Philips HealthSuite Imaging
Delivering secure cloud computing to protect data and enhance operations
Executive Summary
Philips is committed to delivering secure, private, and reliable imaging solutions that enable clinicians and radiologists to provide timely and confident diagnoses.
HealthSuite Imaging (HSI) embodies this commitment through its secure-by-design approach, leveraging the power of cloud computing to streamline image management, collaboration, and reporting. HealthSuite Imaging, our cloud-based radiology service delivered as a SaaS solution, shifts the operational burden from healthcare providers to trusted partners, Philips and Amazon Web Services (AWS), who ensure the platform is always up to date, monitored and compliant.
This document outlines the security principles, controls, and technologies embedded within the HSI cloud architecture to protect sensitive healthcare data and ensure operational integrity. It is intended to provide healthcare organizations, IT professionals, and decision-makers with a comprehensive view of how HSI safeguards patient and system information in a cloud environment.
Cloud computing brings new challenges and safeguards: Radiology departments face a demanding, dynamic cybersecurity landscape due to their reliance on interconnected systems, constant availability, and high data throughput. Cloud-based platforms add new challenges that demand advanced safeguards (robust identity management, encrypted data storage, audit trails, and compliance controls) to ensure they don't become new entry points for attackers. Yet cloud-based solutions also bring significant improvements in security posture, simplifying upgrades and patching and centralizing and consolidating points of entry.
Introducing HealthSuite Imaging
Delivered as a Software as a Service (SaaS) solution, Philips HealthSuite Imaging (HSI) provides a modular portfolio of Philips RIS and PACS services, ranging from exam scheduling, through patient registration, documentation, image processing and diagnostic interpretation, to result distribution.
HSI provides a security-first architecture designed to mitigate the threats to data in the cloud. It shifts the operational burden from healthcare providers to trusted partners—Philips and Amazon Web Services (AWS)—who ensure the platform is always up to date, monitored and compliant. Security is embedded into every layer, from data encryption and access controls to vulnerability management and real-time threat detection. This enables healthcare IT teams to stay ahead of evolving threats without compromising system performance or clinical availability.
Advanced Security in the Cloud
HealthSuite Imaging benefits from a modern, robust cloud security framework that enhances protection well beyond the capabilities of traditional on-premises environments.
Each HSI instance is deployed in an AWS region selected by Philips based on its proximity to the healthcare provider, ensuring low latency and optimal performance. This architecture promotes fast access to imaging studies while maintaining compliance with local data residency and performance requirements. HSI utilizes the full range of AWS services to secure its infrastructure, including Amazon EC2, S3, ELB, VPC, IAM, KMS, CloudWatch, AppStream, Route53, WAF, and CloudTrail.
The cloud infrastructure is architected with strong network segmentation, isolating public-facing services (e.g., diagnostic viewers and enterprise portals) from backend services (e.g., databases and storage). Virtual Private Cloud (VPC) constructs, security groups and network access control lists (NACLs) are used to strictly control inbound and outbound network flows, ensuring secure and controlled access to all resources.
Deployment Modes
Full Cloud RIS and PACS Services
A HealthSuite Imaging Full Cloud Deployment is a setup where all medical imaging services are hosted entirely in the cloud. This means that the data and applications are stored and managed on remote servers, specifically on Amazon Web Services (AWS).
Hybrid Cloud PACS Services
A HealthSuite Imaging Hybrid Cloud Deployment combines both on-premises and cloud-based components. This setup is well-suited for smaller healthcare providers or environments with lower network performance. It includes an on-premises device called Cloud Connect, which handles local data storage and quick access to images, while synchronizing data with a shared, multi-tenant environment in AWS.
Diagram: Hybrid Cloud Deployment
Diagram illustrating Hybrid Cloud Deployment. It shows an 'Imaging department' with 'Imaging modalities' and 'Reading services' connected to a 'Cloud gateway' containing 'Cloud connect'. This gateway connects via a secure transfer protocol over the internet to the 'AWS Cloud' region. The AWS Cloud features 'Availability Zones' with EC2 servers, databases (APP, DB), and S3 Image Storage. Remote access is provided for 'Reading services' and 'Enterprise Viewing services' via a secure transfer protocol over the internet, connecting to the home network.
Diagram: Full Cloud Deployment
Diagram illustrating Full Cloud Deployment. It shows an 'Imaging department' with 'Imaging modalities' and 'Reading services' connecting via DICOM S&F and AWS Direct Connect to the 'AWS Cloud' region. The AWS Cloud includes 'Availability Zones' with EC2 servers (including Analytics, Rendering, EIS), databases (APP, DB), WIM servers, WIM DB, and S3 Image Storage. Remote access is provided for 'Workflow and Viewing services' via a secure transfer protocol over the internet, connecting to the home network.
Key Security Features
Web Application Firewall (WAF)
HSI implements AWS Web Application Firewall (WAF) directly in front of the RIS and PACS web interfaces, such as the Enterprise Viewer and Diagnostic Client Gateway. WAF acts as a real-time defense layer against malicious traffic, shielding the system from common web exploits, bot activity, denial-of-service attempts, bad reputation IPs, cross-site scripting, and SQL injections. By inspecting HTTP/S traffic before it reaches the application layer, AWS WAF preserves the availability and integrity of the system while ensuring only legitimate users can access critical clinical interfaces.
Virtual Private Cloud (VPC)
The AWS Virtual Private Cloud (VPC) architecture adopted for each HSI customer strictly segments public-facing services and internal components. Access to user-facing systems such as the diagnostic viewer is isolated, while backend systems—including databases and archives—are confined to private subnets inaccessible from the internet. This layered approach ensures sensitive data remains protected, reducing exposure and enabling fine-grained control over internal network flows.
Security from the Start: Product and Service Development
Philips integrates cybersecurity into every phase of product and service development using a comprehensive Product Security Framework aligned with global security standards. This framework, applied across all Philips software products, encompasses structured activities such as Product Security Risk Assessments (PSRA), secure architecture and design, vulnerability and penetration testing, and security training across the organization.
Beyond Technological Threats: Philips applies a mature Information Security Management System (ISMS) to protect the business of customers, meeting objectives for confidentiality, integrity, and availability (the "CIA triad") of data and service. The ISMS uses a holistic approach, covering organizational, people, physical, and technological controls. Its adequacy is assessed annually through internal and external audits.
Diagram: Product Development Lifecycle
Diagram illustrating the product development lifecycle as a loop: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor. Each phase lists associated security activities:
- Plan: Specific security requirements, Threat modelling, Secure by design principles, Security design review, Risk assessments.
- Code: Secure coding standards, Secure code reviews, Static code analysis, Open-source review.
- Build: OS hardening and patching, Secure systems engineering, Security documentation.
- Test: Security requirements testing, Threat mitigation testing, Vulnerability testing, Penetration testing.
- Release: Product defense in depth, Secure hardening guidelines, Security guidelines, Instructions for use, Installation manuals, MDS2, White papers.
- Deploy: Supply chain security, Timely delivery of security updates, Secure installation.
- Operate: Security patch analysis, Secure operation guidelines, Vulnerability advisories, Threat analysis, Manage customer complaints, Coordinated vulnerability disclosure.
- Monitor: 24x7 monitoring, Intrusion analysis, Incident response.
Encryption in Transit
All communication across the HSI platform is encrypted using modern protocols that align with healthcare industry standards. Within the cloud environment, internal services communicate using proprietary protocols secured with Transport Layer Security (TLS), preventing unauthorized interception or manipulation of data.
In HSI Full Cloud Implementation: Communication with medical imaging devices uses DICOM TLS for encrypted and authenticated data exchange. Web-based interfaces and applications use HTTPS secured with TLS 1.2 or above. When connecting on-premises environments to the cloud, the system leverages AWS Direct Connect (DX) enhanced with MACSec encryption, providing confidentiality and integrity at the network level (Layer 2).
In HSI Hybrid Cloud Implementation: The connection is secured using a VPN tunnel established by an SSL appliance, employing the AES-256-CBC cipher for encryption and HMAC with SHA-256 for message authentication. This encrypted channel leverages Transport Layer Security (TLS) for data confidentiality and integrity.
Encryption at Rest
HSI applies strong encryption to all stored data, including metadata and imaging content, to protect it from unauthorized access. Database credentials, certificates, and encryption keys are managed securely through Oracle Wallets, with access restricted to the Philips service team.
AWS native storage services (S3, EBS, FSx) provide built-in encryption capabilities for imaging data. These services use AWS Key Management Service (KMS) with customer-managed keys (CMK) controlled by Philips, ensuring strong separation and confidentiality for each customer's data. Locally attached storage on EC2 instances, FSx for Windows file systems, and Amazon S3 buckets are encrypted using AES-256 keys managed through AWS KMS. Access to these keys is tightly controlled with granular policies, preventing AWS from accessing encrypted content. Credentials and private keys are managed by Philips. Additional safeguards include automated key rotation, comprehensive audit logging via AWS CloudTrail, and strict access control policies enforced through AWS IAM.
Protection in Use
HSI protects data while it is being processed through the AWS Nitro System, the foundational security layer behind Amazon EC2 instances. Nitro prevents even AWS personnel from accessing customer data inside virtual machines. This system was designed to eliminate operator access, meaning there is no backdoor or administrative override. This model was validated by an NCC Group audit in 2023, confirming no mechanism for AWS employees to access data on Nitro-based hosts. This shields customer data from external, internal, and cloud provider threats.
Security Scan
To proactively identify and mitigate vulnerabilities, HSI integrates security scanning tools. These services regularly assess the environment for misconfigurations, compliance drift, and potential security threats. Alerts are prioritized and aggregated to support timely remediation. These automated assessments complement manual reviews and contribute to a continuously monitored security posture.
Endpoint Detection and Response (EDR)
Trend Micro's Endpoint Detection and Response (EDR) solution fortifies endpoint security on EC2 instances. EDR provides real-time monitoring, threat detection, and rapid response capabilities for all compute endpoints, ensuring systems hosting PACS components are continuously checked for abnormal behavior. The Philips Security Operations Center (SOC) monitors the install base on a 24/7 basis.
Data Resiliency
Amazon S3 enables the recovery of previous object states, preventing data loss due to accidental deletions or overwrites. Object Lock enforces a Write Once Read Many (WORM) policy, ensuring medical imaging data cannot be altered or removed for a defined retention period. These safeguards are enabled by default for all archived imaging data, supporting a reliable and immutable archive strategy.
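A way to verify the storage controls described here and under Encryption at Rest, as an added example that is not Philips code: the function takes dictionaries shaped like the boto3 responses from get_bucket_versioning, get_object_lock_configuration and get_bucket_encryption and reports where a bucket falls short. The sample responses, the key ARN and the seven-year retention period are constructed for illustration.

```python
# Added example: audit an archive bucket's settings against the controls
# described in the text (previous-version recovery, Object Lock/WORM,
# encryption with a KMS key). All sample values below are constructed.

def check_archive_bucket(versioning, object_lock, encryption):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Recovering previous object states relies on versioning, which
    # S3 Object Lock also requires.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")

    lock = object_lock.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
    else:
        retention = lock.get("Rule", {}).get("DefaultRetention", {})
        mode = retention.get("Mode")
        if mode not in ("COMPLIANCE", "GOVERNANCE"):
            findings.append("no default retention mode")
        elif mode == "GOVERNANCE":
            # Principals holding s3:BypassGovernanceRetention can override it.
            findings.append("GOVERNANCE mode can be bypassed by privileged users")
        if not (retention.get("Days") or retention.get("Years")):
            findings.append("no default retention period")

    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    defaults = [r.get("ApplyServerSideEncryptionByDefault", {}) for r in rules]
    # A missing key id or an alias/aws/ alias means the AWS managed key is used.
    # An ARN alone does not prove the key is customer managed; confirm in KMS.
    if not any(d.get("SSEAlgorithm") == "aws:kms"
               and d.get("KMSMasterKeyID")
               and "alias/aws/" not in d["KMSMasterKeyID"] for d in defaults):
        findings.append("default encryption is not SSE-KMS with a named key")
    return findings


# Constructed sample responses (not from any real deployment).
GOOD_VERSIONING = {"Status": "Enabled"}
GOOD_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}}
GOOD_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}

if __name__ == "__main__":
    print(check_archive_bucket(GOOD_VERSIONING, GOOD_LOCK, GOOD_ENCRYPTION))
```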
Data Durability
HSI leverages the 99.999999999% (11 nines) durability of Amazon S3 for long-term data preservation. S3 stores data redundantly across multiple Availability Zones within an AWS region. The PACS software intelligently selects the most appropriate storage tier based on access patterns, optimizing cost-efficiency while ensuring rapid availability for both recent and historical studies.
General Product Security
All services within the HealthSuite Imaging portfolio are developed following the comprehensive security framework for Philips Radiology Informatics solutions. For more information on the Philips security framework, reference the white paper, "Cybersecurity in Radiology Informatics," available at https://www.usa.philips.com/healthcare/white-paper/cybersecurity-for-radiology-informatics or by contacting a Philips radiology informatics representative. This white paper provides in-depth explanations of Philips security in terms of:
- Industry Standards and Compliance
- Third-Party and Supply Chain Security
- Malware Protection and OS Patching
- System Hardening and Data Security
- Application-Level Security
- Secure Remote Access
- User Management
- Business Continuity and Disaster Recovery
- Threat Monitoring and Incident Response
Operational Security
The Philips service and operations team, adhering to the ITIL (Information Technology Infrastructure Library) framework, continually evaluates security risks, privacy risks, and controls during HealthSuite Imaging operation and maintenance to minimize risks and maximize availability.
Event Logging, Auditing, and Monitoring
Regulations require organizations to log all activities concerning Protected Health Information (PHI). Each logged event can include warnings, failures, operation performed, user, location (including client IP), and affected information (study instance unique identifier). An audit trail is an event log that collects important actions and events for tracking and investigating past actions. It is a write/read-only table, meaning Philips can only write entries to it and read them afterwards; once created, an entry is never edited or deleted.
Log and audit trails are crucial in cybersecurity for providing a detailed record of system activities, allowing for detection of security incidents, investigation of suspicious events, compliance with regulatory requirements, and analysis of historical data to improve security posture and response strategies. Philips can provide detailed audit trail logs that are IHE ATNA compliant, covering logging, reading, and modifying clinical information.
Audit trail logs are stored locally (encrypted) or transferred to a central Syslog server. Hospital administrators can monitor logged events and identify unusual system activity or suspicious user behavior using the Audit Log Viewer, filtering records and exporting as necessary.
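A sketch of the kind of review the audit fields listed above make possible, as an added example that is not part of the Philips product: it flags users who read an unusual number of distinct studies in a short window and client IPs with repeated failures. The record layout, field names, thresholds and sample events are assumptions constructed for illustration; real records would first be parsed from the exported audit log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_bulk_access(events, max_studies=3, window=timedelta(minutes=10)):
    """Return {user: peak count} for users who successfully read more than
    max_studies distinct study UIDs inside any sliding time window."""
    recent = defaultdict(deque)          # user -> deque of (time, study_uid)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["operation"] != "read" or ev["outcome"] != "success":
            continue
        q = recent[ev["user"]]
        q.append((ev["time"], ev["study_uid"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()                  # drop reads older than the window
        distinct = len({uid for _, uid in q})
        if distinct > max_studies:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), distinct)
    return flagged

def failures_by_ip(events, threshold=3):
    """Return {client_ip: count} for IPs with at least threshold failures."""
    counts = defaultdict(int)
    for ev in events:
        if ev["outcome"] == "failure":
            counts[ev["client_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def _ev(minute, user, ip, operation, uid, outcome="success"):
    # Helper that builds one constructed audit record (hypothetical layout).
    return {"time": datetime(2024, 1, 1, 9, minute), "user": user,
            "client_ip": ip, "operation": operation,
            "study_uid": uid, "outcome": outcome}

# Constructed sample events: one user reading five studies in five minutes,
# one user with ordinary activity, and three failed logins from one address.
SAMPLE_EVENTS = (
    [_ev(m, "tech01", "10.0.0.5", "read", f"1.2.840.99999.{m}") for m in range(5)]
    + [_ev(0, "rad02", "10.0.0.7", "read", "1.2.840.99999.100"),
       _ev(30, "rad02", "10.0.0.7", "read", "1.2.840.99999.101")]
    + [_ev(m, "svc", "192.0.2.44", "login", "", "failure") for m in (1, 2, 3)]
)

if __name__ == "__main__":
    print(flag_bulk_access(SAMPLE_EVENTS))
    print(failures_by_ip(SAMPLE_EVENTS))
```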
Responding to Cyber Security Threats
The top priority of the 24/7 Philips Security Operations Center (SOC) is safeguarding vital assets like the Vue PACS and Image Management Software. Their multifaceted strategy integrates proactive measures such as continuous monitoring and threat detection, leveraging state-of-the-art technologies.
In the event of an incident, the Philips Imaging Informatics SOC uses rapid triage and containment procedures to isolate affected systems, mitigate harm, and prevent threat spread. Analysts examine forensic evidence, log data, and network traffic to understand attacker tactics, techniques, and objectives. This granular analysis informs response strategies and enhances threat detection capabilities, enabling anticipation and thwarting of future threats.
Philips maintains open dialogue with internal stakeholders, external partners, and regulatory bodies to keep all parties informed throughout the incident response process. Remediation efforts focus on restoring affected systems to a secure state, including patching vulnerabilities, deploying security updates, resetting compromised credentials, and restoring data from backups. The focus remains on safeguarding critical assets and maintaining operational continuity.
Post-incident analysis provides insights for improvement. Assessments identify gaps in security controls, weaknesses in incident response procedures, and opportunities for enhancement. Philips' commitment to continuous improvement includes investment in training and skill development to ensure analysts remain at the forefront of cybersecurity best practices.
Conclusion
HealthSuite Imaging is purpose-built to support secure, scalable, and high-performance diagnostic imaging in the cloud. Its architecture integrates advanced security technologies, strong governance, and a secure-by-design approach to protect patient data, meet regulatory expectations, and enable clinical efficiency. From identity management and encryption to continuous threat detection and structured incident response, every aspect of the platform is engineered with security as a foundational principle.
Philips maintains a proactive approach to security, incorporating regular updates, independent assessments, and third-party certifications to ensure HealthSuite Imaging continues to evolve alongside the dynamic threat landscape. The security controls are continuously tested and validated against industry benchmarks and healthcare-specific cybersecurity standards.
As cybersecurity challenges grow in complexity, Philips remains committed to maintaining the trust of healthcare providers and patients by delivering secure, resilient, and compliant solutions.