it develops and will notify customers, if necessary, through the Siemens Healthineers teamplay Fleet customer online portal.


SolarWinds Orion Platform Vulnerabilities

Siemens Healthineers is aware of the supply chain attack that introduced vulnerabilities in the SolarWinds Orion Platform, publicly announced in December 2020.

Investigations by our security experts have not identified any Siemens Healthineers products affected by this software vulnerability. We continue to monitor the issue as it develops and, if needed, may provide additional information for our customers through Siemens Healthineers teamplay Fleet customer online portal.


Remote code execution vulnerability on syngo.via (CVE-2019-18935)

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


CISA advisory ICSA-20-343-01

Siemens Healthineers is aware of the reports about the CISA advisory ICSA-20-343-01 outlining 33 CVEs between CVE-2020-13984 and CVE-2020-25112. Experts from Siemens Healthineers are investigating the situation. If necessary, we may provide additional information for our customers through the Siemens Healthineers teamplay Fleet customer online portal.


DCA Vantage Analyzer (vulnerabilities CVE-2020-7590 and CVE-2020-15797)

Siemens Healthineers is aware of two vulnerabilities in the DCA Vantage Analyzer, CVE-2020-7590 and CVE-2020-15797. Software version 4.5 is now available to customers to remediate both. The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


24.06.2020: Ripple20 - Treck TCP/IP stack vulnerabilities

Siemens Healthineers is aware of the TCP/IP stack vulnerabilities named Ripple20 (https://h-isac.org/h-isac-vulnerability-bulletin-ripple20/) disclosed by Treck on June 16, 2020.
Our experts are investigating the reports to determine whether any Siemens Healthineers products are affected. This statement will be updated as soon as more information becomes available, and we will notify customers through the Siemens Healthineers teamplay Fleet customer online portal.


25.02.2020: SweynTooth - vulnerabilities in Bluetooth Low Energy (BLE)

Siemens Healthineers is aware of the vulnerabilities in Bluetooth Low Energy (BLE) known collectively as SweynTooth. Investigations by our security experts have not identified any products affected by these vulnerabilities. We continue to monitor the issue as it develops and will notify customers through the Siemens Healthineers teamplay Fleet customer online portal.

Coordinated Vulnerability Disclosure

Siemens Healthineers encourages everyone to report vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports from researchers, industry groups, CERTs, partners, and any other source. Siemens Healthineers respects the interests of the reporting party (including anonymous reports, if requested) and agrees to handle any vulnerability that is reasonably believed to be related to Siemens Healthineers products or components. Siemens Healthineers urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts our customer systems and client hospitals at unnecessary risk.

Reporting Process

Siemens Healthineers currently follows the Siemens AG process for Coordinated Vulnerability Disclosure. This process begins by emailing one of the email addresses below. For a more detailed description of the process, please visit the Siemens Vulnerability Handling and Disclosure website.

Reporting a Product Incident

Does this incident involve a Siemens Healthineers product? Examples include, but are not limited to, medical imaging devices, laboratory diagnostics equipment, and healthcare software solutions.

Siemens ProductCERT - Contact for Products, Solutions, and Services

PGP Public Key and Fingerprint: 9534 422C 0570 CCA7 FF6F C5FC D3F4 81EA 114A AFE4
Email: productcert@siemens.com

Reporting an Infrastructure Incident

Does this incident involve the Siemens Healthineers infrastructure? If it pertains to Siemens Healthineers Enterprise, please report it here.

Siemens CERT - Contact for Infrastructure

PGP Public Key and Fingerprint: A3D1 8E40 D104 DEAD A112 3FF6 B485 0E2E 1AA2 2CD8
Email: cert@siemens.com
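Before sending an encrypted report to either contact above, a reporter should confirm that the public key they obtained actually carries the fingerprint published here, rather than trusting the e-mail address shown in the key's user ID. The following Python script is an added example and not Siemens Healthineers code: it parses the output of `gpg --fingerprint` (a real GnuPG command) and compares what it finds, ignoring spacing and case, with the two fingerprints printed on this page. The sample gpg output is constructed for the example (key type, dates and trust level are invented; the look-alike sample is the published fingerprint with its last digit changed), and the only assumption about gpg is the printed fingerprint format described in the comments.

```python
import re
import subprocess

# Fingerprints exactly as published on this page for the two reporting contacts.
PUBLISHED_FINGERPRINTS = {
    "productcert@siemens.com": "9534 422C 0570 CCA7 FF6F C5FC D3F4 81EA 114A AFE4",
    "cert@siemens.com": "A3D1 8E40 D104 DEAD A112 3FF6 B485 0E2E 1AA2 2CD8",
}

# A fingerprint line as printed by `gpg --fingerprint`: either a bare, space-grouped
# 40-hex-digit line (GnuPG 2.1+) or the older "Key fingerprint = ..." form.
_FPR_LINE = re.compile(r"(?:Key fingerprint\s*=\s*)?((?:[0-9A-Fa-f]{4}\s*){10})")


def normalize_fingerprint(fpr):
    """Collapse a human-readable fingerprint to 40 uppercase hex digits.

    Raises ValueError for anything that is not a full OpenPGP v4 fingerprint, so a
    truncated value or a short key ID can never compare equal by accident.
    """
    compact = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", compact):
        raise ValueError("not a 40-hex-digit OpenPGP fingerprint: %r" % fpr)
    return compact


def fingerprints_from_gpg_output(text):
    """Return every fingerprint (normalized) found in `gpg --fingerprint` output."""
    found = []
    for raw in text.splitlines():
        match = _FPR_LINE.fullmatch(raw.strip())
        if match:
            found.append(normalize_fingerprint(match.group(1)))
    return found


def key_matches_published(gpg_output, address):
    """True only if a key gpg shows for `address` carries the published fingerprint.

    Comparing the full fingerprint (not the e-mail address in the user ID, and not a
    short key ID) is what protects a reporter from encrypting a vulnerability report
    to a look-alike key.
    """
    expected = normalize_fingerprint(PUBLISHED_FINGERPRINTS[address])
    return expected in fingerprints_from_gpg_output(gpg_output)


def check_imported_key(address):
    """Run the real check against the local keyring. Requires gpg on PATH and a prior
    `gpg --import` of the downloaded public key. Returns True on a match."""
    result = subprocess.run(
        ["gpg", "--fingerprint", address], capture_output=True, text=True, check=False
    )
    return key_matches_published(result.stdout, address)


# Constructed sample of `gpg --fingerprint productcert@siemens.com` output. The key
# type, dates and trust level are made up for this example; only the fingerprint
# line carries the value published on this page.
SAMPLE_GENUINE = """\
pub   rsa4096 2023-01-01 [SC] [expires: 2026-01-01]
      9534 422C 0570 CCA7 FF6F  C5FC D3F4 81EA 114A AFE4
uid           [ unknown] Siemens ProductCERT <productcert@siemens.com>
sub   rsa4096 2023-01-01 [E] [expires: 2026-01-01]
"""

# Constructed look-alike: identical user ID, fingerprint differs in its last digit.
SAMPLE_LOOKALIKE = SAMPLE_GENUINE.replace("114A AFE4", "114A AFE5")


if __name__ == "__main__":
    contact = "productcert@siemens.com"
    print("genuine sample matches:   ", key_matches_published(SAMPLE_GENUINE, contact))
    print("look-alike sample matches:", key_matches_published(SAMPLE_LOOKALIKE, contact))
```

The comparison deliberately rejects anything shorter than a full fingerprint: the last 16 hex digits of the published value (`D3F4 81EA 114A AFE4`) are a long key ID, and long key IDs can be brute-forced into collision, so a reporter who checks only those against a key server result gains little. Run `check_imported_key("productcert@siemens.com")` after importing the downloaded key to perform the live check.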
