CybersecurityProtecting healthcare institutions against cyberthreats

Thanks to the Secure Development Lifecycle (SDL), which is at the heart of the Siemens Healthineers approach to cybersecurity, our products* are ready for today’s operational requirements:

• Hardware and software development follow defined state-of-the-art processes
• Product development adheres to Siemens Healthineers standardized requirements and industry best practices
• Processes and requirements are aligned consistently across the Siemens Healthineers product portfolio

_{*We continue to improve and extend the security measures for our current products. As threats and associated risks are evolving not all statements on this page apply to all products and services. Contact your local Siemens organization for further details.}

All products currently under development as well as a range of existing offerings have built-in security controls that are essential for modern IT environments:

• Secure configuration and hardening
• Authentication and authorization
• Whitelisting
• Data encryption
• Trusted machine certificates
• Auditing and logging

We provide the information you need in advance, so there will be no surprises following deployment. Contact your local Sales representative for the following documents:

• Product whitepaper describing all available product security features
• SBOM (Software Bill of Materials)
• General cybersecurity guidance and consultation
• Secure environment configuration recommendation
• Manufacturers Disclosure Statement for Medical Device Security (MDS²)

During deployment, we verify the installation and configure security controls depending on the network and security requirements of your medical facility:

• User management setup for assigning roles to your staff
• Individualized passwords
• Activation of encryption to protect against data theft
• Secured connection to peer systems, e.g., DICOM archive

In line with the U.S. FDA’s post-market guidance and industry best practices, we perform continuous monitoring and assess if known vulnerabilities could be used to exploit equipment and solutions. We also have a formal process in place for handling and disclosing reported security vulnerabilities related to our equipment and solutions.

Transparent overview of security status
We make it as convenient as possible for you to stay protected against threats thanks to teamplay Fleet, our online portal for efficient and simple equipment maintenance, including cybersecurity:

• Teamplay Fleet Cybersecurity Profiles provide information about the security status of your fleet
• Single interface for your Siemens Healthineers medical devices and medical IT solutions
• High levels of transparency regarding the latest vulnerability notifications
• Access to security advisories and mitigation advice

We provide quarterly patches for Siemens Healthineers equipment* and we release additional hotfixes whenever necessary. This allows you to keep up with the evolving threat landscape and stay protected:

• All patches are validated prior to release for patient safety and continuous operations
• With your systems connected to our VPN-encrypted Smart Remote Service (SRS) the patches will be automatically transferred for you to install with just one click
• Alternatively, you can schedule the installation of updates at your convenience through teamplay Fleet Anytime Software Update, especially for equipment* inaccessible through SRS

Medical equipment can become outdated prior to scheduled replacement. With our Advance Plans, we can help you keep Siemens Healthineers equipment future-proof and cybersecure throughout its lifespan. Choose from a range of service levels to cover your regulatory and financial needs. For products that are not yet eligible for Advance Plans, we offer other service contracts. Please visit our Customer Services website for more information.

Protecting the privacy of your data is very important to us. To help you comply with laws such as HIPAA in the U.S. and GDPR in Europe, we have aligned our processes with the core principle of “privacy by design and by default.” This means that data protection is incorporated into products, solutions, and services that process personal data beginning in the early design and planning stages.

Certified remote service
Smart Remote Services (SRS) is designed to help you maintain a high level of patient data confidentiality and integrity while upholding the availability of your data at the same time. Certified according to ISO 27001, SRS employs sophisticated authentication and authorization procedures, state-of-the-art encryption technologies and logging routines, and strictly enforced organizational measures. These safeguards allow you to optimally secure patient data and restrict access as needed.

Cloud security
Our cloud-based solutions – including teamplay (which has been awarded the European Privacy Seal (EuroPriSe), AI-Rad Companion, and Digital Ecosystem – are secured by the Microsoft Azure cloud platform to provide you with cutting-edge protections against breaches and malicious attacks. All your information is encrypted, including in-transit from your site and at-rest in our cloud infrastructure. Our solutions also allow you to limit web use and data access based on staff roles to maintain strict control over sensitive information.