FIPS and DIACAP-Accredited Patient Monitoring and Clinical IT Systems FAQs

Date post: 20-Mar-2018
Upload: ngonhi
Today we live in a dangerous world. Not only on the streets – but also with our personal and business information. According to Forbes Magazine*, 91% of healthcare organisations have had at least one data breach involving the loss or theft of patient data in the past two years.

FIPS and DIACAP-Accredited Patient Monitoring and Clinical IT Systems FAQs

At Dräger, we are committed to producing medical device technology that adheres to the highest standards of healthcare cybersecurity. As part of that commitment, we have initiated and received FIPS and DIACAP certification for several of our patient monitoring and clinical IT system devices.

WHAT IS FIPS?

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a security standard developed by the National Institute of Standards and Technology (NIST) for testing and validating the cryptographic capabilities of systems used with government networks in the United States and Canada. FIPS validation demonstrates that the cryptographic module built into the system can help maintain the confidentiality and integrity of electronic data.

WHAT IS THE FIPS VALIDATION PROCESS?

To receive FIPS 140-2 validation, a product must pass through three phases:

– Phase 1, initiated by the manufacturer, includes preparing or updating the design of the product and documenting the changes made in order to meet FIPS requirements.

– Phase 2 is independent laboratory testing to verify the manufacturer's claims.

– Phase 3 consists of the test results being reviewed by the Cryptographic Module Validation Program (CMVP), a governmental agency that reviews all test reports for compliance. Once it is determined that the product is in compliance, the product is validated.

WHY IS FIPS ACCREDITATION IMPORTANT TO MY HOSPITAL?

While FIPS 140-2 is a U.S. government computer security standard developed for use in all federal healthcare facilities, it is also valuable for public and private hospitals because approved devices offer a high degree of security, assurance and dependability.

The Dräger Infinity® M300 patient-worn monitoring device contains a FIPS-validated Wi-Fi module (RS9113-N00-D0F Wi-Fi module from Redpine Signals) for wireless data encryption. This patient-worn monitor uses non-proprietary 802.11 b/g wireless technologies instead of proprietary antennas, which allows for continuous patient monitoring wherever Wi-Fi coverage is present in a hospital. This enables medical facilities to monitor patients in specialty areas where telemetry is not typically an option, and helps eliminate workflow bottlenecks in dedicated telemetry wards.

WHAT IS DIACAP?

The Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) is a process by which information systems are certified for compliance with DoD security requirements and accredited for operation on the DoD network to ensure security and the protection of sensitive information. Dräger has received an Authorisation to Operate (ATO) and an Authorisation to Connect (ATC) as issued by the Defense Health Agency (DHA) for several of its patient monitoring devices.

Dräger is the first company to achieve DIACAP certification for multi-parameter patient monitoring.

FIPS 140-2 inside

*Source: “Why Medical Identity Theft is Rising and How to Protect Yourself”, Forbes, May 2015

WHAT ABOUT PUBLIC AND PRIVATE HOSPITALS?

Vulnerabilities in medical devices connected to hospital networks can threaten the entire system and expose it to attacks – jeopardising both patient safety and the reputation of the hospital. Higher device security helps increase patient safety. DIACAP-certified patient monitoring devices allow both private and public hospitals to comply with higher standards and cybersecurity regulations.

WHICH DRÄGER PRODUCTS HAVE RECEIVED DIACAP ACCREDITATION?

The current list of patient monitoring and clinical IT products that have received DIACAP accreditation includes bedside/transport monitors, patient-worn telemetry monitors, central monitors, remote viewing software, network integration software and network printers.

HOW WILL THE NEW RMF CERTIFICATION IMPACT OUR DIACAP CERTIFICATION?

While DIACAP has already started to be replaced by the Risk Management Framework (RMF), which will apply to all federal facilities, Dräger can continue to operate under our current DIACAP certification until it expires. We have already begun working with the Air Force Medical Operations Agency (AFMOA) and Defense Health Agency (DHA) to transfer our information over to the new RMF templates and begin the RMF certification process. With similar certification criteria, Dräger is uniquely positioned to meet all new regulatory requirements under RMF.

Once this transition to RMF is made, it will also apply to all Military Treatment Facilities (MTFs) and all hospitals in the Department of Veterans Affairs (VA), through the reciprocity provisions of RMF.

For more information on Dräger FIPS and DIACAP product accreditation and cybersecurity initiatives, please contact your Dräger representative.

WHAT IS THE DIACAP ACCREDITATION PROCESS?

DIACAP accreditation is an extremely complex process and demonstrates Dräger’s dedication to patient safety and support for its customers’ cybersecurity goals. The accreditation process includes five main activities, as follows:

1. Initiating and planning Information Assurance (IA) certification and accreditation – in which the company registers the system with the DoD, assigns IA controls, assembles a DIACAP team, and initiates an implementation plan

2. Implementing and validating assigned IA controls – in which the company executes the implementation plan, conducts validation activities and compiles validation results

3. Making of the certification determination and accreditation decision – whereby the DoD makes the certification determination and issues an accreditation decision

4. Maintaining the authorisation to operate and conduct reviews – in which the company maintains situation awareness, maintains an IA posture, performs an annual review of IA controls and submits the product for re-accreditation

5. Decommissioning the system

HOW DOES DRÄGER’S ACCREDITATION BENEFIT MILITARY TREATMENT FACILITIES?

This accreditation ensures the secure operation and protection of sensitive information of DIACAP-certified products deployed in military treatment facilities. DIACAP certification also ensures that the facility’s patient monitoring and clinical IT systems are in compliance with the standards and regulations of appropriate, consistent levels of cybersecurity as required for Command Cyber Readiness Inspections (CCRI). Dräger’s DIACAP certification provides validation that our accredited products meet this level of CCRI.

91 02 496 | 17.03-1 | NW | LL | Subject to modifications | © 2017 Drägerwerk AG & Co. KGaA

CORPORATE HEADQUARTERS Drägerwerk AG & Co. KGaA Moislinger Allee 53–55 23558 Lübeck, Germany

AUSTRALIA Draeger Medical Australia 8 Acacia Place Notting Hill, VIC 3168 Tel 1800 372 437 Fax 1800 647 484

www.draeger.com

Not all products, features, or services are for sale in all countries. Mentioned Trademarks are only registered in certain countries and not necessarily in the country in which this material is released. Go to www.draeger.com/trademarks to find the current status.

