White Paper KARL STORZ AIDA system

Transcription

1 White Paper KARL STORZ AIDA system

2 Contents 1 Introduction Short description of the AIDA system Definition of an AIDA system regarding IEC and application regarding IEC Purpose of the AIDA system regarding the connection to the hospital network IT-Network Requirements Required characteristics and configuration of the hospital IT network Intended information flow between the AIDA system and the IT hospital network infrastructure Digital Imaging and Communications in Medicine (DICOM) File Transfer Protocol (FTP) Network Share (Server Message Block SMB) HL7 communication (HL7 server / HIS) KARL STORZ OR1 STREAMCONNECT Server Network Printer Software Installation Licensing Model User Rights User Roles System Administrator Application Administrator Settings User User Audit User Super User Security settings Local users Active directory Access rights validation Security risks Availability Remote Maintenance Remote access via Axeda Patch Management EN BA

3 9 Malware / Antivirus Defense Data Protection Delete the sensitive data Data Backup and Recovery Network Load Network Ports, Protocols and Services Conformity Assessment HL7 Conformance Statement DICOM Conformance Statement Test Protocol Cybersecurity Residual Risk and Mitigations (Threat Model) System Schematic References /REF_001/ PI_OR1_92_E_R.PDF (DICOM Conformance Statement) /REF_002/ PI_OR1_93_E_R.PDF (HL7 Interface Description) /REF_003/ AIDA SofB (Software Description) Whitepaper KARL STORZ AIDA sytem 9

4 1 Introduction 1. 1 Short description of the AIDA system AIDA is the name for a product aimed at integrating typical audio-video, documentation and checklist/ workflow requirements, features and functionalities for an OR environment into one single integrated system. The AIDA system is a medical device according to MDD Definition of an AIDA system regarding IEC and application regarding IEC The whole system consists of a combination of networking devices, non-medical devices and ME-systems according to ISO/IEC Part 3.64 (Definition of MEDICAL ELECTRICAL (ME) SYSTEMS): combination, as specified by its MANUFACTURER, of items of equipment, at least one of which is ME EQUIPMENT to be inter-connected by FUNCTIONAL CONNECTION or by use of a MULTIPLE SOCKETOUTLET. As defined in Annex H of ISO/IEC , the AIDA System is a PEMS (Programmable Electrical Medical System). The complete system is isolated from the hospital network via a software firewall. The responsibility for the network of the hospital IT administrator ends at the network port of the AIDA system. A medical system is defined in Clause 16 of ISO/IEC In Chapter 1 Scope of the ISO/IEC Note 4, the manufacturer who specifies a ME system that includes a network is responsible for this complete medical system. This is according to the ISO/IEC Part These combinations are tested and verified as a complete system by KARL STORZ Purpose of the AIDA system regarding the connection to the hospital network The AIDA system is defined to be used in a medical environment, especially in Operating Rooms. Regarding the network topology design in direction to the hospital network, the system is designed to assist in medical interventions in cases of documentation and communication. The following general communications are supported: Storage of still images, streaming media, audio sequences on a Hospital Server DICOM storage and Worklist HL7 Patient query and export of MDM/ORU messages Printing of still images and treatment reports EN BA

5 2 IT-Network Requirements Note: Connection of the KARL STORZ Medical Device to a network/data coupling that includes equipment that is not validated for use with the KARL STORZ equipment could result in previously unidentified risks to patients, or operators. The operator should identify, analyze, and control such risks. This includes any subsequent changes to the network/data coupling introducing new risks and requiring new analysis. Examples of pertinent changes to network/data coupling include: Changes in network/data coupling configuration Connection of additional items to network/data coupling Disconnecting items from network/data coupling Update of equipment connected to network/data coupling Upgrade of equipment connected to network/data coupling 2. 1 Required characteristics and configuration of the hospital IT network The following requirements have to be fulfilled by the customer; otherwise correct function of the AIDA isn t guaranteed: The availability of a gateway and DNS-Server for the AIDA should be ensured A minimum bandwidth of 100Mbit/s has to be guaranteed 2. 2 Intended information flow between the AIDA system and the IT hospital network infrastructure The AIDA system supports six types of external servers in the hospital network Digital Imaging and Communications in Medicine (DICOM) For further information refer to the AIDA DICOM Conformance Statement File Transfer Protocol (FTP) The AIDA system uses passive FTP when exporting data to a FTP server within the IT hospital network infrastructure. That means, all connections are established from the FTP client to the server. The required FTP credentials to connect to the FTP server need to be configured and stored within the AIDA system. Used TCP-Ports 20/21. Please refer to the FTP definition in RFC 959 for more detailed information. FTP-server: e.g. vsftpd, Filezilla FTP server for saving patient data Network Share (Server Message Block SMB) The AIDA system uses the SMB protocol standard when exporting data to a network share on a SMB server within the IT network infrastructure. Hereby all connections are established from the SMB client to the server. Therefore no special firewall configuration of the router is required. The required credentials to connect to the SMB server need to be configured and stored within the AIDA system. New Windows systems use primary TCP-Port 445. Older systems or other compatible Operation Systems (OS) can use different ports. Please refer to the SMB definition by Microsoft under: for more detailed information. SMB-server: e.g. Windows based server (Windows server 2008), Samba (Version 4) for saving patient data. Whitepaper KARL STORZ AIDA sytem 11

6 2.2.4 HL7 communication (HL7 server / HIS) The AIDA system uses the most common HL7 transport method to send HL7 messages, called Lower Layer Protocol (LLP). The Lower Layer Protocol sends unencrypted HL7 messages via TCP/IP over a local area network, such as those found in a hospital. When using LLP, an HL7 message must be wrapped using a header and trailer (also called a footer) to signify the beginning and end of a message KARL STORZ OR1 STREAMCONNECT Server For audio/video communication outside the OR-Environment an additional server platform is available. For further information please refer to the country based assigned Whitepaper: United States / Canada / Mexico: STREAMCONNECT NEO Rest of the world: White Paper OR1 STREAMCONNECT II System Network Printer The AIDA system supports the configuration of network printers that can be used for printing treatment reports or still images. The required resources depend on the concrete network printing infrastructure and drivers that are used. The following protocols are tested and verified: Network Share (Server Message Block SMB) Internet Printing Protocol (IPP) via TCP/UDP-Port 631 Line Printer Daemon protocol / Line Printer Remote protocol (LPD, LPR) via TCP-Port 515 HP-JetDirect via TCP-Port EN BA

7 3 Software Installation System is a delivery of a complete system including hardware and software (AIDA SW and Windows 10 Embedded). 4 Licensing Model There is no dedicated licensing model implemented. 5 User Rights The AIDA system provides flexible user permissions management which allows handling of multiple users and storage of user and group specific settings User Roles User capabilities of the users are role-based. Please consult /REF_003/ for more details. The following standard user roles are available in the AIDA system System Administrator Users with System Administrator rights have access to all windows functionalities. They are able to change the following system settings: Add system to the domain (active directory) Add, edit, and delete local user accounts and assign local users to user groups Change network and time settings Change autologin settings Install/configure printers Access the Windows desktop Update the system / install the patches Application Administrator The access rights of the Application Administrator are restricted only within the AIDA system. Users with AIDA Application Administrator rights can change the following AIDA settings: Settings applied for the local AIDA unit Settings with global impact (settings can be shared between AIDA installations) Settings with impact to the group Settings User Additionally to regular Users, Users with User Settings rights have permissions to access AIDA configuration and change their own user specific settings like print settings and individual keywords User Users with User rights have rights to login to the AIDA system, access own patients data in the filing cabinet, but no rights to change any configuration settings Audit User Users with Audit rights shall have access to see and download the audit logs. They do not have rights to access patient data Super User Users that play the role of Super Users have, unlike users with User roles, access to all patient data in the filing cabinet. Whitepaper KARL STORZ AIDA sytem 13

8 5. 2 Security settings The System Administrator and Application Administrator in the hospital are responsible for configuring the AIDA System for later secure usage. Please consult /REF_003/ and the following subchapters to manage cybersecurity settings corresponding to your requirements Local users AIDA is delivered with default users and passwords (Please refer to /REF_003/). To improve the security of the system, change the administrative password on your device immediately before first usage. You will need to login as System Administrator (OR1 Admin user) to windows and make changes to the windows local user accounts. The process of administrating local users / passwords is not part of the AIDA application Active directory The AIDA system has the option of being added to a domain (active directory). When added to a domain, LDAP will be used for login authentication and authorization, so the user group s membership will be read from LDAP and mapped to AIDA standard user roles. The process of adding the AIDA system to a domain is not a part of the AIDA application Access rights validation AIDA is divided into different security sections. The following access rights validations can be set by the Application Administrator in the AIDA Application. Setting Description Access Roles Default Value Startup If enabled, the user has to be authorized after start All Roles Off of AIDA Patient Import Check access rights for Patient Import (HL7 query User, Super User Off /DICOM worklist) Finish Check access rights to finish the procedure User, Super User Off Open Tasks Check access rights to access data in Open Tasks. Please note, that members of the Super Users User, Super User, Application Administrator role can see tasks of all users and members of the User role only owned tasks. Filing Cabinet Check access rights to access data in the Filing Cabinet. Please note, that members of the Super Users role can see all patients and members of the User role only own patients in the filing cabinet. User, Super User Off Configuration If enabled, the User will be asked for credentials each time they access the configuration. If disabled, credentials of an already logged in User will be reused to access the configuration. Settings User, Application Administrator, System Administrator 5. 3 Security risks Some AIDA settings that can be made by a System/Application Administrator should be configured carefully, due to potential resulting risks. Please consult Chapter 17 Cybersecurity Residual Risk and Mitigations (Threat Model) for more details. 6 Availability KARL STORZ cannot make any statements regarding the safety and availability of devices that the operator has modified without authorization, for instance, by installing printer drivers, additional software, etc. 7 Remote Maintenance Remote maintenance requires network access that connects the device to the hospital network. In accordance with the data protection laws of the respective federal state, KARL STORZ explicitly ensures that external access is established only to the device in question. The individuals accessing the device are all specifically trained and instructed KARL STORZ employees who have confirmed in writing that they have undergone instruction and will apply the corresponding procedures. KARL STORZ guarantees that no patient-related information will be used for service purposes, copied, or used in any other form. On EN BA

9 KARL STORZ will inform the operator by phone or in writing (via with confirmation request) before performing any required remote access. KARL STORZ and the operator will agree on the required modalities, the procedures, the necessary contacts, etc., in advance. These agreements will be made in writing. Three options are available for the actual external access to the device. They are described below Remote access via Axeda By default KARL STORZ offers remote maintenance through its Axeda software for the KARL STORZ devices located in the operating room. Connection between devices in the OR and the Axeda 3 Connected Access Remote Server is established by the device using the https protocol. Further communication between the device and the Axeda Connected Access Remote server uses https tunneling. Remote service requires two outbound ports (443 and 17002) to allow the remote service agent to connect to the remote service backend (currently Axeda ). The remote service agent is installed on the AIDA PC only and therefore only the AIDA PC needs access to the remote service backend. The H-LAN firewall has to allow this traffic to be passed from inside the OR to outside. In addition there are a few network management tools that will be installed on the AIDA PC to allow the network maintenance, monitoring and troubleshooting tasks via remote service. The access to the system via Axeda needs the confirmation of the user. Axeda software requirements can be viewed at 8 Patch Management AIDA system updates always include relevant patches which are tested following regulatory requirements for medical devices. KARL STORZ provides patches and fixes if necessary. Users with User rights have rights to login to the AIDA system, access own patients data in the filing cabinet, but no rights to change any configuration settings. 9 Malware / Antivirus Defense Classic antivirus protection is only effective if the virus definition file (= blacklist) and the program engine are regularly updated. Therefore, users are only protected against threats that are known to the manufacturer. There is a general risk of a faulty update of the antivirus program negatively affecting the system, resulting in problems as severe as total system failure. Therefore, careful checks are indispensable. The patch management solution of the AIDA system is based on Cryptzone SE46, which starts automatically together with the Windows operating system and uses the whitelist approach. When using a whitelist, all executable files that are not listed on the whitelist are blocked from running. As a result, any intruding malware is prevented from negatively affecting the system or changing it. This includes malware such as viruses or Trojans even if they are hidden in other files. Only a KARL STORZ service technician has the privileges to switch the Cryptzone SE46 into the Service Mode, which allows full control and sole authorization to make fundamental modifications to the operating system and installations. This also applies to the release of new system components and updates. SE46 prevents the exploitation of zero days on OS level and other applications. Malware / antivirus protection software may be installed and run under certain conditions. If the operator meets the requirements described below, the appliance s conformity with Medical Device Directive 93/42EEC will remain intact as declared by KARL STORZ. The operator must configure the software such that it does not limit the operation of the appliance. Please take resource intensive processes, such as video storage during surgery and other real-time applications, into consideration. The initial installation as well as the installation of updates or safety patches of anti-malware programs must be tested in advance within the respective environment. Please note that the operator is responsible for malware protection in view of risk management in accordance with IEC Whitepaper KARL STORZ AIDA sytem 15

10 10 Data Protection The AIDA system will be used in secured environments like ORs or doctors' offices. These are environments with reduced access only for selected staff Delete the sensitive data The System Administrator should consider deleting sensitive data located on the D: drive before sending the system for service purposes. Please consult the /REF_003/ for working instructions. 11 Data Backup and Recovery This system is not intended to be used as an archive. The system does not provide a local backup solution. Under normal operating conditions all data will be exported to a defined target after each treatment, which is under customer control as for backups. During a procedure, data is stored locally in a buffer; after the finalization of the treatment an export to predefined targets is initiated. If the export fails, the data export will be resumed after the failure condition has been resolved (e.g. reestablishment of network connectivity etc.) Data of current treatments will remain on the local HDD in case of power failure or other adverse events. 12 Network Load The system can read and write up to 1GBit/sec during storage operations. 13 Network Ports, Protocols and Services Port Protocols / Application Name Application Description Services [445] [TCP / SMB] [Windows Share] [exporting / importing presets] Configurable (Outgoing) TCP DICOM.Service.exe DICOM service (support fo secure transfer via SSL) Dicom store Worklist request Configurable (Ingoing) Dicom MPPS TCP DICOM.Service.exe Dicom service Listening port to receive Storage treatments 20/21 (Outgoing) TCP OR1Desktop.exe Export of procedure files via outgoing FTP connection to export destination 22 (Outgoing TCP OR1Desktop.exe Export of procedure files via secure SSH connection to export destination 445 TCP OR1Desktop.exe Export of procedure files via windows share (smb) protocol Configurable TCP OR1Desktop.exe HL7 query and export (DEM/ ORU) messages via Lower Layer Protocol (LLP) 443 and TCP / UDP 5900 (Ingoing) TCP winvnc.ex Remote access to AIDA system EN BA

11 14 Conformity Assessment HL7 Conformance Statement Refer to /REF_002/ for HL7 Interface Description 15 DICOM Conformance Statement Refer to /REF_001/ for DICOM Conformance Statement document. 16 Test Protocol Under certain prescribed circumstances, the Operator may make changes to the KARL STORZ device (e.g. See Section 10, Malware Defence, above). In all circumstances, the Operator is ultimately responsible for risk management in accordance with IEC Cybersecurity Residual Risk and Mitigations (Threat Model) Residual Risk ID Threat / Vulnerability Mitigation Strategy 1.1 HL7 message via TCP Data transfer between server and the AIDA could be intercepted by a man in the middle attack. Customer is responsible for securing the hospital network from unauthorized access and the communication between AIDA and other systems. AIDA uses Lower Layer Protocol (LLP) which is standard for HL7 communication and not secured by default. In theory, LLP with the TLS (Transport Layer Security) or SSL (Secure Socket Layer) cryptographic protocol is a standard supported by the IHE organization. In practice, it doesn t seem to be used often. Most integration engines have yet to support this standard Manage users/ groups DICOM stream with patient data via TCP/IP Elevation of privilege: Browse buttons can be used to open Windows explorer and access the system with the rights of regular Windows users Data transfer between server and the AIDA could be intercepted by a man in the middle attack To make the communication secure, the Network Administrators should connect the AIDA to trusted networks only, to ensure that it cannot be read by unauthorized users. Network Administrators could consider using VPN, SSH Tunneling to create secure encrypted point to point connection between the AIDA System and HL7 server. Only a System Administrator should be able to make changes to the OS, the user accounts, etc.. Through the vulnerability of browse functionality, it is possible that an Application Administrator (able to change settings for other users within the application) will gain access to the OS. This access is limited to Windows user rights, so the user cannot make significant changes to the system configurations. The hospital administration has to make sure that only qualified and hospital trusted users should play the role of System and Application Administrators. Customer is responsible for securing the hospital network from unauthorized access and for securing the communication between the AIDA and other systems. Application Administrators should consider activating DICOM TLS encryption in the AIDA in case it is supported by the Dicom server vendor. Whitepaper KARL STORZ AIDA sytem 17

12 Residual Risk ID Threat / Vulnerability Mitigation Strategy 3.1. Patient treatment files via FTP Data transfer between server and the AIDA could be intercepted by a man in the middle attack. Customer is responsible for securing the hospital network from unauthorized access and for securing the communication between the AIDA and other systems. Configuration data store 5.2. View remote web site DICOM Worklist flat file data Information Disclosure: Everybody can read unencrypted data DNS Spoofing in hospital network. Can be used for phishing sensitive username/ password information from e.g. STREAMCONNECT Data transfer between server and the AIDA could be intercepted by a man in the middle attack. Application Administrators should consider using SFTP instead of FTP for exporting patient data. Consult also /REF_003. The System Administrator should consider protecting the data drive (PHI data) with any encryption tool from being compromised if the drive is lost or stolen or sent for service purposes. Please also consult the / REF_003/ for PHI data delete instructions. Customer is responsible for securing the hospital network from unauthorized access and for securing the communication between the AIDA and other systems. Application Administrators should only configure https endpoint to avoid Spoofing. Customer is responsible for securing the hospital network from unauthorized access and for securing the communication between the AIDA and other systems. AIDA is delivered in ready to use, but unsecure state Upon first use of the AIDA System, the System Administrator should perform steps to use the system in a hardened state Application Administrators should use secure transfer protocol to transport the flat file to the local AIDA machine. Please consult /REF_003/, this document and this table and follow the hardening steps. UltraVNC Server Unencrypted data session Because of unencrypted data sections, hackers can use sniffer tools to view information (passwords, etc.) that flows over a VNC connection. Hospital System Administrator is responsible for data flow security. VNC should be used only in a DMZ secure environment. Network Administrators could consider setting VNC to be used only when tunneled through SSH or VPN across the DMZ to assure secure encrypted point to point connection. The hospital System Administrator is responsible for setting VNC usage inside the lab, VNC tunneled through SSH across the DMZ, and VNC through a VPN tunnel are acceptable. See alternative solutions below EN BA

13 18 System Schematic TM TM Whitepaper KARL STORZ AIDA sytem 19

14 KARL STORZ SE & Co. KG Dr.-Karl-Storz-Straße Tuttlingen Postfach Tuttlingen Germany Telefon: +49 (0) Telefax: +49 (0)