Trident MDS2 Sheet
Contents
1. ability to configure re configure device security capabilities to meet users needs Can the device owner operator reconfigure product security capabilities CYBER SECURITY PRODUCT UPGRADES CSUP The ability of on site service staff remote service staff or authorized customer staff to install upgrade device s security patches Can relevant OS and device security patches be applied to the device as they become available 5 1 1 Can security patches or other software be installed remotely HEALTH DATA DE IDENTIFICATION DIDT The ability of the device to directly remove information that allows identification of a person Does the device provide an integral capability to de identify private data DATA BACKUP AND DISASTER RECOVERY DTBK The ability to recover after damage or destruction of device data hardware or software Does the device have an integral data backup capability i e backup to remote storage or removable media such as tape disk No System only acts as a temporary store of patient data before it is transmitted to PACS Any disaster recovery will be performed by Hologic Service EMERGENCY ACCESS EMRG The ability of device users to access private data in case of an emergency situation that requires immediate access to stored private data Does the device incorporate an emergency access break glass feature No HEALTH DATA INTEGRITY AND AUTHENTICITY IGAU How the device ensures that data processed by2. prior to transmission via a network or removable media If yes indicate in the notes which encryption standard is implemented Is private data transmission restricted to a fixed list of network destinations Device can be configured to only transmit to specific IP addresses DICOM provides no native method to encrypt data but TLS can be used on a local network TRANSMISSION INTEGRITY TXIG The ability of the device to ensure the integrity of transmitted private data Does the device support any mechanism intended to ensure data is not modified during transmission If yes describe in the notes section how this is achieved OTHER SECURITY CONSIDERATIONS OTHR Additional security considerations notes regarding medical device security Can the device be serviced remotely Can the device restrict remote access to from specified devices or users or network locations e g specific IP addresses 20 2 1 Can the device be configured to require the local user to accept or initiate remote access Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society
3. Electrical Manufacturers Association and the Healthcare Information and Management Systems Society HN 1 2013 Page 21 Device Category Manufacturer Document ID j ocument Release Date Specimen Radiography System Hologic Inc MAN 03 142 3 12 2015 ee E m m e e o o oe a e a e a a a e m m m m Software Revision Software F Release Date Trident ji 1 8 14 2012 es No Refer to Section 2 3 2 of this standard for the proper interpretation of information requested in this form N A or See Note ROADMAP FOR THIRD PARTY COMPONENTS IN DEVICE LIFE CYCLE RDMP Manufacturer s plans for security support of 3rd party components within device life cycle 14 1 In the notes section list the provided or required separately purchased and or delivered operating system s including version number s 14 2 Isa list of other third party applications provided by the manufacturer available Microsoft Windows 7 Professional SP1 No third party software besides the OS installed SYSTEM AND APPLICATION HARDENING SAHD The device s resistance to cyber attacks and malware Does the device employ any hardening measures Please indicate in the notes the level of conformance to any industry recognized hardening standards Does the device employ any mechanism e g release specific hash key checksums etc to ensure the installed program update is the manufacturer authorized program or software update Does the device have external communicati
4. HN 1 2013 Page 17 Manufacturer Disclosure Statement for Medical Device Security MDS DEVICE DESCRIPTION Device Category Manufacturer Document ID Document Release Date Specimen Radiography System lHologic Inc IMAN 03142 l 12 2015 Device Model 7 TTS pSoftware Revision MA jSoftware F Release Date Trident ii 8 14 2012 Company Name Manufacturer Contact Information Manufacturer or Hologic Inc Greg Amante hologic com IRepresentative Name Position IGreg Amante l Representative Contact Information Intended use of device in network connected environment The Trident Specimen Radiography system is a point of care system used to image surgical and core biopsy specimens The Trident system features an intuitive user interface ideal for non technical operators with one touch X ray automatic exposure control AEC a lighted specimen X ray chamber and large active imaging area The system incorporates easy to use software with a simple yet robust tool set MANAGEMENT OF PRIVATE DATA es No Refer to Section 2 3 2 of this standard for the proper interpretation of information requested in this form N A or See Note Can this device display transmit or maintain private data including electronic Protected Health Information ePHI Types of private data elements that can be maintained by the device B 1 Demographic e g name address location unique identification number B 2 Medical record e g medical record account tes
5. bility of the device to authenticate communication partners nodes Does the device provide support any means of node authentication that assures both the sender and the recipient of data are known to each other and are authorized to receive transferred information PERSON AUTHENTICATION PAUT Ability of the device to authenticate users Does the device support user operator specific username s and password s for at least one user 12 1 1 Does the device support unique user operator specific IDs and passwords for multiple users Can the device be configured to authenticate users through an external authentication service e g MS Active Directory NDS LDAP etc Can the device be configured to lock out a user after a certain number of unsuccessful logon attempts Can default passwords be changed at prior to installation Are any shared user IDs used in this system Can the device be configured to enforce creation of user account passwords that meet established complexity rules Can the device be configured so that account passwords expire periodically PHYSICAL LOCKS PLOK Physical locks can prevent unauthorized users with physical access to the device from compromising the integrity and confidentiality of private data stored on the device or on removable media Are all device components maintaining private data other than removable media physically secure i e cannot remove without tools Copyright 2013 by the National
6. ctrical Manufacturers Association and the Healthcare Information and Management Systems Society HN 1 2013 Page 18 Device Category peaectist eae ID poem Release Date Specimen Radiography System Hologic Inc foo 142 3 12 2015 Device Model lt S S S Stare Revision 70 T T T T I I i Software Release Date Trident pil 8 14 2012 SECURITY CAPABILITIES es No Refer to Section 2 3 2 of this standard for the proper interpretation of information requested in this form N A or v e zZ See Note AUTOMATIC LOGOFF ALOF The device s ability to prevent access and misuse by unauthorized users if device is left idle for a period of time Can the device be configured to force reauthorization of logged in user s after a predetermined length of inactivity e g auto logoff session lock password protected screen saver 1 1 1 Is the length of inactivity time before auto logoff screen lock user or administrator configurable Indicate time fixed or configurable range in notes 1 1 2 Can auto logoff screen lock be manually invoked e g via a shortcut key or proximity sensor etc by the user Inactivity logout interval configurable by customer AUDIT CONTROLS AUDT The ability to reliably audit activity on the device Can the medical device create an audit trail Indicate which of the following events are recorded in the audit log 2 2 1 Login logout 2 2 2 Display presentation of data 2 2 3 Creation modi
7. features documented for the device user No Are instructions available for device media sanitization i e instructions for how to achieve the permanent deletion of personal or other sensitive data Yes Hologic provides a Cyber Security Best Practices document on its website that provides recommendations on network security with the Trident product Instructions for sanitation included in user manual SGUD notes Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society HN 1 2013 Page 22 Device Category Manufacturer Document ID Document Release Date MAN 03142 l3712 2015 Software F Release Date 8 14 2012 Specimen Radiography System Hologic Inc Device Model pii as e iki Software Revision es No N A or See Note The ability of the device to ensure unauthorized access does not compromise the integrity and confidentiality of private data stored on device or removable media Can the device encrypt data at rest No System is only a temporary store of ePHI System can be configured to automatically remove studies shortly after completio and successful transmission to PACS and supports manual removal of patient records TRANSMISSION CONFIDENTIALITY TXCF The ability of the device to ensure the confidentiality of transmitted private data Can private data be transmitted only via a point to point dedicated cable Is private data encrypted
8. fication deletion of data 2 2 4 Import export of data from removable media 2 2 5 Receipt transmission of data from to external e g network connection 2 2 5 1 Remote service activity 2 2 6 Other events describe in the notes section Indicate what information is used to identify individual events recorded in the audit log 2 3 1 User ID 2 3 2 Date time AUTHORIZATION AUTH The ability of the device to determine the authorization of users Can the device prevent access to unauthorized users through user login requirements or other mechanism Yes Can users be assigned different privilege levels within an application based on roles e g guests regular users power users administrators etc Yes Can the device owner operator obtain unrestricted administrative privileges e g access operating system or application via local root or admin account Yes System supports individual operator accounts and differing operator roles Technologic and Manager Manager level users can create new accounts and revoke existing accounts Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society HN 1 2013 Page 19 Device Category Manufacturer Document ID Document Release Date Specimen Radiography System Hologic Inc MAN 3 142 Ls 12 2015 ee ee ee m m m m JSoftware F Release Date 18 14 2012 Software Revision es No N A or See Note The
9. on capability e g network modem etc Does the file system allow the implementation of file level access controls e g New Technology File System NTFS for MS Windows platforms Are all accounts which are not required for the intended use of the device disabled or deleted for both users and applications Are all shared resources e g file shares which are not required for the intended use of the device disabled Are all communication ports which are not required for the intended use of the device closed disabled Are all services e g telnet file transfer protocol FTP internet information server IIS etc which are not required for the intended use of the device deleted disabled Are all applications COTS applications as well as OS included applications e g MS Internet Explorer etc which are not required for the intended use of the device deleted disabled Can the device boot from uncontrolled or removable media i e a source other than an internal drive or memory component Yes Can software or hardware not authorized by the device manufacturer be installed on the device without the use of tools Yes The Product Development Life Cycle PDLC of the device incorporates numerous security scans and other vulnerability _ accessments which are incorporated into the product design The availability of security guidance for operator and administrator of the system and manufacturer sales and service Are security related
10. t or treatment date device identification number B 3 Diagnostic therapeutic e g photo radiograph test results or physiologic data with identifying characteristics B 4 Open unstructured text entered by device user operator B 5 Biometric data B 6 Personal financial information Maintaining private data Can the device Ci Maintain private data temporarily in volatile memory i e until cleared by power off or reset C 2 Store private data persistently on local media C 3 Import export private data with other systems C 4 Maintain private data during power service interruptions Mechanisms used for the transmitting importing exporting of private data Can the device D 1 Display private data e g video display etc D 2 Generate hardcopy reports or images containing private data D 3 Retrieve private data from or record private data to removable media e g disk DVD CD ROM tape CF SD card memory stick etc D 4 Transmit receive or import export private data via dedicated cable connection e g IEEE 1073 serial port USB FireWire etc D 5 Transmit receive private data via a wired network connection e g LAN WAN VPN intranet Internet etc D 6 Transmit receive private data via an integrated wireless network connection e g WiFi Bluetooth infrared etc D 7 Import private data via scanning D 8 Other Management of Private Data notes Copyright 2013 by the National Ele
11. the device has not been altered or destroyed in an unauthorized manner and is from the originator Does the device ensure the integrity of stored data with implicit or explicit error detection correction technology Copyright 2013 by the National Electrical Manufacturers Association and the Healthcare Information and Management Systems Society HN 1 2013 Page 20 Device Category Manufacturer joome ID pom Release Date Specimen Radiography System Hologic Inc MAN 03142 3 12 2015 si Na i fe eet AIR ame hell le ee i Device Model Software Revision Software F Release Date 8 14 2012 es No N A or See Note The ability of the device to effectively prevent detect and remove malicious software malware Does the device support the use of anti malware software or other anti malware mechanism 10 1 1 Can the user independently re configure anti malware settings 10 1 2 Does notification of malware detection occur in the device user interface 10 1 3 Can only manufacturer authorized persons repair systems when malware has been detected Can the device owner install or update anti virus software Can the device owner operator technically physically update virus definitions on manufacturer installed anti virus software Hologic Validates most general Anti Virus Anti Malware packages and provides instructions for installation by the customer Automatic virus definition updates are supported NODE AUTHENTICATION NAUT The a
Download Pdf Manuals
Related Search