Cybersecurity - Protecting healthcare institutions against cyberthreats


Cybersecurity at Siemens Healthineers

The digital transformation is in full swing, and cybersecurity paves the way for your institution to participate. As a global market leader for medical imaging and diagnostics, we are committed to helping you stay on track, no matter what challenges and threats you face. We offer a state-of-the-art portfolio of secure products, cybersecurity management services, and consulting that provides you with what you need for optimal protection across your institution. We constantly improve our systems and processes and train our teams in cybersecurity matters, so that high cyberthreat awareness stays top of mind.


Siemens Healthineers has received independent certification according to ISO/IEC 27001:2013 extended by ISO/IEC 27701:2019, which showcases our commitment to safeguarding data privacy and cybersecurity for our sustainable business and all key stakeholders of the company, particularly customers.

As a partner in your operations and on the treatment journeys of our customers’ patients, we want to provide a valid reason to put your trust in Siemens Healthineers.

The Siemens Healthineers global Cybersecurity Management System includes the Information Security and the Privacy Information Management for the company. It covers Governance and Assurance by the central groups for Cybersecurity, Data Protection, IT Security, and IT Operations from its Erlangen headquarters locations.

Cybersecurity throughout the product lifecycle

Cybersecurity readiness is part of the Siemens Healthineers company culture: we start with secure development and design, we take care of secure deployment, and we help you maintain secure operations continuously.

Medical equipment* from Siemens Healthineers enables you to stay protected. Our products are designed with cybersecurity in mind: they support safe network integration and secure operations around the clock.

Secure Development Lifecycle

Thanks to the Secure Development Lifecycle (SDL), which is at the heart of the Siemens Healthineers approach to cybersecurity, our products* are ready for today’s operational requirements:

  • Hardware and software development follow defined state-of-the-art processes
  • Product development adheres to Siemens Healthineers standardized requirements and industry best practices
  • Processes and requirements are aligned consistently across the Siemens Healthineers product portfolio

*We continue to improve and extend the security measures for our current products. As threats and associated risks are evolving, not all statements on this page apply to all products and services. Contact your local Siemens organization for further details.

Data encryption: Secure data at rest and in transit using state-of-the-art data encryption features

All products currently under development as well as a range of existing offerings have built-in security controls that are essential for modern IT environments:

  • Secure configuration and hardening
  • Authentication and authorization
  • Whitelisting
  • Data encryption
  • Trusted machine certificates
  • Auditing and logging

We provide the information you need in advance, so there will be no surprises following deployment. Contact your local Sales representative for the following documents:

  • Product whitepaper describing all available product security features
  • SBOM (Software Bill of Materials)
  • General cybersecurity guidance and consultation
  • Secure environment configuration recommendation
  • Manufacturer Disclosure Statement for Medical Device Security (MDS2)

During deployment, we verify the installation and configure security controls depending on the network and security requirements of your medical facility:

  • User management setup for assigning roles to your staff
  • Individualized passwords
  • Activation of encryption to protect against data theft
  • Secured connection to peer systems, e.g., DICOM archive

Because new vulnerabilities are discovered on an ongoing basis, your equipment needs to be monitored, updated, and upgraded in order to stay secure. We offer a suite of services that help you maintain the recommended security level of your Siemens Healthineers equipment.

Cybersecurity Management Services - Vulnerability monitoring and assessment

In line with the U.S. FDA’s post-market guidance and industry best practices, we perform continuous monitoring and assess whether known vulnerabilities could be used to exploit equipment and solutions. We also have a formal process in place for handling and disclosing reported security vulnerabilities related to our equipment and solutions.

Transparent overview of security status

We make it as convenient as possible for you to stay protected against threats thanks to teamplay Fleet, our online portal for efficient and simple equipment maintenance, including cybersecurity:

  • teamplay Fleet Cybersecurity Profiles provide information about the security status of your fleet
  • Single interface for your Siemens Healthineers medical devices and medical IT solutions
  • High levels of transparency regarding the latest vulnerability notifications
  • Access to security advisories and mitigation advice

Cybersecurity updates

We provide quarterly patches for Siemens Healthineers equipment*, and we release additional hotfixes whenever necessary. This allows you to keep up with the evolving threat landscape and stay protected:

  • All patches are validated prior to release for patient safety and continuous operations
  • With your systems connected to our VPN-encrypted Smart Remote Service (SRS), the patches will be automatically transferred for you to install with just one click
  • Alternatively, you can schedule the installation of updates at your convenience through teamplay Fleet Anytime Software Update, especially for equipment* inaccessible through SRS

State-of-the-art system software

Medical equipment can become outdated prior to scheduled replacement. With our Advance Plans, we can help you keep Siemens Healthineers equipment future-proof and cybersecure throughout its lifespan. Choose from a range of service levels to cover your regulatory and financial needs. For products that are not yet eligible for Advance Plans, we offer other service contracts. Please visit our Customer Services website for more information.

Competent incident management

With more than 30 years of experience in IT security, we are well prepared for responding to cyberattacks. Our response to equipment integrity breaches is fast and designed to help limit any potential damage:

  • We perform technical evaluation, prioritize breach containment, and share relevant information in an effective and transparent manner
  • We conduct forensic analyses to help minimize the risk of future cyberattacks
  • We offer support for restoring equipment to a fully functional state

Need support now? Open a Service Ticket in teamplay Fleet.

Data privacy


Protecting the privacy of your data is very important to us. To help you comply with laws such as HIPAA in the U.S. and GDPR in Europe, we have aligned our processes with the core principle of “privacy by design and by default.” This means that data protection is incorporated into products, solutions, and services that process personal data beginning in the early design and planning stages.

Certified remote service

Smart Remote Services (SRS) is designed to help you maintain a high level of patient data confidentiality and integrity while upholding the availability of your data at the same time. Certified according to ISO 27001, SRS employs sophisticated authentication and authorization procedures, state-of-the-art encryption technologies and logging routines, and strictly enforced organizational measures. These safeguards allow you to optimally secure patient data and restrict access as needed.


Cloud security

Our cloud-based solutions – including teamplay (which has been awarded the European Privacy Seal (EuroPriSe)), AI-Rad Companion, and Digital Ecosystem – are secured by the Microsoft Azure cloud platform to provide you with cutting-edge protections against breaches and malicious attacks. All your information is encrypted, including in transit from your site and at rest in our cloud infrastructure. Our solutions also allow you to limit web use and data access based on staff roles to maintain strict control over sensitive information.


Siemens Healthineers is aware of the zero-day remote code execution (RCE) vulnerability in the Java library Log4j, identified as CVE-2021-44228. Our cybersecurity experts continue to analyze and address potential impact to our products. A preliminary security advisory has been issued.

Siemens Healthineers is aware of the vulnerabilities in the Nucleus TCP/IP stack known as NUCLEUS:13. Our security experts have identified several products that contain vulnerable versions of the Nucleus operating system. Our analysis has identified a very low level of exploitation potential and cybersecurity risk due to the product design. Risk to patient safety or patient data has been determined to be negligible. These products have multiple security controls in place which make the possibility of a successful attack using the NUCLEUS:13 vulnerabilities extremely remote. Further, there have been no demonstrated exploitation methods relevant to how Nucleus is used on these products. Nevertheless, we are evaluating options for updating these systems. We continue to monitor the issue as it develops and will notify customers through product-specific customer bulletins if necessary.

Coordinated Vulnerability Disclosure

Siemens Healthineers encourages everyone to report vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports from researchers, industry groups, CERTs, partners, and any other source. Siemens Healthineers respects the interests of the reporting party (including anonymous reports, if requested) and agrees to handle any vulnerability that is reasonably believed to be related to Siemens Healthineers products or components. Siemens Healthineers urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts our customer systems and client hospitals at unnecessary risk.

Reporting Process

Siemens Healthineers currently follows the Siemens AG process for Coordinated Vulnerability Disclosure. This process begins by emailing one of the email addresses below. For a more detailed description of the process, please visit the Siemens Vulnerability Handling and Disclosure website.

Reporting a Product Incident

Does this incident involve a Siemens Healthineers product? Some examples include, but are not limited to, Medical Imaging Devices, Laboratory Diagnostics equipment, healthcare software solutions, etc.

Siemens ProductCERT - Contact for Products, Solutions, and Services
PGP Public Key and Fingerprint: 9534 422C 0570 CCA7 FF6F C5FC D3F4 81EA 114A AFE4

Reporting an Infrastructure Incident

Does this incident involve the Siemens Healthineers infrastructure? If it pertains to Siemens Healthineers Enterprise, please report it here.

Siemens CERT - Contact for Infrastructure
PGP Public Key and Fingerprint: A3D1 8E40 D104 DEAD A112 3FF6 B485 0E2E 1AA2 2CD8