white aper - karl storz endoskope | united states...3.6 routing between the subnets control,...
TRANSCRIPT
White Paper KARL STORZ OR1 FUSION® IPIEC 80001
O R 1 2 9 1 . 2 1 2 / 2 0 1 7 - E
WHITE
PAPER
2
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
Table of Contents
1 Description - KARL STORZ OR1 FUSION® 3
2 DefinitionofaME-system 3
3 TechnicalSpecification-NetworkCommunicationandInfrastructure 3
3.1 General 3
3.2 Subnets 4
3.3 DHCP 4
3.4 Bonjour® 4
3.5 Port-basedVLAN 5
3.6 RoutingbetweenthesubnetsCONTROL,INTRANETandtheHospitalLAN 5
3.7 MulticastRoutingbetweentheIntranets 7
3.8 ManagementAccess 7
4 RequiredCharacteristicsandConfigurationoftheHospitalITNetwork 8
5 InformationflowbetweenKARL STORZ OR1 FUSION®andtheHospitalLAN 8
5.1 SIPVOIP-Telephone: 8
5.2 DigitalImagingandCommunicationsinMedicine(DICOM) 9
5.3 Browser 9
5.3.1 KARL STORZ OR1 FUSION®STREAMCONNECT®-Server 9
5.4 PTCAxeda®ConnectedAccess™RemoteService: 9
5.5 FTP 9
5.6 NetworkShare(SMB) 9
5.7 Microsoft™SkypeforBusiness(SfB) 10
5.8 CiscoTelePresenceSX80CodecandSX20Codec 10
5.9 NetworkPrinter 10
6 PatchManagement 10
7 Hazardanalysisofthesituation 11
7.1 Hazardbymalware: 11
7.2 Hazardbyincompatiblesoftware: 11
7.3 Hazardofdataloss: 11
7.4 Hazardofsurgicalimageloss: 11
7.5 Hazardbyviewingdiagnosticimages: 11
3
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
1 Description - KARL STORZ OR1 FUSION®
KARL STORZ OR1 FUSION®isthenameforaproductaimedatintegratingtypicalaudio-video,documentationandchecklist/workflowrequirements,featuresandfunctionalitiesforanORenvironmentintoonesingleintegratedsystem.
2 DefinitionofaME-system
Asystemconsistsofacombinationofnetworkingdevices,non-medicaldevicesandME-systemsaccordingISO/IEC60601-1Part3.64(DefinitionofMEDICALELECTRICAL(ME)SYSTEM):
[Combination,asspecifiedbyitsMANUFACTURER,ofitemsofequipment,atleastoneofwhichisMEEQUIPMENTtobeinter-connectedbyaFUNCTIONALCONNECTIONorbyuseofaMULTIPLESOCKET-OUTLET.]
AsdefinedinAnnexHofISO/IEC60601-1theKARL STORZ OR1 FUSION®systemisaPEMS(ProgrammableElectricalMedicalSystem).ThereforetheKARL STORZ OR1 FUSION®system,whichisisolatedfromthehospitalnetworkviatherouter,whichisprovidedbyKARL STORZ,iscompletelymanagedanddesignedbyKARL STORZ.So,theresponsibilityforthenetworkofthehospitalITadministratorendsattheWANportoftherouter.AmedicalsystemisdefinedinClause16ofISO/IEC60601-1.
InChapter1,ScopeoftheISO/IEC80001Note4,themanufacturerwhospecifiesaMEsystemthatincludesanetworkisresponsibleforthiscompletemedicalsystem.ThisisaccordingtotheISO/IEC60601-1Part3.64.
ThesecombinationsaretestedandverifiedasacompletesystembyKARL STORZ.
3 TechnicalSpecification-NetworkCommunicationandInfrastructure
3.1General
Thecontrolunit,KARL STORZ OR1 FUSION CONTROL®,hasintotalthreenetworkinterfaces,butonlyoneisusedforcommunicationwiththeotherdevicesofthesystem.Themaingoalistocreateasubnetnetworkstructurewithgalvanicseparationifneeded.Themaingoalsofthenetworkdesignare:
1.ToseparatetheIP-traffic(especiallythehighresolutionvideotransmissions)fromthegeneralhospitaldailybusinesstraffic.
2.CreateasubnetnetworkstructurewithseparatenetworksforVideo/Documentationandcontroldevices.
3.Standardizedcertifiedconfigurationsforupto31OR’s.
4.GalvanicseparationoftheORsandthecentralITcomponents,accordingtoISO/IEC60601-1.
4 4
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
3.2Subnets
TheintendedKARL STORZ OR1 FUSION®networkstructureconsistsoffoursubnetsinoneOR:
• HospitalLAN(H-LAN).ThisistheIPinfrastructureprovidedbythecustomerfortheKARL STORZ OR1 FUSION®IPsystemandbecomesapartoftheKARL STORZ OR1 FUSION®system.TheIPranges10.179.0.0/16mustnotbeusedbythissubnet.
• BACKBONEnetworkwithIPrange10.250.xxx.0/24willbeusedbytheKARL STORZ OR1 FUSION®systemforInter-OPconnection.
• INTRANETwithIPrange10.179.xxx.0/24willbeusedbytheKARL STORZ OR1 FUSION®systemfordevicesintendedforIntra-OPconnection.(ThissubnettogetherwiththeassociatedCONTROLsubnetisreferredtoas“Systemxxx”).
• CONTROLwithIPrange192.168.1.0/27.TheseIPsareidenticalforeverysystem.ThereasonforthisisthattheIPsoftheKARL STORZSCBdeviceslocatedineveryCONTROLsubnetcan’tbechangedbydesign. AlldeviceswhichareexplicitlynotinvolvedinInter-ORconnectionshavetobeplacedinthissubnet.TheKARL STORZ SCB MUSTbeonthissubnet.
3.3DHCP
ForeverysystemanExtremeNetworks¹SummitSwitchoffersDHCP-ServicefortheintranetwithIPrange10.179.xxx.11/254.
TheDHCPserverontheINTRANETprovidesanautomaticIPassignmenttotheencoderordecoder.BecausethesedevicesusetheZeroconfimplementationBonjour®ofAppleInc.,theKARL STORZ OR1 FUSION®systemidentifiesthembyasymbolicname.
3.4Bonjour®
TheBonjour®²ProtocolisApple’simplementationoftheZeroconfprotocolwhichisusedtoassignsymbolicnamesassociatedtoanIPliketheDNSsystembutwithoutanycentralizedserver.IncombinationwithDHCPitisusedtomanagetheOR1™videoencoderanddecoderfromtheKARL STORZ OR1 FUSION®software.BecausethisprotocolisbasedonIPmulticastsonthemanagingIPdevice(heretheExtremeNetworks®Switch)itneedsIGMPsnoopingsupport.
¹ExtremeNetworksandBlackDiamondaremarksorregisteredtrademarksofExtremeNetworks,Inc.,intheU.S.and/orothercountries²Bonjour®isaregisteredtrademarkofAppleInc.
5
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
3.5Port-basedVLAN
ForhigherefficiencytheExtremeNetworksSummitX67010GSwitchisdividedintoVLANs.Dependingonthecustomerenvironment,1,2or3ORsmaybeconfiguredonasingleswitch.AvirtualrouterwillbeconfiguredforeachOR.DedicatedControl-andIntranet-VLANsarecreatedforanOR.Glassfiberopticconnectionswillbeusedtosettheswitchinanownelectricdomainforgalvanicseparation,sothatnoelectricfaultinoneORcancauseanelectricfailureinanotherOR.
ThefollowingORconfigurationsareproposed:
• 1ORperswitch.Ports1-48areassignedtothisOR.Ports1-5arereservedforconnectionwithothernetworkdevices,so43portsremaintoconnectencodersordecoderstotheswitch.
• 2ORsperswitch.Ports1-24areassignedtothefirstORandports25-48tothesecondOR.Againthefirst5portsofeachORarereserved.Theremaining19portspersystemareavailableforconnectingencodersordecoderstotheswitch(38intotal).
• 3ORsperswitch.Ports1-16areassignedtothefirstOR,ports17-32areassignedtothesecondORandports33-48areassignedtothethirdOR.Asinthepreviouslydescribedconfigurationsthefirst5portsofeachORarereserved,so11portspersystemareremainingforconnectingencodersordecoderstotheswitch(33intotal).
Allfurtherdrawings(Figure1,Figure2andFigure3)refertotheconfigurationwiththreeORsperswitch.
3.6RoutingbetweenthesubnetsCONTROL,INTRANETandtheHospitalLAN
Asmentionedinchapter3.5thereisavirtualrouterforeachOR.Thisvirtualroutersendsthetrafficbetweenthecontrol-andintranet-VLAN.Besidesthese“local”routesthefollowing routesareconfigured:
• 10.250.xxx.0/24(localBB-Subnet)
• 10.179.xxx.0/16(routetotheotherIntranets)
• 10.179.xxx.2(defaultgateway)
NotethatthereisnorouteforthedevicesinthecontrolnetworktootherINTRANETorH-LANnetworks.ThereisnospecialfirewallfromanINTRANETtotheH-LAN(i.e.allportscanbereachedintheH-LAN).IncomingconnectionstoanINTRANETareblockedbytheautomaticSPI(StatefulPacketInspection)firewallontherouter.Furthermore,thesecurityofthe KARL STORZ OR1 FUSION CONTROL®isguaranteedbytheNeXusSE46SoftwareIDsoftwareinstalledonthedevice.EveryIPaddresscanbereachedfromtheKARL STORZ OR1 FUSION®softwareintheHospitalLANexcepttheIPaddressesusedintheCONTROLsubnet(IPs192.168.1.0/). Becauseofthis,alongsubnetprefix(/27)insteadofastandardprefix(/24)isusedfortheCONTROLsubnet.
6 6
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
Figure 1: Subnets and the routing in-between
Figure 2: Subnets and routing in-between with firewall
Traffic
Intranet to H-LAN / Internet
ControltoIntranet(insameOR)
IntranettoControl(insameOR)
IntranetX to IntranetY
Traffic
Blocked
Internet / H-LAN to Control or Intranet
Control to H-LAN / Internet
Control to Intranet in other OR
Intranet to Control in other OR
7
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
Figure 3: Multicast routing between OP-rooms (physical cabling)
3.7MulticastRoutingbetweentheIntranets
Toenableroom-to-roommulticasting,PIMandIGMPareconfiguredfortheVLANsontheExtremeNetworksSummitSwitches.Toenhancestability,aloopinterface(10.179.0.xxx)foreachORisconfiguredasastaticrendezvouspointforthebroadcastIPsintheOR.
3.8ManagementAccess
• Throughtheconsoleport:Settingsoftheconsoleport:9600,8N1,noHardwareorSoftwareFlowControl.
• Throughthemanagementport:themanagementIPofExtremeNetworksSummitSwitchesis10.0.0.1.
• CreateaSSHconnection:theSwitchacceptsonlySSHconnectionsfromtheKARL STORZ OR1 FUSION®PCs,forwhichthereisanORconfiguredontheswitch.
• ForExample:Assumingthereare2ORs(or101andor122)configured.ItisthenpossibletomakeaSSHconnectionfromKARL STORZ OR1 FUSION® PC 10.179.101.3or10.179.122.3to10.179.101.1or10.179.122.1,whicharetheVLAN-IPsconfiguredontheswitch.
8 8
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
4 RequiredCharacteristicsandConfigurationoftheHospitalITNetwork
ReferalsotoISO/IEC80001(DINEN50173;TIA-568)
Thefollowingrequirementshavetobefulfilledbythecustomer,otherwisecorrectfunctionalityoftheKARL STORZ OR1 FUSION®isn’tguaranteed:
• KARL STORZ OR1 FUSION CONTROL®hastobeprotectedwithafirewallagainstunauthorizedaccessfromtheinternet.
• TheuseofserverswithIPs192.168.1.0/27forKARL STORZ OR1 FUSION®isn’tallowed.
• Theuseofthesubnet10.179.0.0/16isn’tallowedinthehospital.
• OnthePOF-to-Copper-ConverteronlyaniPortdockingstation,aSCBoraLutronRoomControlisallowed.
• QoSforproperVOIPneedstobeimplemented.
• TheavailabilityofagatewayfortheKARL STORZ OR1 FUSION®routershastobeguaranteed.
• Amaximumroundtriptimeof300mshastobeguaranteed.
• Aminimumbandwidthof200Mbit/shastobeguaranteed.
5 InformationflowbetweenKARL STORZ OR1 FUSION®and theHospitalLAN
The KARL STORZ OR1 FUSION®systemsupportsthefollowingservicesofexternalserversintheHospitalLANorinternet:
5.1SIPVOIP-Telephone:
OneofthesystemfeaturesprovidestheuserwithanintegratedVOIP-ClientincludinglocalPhone-Bookfunctionality.
ThefollowingORconfigurationsareproposed:
• Required“In-House”SIPserver:(e.g.AVAYASessionManager,Asterisk1.6,3CX11.0forVOIPtelephony.)
• SIP protocol unencrypted UDP on Port 5060
• Audioprotocol:unencryptedRTP
• Dedicatedextensionnumberrequired
ThefollowingCodecsareavailableattheClient:
PCMA G722-16kHz L 16 G726-24kHz
PCMU GSM G728-8kHz G726-32kHz
Telephone-Event SPEEX-8kHz G723-8kHz G726-40kHz
ILBC-8kHz SPEEX-16kHz G726-16kHz G729
9
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
5.2DigitalImagingandCommunicationsinMedicine(DICOM)
DICOM-server:e.g.DCMTKderivedserverforsavingpatientdata.Forfurtherinformationsee“DICOMComplianceStatement”.
5.3Browser
Thebrowserfeatureenablesaccesstoexternalweb-basedcontentfrom KARL STORZOR1™FUSION®.
HoweverthisisonlyrestrictedtoverifiedandapprovedKARL STORZapplicationsorThirdPartyProducts:
Thefollowingapplicationsareenabled:
- KARL STORZOR1™STREAMCONNECT®NEO(seeSection5.3.1)
5.3.1 KARL STORZ OR1 FUSION®STREAMCONNECT®-Server
Foraudio/videocommunicationoutsidetheOR-EnvironmentanadditionalServerplatformisavailable.
ForfurtherinformationpleaserefertothecountrybasedassignedWhitePaper:
UnitedStates/Canada/Mexico:STREAMCONNECT® NEO
Restoftheworld:WhitePaperOR1™STREAMCONNECT®IISystem
5.4PTCAxeda®ConnectedAccess™RemoteService:
KARL STORZoffersremoteservicefortheKARL STORZdeviceslocatedintheoperatingroom.ConnectionbetweendevicesintheORandtheAxeda®³ConnectedAccess™remoteserverisestablishedbythedeviceusingthehttpsprotocol.FurthercommunicationbetweenthedeviceandtheAxeda®ConnectedAccess™remoteserveruseshttpstunneling.
5.5FTP
The KARL STORZ OR1 FUSION®systemusespassiveFTPwhenexportingdatatoaFTPserverwithintheITnetworkinfrastructure.Thatis,allconnectionsareestablishedfromtheFTPclienttotheserver.Thereforenospecialfirewallconfigurationoftherouterisrequired.
TherequiredFTPcredentialstoconnecttotheFTPserverneedtobeconfiguredandstoredwithintheKARL STORZ OR1 FUSION®system.
PleaserefertotheFTPdefinitioninRFC959formoredetailedinformation.
5.6NetworkShare(SMB)
The KARL STORZ OR1 FUSION®systemusestheSMBprotocolstandardwhenexportingdatatoanetworkshareonaSMBserverwithintheITnetworkinfrastructure.HerebyallconnectionsareestablishedfromtheSMBclienttotheserver.Thereforenospecialfirewallconfigurationoftherouterisrequired.
TherequiredcredentialstoconnecttotheSMBserverneedtobeconfiguredandstoredwithinthe KARL STORZ OR1 FUSION®system.
PleaserefertotheSMBdefinitionbyMicrosoftunderhttp://msdn.microsoft.com/en-us/library/cc246482.aspxformoredetailedinformation.
³AxedaisaregisteredtrademarkofAxedaCorporation
10 10
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
5.7Microsoft™SkypeforBusiness(SfB)
The KARL STORZ OR1 FUSION®systemoptionallysupportsavideoconferencingmodulebasedonMicrosoft™SkypeforBusiness(SfB).ThismoduleconsistsofacustomizedclientcodedtotheLync2013API.Therefore,itrequiresabackendSkypeforBusinessserver,whetheritbeinthecloud(e.g.MicrosoftOffice365)orthehospital’sownlocalorremoteSkypeforBusinessserver.UniquenewSkypeforBusinessaccountsarecreatedforeachORontheSkypeforBusinesssystemandthecorrespondingcredentialsareenteredintothe KARL STORZ OR1 FUSION®videoconferencemodulesconfigurationscreen.NootherconfigurationisneededfortherouterortheKARL STORZ OR1 FUSION®system.
5.8CiscoTelePresenceSX80CodecandSX20Codec
The KARL STORZ OR1 FUSION®systemprovidesconnectionstoaCiscoTelePresenceSX80CodecandaCiscoTelePresenceSX20Codec.ItcontrolstheCodecoverhttps-andSSH-connections.AudioandvideofromaconferencecallviaSX80CodecandSX20Codeccan beroutedwithintheKARL STORZ OR1 FUSION® installation.
5.9NetworkPrinter
The KARL STORZ OR1 FUSION®systemsupportstheconfigurationofnetworkprintersthatcanbeusedforprintingtreatmentreports.Therequiredresourcesdependontheconcretenetworkprintinginfrastructureanddriversthatareused.
AslongasallconnectionsareestablishedfromtheKARL STORZ OR1 FUSION®systemtothenetworkprinternospecialfirewallconfigurationoftherouterisrequired.
Thefollowingprotocolsaretestedandverified:
• NetworkShare(ServerMessageBlockSMB)(seeChapter6.4)
• InternetPrintingProtocol(IPP)TCP/UDP-Port 631
• LinePrinterDaemonprotocol/LinePrinterRemoteprotocol(LPD,LPR) TCP-Port 515
• HP-JetDirect TCP-Port 9100
6 PatchManagement
Classicantivirusprotectionisonlyeffectiveifthevirusdefinitionfile(=blacklist)andtheprogramengineareregularlyupdated.Therefore,usersareonlyprotectedagainstthreatsthatareknowntothemanufacturer.Thereisageneralriskofafaultyupdateoftheantivirusprogramnegativelyaffectingthesystem,resultinginproblemsassevereastotalsystemfailure.Therefore,carefulchecksareindispensable.
ThePatchmanagementsolutionoftheKARL STORZ OR1 FUSION®systemisbasedonNeXus SE46 Software ID solution, whichstartsautomaticallytogetherwiththeWindowsoperatingsystemandusesthewhitelistapproach.Whenusingawhitelist,allexecutablefilesthatarenotlistedonthewhitelistareblockedfromrunning.Asaresult,anyintrudingmalwareispreventedfromnegativelyaffectingthesystemorchangingit.ThisincludesmalwaresuchasvirusesorTrojanseveniftheyarehiddeninotherfiles.
OnlyaKARL STORZservicetechnicianhastheprivilegestoswitchtheNeXus SE46 Software ID into the Service Mode, whichallowsfullcontrolandsoleauthorizationtomakefundamentalmodificationstotheoperatingsystemandinstallations.Thisalsoappliestothereleaseofnewsystemcomponentsandupdates.
11
© K
AR
L S
TOR
Z 9
6202
074
OR
1 29
1.2
12/
2017
/EW
-E
It is recommended to check the suitability of the product for the intended procedure prior to use.
7 Hazardanalysisofthesituation
7.1Hazardbymalware:
• Pleaserefertochapter6PatchManagement
7.2Hazardbyincompatiblesoftware:
• The KARL STORZ OR1 FUSION CONTROL®systemisBIOSprotectedand inKIOSKmode
• The KARL STORZ OR1 FUSION®networkisprotectedandonlyserviced byKARL STORZ
7.3Hazardofdataloss:
• The KARL STORZ OR1 FUSION®systemisnotanarchivingsystem
• Allinformation(documents,picturesandstreamingmediacontent)havetobeexportedtoUSB,CD/DVD,DICOM,networkshares
7.4Hazardofsurgicalimageloss:
• The KARL STORZ OR1 FUSION®networkisonlyservicedbyKARL STORZ
• Aslongasthenetworkconnectionsdonotgodown,alldevicesare poweredandnodevicefails,theKARL STORZnetworkremainsstable.
7.5Hazardbyviewingdiagnosticimages:
• Seewarningsinusermanual-DonotusetheKARL STORZ OR1 FUSION® systemtoviewdiagnosticimages
9620
2074
OR
1 29
1.2
12/
2017
/EW
-E
KARL STORZSE&Co.KG Dr.-Karl-Storz-Straße34,78532Tuttlingen/Germany Postbox230,78503Tuttlingen/Germany Phone: +49(0)7461708-0 Fax: +49(0)7461708-105 E-Mail: [email protected]
www.karlstorz.com