Cybersecurity - Protecting healthcare institutions against cyberthreats


Our commitment to cybersecurity 

The digital transformation is in full swing, and cybersecurity paves the way for your institution to participate. We are committed to helping you stay on track, no matter what challenges and threats you face. We constantly improve our newly developed systems and processes and train our teams in cybersecurity matters, so that high cyberthreat awareness stays top of mind.

Cybersecurity at Siemens Healthineers
Data breaches in healthcare cost almost twice as much as the global average across industries

Trust and Certification 

Siemens Healthineers has received independent certification according to ISO/IEC 27001:2022, extended by ISO/IEC 27701:2019, which showcases our commitment to safeguarding data privacy and cybersecurity for our sustainable business and all key stakeholders of the company, particularly customers.

As a partner in your operations and on the treatment journeys of our customers’ patients, we want to provide a valid reason to put your trust in Siemens Healthineers.

The Siemens Healthineers global Cybersecurity Management System includes the Information Security and the Privacy Information Management for the company. It covers Governance and Assurance by the central groups for Cybersecurity and Data Protection at its Erlangen headquarters.

Cybersecurity elements

Cybersecurity readiness is part of the Siemens Healthineers company culture: we start with development and design, we support deployment, and we help you maintain secure operations during the support period.

Our products are designed with cybersecurity in mind: they support safe network integration and secure operations around the clock.

Secure Development Lifecycle
Thanks to the Secure Development Lifecycle (SDL), which is at the heart of the Siemens Healthineers approach to cybersecurity, our newly developed products* are ready for today’s operational requirements.

Data encryption: Secure data at rest and in transit using data encryption features

All products currently under development as well as a range of existing offerings have built-in security controls that are essential for modern IT environments:

  • Secure configuration and hardening
  • Authentication and authorization
  • Whitelisting
  • Data encryption
  • Trusted machine certificates
  • Auditing and logging

Transparency

We provide the information you need in advance, so there will be no surprises following deployment. Contact your local Sales representative for the following documents:

  • Product whitepaper describing all available product security features
  • SBOM (Software Bill of Materials)
  • General cybersecurity guidance and consultation
  • Secure environment configuration recommendation
  • Manufacturer Disclosure Statement for Medical Device Security (MDS2)

Deployment
During deployment, we enable you to verify the installation and configure security controls depending on the network and security requirements of your medical facility.

Because new vulnerabilities are discovered on an ongoing basis, your equipment needs to be monitored, updated, and upgraded to stay up to date. We offer a suite of services that help you maintain the recommended security level of your Siemens Healthineers equipment.

Cybersecurity Management Services - Vulnerability monitoring and assessment

In line with the U.S. FDA’s post-market guidance and industry best practices, during the support period we perform continuous monitoring and assess whether known vulnerabilities could be used to exploit equipment and solutions. We also have a formal process in place for handling and disclosing reported security vulnerabilities related to our equipment and solutions.

We make it as convenient as possible for you to stay protected against threats thanks to teamplay Fleet, our online portal for efficient and simple equipment maintenance, including cybersecurity:

  • teamplay Fleet Cybersecurity Profiles provide information about the security status of your fleet
  • Single interface for your Siemens Healthineers medical devices and medical IT solutions
  • High levels of transparency regarding the latest vulnerability notifications
  • Access to security advisories and mitigation advice

Cybersecurity updates

During the support period, we provide routine patches for Siemens Healthineers equipment* and, if applicable, we release additional hotfixes whenever necessary. This allows you to keep up with the evolving threat landscape and stay protected:

  • All patches are validated prior to release for patient safety and continuous operations
  • With your systems connected to our VPN-encrypted Smart Remote Service (SRS), the patches will be automatically transferred for you to install with just one click**
  • Alternatively, you can schedule the installation of updates at your convenience through teamplay Fleet Anytime Software Update, especially for equipment* inaccessible through SRS

State-of-the-art system software

Medical equipment can become outdated prior to scheduled replacement. With our Advance Plans, we can help you keep Siemens Healthineers equipment up-to-date throughout the agreed period. Choose from a range of service levels to cover your regulatory and financial needs. For products that are not yet eligible for Advance Plans, we offer other service contracts. Please visit our Customer Services website for more information.

Competent incident management

With more than 30 years of experience in IT security, we are well prepared for responding to cyberattacks. Our response to equipment integrity breaches is fast and designed to help limit any potential damage:

  • We perform technical evaluation, prioritize breach containment, and share relevant information in an effective and transparent manner
  • We offer support with forensic analyses to help minimize the risk of future cyberattacks
  • We offer support for restoring equipment to a fully functional state


Data privacy


Protecting the privacy of your data is very important to us. To help you comply with laws such as HIPAA in the U.S. and GDPR in Europe, we have aligned our processes with the core principle of “privacy by design and by default.” This means that data protection is incorporated into products, solutions, and services that process personal data beginning in the early design and planning stages.

Certified remote service

Smart Remote Services (SRS) is designed to help you maintain a high level of patient data confidentiality and integrity while upholding the availability of your data at the same time. Certified according to ISO 27001, SRS employs sophisticated authentication and authorization procedures, encryption technologies and logging routines, and strictly enforced organizational measures. These safeguards allow you to protect patient data and restrict access as needed.


Cloud security

Our cloud-based solutions – including teamplay (which has been awarded the European Privacy Seal, EuroPriSe), AI-Rad Companion, and Digital Ecosystem – are secured by the Microsoft Azure cloud platform to provide you with protections against breaches and malicious attacks. All your information is encrypted, both in transit from your site and at rest in our cloud infrastructure. Our solutions also allow you to limit web use and data access based on staff roles to maintain strict control over sensitive information.

Publications

We publish security advisories and bulletins on an ongoing basis to notify you about any validated security vulnerabilities pertaining to Siemens Healthineers products. Mitigation may involve applying an update, performing an upgrade, or other actions on your part. Please visit the Siemens Healthineers teamplay Fleet customer online portal for more information.

SQL injection Vulnerability in syngo.plaza VB30E

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


24.07.2024: Microsoft services outage

Siemens Healthineers has resolved all the issues relating to our internal systems and customers. After a careful monitoring period, we have determined that system stability has been completely restored.

If necessary, updates will continue to be posted here. 


Privilege Escalation Vulnerability in Medicalis Workflow Orchestrator (CVE-2024-37999)

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


LockBit Ransomware

Data allegedly related to the Varian business segment of Siemens Healthineers was published on ransomware group LockBit’s website on August 15, 17, and 19 and was available for a short period. We have no evidence that Varian corporate systems and processes have been compromised or that data was extracted from them. Our investigations determined that the published data was related to a single customer site. We have officially closed our investigation into this incident. 

The security and privacy of our customers and their patients is of utmost importance to us, and we continually strive to improve cybersecurity and data privacy. 


Web Vulnerabilities in syngo Dynamics before VA40G HF01

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


Deserialization Vulnerability in Healthcare Products

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


Java library Log4j vulnerability (CVE-2021-44228)

Siemens Healthineers is aware of the zero-day remote code execution (RCE) vulnerability in the Java library Log4j, identified as CVE-2021-44228. Our cybersecurity experts continue to analyze and address potential impact to our products. A preliminary security advisory has been issued; see here.


DICOM/BMP File Parsing Vulnerabilities in syngo fastView

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


Nucleus TCP/IP stack

The full security advisory can be found in the Siemens Healthineers teamplay Fleet customer online portal.


PrintNightmare vulnerability (CVE-2021-34527)

Siemens Healthineers is aware of the Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527), named PrintNightmare (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527), disclosed by Microsoft on July 1, 2021.

Our experts are investigating the reports to determine if any Siemens Healthineers products are affected. This statement will be updated as soon as more information becomes available, and we will notify customers accordingly through the Siemens Healthineers teamplay Fleet customer online portal.


BadAlloc vulnerability in the QNX Real-Time Operating System

Siemens Healthineers is aware of the vulnerability called BadAlloc in the QNX Real-Time Operating System. Our cybersecurity experts have been investigating and so far have not found any indication that Siemens Healthineers products are at risk. We continue to monitor the issue as it develops and will notify customers, if necessary, through the Siemens Healthineers teamplay Fleet customer online portal.


SolarWinds Orion Platform Vulnerabilities

Siemens Healthineers is aware of the supply chain attack that introduced vulnerabilities in the SolarWinds Orion Platform publicly announced in December 2020.

Investigations by our security experts have not identified any Siemens Healthineers products affected by this software vulnerability. We continue to monitor the issue as it develops and, if needed, may provide additional information for our customers through the Siemens Healthineers teamplay Fleet customer online portal.


Remote code execution vulnerability on syngo.via (CVE-2019-18935)

The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


CISA advisory ICSA-20-343-01

Siemens Healthineers is aware of the reports about the CISA advisory ICSA-20-343-01, outlining 33 CVEs between CVE-2020-13984 and CVE-2020-25112. Experts from Siemens Healthineers are investigating the situation. If necessary, we may provide additional information for our customers through the Siemens Healthineers teamplay Fleet customer online portal.


DCA Vantage Analyzer (vulnerabilities CVE-2020-7590 and CVE-2020-15797)

Siemens Healthineers is aware of two vulnerabilities in the DCA Vantage Analyzer, CVE-2020-7590 and CVE-2020-15797. Software version 4.5 is now available to customers to remediate both. The full security advisory can be found here (Siemens Healthineers Security Advisory) or in the Siemens Healthineers teamplay Fleet customer online portal.


24.06.2020: Ripple20 - Treck TCP/IP stack vulnerabilities

Siemens Healthineers is aware of the TCP/IP stack vulnerabilities named Ripple20 (https://h-isac.org/h-isac-vulnerability-bulletin-ripple20/) disclosed by Treck on June 16, 2020.

Our experts are investigating the reports to determine if any Siemens Healthineers products are affected. This statement will be updated as soon as more information becomes available, and we will notify customers through the Siemens Healthineers teamplay Fleet customer online portal.


25.02.2020: SweynTooth - vulnerabilities in Bluetooth Low Energy (BLE)

Siemens Healthineers is aware of the vulnerabilities in Bluetooth Low Energy (BLE) known collectively as SweynTooth. Investigations by our security experts have not identified any products affected by these vulnerabilities. We continue to monitor the issue as it develops and will notify customers through the Siemens Healthineers teamplay Fleet customer online portal.

Coordinated Vulnerability Disclosure

Siemens Healthineers encourages everyone to report vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports from researchers, industry groups, CERTs, partners and any other source. Siemens Healthineers respects the interests of the reporting party (also anonymous reports if requested) and agrees to handle any vulnerability that is reasonably believed to be related to Siemens Healthineers products or components. Siemens Healthineers urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts our customer systems and client hospitals at unnecessary risk.


Reporting Process

Siemens Healthineers currently follows the Siemens AG process for Coordinated Vulnerability Disclosure. This process begins by emailing one of the email addresses below. For a more detailed description of the process, please visit the Siemens Vulnerability Handling and Disclosure website.


Report any cybersecurity incident or vulnerability affecting Siemens Healthineers infrastructure or any of our products via a PGP-encrypted email to our CSIRT. Please note that customers must report incidents via the standard customer support contacts (e.g., CCC, country-specific, or platform-specific hotlines). Using the standard customer support processes ensures fast and precise support.

Siemens Healthineers CSIRT - Contact for Infrastructure

PGP Public Key and Fingerprint: 2F6F10718296C3D83CCCB39837F821AADDEA88B0

Download RFC 2350

Email: csirt@siemens-healthineers.com
