
Elekta Anti-malware Policy


Introduction
Malicious software (or malware) is software that can get on a computer and cause damage to the computer or the data on it. Malware can include computer viruses, worms, Trojan horses (Trojans), spyware, and rootkits.

Policy
Elekta software runs on Microsoft Windows or GNU/Linux operating systems. Elekta recommends that you do not install anti-malware software on computers in the treatment delivery suite (TDS) [1]. The design of the software on the computers in the TDS includes some protection from malware contamination. Elekta recommends that you examine the computers in the TDS out of clinical hours from a computer on the same network. If you find malware on a computer in the TDS, isolate the computer and install the operating system and software again. The installation of anti-malware software on computers that are not in the TDS is recommended. The Elekta anti-malware policy gives information about malware contamination from network connection or storage devices and media. The policy also includes information about the problems that can occur when you use anti-malware software. Included in this Newsletter there are two tables that give a list of Elekta software, with its applicable level of protection and policy on operating system upgrades.

Network connection
In some installations, Elekta software connects to the same networks as other computers that connect to the Internet. This network connection increases the risk of contamination from malware. Elekta recommends that you use a VLAN, with no other connected computers, for computers in the TDS. We can then keep the applicable ports for some interfaces open, for example, DICOM from a treatment planning system. The largest risk to Elekta software comes from other computers on the same network that you use to read email or go to websites that can cause malware contamination on these computers, and subsequently, other connected computers. Elekta therefore recommends that you:
- Do not use e-mail or Internet software on the computers in the TDS
- Do not connect portable computers to the network
- Where applicable, run Elekta software from a user account that does not have administrator user rights.

The risk of malware contamination decreases when the malware tries to run on an account that does not have administrator user rights. If the malware runs on a user account without administrator user rights, the malware cannot change system files and settings. The design of Elekta software is such that it is not necessary to use administrator user rights for the usual operation of the software.

1. A treatment delivery suite (TDS) contains all computers connected to a Digital Accelerator, for example, Desktop Pro, iViewGT, XVI, MOSAIQ SEQUENCER.


Usually, Internet Explorer and Outlook Express are a standard part of Microsoft Windows. But on most computers in the TDS, we use an installation CD with Internet Explorer and Outlook Express removed. Where applicable, Elekta does use the security functions in the operating system, for example, the Windows Firewall.

Storage devices and media


All computers are at risk of malware contamination from storage devices and media, for example, CD-ROM, DVD-ROM, USB hard disks, and USB flash memory drives. Elekta recommends that you examine storage devices and media for malware and remove the malware before you use the device or media on a computer in the TDS. Windows XP, and later releases, decrease the risk of malware contamination from USB devices. The AutoPlay function in these releases does not automatically start programs, without your approval, when you connect the USB device. Malware contamination from storage devices or media can occur only if you open or run a file that contains dangerous data.

Operating system upgrades


Elekta does not let you install operating system security upgrades on the computer in the TDS because:
- Installation of these upgrades can change operating system files that can have an effect on the operation of the TDS computer.
- Elekta must make sure that the computers in the TDS which are delivered to its customers have a stable configuration.

Note: The warranty on computers in the TDS states that you must not make changes to the configuration, without the correct authority of the manufacturer [2]. Elekta will not be responsible for any unauthorized changes in configuration or their effect on patient safety.

2. FDA, Guidance for Industry, Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software, January 14, 2005

Anti-malware software problems


The problems that can occur on systems that run anti-malware software are as follows.

Decreased performance
In real time, it is possible that the anti-malware software scans all opened or run files, all received network packets, and all received e-mail and IRC messages. All malware scans (those done automatically in real time, and those done by the user) use processing time, hard disk access, and memory. Malware scans can cause unsatisfactory performance of the computers in the TDS. This decrease in performance can cause abnormal termination of treatment delivery, but it will not have an effect on the beam quality or safety.

Changes in file location
Most anti-malware software will change or move files that contain dangerous data to a safe location on the hard disk. If the software moves or changes a file that is necessary for the operation of a computer in the TDS, it can prevent correct operation or cause full system failure.

Incorrect reports
Anti-malware software can give incorrect reports of dangerous files, and change or move these files incorrectly. This can also prevent correct operation or cause full system failure. It is important, therefore, that you update the malware database in the anti-malware software regularly.


Scheduled backup failures
During backup, it is possible that the anti-malware software incorrectly finds files with dangerous data. The software changes or moves these files, which can cause a failure in the backup of the files, or a failure of the scheduled backup.

Blocked network ports
The firewall functions in the anti-malware software can make it necessary for the system administrator to open some ports for communication from other systems. This can prevent or decrease communication between the computers in the TDS or other Elekta systems (or systems from other manufacturers) on the network. And some functions, such as DICOM, backup and restore, and IntelliMax, will not operate correctly.

Elekta software protection level


The tables that follow show Elekta software with their applicable level of protection.

Table 1: Elekta software on Windows operating systems

Elekta software: Desktop Pro
Level of protection:
- Anti-malware scans are permitted (out of clinical hours) from a computer on the same network (no anti-malware software is installed on the control system)
- Windows Firewall (where applicable) configured to open only the necessary ports for communication from other systems
- By design:
  1. Windows AutoRun and AutoPlay disabled
  2. No Internet browser installed
  3. No e-mail client installed
  4. User cannot run random programs or open random files
- Operating system upgrades not permitted

Elekta software: iGUIDE
Level of protection:
- Anti-malware scans are permitted (out of clinical hours) from a computer on the same network (no anti-malware software is installed on the control system)
- Windows Firewall (where applicable) configured to open only the necessary ports for communication from other systems
- Operating system upgrades not permitted

Elekta software: iView & iViewGT
Level of protection:
- Anti-malware scans are permitted (out of clinical hours) from a computer on the same network (no anti-malware software is installed on the control system)
- Windows Firewall (where applicable) configured to open only the necessary ports for communication from other systems
- Operating system upgrades not permitted

Elekta software: XVI
Level of protection:
- Anti-malware scans are permitted (out of clinical hours) from a computer on the same network (no anti-malware software is installed on the control system)
- Users recommended to run as non-administrator
- Windows Firewall (where applicable) configured to open only the necessary ports for communication from other systems
- Operating system upgrades not permitted

Elekta software: MOSAIQ SEQUENCER and SYNERGISTIQ
Level of protection:
- Anti-malware scans are permitted (out of clinical hours) from a computer on the same network
- Operating system upgrades not recommended (until non-clinical tests of the upgraded system in a test environment are completed)

Elekta software: MOSAIQ Server
Level of protection:
- Anti-malware scans are permitted (out of clinical hours) from a computer on the same network
- Operating system upgrades not recommended (until non-clinical tests of the upgraded system in a test environment are completed)

Elekta software: Other MOSAIQ products
Level of protection:
- Anti-malware scans are permitted (out of clinical hours) from a computer on the same network
- Operating system upgrades not recommended (until non-clinical tests of the upgraded system in a test environment are completed)

Note: For more information about Elekta CMS Software and IMPAC Software products, refer to the applicable section below.

Table 2: Elekta products on GNU/Linux operating systems

Elekta product: DMLC
Level of protection:
- Standard GNU/Linux protection
- Anti-malware scans are permitted from a computer on the same network (no anti-malware software is installed on the control system)
- GNU/Linux Firewall configured to open only the necessary ports for communication from other systems

Elekta CMS Software and IMPAC Software


Elekta CMS Software and IMPAC Software recommend that their customers use the information below to make their decision about anti-malware protection for their software.

Elekta recommends that updates to operating systems or third-party programs must first have non-clinical tests of the upgraded system in a test environment. For some updates, IMPAC or CMS Software Support will know if they cause problems or prevent correct operation. Contact IMPAC or CMS Software Support for more information and a list of known updates that cause problems.

Only install software updates without validation to third-party programs if the update decreases the risk to operation.

After an update of the operating systems or third-party programs, do the applicable non-clinical tests for each program on which the update has an effect. Make sure that each program operates correctly. Where it is possible, do the tests in a test environment. Contact IMPAC or CMS Software Support for assistance to set up a configuration of a test environment.

Most anti-malware software can have a negative effect on system performance. Elekta recommends that you disable real-time malware scans and set all malware scans to run during non-clinical hours. If you must do real-time scans, contact IMPAC or CMS Software Support for more information.

Note: Elekta will update this policy regularly with information about other Elekta software, which will include treatment planning systems (TPS).

PROCEDURE
To find the Anti-Malware Policy on the Internet:
1. Go to http://www.elekta.com.
2. Type Anti-malware policy in the search box.
3. Click the link Anti-malware Policy for Elekta Software.



RT Crawley 462 2010 Elekta. All mentioned trademarks and registered trademarks are the property of the Elekta Group. All rights reserved. No part of this document may be reproduced in any form without written permission from the copyright holder. Specifications subject to change without notice.
