Shared Roles For System and Data Security: 4535 616 08142 Rev B August 2013
This document and the information contained in it is proprietary and confidential information of Philips Healthcare (“Philips”) and may not be
reproduced, copied in whole or in part, adapted, modified, disclosed to others, or disseminated without the prior written permission of the Philips
Legal Department. This document is intended to be used by customers and is licensed to them as part of their Philips equipment purchase. Use of
this document by unauthorized persons is strictly prohibited.
Philips provides this document without warranty of any kind, implied or expressed, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose.
Philips has taken care to ensure the accuracy of this document. However, Philips assumes no liability for errors or omissions and reserves the right
to make changes without further notice to any products herein to improve reliability, function, or design. Philips may make improvements or
changes in the products or programs described in this document at any time.
Unauthorized copying of this document, in addition to infringing copyright, might reduce the ability of Philips to provide accurate and current
information to users.
“QLAB” is a trademark of Koninklijke Philips N.V.
Non-Philips product names may be trademarks of their respective owners.
Philips Healthcare
Contents
Introduction
General Information
Control of Security Vulnerabilities on Philips Ultrasound Systems
Strategy for Defense-in-Depth Security
Regulatory Environment
Role of Philips in the Product Security Partnership
Role of Customers in the Product Security Partnership
Security Issues and Guidelines
Information-Maintenance Example
Assumptions About the Environment
Information Zones
Security Protection Software
Operating System Security Updates
Antivirus Scanning and Updates
Backups and Archives
Backup Procedure
Disaster Recovery Plans
Data Security for Off-Cart Workflows
User Authentication
Operating System
Network Configuration
Virus Protection
System Patching
Remote Administration
Protecting Patient Data
Exporting Data from QLAB and Q-Station Software
Introduction
These guidelines are designed to help healthcare facilities understand how the security of Philips
ultrasound systems, software products, and patient data can be compromised, and to highlight Philips
efforts to ensure that safeguards are in place to help prevent security breaches.
This document discusses security on ultrasound systems and QLAB and Q-Station software on host
computers. Where Philips ultrasound systems are delivered as complete systems, with restrictions on
what is authorized and available, QLAB and Q-Station host computers are acquired, configured, and
maintained by the healthcare facility or individuals.
For ultrasound-system security resources, such as security bulletins, FAQs, and vulnerability information,
see the Philips Product Security website:
www.philips.com/productsecurity
General Information
The following general information applies to the security of Philips ultrasound systems, QLAB software,
Q-Station, and patient data.
• Philips ultrasound systems do not support multiple-user-session operations. They are designed as
single-user devices. Clinical-use access over a network is unsupported, except through
Philips-authorized service applications.
• Ultrasound systems and the QLAB and Q-Station software products are not long-term storage devices.
Persistent patient data must be archived to a PACS or stored temporarily on removable media (see
“Removable and Portable Media” on page 12).
• Ultrasound systems automatically boot into a custom shell through the use of an XP Embedded or
Windows Embedded Standard 7 capability. This satisfies the safety requirements for medical devices,
which require ultrasound systems to be operational as soon as possible after startup. Access to the
Control of Security Vulnerabilities on Philips Ultrasound Systems
Philips is dedicated to helping all customers maintain the confidentiality, integrity, and availability of
patient data while ensuring that their ultrasound systems continue to generate and manage this
information with complete security. Ultrasound systems may become vulnerable to security breaches
when they are connected to a network or accept removable media.
Regulatory Environment
The development and manufacture of medical devices is tightly regulated, as is the security and privacy of
patient information held by health care providers. This creates challenges for both healthcare providers
and manufacturers in responding quickly to new threats to the security of patient data stored on medical
devices.
Protection of Electronic Patient Health Information
One of the most important assets to protect with security measures is patient health information. As an
example, the following regulations require patient health information to remain confidential, and they
specify security measures to guard patient information:
• Health Insurance Portability and Accountability Act (HIPAA), United States of America
(www.hhs.gov/ocr/privacy/)
• European Medical Device Directive 93/42/EEC
• Japan’s HPB517
• HIPAA-related portions of the U.S. federal economic-stimulus act (or HITECH), formally known as the
American Recovery and Reinvestment Act of 2009
CAUTION
The internal electronic log files generated by the system as part of its normal operation contain the
names of storage folders and therefore will include any patient, clinician, or other personal identifying
information used in such folder names. In the course of maintenance, monitoring, or repair of the
system, or of related development and other system-related activities, Philips may access, store, or
otherwise use these log files.
WARNING
Do not alter the configuration settings of the ultrasound system unless instructed to do so by an
authorized Philips service representative. Altering system settings, such as the DICOM configuration, is
permitted only under strict guidelines. Unauthorized modifications can cause the system to
malfunction, which may lead to misdiagnosis.
CAUTION
Philips delivers and sets up some of its ultrasound systems in the “secure by default” state. If a user
weakens the security configuration, Philips does not assume further responsibility for ensuring safe and
effective operation of the system.
CAUTION
Do not install software on the ultrasound system without authorization from Philips. Installation of
unauthorized software on such systems can cause the system to malfunction.
www.philips.com/productsecurity
Design Improvements
Philips actively conducts internal product security assessments to identify potential security weaknesses.
With that information, Philips engineering teams often define configuration changes and re-engineering
efforts that harden the system against outside threats. The same information also drives security design
requirements for new products. The Philips Product Security Policy requires design-for-security objectives
as part of all new product-creation efforts.
immediately disconnect the system from the network and report the incident to your Philips service
representative. Alternatively, report the incident by sending e-mail to productsecurity@philips.com.
If you detect malware on the system, do not install or run third-party software, such as virus scanners, on
the system to detect and remove the malware. If malware is detected on the system, the only safe
recovery is for your Philips service representative to reimage the system.
For more information, download the Philips Remote Services Security brochure from the Remote Services
Security website:
www.healthcare.philips.com/main/support/equipment-performance/remote-services/security.wpd
Antivirus Updates
Antivirus software introduces a safety and performance risk in Philips ultrasound systems, with little value
added. Alternatively, Philips provides secure virus-resistant system configurations that use a pre-installed
software firewall or that minimize network port and services exposure. Also, an Internet browser is
neither accessible nor required for the intended uses of Philips ultrasound systems.
Those mitigations greatly reduce the virus threat. When they are combined with an effective
network-security policy for your network, your Philips system’s risk of virus infection is minimized
(see “Antivirus Scanning and Updates” on page 16).
Physical Access Control
Each healthcare facility should limit physical access to the ultrasound systems for the prevention of
accidental, casual, or deliberate contact by unauthorized individuals. Access to the room containing the
ultrasound system should be controlled by policy and procedures that identify who is authorized to occupy
specific areas. The facility safety or security office can provide more information about what measures are
in place or how to implement room-access controls.
Position of Display Monitors
Unauthorized visual access to protected information can be minimized by positioning the system’s monitor
to prevent viewing from doorways, hallways, and other traffic areas.
Philips continues to improve its product security, including the introduction of controls to enable a screen
saver to protect information from casual viewing when users need to be away from the system.
Initiate screen blanking by logging off the system or manually clearing the display before leaving the unit
unattended for any amount of time.
Embedded Standard 7 capability. A password protects saved protected health information (PHI) from
unauthorized access, while meeting safety requirements for the device to be operational as soon as
possible.
For systems with login capabilities, a consistent user login process, including user names and passwords,
provides good security for protecting information. In both cases the healthcare facility must control access
to the system.
Protective login and password practices include these:
• Implement strong passwords. This is the easiest and most-effective method to increase security.
Strong passwords consist of at least eight alphanumeric, mixed-case characters, digits, and special
characters, for example “@” or “*.” Never use words that can be found in a dictionary.
• Never post or share user names and passwords.
• Change passwords periodically.
Train system operators to log off of the system immediately after completing their work.
Removable and Portable Media
Philips ultrasound systems can export clinical studies to removable media, including CDs, DVDs, and USB
devices. Removable or portable media are easily lost or damaged and are at risk of technology
obsolescence. Philips recommends that you do not use removable or portable media for long-term
storage of patient data. Rather, store patient data on a PACS or other long-term storage media. Follow
your IT department’s recommended practices for intended use of removable or portable media.
CAUTION
Before inserting media into the ultrasound system or workstation, a good practice is to use media only
from trusted sources and to perform a virus scan to ensure that the media has not been exposed to
viruses, worms, or trojans that infect desktop PCs. For information about software security, see
“Security Protection Software” on page 15.
CAUTION
Removable media that contains images or other medical information must be stored in a secure area
that is not accessible by unauthorized individuals.
CAUTION
It is impossible to disable removable-media interfaces on the system.
NOTE
Some ultrasound systems include a setting that disables exports to removable media.
When using removable media (flash memory, CD-ROMs, DVDs, USB storage devices, and magneto-optical
discs) be aware of these security issues:
• Ultrasound systems may become vulnerable to security breaches when they accept removable media.
Inserting removable media in the system may introduce viruses. Philips recommends that you use the
system to format USB storage devices before working with them.
• Removing media that contains patient data may allow access to the data by unauthorized individuals.
• Destroying or disabling discarded media is necessary to prevent further access to data.
• The system does not encrypt personal data that is stored on the system hard drive or exported to
removable media.
Information-Maintenance Example
This example of how to maintain information security uses a zone model of information flow.
Information Zones
The information-flow model is commonly incorporated into security standards. An easy way to visualize
this model is to diagram a healthcare facility as divided into three zones (see figure), with each zone having
a different priority and level of use for the information. Some facilities decide not to extend their
information to the farthest zone because they cannot guarantee its protection and integrity.
[Figure: information zones. Labels: Firewall, Zone 2, Zone 1]
Security Within the Zones
The security within the zones should be managed by a combination of standard IT security solutions and
the security functions of the ultrasound system.
NOTE
Updates are provided through regular releases and the Philips Field Change Order process.
continuing security of Philips products, Philips incorporates many security measures, as described in this
document and in product-specific documents. When combined with an effective network security policy,
this creates a defense strategy that may significantly increase the longevity and supportability of your
Philips ultrasound system, while minimizing risks to data integrity and customer networks.
Antivirus Scanning and Updates
Philips ultrasound systems differ in their degree of exposure to and protection from the threat of software
virus infection. In all cases, the best protection against viruses is for a healthcare facility to establish an
effective network-security policy.
Philips works to create secure system configurations in different ways for different systems. For some
systems, Philips authorizes the installation of antivirus software. For other systems, Philips may include a
software firewall or limit network-port and services exposure as part of the security architecture. Also, to
address known vulnerabilities, Philips tests, qualifies, and installs revisions to the ultrasound system
software. When those measures are combined with an effective network-security policy within a
healthcare facility, the risk of software virus infection on those systems is greatly reduced.
If you detect malware on your system, immediately contact your authorized Philips service representative.
For complete information on connecting to external systems and backing up system files, consult the user
information for your ultrasound system.
Disaster Recovery Plans
It is your responsibility to ensure you have a disaster recovery plan that includes regular and complete
patient data backup. Ultrasound systems are intermittent storage devices; patient data must be exported
from the ultrasound system. Ensure you also create backups of the system-specific settings. For more
information on exporting patient data and creating system-setting backups, see your ultrasound system
user information. Use data backup software to create backups of patient data exported from QLAB and
Q-Station software.
User Authentication
Ensure that QLAB and Q-Station host PCs are configured for user authentication and that the individuals
using QLAB and Q-Station host PCs have a user name and password. You can use this information to
protect the data in the folders and individual files.
Use strong passwords for access to QLAB and Q-Station host PCs and data. For more information on
passwords, see “User Login and Logout Protections” on page 11.
Operating System
Ensure that the operating system and applications on QLAB and Q-Station host PCs are kept current with
patches, updates, and upgrades.
Network Configuration
If the QLAB or Q-Station host PC is connected to a local area network, the network should be securely
configured, providing protection against computer viruses and other harmful code or traffic. Ensure the
local area network uses appropriate protection, such as using only secure wireless technologies, firewalls,
intrusion-detection systems, and virus scanners.
File Access Controls
Use the operating system’s file security properties to control access to files containing patient data on
QLAB and Q-Station host PCs.
Shared Folder Security
The default security setting for a shared folder allows all users to view and change the folder contents.
When sharing folders that contain patient data, ensure the appropriate security settings are in place. You
can assign permissions to individual users or groups of users.
NOTE
Transfers of non-DICOM images from a SONOS ultrasound system to a PACS require an open-share-folder
security setting.
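An added example, not part of the Philips document or any Philips tool: a report-only PowerShell audit for the File Access Controls and Shared Folder Security guidance above, listing entries that let broad groups change a patient-data folder or its share. The folder path, share name, staff group, and list of broad principals are assumptions, and the SMB cmdlets assume Windows 8 / Server 2012 or later with English group names.

```powershell
# Added example, not Philips code. Report-only: it changes nothing.
# Assumptions: folder path, share name, and English principal names.
$Folder = 'D:\PatientData'   # hypothetical folder holding exported patient data
$Share  = 'PatientData'      # hypothetical share name for that folder
$Broad  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# NTFS rights that allow changing or deleting content. The two generic values
# (GENERIC_WRITE, GENERIC_ALL) can appear on inherit-only entries from Get-Acl.
$rights     = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$ChangeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

function Get-BroadChangeAccess {
    # File-system (NTFS) entries: Allow rules for broad principals that
    # include any change-capable right. Read-only entries are not reported.
    param([string]$Path, [string[]]$Principals)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Principals -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band $ChangeMask) -ne 0)
        } |
        Select-Object @{n='Layer';e={'NTFS'}}, IdentityReference,
                      FileSystemRights, IsInherited
}

function Get-BroadShareAccess {
    # Share-level entries: Allow rules that grant Change or Full to a
    # broad principal, which is the "all users can view and change" case.
    param([string]$Name, [string[]]$Principals)
    Get-SmbShareAccess -Name $Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in 'Full', 'Change' -and
            $Principals -contains $_.AccountName
        } |
        Select-Object @{n='Layer';e={'Share'}}, AccountName, AccessRight
}

$findings = @(Get-BroadChangeAccess -Path $Folder -Principals $Broad) +
            @(Get-BroadShareAccess  -Name $Share  -Principals $Broad)

if ($findings.Count -gt 0) {
    $findings | Format-List
} else {
    'No broad change access found on {0} or share {1}.' -f $Folder, $Share
}

# Corrected setting, shown as comments so the audit stays read-only.
# 'FACILITY\UltrasoundStaff' is a placeholder group. Do not apply this to a
# share used for non-DICOM transfers from a SONOS system, which the note
# above says requires an open share.
#   Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force
#   Grant-SmbShareAccess  -Name $Share -AccountName 'FACILITY\UltrasoundStaff' -AccessRight Change -Force
#   icacls $Folder /remove:g Everyone
#   icacls $Folder /grant 'FACILITY\UltrasoundStaff:(OI)(CI)M'
```

Effective access over the network is the more restrictive of the share and NTFS permissions, so review both layers together before changing either.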
Virus Protection
Use up-to-date antivirus and host-intrusion-prevention systems to ensure that QLAB and Q-Station host
PCs, associated networks, and any removable media are protected from viruses and similar programmed
threats.
For more information on using removable and portable media to share information, see “Removable and
Portable Media” on page 12.
System Patching
The ultrasound architecture does not support system patching with Internet-downloadable software.
Philips manages field updates with validated security improvements through Philips-authorized software
releases.
Remote Administration
If remote administration is used on a QLAB or Q-Station host PC, ensure it is configured for secure remote
administration.
Exporting Data from QLAB and Q-Station Software
Use appropriate security measures to protect data exported from QLAB and Q-Station software.
Q-Station has an “anonymization” feature, which, if used when exporting patient data to a CD, DVD, or
Windows folder, replaces certain patient attributes with anonymous values.
CAUTION
Exported data is not anonymized by default. If data is exported to a system or storage device that is not
protected by password or another method, it is accessible by all clinical users. It is your responsibility to
ensure that patient privacy is not compromised at the export location.
Exporting Images
QLAB software exports images only if you have selected the QLAB Hide Patient Data preference.