Safety standards in syngo MR Information for Administrators

The internal user accounts are: B.2

❏ BRAdmin: This account is used to back up and restore files

on the computer, regardless of any permissions that protect
those files. Further functions are very restricted.
❏ DICOM_USER: Account for processes using DICOM ser-
vices.
❏ Guest: Built-in Windows XP account, not to be deleted. For
syngo MR, this account is disabled.
❏ HelpAssistant: Built-in Windows XP account for providing
remote desktop assistance. Usually, this account is disabled.
❏ IUSR_nnn: Account to access the Internet Information Ser-
vices.
❏ IWAM_nnn: Account for starting the Internet Information Ser-
vices from process applications.
❏ meduser: Account created by syngo MR to keep system
services running.
❏ PPP: Account created by syngo MR to enable point-to-point
communication used for remote service logon via modem.
❏ SUPPORT_xxx: Built-in Windows XP account for the Help
and Support Service. Usually, this account is disabled.
❏ HP ITO account: Account created by syngo when the Sys-
tem Management is enabled.
❏ OPC_OP: Account created by syngo when the System Man-
agement is enabled.

0.0

syngo MR 2006T B.2–9

Information for Administrators Safety standards in syngo MR

DICOM Nodes B.2 For the security system, DICOM network nodes are treated as
“virtual” user accounts. They are not intended for local logon;
they are required for proper networking (transfer of data).
B.2

The network symbol indicates virtual DICOM users. B.2

For each DICOM service (AET) that is configured in the Local

Service Software, automatically a corresponding entry is cre-
ated in the special DICOM Nodes folder of the user manage-
ment. B.2

To set up the access rights for data being transferred from and
to the network workstation, you should put each DICOM node
into a user group and assign a role (this effectively assigns the
workstation a user group and role). The relationship between
user groups and patient groups define the permissions on the
data as well as the default patient group, the roles define the
functional privileges of the DICOM nodes. B.2

Example: You may want to configure the system so that the

workstation AET_HOP01 may query for data of VIP patients,
but the workstation AET_WARD12 has no access. The Patient
Groups configuration in the Data Access Permissions sec-
tion is the place to configure this. B.2

0.0

B.2–10 Operator Manual

Safety standards in syngo MR Information for Administrators

Tracking of User Activities B.2 In syngo MR, the activities of a user are recorded in the audit
trail - including the user’s identity. According to national regula-
tions, it is not allowed to share user accounts. B.2

TIP
Recommend the users to use the Log In Different User
function to switch the user quickly at the workstation. B.2

B.2

Multistage Security Setup B.2 Security in syngo MR has a multistage security concept: B.2

(1) The user management is the essential basis of all other

security building blocks. It makes user logon mandatory
and ensures user authentication.
(2) The audit trail records all (the defined) actions involving
patient data.
(3) The function execution check ensures that only authorized
users perform actions.
(4) The data access check defines the rights to access patient
data (assembled in patient groups).
Despite of the mandatory user management, any combination
of the options mentioned above is possible. Useful combina-
tions of options are: 1., 1.+3., 1.+2.+3. for PACS or network,
1.+2.+3.+4. for full security management. B.2

0.0

syngo MR 2006T B.2–11

Information for Administrators Safety standards in syngo MR

Preparatory steps B.2

The following preparatory steps will help you to set up the secu-
rity system from scratch. Depending on the options selected for
your security system, you do not have to perform all steps: B.2
❏ Get a license for the security system.
❏ Outline the intended user management system with the help
of a drawing similar to the one shown below.
As a basis, outline the intended daily workflow at the system.
For example, consider who can stand in as an acting physi-
cian and set up the necessary access rights accordingly. B.2
For basic user management you need user accounts and
groups. When using the functional check too, you also need
to think about the organization of roles. B.2

❏ For data access check, define data security levels in accor-

dance with the security regulations of your hospital.
❏ In the security configuration, you define patient groups and
assign them to users and groups. For example, “Radiology”
could be used for data that should only be visible to members
of the radiology department or “VIP” for patient data that
should only be visible to very few persons, such as the head
physician.

0.0

B.2–12 Operator Manual

Safety standards in syngo MR Information for Administrators

– For each patient group you can later grant groups and
users the permission to have full control or no access to
data that is marked with that patient group. You can also
grant the right to modify the assigned patient group.
– Whenever a “real” user or a “virtual” DICOM node user
creates new patient data on your system, a patient group
that defines the access rights to the data can be applied.
Registration of new patients or data received from a
DICOM node are the most common ways new data is cre-
ated.
– If studies of a patient are already stored in the local data-
base, the existing patient group assignment is also used
for any additional studies.
– After switching the data access check option of the secu-
rity system on, you will find all of your patient studies in the
STANDARD patient group.

0.0

syngo MR 2006T B.2–13

Information for Administrators Safety standards in syngo MR

❏ Develop a matrix that describes the permissions and privi-

leges of the groups, roles and special user accounts.
Verify this model before activating the security system. B.2

❏ You are also responsible for establishing a proper procedure

for emergency access. Inform your users that they should
contact you or the system administrator in case of problems.

0.0

B.2–14 Operator Manual

Safety standards in syngo MR Information for Administrators

B.2

CAUTION
Source of danger: Behavior of secured systems. B.2

Consequence: The hospital's security policy also affects

the behavior of the syngo MR system in certain cases (for
example, password requirements, enabled empty
passwords, or locking of an account after a specific number
of failed logins). B.2

Remedy: B.2

✧ Establish a user model for your hospital and verify it

before the security system is activated.
✧ Establish a proper procedure for emergency access.
✧ Note that if you enable an empty password for the emer-
gency account, this is enabled for all other users as well.
Nevertheless, instruct the users to use good passwords.
✧ Always back up your system before enabling the secu-
rity system and before any major changes.
✧ Inform all your users about any changes and settings.
They should contact you or any other administrator
immediately in case of problems.

0.0

syngo MR 2006T B.2–15

Information for Administrators Safety standards in syngo MR

Workflow for the configuration of the security

system B.2

B.2

NOTE
You have to set up the security system on every syngo MR
workstation in your hospital except for satellite consoles,
which take the security settings from their main console. B.2

B.2

NOTE
In any case, the security system should never be configured
during an acquisition B.2

Once the security system has been enabled, access to the

computer is possible only after the user has logged on and has
been authorized. This requires that the security system must be
configured immediately after its activation. At least, the follow-
ing must be done: B.2

Proceed as follows: B.2

❏ Backup of the system.

→ Page B.4–7
❏ Log on under the default “Administrator” account and open
the syngo MR Security Configuration console.
→ Page B.2–22

0.0

B.2–16 Operator Manual

Safety standards in syngo MR Information for Administrators

❏ Create user accounts for every user who will work with the
workstation. Do not forget to create at least one user account
that is intended to stand in as both an administrator and
security administrator.
→ Page B.2–25
❏ Please check the personal administrator account(s) inten-
sively to make sure they work properly. After finishing and
testing the security configuration, we recommend to disable
the built-in “Administrator“ or to set an individual password
for it.
→ Page B.4–1
❏ Create the groups and roles of your user model. Add the cor-
responding users to those groups and roles. Do not forget to
assign the user account(s) intended as administrator both to
the groups and roles “Administrators” and “SecurityAdmins”.
→ Page B.2–35
❏ Create patient groups to define the various data access
rights (= permissions). Assign them the desired user groups
and set up the “default” patient group. If necessary, you can
also set individual permissions at user level.
→ Page B.2–48

0.0

syngo MR 2006T B.2–17

Information for Administrators Safety standards in syngo MR

❏ Restrict the permissions of the “Everyone” group according

to your strategy.
→ Page B.1–5
❏ For all roles, define the privileges for the function execution
rights. If necessary, you can also set individual privileges at
user level.
→ Page B.2–63
– Restrict the privileges of the “Everyone” role according to
your strategy and check for effective privileges that are
inherited from the various roles assigned and from the
“Everyone” role.
→ Page B.1–5
– Make sure that there is at least one full privileged user
account (fall-back user).
❏ Configure the audit trail.
→ Page B.2–71
❏ To avoid loss of configuration data, the system must be
backed up again.
→ Page B.4–7
❏ After setup, you must check the security configuration on
your real-world workflow carefully.
We recommend to log on as any user type defined and to
check the execution of all functions for inconsistencies. B.2

❏ Inform every user about their account, the emergency

account and any relevant passwords.

0.0

B.2–18 Operator Manual

Safety standards in syngo MR Information for Administrators

Securing the System B.2 By activating the syngo MR security system, the customer ser-
vice technician turns your system into a system with high data
protection level. The service technician needs the appropriate
service key for service level 7. B.2

Normally, the security system is not activated during the system

installation. To secure your system, you will have to instruct a
service technician as to which security options you want to be
enabled. B.2

B.2

CAUTION
Source of danger: There is no undo! B.2

Consequence: After activating the security system, access

is limited to only the defined users. Once the security
system is activated, it is not possible to deactivate it
(instead, you would have to re-install the complete syngo
MR system on the computer from scratch). B.2

Remedy: Make sure you have read and completed all

preparatory steps. Back up your system before activating
the security system. B.2

✧ Log on under a service account and choose the Options >

Service > Local Service menu item from any task card.

0.0

syngo MR 2006T B.2–19

Information for Administrators Safety standards in syngo MR

After authorization, the Service Software window opens: B.2

✧ In the Configuration section, go to the Security settings

page.
✧ Select the Local security features that you want to activate:

0.0

B.2–20 Operator Manual

Safety standards in syngo MR Information for Administrators

User management Activates user management which is the basis for all other security options. When
activating any other security option, the user management will also be switched on
automatically.
Data access check Access to data is always provided in accordance with the current permissions. If this
check box is not selected, you cannot restrict any data access rights.
Functional check Access to functions is always provided in accordance with the privileges granted to a user
role. If this check box is not selected, you cannot restrict the use of functions.
Auditing Access to the system and configured actions are recorded in an audit trail.

✧ If the workstation is connected to a network, select the

Enable trusted host functionality check box to establish a
secure system to your network partners and services.
Only trusted hosts will answer queries or allow data transfer. B.2

✧ To enhance the security of the remote service access to your

computer, select the SSL encryption check box.
Selecting this option enables the secure HTTPS protocol, which
uses the SSL (Secure Socket Layer) protocol for authentication
and data encryption. B.2

✧ To confirm, click Save and Finish in the status bar of the win-
dow.
✧ End the service session and log off.
After a restart of the system, only authenticated and authorized
persons can use the workstation. B.2

0.0

syngo MR 2006T B.2–21

Information for Administrators Safety standards in syngo MR

Opening the Security You need “Administrator” and “SecurityAdmin” rights to config-
Configuration Console B.2 ure the security system. B.2

✧ Log on as administrator or as a user with administrative.

→ Page B.3–5
✧ From any task card, choose the Options > Security Config-
uration menu item.
After authorization, the syngo MR Security Configuration
console is displayed. B.2

✧ By clicking an item in the tree view on the left-hand side, you

display the various pages for set-up.

0.0

B.2–22 Operator Manual

Safety standards in syngo MR Information for Administrators

B.2

TIP
Use the Show/Hide Console Tree icon if the tree view
does not appear after start-up. B.2

❏ Security Configuration is intended for one security admin-

istrator only.
❏ User Management for managing user, groups and roles with
the following sub-folders:
– Users for creating and setting up user accounts
– Internal Users for checking built-in and internal system
accounts
– DICOM Nodes for checking those accounts that are auto-
matically created for all configured network partners
– Groups for managing the user groups and the group
members
– Roles for managing the roles and their owners

0.0

syngo MR 2006T B.2–23

Information for Administrators Safety standards in syngo MR

❏ Security Management with:

– Data Access Permissions for defining the access rights
to any data
– Functional Privileges for defining the function execution
rights based on the users/roles view
On the right-hand side, you see the settings page that has been
selected on the left-hand side. B.2

B.2

TIP
The items to be recorded in the audit trail are configured in
the Audit Trail Viewer Console (→ Page B.2–88) and
storing parameters are set up in the Audit Trail
Configuration dialog box (→ Page B.2–77). B.2

0.0

B.2–24 Operator Manual

Safety standards in syngo MR Information for Administrators

Configuration of user accounts B.2

User Accounts B.2 For every user who will work with the system, create a user
account and assign a password. B.2

A user account that is no longer required, can be disabled or

deleted (for example, if the user quits). B.2

B.2

NOTE
Always work in the syngo MR Security Configuration,
never use the Microsoft Management Console (MMC) to
create or to manage user accounts. syngo MR expands the
Windows-related security system by a data security
management and distinguishes between groups and
roles. B.2

Note that the syngo MR security system only makes use of

some fundamental levels of security granted to users by the
Windows operating system. Moreover, the syngo MR security
system has its own security concept. B.2

0.0

syngo MR 2006T B.2–25

Information for Administrators Safety standards in syngo MR

Special User Accounts B.2 The security system comes with some default and some inter-
nal user accounts, and automatically generates DICOM Node
user accounts. B.2

❏ Default users are delivered with the software and contain, for
example, the Administrator, the LocalServiceUser and the
RemoteServiceUser.
❏ All internal users are essential for the system and indicated
as such. We strongly recommend not changing the pass-
words of these users.
❏ DICOM nodes are required for remote network functions.
They are created as soon as you configure the DICOM ser-
vices (AET). You can only change the password and the
group assignment of these users.
For a detailed list of the internal user accounts see
→ Page B.2–2. B.2

0.0

B.2–26 Operator Manual

Safety standards in syngo MR Information for Administrators

Handling of Passwords B.2 The password of a user in syngo MR never expires, but the
users are allowed to change their passwords on their own
(depending on your security policy). B.2

You can assign a user a new password at any time. B.2

B.2

CAUTION
Source of danger: User access may be prevented due to
forgotten or unknown accounts or passwords, or wrong
setup (for example, in case of an emergency). B.2

Consequence: Inaccessible system. B.2

Remedy: Do not forget to define a general user account for

emergency access and assign it to a group and a role both
called "EmergencyAccess". B.2

Regardless as to whether you specify a password for the

emergency account or not, users shall be prohibited from
changing any passwords (especially for the emergency
account). B.2

The users shall contact you immediately in case of

problems. B.2

Creating a new User One basic task for configuration is the creation of the necessary
Account B.2 user accounts. A number of general user accounts come pre-
installed with the system. B.2

It is not possible to rename a user account. If you mistype it

here, delete the account and create a new one. B.2

0.0

syngo MR 2006T B.2–27

Information for Administrators Safety standards in syngo MR

B.2

NOTE
Misuse of the emergency account defeats the security
system! B.2

Patient data acquired and processed during emergency

access is logged in the audit trail as belonging to the
emergency account. As a result, the identity of the user
involved cannot subsequently be determined. The
ownership of any data recorded this way must be altered
and the data newly assigned. B.2

Ensure that all users have been properly informed about the
use of the emergency access account and the use of the
password. Misuse of the account is illegal! B.2

✧ Open the syngo MR Security Configuration console.

→ Page B.2–22
B.2

✧ In the tree on the left-hand side, open the User Manage-

ment folder.

0.0

B.2–28 Operator Manual

Safety standards in syngo MR Information for Administrators

✧ Right-click the Users folder and choose New > User from
the context menu.
Or B.2

✧ Select the Users folder and choose the Action > New >
User menu item.
The User tab card is displayed: B.2

✧ Enter the desired user information.

0.0

syngo MR 2006T B.2–29

Information for Administrators Safety standards in syngo MR

Name Name of the user account (= logon name). Note, that the name has to be unique within
the system. The user name is not case sensitive. Only alphanumeric characters are
allowed.
Full name Information that helps to identify the user, for example, first, second name and title of the
user.
Description Further information about the user (for example, his/her department).
New Password The password that has to be entered by the user in order to log on to a workstation. The
password is case sensitive.
Confirm Password For validation purposes, the password has to be entered a second time.
According to the hospital’s security policies, users in syngo may be allowed to change
passwords on their own.
Account is disabled If selected, the user account is set up but the user cannot log onto the system. You may
use this option, for example, for users who are off-site for some time.
Password never This option is selected by default and cannot be changed: The user’s password does not
expires expire regularly (for example, this setting is important for the EmergencyAccess account).
User cannot change If selected, the user cannot change the password on their own. For the
password EmergencyAccess, we strongly recommend to disable the change of password.

✧ To store, click Apply and continue to create other user

accounts.
Or B.2

✧ Click OK to store and close the dialog box.

After OK, the list of current users appears. B.2

0.0

B.2–30 Operator Manual

Safety standards in syngo MR Information for Administrators

Selecting a User Account To select a user account for editing: B.2

for Editing
✧ Open the syngo MR Security Configuration console.
B.2

→ Page B.2–22
✧ On the left-hand side, open the User Management folder.
✧ Click the Users folder.
All available user accounts are displayed on the right-hand side.
You can identify the users by the information in the Name, Full
Name and Description columns. B.2

✧ To edit a user account, double-click the entry on the right-

hand side.

Modifying a User Account You can change the account properties or enable/disable an
and Passwords B.2 account. Also it is possible to change the password for normal
users and DICOM Nodes. B.2

B.2

NOTE
We strongly recommend not to change passwords of any
internal user accounts, otherwise important system
services may no longer work properly. B.2

0.0

syngo MR 2006T B.2–31

Information for Administrators Safety standards in syngo MR

It is not possible to rename an account, because if a user has

already worked with this account, some data objects may exist
with the data security level inherited from this user. To correct
mistakes, delete and create the account instead. B.2

✧ Double-click the desired user account.

The User tab card is displayed with the current properties for
this user account. B.2

0.0

B.2–32 Operator Manual

Safety standards in syngo MR Information for Administrators

✧ On the User tab card, you can change the Full Name and
the Description of the user account.
✧ To change a password, type the desired password into the
New Password field and repeat it in the Confirm Password
field.
✧ To disable/enable the account, select/clear the Account is
disabled check box.
✧ To prevent users from changing their password, select the
User cannot change password check box.
The Member of tab card lists all groups (for data access) this
user is assigned to. B.2

The Owner of tab card lists all roles (for use cases or functional
privileges) this user owns. B.2

✧ Click Apply to save the settings.

Or B.2

✧ Click OK to save and close the dialog box.

To configure another account, you must close the dialog box.
This opens the list of all user accounts. B.2

0.0

syngo MR 2006T B.2–33

Information for Administrators Safety standards in syngo MR

Deleting a User Account B.2 You can delete user accounts that are no longer needed. B.2

B.2

NOTE
For reason of system integrity, it is not possible to delete
internal users, DICOM nodes, and special users. B.2

✧ Right-click the desired user account and choose Delete from

the context menu.
Or B.2

✧ Select the desired user account and choose the Action >
Delete menu item.
✧ Confirm the security notice with Yes.
The user account is deleted. B.2

0.0

B.2–34 Operator Manual

Safety standards in syngo MR Information for Administrators

Configuration of groups and roles B.2

About Groups and Roles B.2 The syngo MR security system makes use of users, groups
and roles. B.2

❏ Groups are used to configure the same data access rights for
a group of people (for example, everyone who works in a par-
ticular ward).
We recommend that you create a user group for every team
or department of your user model. Then you assign the user
accounts that belong to that group.
❏ Roles are used to configure the same function execution
privileges for people with similar tasks (for example, physi-
cians, nurses, or assistants).
You then assign the user accounts that will own that role.

Built-in Groups and Roles B.2 By default, some general groups and roles are already
installed. They are created automatically when you install the
Windows operating system and syngo MR. These groups and
roles are named identically: B.2

❏ Emergency_Access
❏ SecurityAdmins
❏ syngoServiceUsers

0.0

syngo MR 2006T B.2–35

Information for Administrators Safety standards in syngo MR

No Group Hierarchies B.2 Note that you cannot plan sub-groups (groups-in-groups), such
as “Hospital” for hospital-wide permissions and “Neurology” for
defining permissions for people working in the neurology
department of the hospital.
B.2

Configuration Levels B.2 The security configuration provides you two different ways to
assign group members and owners of roles. Which one you
prefer depends on your interest; it is often useful to switch
between both: B.2

❏ Starting at the Users level easily provides a good overview

about the current memberships of the user and lets you eas-
ily pick the desired groups or roles for this user.
❏ Starting at Groups or Roles level gives you a good overview
of which users have already been assigned to the group or
role under configuration.

Creating a new Group or Because groups and roles handled almost identically, their han-
Role B.2 dling is described here together. B.2

Take a look at your outline from the preparatory steps to create

the groups and roles. B.2

It is not possible to create groups in groups or sub-roles to set

up a hierarchy of rules and rights. B.2

0.0

B.2–36 Operator Manual

Safety standards in syngo MR Information for Administrators

To create a new group or role: B.2

✧ Open the syngo MR Security Configuration console.

→ Page B.2–22
✧ On the left-hand side, open the User Management folder.

✧ Right-click the Groups or the Roles folder and choose

New > Group or New > Role from the context menu.
Or B.2

✧ Select the Groups or the Roles folder and choose the

Action > New menu item.

0.0

syngo MR 2006T B.2–37

Information for Administrators Safety standards in syngo MR

The Group respectively the Role tab card is displayed: B.2

✧ Enter a Name and a Description that helps to identify the

group or role.

0.0

B.2–38 Operator Manual