GE Healthcare

GE OEC 9900 Elite


DIACAP/RMF Security Operator Manual Supplement

5763695-1EN-01
Rev. 1
© 2018
© GE OEC Medical Systems, Inc
All rights reserved.
Revision history

Document #: 5763695-1EN-01
Revision #: 1
Release Date: 04-2018

NOTE: The information provided in this supplement does not include all information regarding the
operation of the system. Please refer to the system operator manual(s) for complete information
regarding the safe and effective use of the system. For additional copies of the operator
manual(s), please contact GE customer service.

Document / Version Notice: GE Healthcare provides this documentation “as is“, without the
assumption of any liability under any theory of law. GE Healthcare reserves the right to change its
products and services at any time. This manual is subject to change without notice. This printed
document is the version at the time of system delivery and / or print run. Revisions are not
automatically distributed. Contact GE Healthcare at 800-874-7378 to order an updated version.
This manual may not be reproduced, in whole or in part, without the written permission of GE OEC
Medical Systems, Inc.
OEC is a registered trademark of GE OEC Medical Systems, Inc. Other product and company names
mentioned herein are the property of their respective owners.
The contents of this document are accurate at the time of publication. However, changes in design
and additional features can, at any time, be incorporated in the hardware and software and may
not be reflected in this version of the document. Contact GE OEC Technical Support for clarification,
if discrepancies arise.
GE OEC Medical Systems, Inc., a General Electric company, going to market as GE Healthcare.

GE OEC Medical Systems, Inc.


384 Wright Brothers Drive
Salt Lake City, Utah 84116 U.S.A.
801-328-9300

Table of Contents

Revision history
GE OEC 9900 Elite DIACAP/RMF security operator manual supplement
Introduction and purpose
Service mode
DIACAP/RMF operator instructions
Anti-virus
Ports used for anti-virus communication
On-demand scan using a web browser
Performing an on-demand scan using the McAfee ePolicy Orchestrator (ePO)
If a virus is found
Update the anti-virus definition files
Updating the DAT files using ePO
Configure audit logging
Login banner
Troubleshooting the 9900 Elite DIACAP/RMF

GE OEC 9900 Elite DIACAP/RMF Security Operator Manual Supplement

GE OEC 9900 Elite DIACAP/RMF security operator manual supplement
Introduction and purpose
The GE OEC 9900 Elite now features optional DIACAP/RMF (Department of Defense Information
Assurance Certification and Accreditation Process/Risk Management Framework) software to
provide additional security features for GE Healthcare customers.
These security features include operating system (OS) hardening, a service mode, audit logging, a
warning banner, and anti-virus software, and together they support compliance with the DIACAP/RMF
security requirements defined by the United States Department of Defense.
This document provides instructions for using the new security features of the 9900 Elite
DIACAP/RMF system.

Service mode
In order to provide increased security, the DIACAP/RMF software adds a service mode to the OEC
9900 DIACAP/RMF system. The Service button on the Security / Network Configuration screen
allows service personnel to enter service mode. While in service mode the system accepts
connections only from computers with specific network settings, which in practice limits it to
service laptops connected directly to the Workstation.

Figure 1: Service button on the Security / Network Configuration screen


DIACAP/RMF operator instructions


Anti-virus
9900 Elite DIACAP/RMF systems use McAfee VirusScan Enterprise for Linux (VSEL).
VirusScan Enterprise for Linux protects the system from malware threats such as viruses, Trojan
horses, spyware, key loggers, joke programs, and other potentially unwanted software. 9900 Elite
DIACAP/RMF systems only allow the McAfee anti-virus software to run while in anti-virus mode.
When the system is in anti-virus mode, it cannot take X-rays. The system must be restarted before
resuming clinical use.
Consult with the site IT administrator when performing this configuration.

Ports used for anti-virus communication


The 9900 Elite DIACAP/RMF system uses the following ports for communication with a web browser or
ePO (McAfee ePolicy Orchestrator).

Table 1: McAfee agent ports required for communication through system firewall

Port: Agent-server communication port
Default: 80
Description: TCP port that the ePO server service uses to receive requests from agents.
Note: On the 9900 Elite this port is only open in service mode, which is used for the web
browser based scans.
Traffic direction: Inbound connection to the Agent Handler and the ePO server from the McAfee
Agent. Inbound connection to the ePO server from the remote Agent Handler.

Port: Agent-server communication secure port; Software Manager, Product Compatibility List, and
License Manager port
Default: 443
Description: TCP port that the ePO server service uses to receive requests from agents and
remote Agent Handlers. TCP port that the ePO server's Software Manager uses to connect to
McAfee. TCP port that the ePO server uses to connect to the McAfee software updates server
(s-download.mcafee.com), the McAfee license server (lc.mcafee.com), and the McAfee Product
Compatibility List (epo.mcafee.com).
Traffic direction: Inbound connection to the Agent Handler and the ePO server from the McAfee
Agent. Inbound connection to the ePO server from the remote Agent Handler. Outbound connection
from the ePO server to McAfee servers.


Table 2: McAfee agent ports required for communication through system firewall (continued)

Port: Agent-browser default communication secure port
Default: 55443
Description: Default TCP port used to communicate with the web browser. Only available when the
system is in both service mode and anti-virus mode.
Traffic direction: Inbound/outbound for communication between browser and agent.

Port: Agent wake-up communication port; SuperAgent repository port
Default: 8081
Description: TCP port that agents use to receive agent wake-up requests from the ePO server or
Agent Handler. TCP port used by SuperAgents configured as repositories to receive content from
the ePO server during repository replication, and to serve content to client machines.
Traffic direction: Inbound connection from the ePO server/Agent Handler to the McAfee Agent.
Inbound connection from client machines to SuperAgents configured as repositories.

Port: Agent broadcast communication port
Default: 8082
Description: UDP port that the SuperAgents use to forward messages from the ePO server/Agent
Handler.
Traffic direction: Outbound connection from the SuperAgents to other McAfee Agents.

Port: Console-to-application server communication port
Default: 8443
Description: TCP port that the ePO Application Server service uses to allow web browser UI
access.
Traffic direction: Inbound connection to the ePO server from the ePO console.

Port: Client to server communication port
Default: 8444
Description: TCP port that the client uses to communicate with the ePO server.
Traffic direction: Outbound connection from client to the ePO server.

Only the ports the site actually uses need to be opened: 55443 is the direct service-laptop
link, 80 and 443 carry agent-to-server traffic, 8081 carries wake-up requests to the agent, and
8082, 8443 and 8444 matter only where SuperAgents, the ePO console, or client-to-server
connections cross the same firewall.

On-demand scan using a web browser


The VirusScan Enterprise for Linux agent can perform scans using the web browser on a laptop
connected directly to the 9900 Elite DIACAP/RMF system. This method is commonly used to scan the
system before connecting to a secured or protected network.
Performing an on-demand scan using a web browser
1. Press Setup on the Workstation keyboard. The Setup screen displays on the right monitor.
2. Touch Network Config.... The Security / Network Configuration screen displays on the right
monitor.
3. Touch Service and then touch Confirm... to accept the message.
4. Touch AV Mode, located at the bottom right of the Security / Network Configuration
screen, and then touch Confirm... to accept the message. The system enters anti-virus mode.


5. Connect the system to a Windows-based service laptop:


a. Plug the laptop into the Ethernet connector on the back of the Workstation.
b. On the service laptop, click Start and select Control Panel.
c. In the Control Panel, select All Control Panel Items \ Network and Sharing Center.
d. Click Local Area Connection Properties. The Local Area Connection Properties
dialogue box displays.

Figure 2: Local Area Connection Properties dialogue box


e. Select Internet Protocol Version 4 (TCP/IPV4) and then click Properties. The TCP/IPV4
General Properties dialogue box displays.
f. Set the IP address to 192.168.0.2 and the subnet mask to 255.255.255.252.


Figure 3: TCP/IPV4 General Properties dialogue box with correct values entered
g. Click OK and then click Close.
6. Open a web browser on the service laptop and, in the location bar, enter
https://192.168.0.1:55443 to launch McAfee VSEL agent.

The browser may warn before loading the page, either because it does not trust the agent's
certificate or because a security product on the laptop inspects HTTPS traffic. Confirm that the
laptop is on the direct cable link to the Workstation (with the /30 mask from step 5f only
192.168.0.1 and 192.168.0.2 are valid on that link), then click Continue to Site or Proceed to
Site (the wording depends on the browser).
7. Log in using user name nails and password nails, then click Logon.

NOTE: nails is the factory default password and can be changed. Change it before the system is
first connected to a shared network and record the new password in the site's credential store.
If the password has been changed, use the new password to log into the McAfee agent. If you
forget or lose the password, you must reinstall the DIACAP/RMF software.

8. Under Schedule in the left menu bar, select On-Demand Scan. The On-Demand Scan screen
displays the When to scan section.


Figure 4: When to scan


9. Select Run Immediately and then click Next in the top right corner. The What to scan section
displays.

Figure 5: What to scan


10. In the Path text box, enter a single forward slash: /. The root directory takes several hours to
scan, so you may begin the system scan, disconnect the laptop, and then reconnect later to
view the results.
11. Click the Add button to add the directory and then click Next in the top right corner. The
Choose scan settings section displays.
12. Leave all default scan settings as they are, and click Next in the top right corner. The Enter a
task name section displays.


Figure 6: Enter a task name


13. Enter a unique name for the task and then click Finish in the top right corner. On the system,
the anti-virus status displays as Starting.

Figure 7: Anti-virus status display

After a few minutes, it displays as Running. Depending on the path scanned, the
scheduled task may take several hours to display as Complete.
If the scan stops prematurely, the scheduled task displays on the system as Stopped.

Access the host and scan summaries, detected items, system events, and scheduled tasks by
selecting the appropriate page on the upper left of the VSEL web interface.


Figure 8: VSEL Scheduled Tasks

NOTE: ePO policy includes an option to disable the client web UI. If that option is selected, the
client web server cannot run and the service laptop cannot connect once the system is managed
by ePO. To ensure service or IT personnel can still scan the system from a web browser after
software updates, make sure the option is cleared.
To check it:
1. From the ePO server console, click System Tree, then click My Organization and select
the specific system.
2. Click Actions, then select Agent >> Modify Policies on a Single System.
3. In the Product drop-down menu, select VirusScan Enterprise for Linux.
4. In the General Policies line, click My Defaults.
5. Click the Advanced tab and clear the Disable client Web UI checkbox.
6. Click Save.

Performing an on-demand scan using the McAfee ePolicy Orchestrator (ePO)


McAfee ePolicy Orchestrator software provides a management interface for the 9900 Elite
DIACAP/RMF anti-virus software which allows for centralized policy management and enforcement.
See the McAfee documentation for additional information on the capabilities of ePolicy Orchestrator.
Before an ePO scan can be performed, the ePO keys must be copied to the system. Call for service
if additional assistance is required.
1. Put the 9900 DIACAP/RMF system in AV mode:
a. Press Setup on the Workstation keyboard. The Setup screen displays on the right
monitor.


b. Touch Network Config.... The Security / Network Configuration screen displays on
the right monitor.
c. Touch AV Mode, located at the bottom right of the Security / Network Configuration
screen.
2. From the ePO server console, click System Tree, click My Organization and then click the
Systems tab.
3. Click This Group and All Subgroups from the Preset drop-down list to display all systems in
the tree.

Figure 9: System Tree with This Group and All Subgroups selected, showing two 9900 Elite
DIACAP/RMF systems
4. Click the correct 9900 Elite DIACAP/RMF system. It will be listed as ws_gpos. Ensure that the
system has the correct IP address, if more than one 9900 Elite DIACAP/RMF system is listed.
The System Information screen displays.
5. Click Actions >> Agent >> Modify Tasks on a Single System. The Client Tasks screen
displays.


Figure 10: Actions >> Agent >> Modify Tasks on a Single System
6. Click Actions >> New Client Task Assignment. The Client Task Assignment Builder screen
displays. On this screen:
a. In the Product section, select Virus Scan Enterprise for Linux.
b. In the Task Type section, select On Demand Scan.
c. In the Task Name section, click on Create New Task and type a unique Task Name in
the text box.


Figure 11: Client Task Assignment Builder with an On Demand virus scan task named and ready to
be created
d. Under VirusScan Enterprise for Linux, click the Advanced tab. Select the check boxes for
Heuristics, Non-viruses, and Compressed files.

Figure 12: Advanced tab with all options selected


e. Click the Where tab and ensure that Specify where scanning will take place text box
contains the root directory. The field should contain a single forward slash: /.


Figure 13: Where tab with the root directory entered


f. Click the Detection tab. In the What to scan options, select All files.

Figure 14: Detection tab with All files selected


g. Click the Actions tab. In the When Viruses and Trojans are found options, select
Clean infected files automatically.
h. In the When Programs & Jokes are found options, select Clean infected files
automatically.
i. In the When Programs & Jokes are found: If the above action fails options, select
Move infected files to the quarantine directory.


Figure 15: Actions tab with the correct options selected


j. Click Save. The Client Task Assignment Builder screen displays.
7. In the Task Name section, select the task created and named in step 6c, above.
8. Click Next to schedule the task. On this screen:
a. In the Schedule status options, select Enabled.
b. In the Schedule type and Effective period text boxes, enter appropriate values.
c. Select a Start time.
d. In the Tasks run according to options, select Local time on managed systems.


Figure 16: Schedule tab with example values entered


e. Click Next to view the summary.
f. Click Save.

If a virus is found
If a virus is detected on a 9900 Elite DIACAP/RMF system, please contact the GE Healthcare Surgery
Technical Support at 1-800-874-7378 for assistance.
To ensure all malware is removed, the DIACAP/RMF software must be reinstalled on the system after
detection.

Update the anti-virus definition files


McAfee VirusScan Enterprise for Linux depends on DAT files to identify malware. These DAT files
should be updated periodically: a system running outdated DAT files cannot detect malware added
to the signatures since its last update, so its protection degrades with every day the update is
missed.
The 9900 Elite DIACAP/RMF system allows you to update the DAT files using the ePO interface
described in the previous sections.

CAUTION Do not update the agent or client version. The installed versions have been formally
verified. Updated versions may not be compatible with the DIACAP/RMF system, and
can leave your system unprotected.

Updating the DAT files using ePO


1. From the ePO server console, click Menu and then under Automation, select Server Tasks.


Figure 17: Server Tasks


2. Click New Task.

Figure 18: New Task button


3. Enter unique name for server task.


Figure 19: Name the new task


4. In the Scheduled Status options (shown in the image above), select Enabled and then click
Next.
5. From the Actions list, select Repository Pull.

Figure 20: Repository Pull action


6. Select the Selected Packages option, then click the Select Packages button (shown in the
image above).
7. In the Available Source Site Packages options, select From DAT and click OK.


Figure 21: DAT selected


8. Click Next.
9. In the Schedule type, Start date, End date, and Schedule text boxes, enter appropriate
values.

Figure 22: Schedule options


10. Click Next and then click Save.
See the McAfee VSEL or ePO documentation for additional information on how to update the VSEL
client DAT files.


Configure audit logging


GE OEC 9900 Elite DIACAP/RMF systems incorporate a Linux-based audit system that sends logs to a
remote server to track security-relevant information. Based on the Red Hat Enterprise Linux STIG
rules, this audit system generates log entries that record system call information. The audit logs
are transmitted to an audit log server using the syslog message logging system. This information is
used to determine whether malicious security events are occurring, and in mission-critical
environments it is what identifies who violated the security policy and which actions they
performed. Audit logging does not by itself protect the system; it records the evidence needed to
discover and investigate policy violations. The logs can be viewed only on the remote audit log
server, not on the system itself.

Configure a server for audit logging


Consult with the site IT administrator when performing this configuration.
The audit log server must be configured to receive log messages at the IP address and port entered
on the system.
For example, if the server runs rsyslog, add the following lines to /etc/rsyslog.conf (legacy
directive syntax; the leading $ is required):

$ModLoad imtcp
$InputTCPServerRun 514
*.* /var/log/mysyslog.log

This loads the TCP input module, listens on TCP port 514, and writes every received message to
/var/log/mysyslog.log. Note that *.* also matches the server's own local messages; to keep the
9900 Elite records separate, bind the listener to its own ruleset or filter on the sender's
address. Restart rsyslog after editing, confirm that 514/tcp is listening, and confirm that the
port is reachable from the system through any firewall in between. The syslog transport used
here is neither encrypted nor authenticated, so the audit log server should sit on the same
protected network as the system.

Starting audit logging on the system


To begin audit logging, do the following:
1. Press Setup on the Workstation keyboard. The Setup screen displays on the right monitor.
2. Touch Network Config.... The Security / Network Configuration screen displays on the right
monitor.
3. Touch Audit Logs, located at the bottom of the Security / Network Configuration screen.


Figure 23: Audit Logs button on the Security / Network Configuration screen
4. Enter the IP address and port of audit log server that will be used to store logs files.

Figure 24: Audit Log Configuration screen


5. Touch Start Logs. This configures the system to send logs whenever it is connected to the
network. This behavior continues until the IP address and port are modified.
Verify that logs are being received and saved on the audit log server, if possible.
Audit logs are configurable to contain many types of data.


Figure 25: Example audit log
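The records that arrive on the audit log server can be checked automatically rather than read by hand. The script below is an added example, not GE, McAfee or Red Hat code: it parses auditd records in the form the rsyslog configuration above would write them to /var/log/mysyslog.log and applies three checks that follow from the RHEL STIG audit rules the system is based on (a logged-in user running with root privileges, a change to the audit configuration, and repeated failed logins). The log lines are constructed for the example (ws_gpos is the name ePO shows for the system; every other value is made up), and the rule names and the threshold of three failed logins are assumptions.

```python
"""Check auditd records forwarded by syslog for security-policy violations.

Added example; it is not GE, McAfee or Red Hat code. The sample lines mimic
RHEL auditd records relayed through syslog, but every value is constructed.
"""
import re
from collections import Counter

# Constructed sample of what the rsyslog server writes to /var/log/mysyslog.log
# once the system has started sending audit logs (values are made up).
SAMPLE_LOG = """\
Apr 10 12:00:01 ws_gpos audispd: type=SYSCALL msg=audit(1523361601.101:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=3120 pid=3121 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="privileged"
Apr 10 12:00:02 ws_gpos audispd: type=SYSCALL msg=audit(1523361602.205:4568): arch=c000003e syscall=2 success=no exit=-13 ppid=3120 pid=3122 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="access"
Apr 10 12:00:03 ws_gpos audispd: type=CONFIG_CHANGE msg=audit(1523361603.310:4569): auid=1000 ses=4 op=remove_rule key="audit_rules" list=4 res=1
Apr 10 12:00:04 ws_gpos audispd: type=USER_LOGIN msg=audit(1523361604.001:4570): pid=3200 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="svc" exe="/usr/sbin/sshd" hostname=? addr=10.20.30.40 terminal=ssh res=failed'
Apr 10 12:00:05 ws_gpos audispd: type=USER_LOGIN msg=audit(1523361605.001:4571): pid=3201 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="svc" exe="/usr/sbin/sshd" hostname=? addr=10.20.30.40 terminal=ssh res=failed'
Apr 10 12:00:06 ws_gpos audispd: type=USER_LOGIN msg=audit(1523361606.001:4572): pid=3202 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="svc" exe="/usr/sbin/sshd" hostname=? addr=10.20.30.40 terminal=ssh res=failed'
"""

# key=value pairs; values may be bare, double quoted, or single quoted (msg='...').
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
UNSET_AUID = "4294967295"  # auditd's "no login uid", as used by daemons


def parse_record(line):
    """Return the audit fields of one forwarded line as a dict.

    The syslog prefix (timestamp, host, program tag) is dropped, quotes are
    stripped, and a nested msg='op=... res=...' payload is flattened into the
    same dict so that fields such as acct and res are directly addressable.
    """
    body = line.split("audispd: ", 1)[-1]
    fields = {}
    for key, value in KV_RE.findall(body):
        if len(value) > 1 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]
        if key == "msg" and "=" in value:
            for inner_key, inner_value in KV_RE.findall(value):
                fields[inner_key] = inner_value.strip('"')
        else:
            fields[key] = value
    return fields


def syslog_host(line):
    """Hostname field of the 'Mon DD HH:MM:SS host tag:' syslog prefix."""
    return line.split()[3]


def analyse(log_text, login_failure_threshold=3):
    """Run three checks over forwarded records; returns (host, rule, detail) tuples.

    privilege-use: a process of a logged-in user ran with effective uid 0.
    audit-config-change: the audit rules or daemon configuration were altered.
    repeated-login-failure: one account failed from one address N times.
    """
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, rec = syslog_host(line), parse_record(line)
        rtype = rec.get("type")
        if (rtype == "SYSCALL" and rec.get("euid") == "0"
                and rec.get("auid") not in (None, "0", UNSET_AUID)):
            alerts.append((host, "privilege-use",
                           f"auid={rec['auid']} ran {rec.get('exe')} as root (key={rec.get('key')})"))
        elif rtype == "CONFIG_CHANGE":
            alerts.append((host, "audit-config-change",
                           f"auid={rec.get('auid')} op={rec.get('op')} key={rec.get('key')}"))
        elif rtype == "USER_LOGIN" and rec.get("res") == "failed":
            who = (host, rec.get("acct"), rec.get("addr"))
            failures[who] += 1
            if failures[who] == login_failure_threshold:  # alert once, at the threshold
                alerts.append((host, "repeated-login-failure",
                               f"{failures[who]} failed logins for {who[1]} from {who[2]}"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in analyse(SAMPLE_LOG):
        print(f"{host}: {rule}: {detail}")
```

On a real server, pass the contents of the rsyslog output file to analyse() instead of SAMPLE_LOG; the second sample line (a denied file open by an ordinary user) produces no alert, which shows that the checks key on the record type and identity fields rather than on every audited event.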

Login banner
GE OEC 9900 Elite DIACAP/RMF systems can be configured to display a configurable banner at login.
Call for service to configure the banner.

Troubleshooting the 9900 Elite DIACAP/RMF


General

Problem: Touchscreen monitor pointer not aligned or does not track with finger.
Cause: System needs touchscreen monitor calibration.
Solution: Have a service engineer perform touchscreen monitor calibration.

Audit logs

Problem: Cannot view audit logs on system.
Cause: Audit logs are only viewable on the remote audit log server.
Solution: Set up a remote audit log server to receive the system logs.

Problem: Audit logs not sent to remote server.
Cause: Wrong IP address configured for remote audit log server.
Solution: Enter the correct IP address of the remote audit log server.
Cause: Wrong port number configured for remote audit log server.
Solution: Enter the correct port number of the remote audit log server.
Cause: Audit log service not started.
Solution: After entering the IP and port information, touch Start Logs to start the service.

Problem: Audit logs not received on remote server.
Cause: Remote audit log server incorrectly configured.
Solution: Verify that the remote audit log server is set up with the correct IP address and port
information.

Anti-virus

Problem: Cannot connect to the system anti-virus software using a web browser.
Cause: Laptop network settings incorrect.
Solution: The laptop IP address (192.168.0.2) and subnet mask (255.255.255.252) must be
configured as described under On-demand scan using a web browser.
Cause: System did not open the communication port.
Solution: Touch the Service button to open the communication port before touching the AV Mode
button.
Cause: Client web UI is disabled in ePO.
Solution: Enable the client web UI in ePO. See the NOTE at the end of On-demand scan using a web
browser for details.

Problem: Anti-virus scan or update did not run at scheduled time.
Cause: The system must be in AV mode to run updates or scans.
Solution: Ensure the system is in AV Mode when updating or scanning.

Problem: Anti-virus will not allow login from web browser.
Cause: The user name and password were changed and are now unknown.
Solution: Have a service engineer re-install the software.

Problem: ePO server does not show the system in the system tree.
Cause: The system requires an exchange of security keys and network information.
Solution: Have a service engineer reload the ePO server keys onto the system.
Cause: The system is not in AV mode.
Solution: Ensure the system is in AV Mode for communication with the ePO server.
Cause: System agent could not yet communicate with the ePO server.
Solution: Depending on the size and complexity of the network, it may take up to 24 hours for the
agent to initially communicate with the ePO server.
Cause: Network settings preventing communication between agent and ePO server.
Solution: Verify that the ports used for ePO agent communication (80, 443, 55443, 8081, 8082,
8443, 8444; see Table 1 and Table 2) are open on the network.

Problem: Settings modified on the ePO server are not pushed to the agent/client on the system
immediately.
Cause: Agents poll the ePO server for setting updates periodically.
Solution: Use the wake-up agent command on ePO to force agent/client setting updates. See the
McAfee documentation for additional information.

Problem: On Demand scan does not immediately start on the system when commanded by ePO.
Cause: Agents poll the ePO server for updated scan information periodically.
Solution: Use the wake-up agent command on ePO to force agent/client scan updates. See the
McAfee documentation for additional information.

Problem: Malware detected on system by anti-virus client.
Cause: Malware installed on system.
Solution: Contact GE Healthcare.
