Knowledge Exchange (KE) System Cyber Security Plan

OVERVIEW

This document provides recommendations to enhance the security profile of the Knowledge Exchange (KE) System. You are responsible for identifying the security option(s) most appropriate to the risks identified in your environment. Do not attempt to implement any of these settings without first testing them in a non-operational environment. Use of this document is at the discretion of the user. Following these recommendations does not guarantee that the KE system will be secure.

This document discusses the following cyber security issues:

  Application Data Encryption in Motion
    HTTPS Support
    HTTP Re-Routing (using URL Rewrite)
    Secure Headers to Web Client Communication

  Device Data Encryption in Motion
    Legacy Device Communication Encryption (OER-Pro, CV-190)

  Application Attack Footprint
    Firewall Settings
    Web Obsolescence

This plan uses industry best practices and solutions. Links for each plan item are given at the end of this document, under Web Resources.

2017 OLYMPUS CORPORATION OF THE AMERICAS    PAGE 1 OF 5    TR0131V01
APPLICATION DATA ENCRYPTION IN MOTION

HTTPS support can be provided by installing the Microsoft IIS 8.5 feature on the Microsoft Windows 2012 R2 server where your KE system is installed. The following steps can be used to configure IIS 8.5:

1. Set the first rule to configure URL Rewrite as a reverse proxy.
2. Create the second rule, Redirect HTTP to HTTPS.
3. Edit the IIS web configuration for secure headers.
4. Set up bindings to TCP ports 80 and 443, using a self-signed certificate or a CA certificate on TCP port 443 only.

[Diagram: Secure Web Client -> Firewall -> IIS Server (IIS Reverse Proxy, HTTP to HTTPS) -> Olympus KE Application Server]

To prevent vulnerability with the web client connection, industry standards recommend adding secure headers to Web Client communication. Add these by customizing the HTTP response header in IIS (see the HTTP response header resources listed under Web Resources below).
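The following PowerShell is an added example, not part of the Olympus document, that carries out the four steps above on the KE server with the IIS WebAdministration module. It assumes the URL Rewrite and Application Request Routing v3 modules (linked under Web Resources) are installed, that the IIS front end is "Default Web Site", and that the KE application's own web server listens on http://localhost:8080 (the plan names TCP 8080 as the GlassFish HTTP listener to block at the firewall; the site name, host name and backend address are assumptions, not values from the plan). The redirect rule is placed above the reverse-proxy rule so that a plain-HTTP request is redirected before anything is forwarded to the application. The script replaces the site's web.config, so merge it with any settings already there.

```powershell
# Added example (not from the Olympus plan): IIS 8.5 as HTTPS front end for KE.
# Assumed values are marked; the plan does not specify them.
Import-Module WebAdministration

$siteName = 'Default Web Site'                 # assumed IIS site hosting the KE front end
$hostName = 'ke.hospital.example'              # placeholder: the KE server's DNS name
$backend  = 'http://localhost:8080'            # assumed KE (GlassFish) HTTP listener

# ARR must have its proxy feature enabled at server level for the Rewrite action to forward.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/proxy' -Name 'enabled' -Value $true

# Step 4: TCP 443 binding with a self-signed certificate (use a CA certificate in production).
# The existing TCP 80 binding is kept only so the redirect rule can answer on it.
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# Steps 1-3: rewrite rules and secure response headers in the site's web.config.
$webConfig = @"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Evaluated first: anything arriving over HTTP is sent to HTTPS. -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <!-- Reverse proxy: HTTPS requests are forwarded to the KE application. -->
        <rule name="Reverse Proxy to KE" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="$backend/{R:1}" />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="Referrer-Policy" value="no-referrer" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"@

$physicalPath = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $siteName).PhysicalPath)
Set-Content -Path (Join-Path $physicalPath 'web.config') -Value $webConfig -Encoding UTF8
```

After running it, a request to http://ke.hospital.example/ should answer with a 301 to the https:// address, and the HTTPS response should carry the headers above; checking the result with the securityheaders.io scanner listed under Web Resources confirms the header set from the client's point of view.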
DEVICE DATA ENCRYPTION IN MOTION

Configure an encrypted VPN tunnel between the trusted network (i.e., the Olympus medical device) and the KE server network indicated on the network adapter. The VPN server must be a physical network device, configured to enable an L2TP server to connect to a software-configured L2TP Client WAN miniport, using MS-CHAP v2. Examples of such servers include the Cisco ASA 5506X and 5516X, among others. Consult with your network administrator on the availability of any of these devices.

Be aware of username creation on the physical network device for use in the L2TP VPN. Usernames may require specific encryption of passwords for use with MS-CHAP v2.

If Olympus medical devices from multiple locations within your facility must connect, additional physical network devices may be required, as shown in the diagram below.

[Diagram: Olympus Medical Devices (CV-190, OER-Pro) on the Trusted Network (Inside) -> L2TP VPN (Encrypted) across the Un-trusted Network (Outside) -> Olympus KE]
Cyber security network configuration example:

  Inside network (Trusted)                  Outside network (Un-trusted)
  Olympus CV-190     IP 192.168.1.25        IP 192.168.1.40
  Olympus OER-Pro    IP 192.168.1.26        IP 192.168.1.40
  Olympus OER-Pro    IP 192.168.1.27        IP 192.168.1.46

  Cisco ASA 5516     Room 1 VPN L2TP
  Cisco ASA 5506     Room 2 VPN L2TP

  Olympus KE         IP 10.10.0.10   (Physical Network Interface)
                     IP 192.168.1.40 (Virtual Network Interface for Room 1 L2TP VPN Connection)
                     IP 192.168.1.46 (Virtual Network Interface for Room 2 L2TP VPN Connection)

  DICOM MWL and PACS IP 10.10.0.11

REDUCE APPLICATION ATTACK FOOTPRINT

Configure the Windows 2012 firewall to allow traffic only on ports TCP 443, TCP 9722, and TCP 80. Ports TCP 9722 and TCP 80 are required for Olympus remote support. Block the Olympus KE Glassfish (Receiving HTTP requests) entry, TCP port 8080, to remove accidental access to the obsolescent web server.

Configure only the ports required for Olympus medical devices, such as OER-Pro and CV-190 units, to communicate with KE. Allow these ports over the encrypted WAN miniport(s) configured on the KE server. This only allows connection through the VPN. Please consult Knowledge Exchange (KE) IT Specifications (TR0094) for port details.
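The following PowerShell is an added example, not part of the Olympus document, covering both the L2TP client connections of the Device Data Encryption in Motion section and the firewall settings above. It uses the VpnClient and NetSecurity modules that ship with Windows Server 2012 R2, creates one L2TP/MS-CHAP v2 client connection per room (one per ASA in the table), and then applies a default-deny inbound policy with only the plan's three ports allowed and TCP 8080 blocked. The ASA addresses and connection names are placeholders, the pre-shared key is prompted for, and the device port list is left empty because those ports are specified in TR0094, not on this page.

```powershell
# Added example (not from the Olympus plan): L2TP client connections and firewall rules on KE.
Import-Module VpnClient
Import-Module NetSecurity

# One L2TP client "WAN miniport" per room; addresses are placeholders for the ASA outside IPs.
$rooms = @(
    @{ Name = 'KE-Room1-L2TP'; Server = '203.0.113.10' }   # placeholder: Cisco ASA 5516, Room 1
    @{ Name = 'KE-Room2-L2TP'; Server = '203.0.113.11' }   # placeholder: Cisco ASA 5506, Room 2
)
$psk = Read-Host -Prompt 'L2TP pre-shared key configured on the ASA'

foreach ($room in $rooms) {
    # MS-CHAP v2 authentication and mandatory encryption, as the plan requires.
    # -AllUserConnection makes the connection available to services, not just this login.
    # -SplitTunneling keeps the physical 10.10.0.10 interface reachable while the tunnel is up.
    Add-VpnConnection -Name $room.Name -ServerAddress $room.Server `
        -TunnelType L2tp -L2tpPsk $psk -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required -SplitTunneling -RememberCredential `
        -AllUserConnection -Force
}

# Firewall: block everything inbound by default, then allow only the three plan ports.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

New-NetFirewallRule -DisplayName 'KE HTTPS (IIS front end)' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow
New-NetFirewallRule -DisplayName 'KE HTTP redirect / Olympus remote support' -Direction Inbound `
    -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName 'Olympus remote support' -Direction Inbound `
    -Protocol TCP -LocalPort 9722 -Action Allow

# Explicit block for the obsolescent GlassFish HTTP listener (belt and braces under default-deny).
New-NetFirewallRule -DisplayName 'Block KE GlassFish TCP 8080' -Direction Inbound `
    -Protocol TCP -LocalPort 8080 -Action Block

# Device ports (from TR0094) are allowed only on RemoteAccess interfaces, i.e. the L2TP
# WAN miniports, so OER-Pro / CV-190 traffic can reach KE only through the VPN tunnels.
$devicePorts = @()   # placeholder: fill in from TR0094; the rule is skipped while empty
if ($devicePorts.Count -gt 0) {
    New-NetFirewallRule -DisplayName 'KE device ports via L2TP VPN only' -Direction Inbound `
        -Protocol TCP -LocalPort $devicePorts -Action Allow -InterfaceType RemoteAccess
}

# Verification: every enabled inbound allow rule with its ports, to review what is still open.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        '{0,-45} {1,-4} {2}' -f $_.DisplayName, $pf.Protocol, ($pf.LocalPort -join ',')
    }
```

The verification listing will also show Windows' own built-in allow rules (for example Core Networking); review those against the plan's intent, since the default-deny setting only affects traffic that no enabled allow rule matches.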
WEB RESOURCES

IIS Reverse Proxy: https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps
IIS Name Change: https://scotthelme.co.uk/hardening-your-http-response-headers/
IIS Security Headers: https://securityheaders.io
Application Request Routing v3: https://www.microsoft.com/en-us/download/details.aspx?id=47333

If additional information is needed, contact the Olympus Technical Assistance Center (TAC) at (800) 848-9024.

Olympus is a trademark of Olympus Corporation of the Americas, Olympus America Inc. and/or their affiliated entities. All other trademarks and registered trademarks listed herein are the property of their respective holders.