Siemens Healthcare GmbH

Henkestr. 127
91052 Erlangen
Germany

BEST

The teamplay receiver removes data types that could be used for the (re-)identification of patients completely or replaces them by a pseudonym or a less precise value such as an age range in a reliable manner. The extent of the data minimisation depends on the privacy profile that is chosen by the user, with the strictest of these providing for true anonymisation of patient data for teamplay Dose and Usage. Thus, teamplay lives up to the principle of data minimisation in an exemplary manner.

Comprehensive, intelligible and up-to-date documentation is in place which informs the teamplay users about their responsibilities as controllers when it comes to the processing of personal data.

ATTENTION

Regarding the processing of patient data, it must be highlighted that users of teamplay qualify as controllers whereas Siemens Healthcare GmbH acts as a processor on behalf of the users. Customers are advised that – depending on the chosen privacy profile – the legitimate use of the service may require the collection of patients’ consent and release from medical confidentiality. More detailed information on this topic is available below at “Details” as well as in the Short Public Report.

SUMMARY

Siemens Healthcare GmbH provides the cloud-based service teamplay that can be accessed via https://teamplay.siemens.com. The service is offered to hospitals and other medical facilities making use of devices for medical imaging (e.g., computer tomography (CT) or magnetic resonance imaging (MRI) devices). The modules Dose and Usage enable the users of devices for medical imaging to monitor the efficiency of the utilisation of these devices as well as the radiation dose consumption. This way they can improve their image acquisition procedures and identify radiation doses which are as low as reasonably achievable to meet clinical needs.

teamplay also supports secure exchange of image data with other teamplay users for collaboration purposes in virtual groups.
Monitoring 1 (due in 2022/05) showed that the previous sentence is not accurate anymore due to minor ToE changes made subsequent to recertification (cf. below at Details). Thus, this sentence had to be deleted / striked out.

teamplay consists of web-based services, which are deployed as a cloud service on the teamplay platform, and a software-only gateway (“teamplay receiver”) to be installed in, e.g., a hospital network. The teamplay receiver acts as an intermediary between the hospital computer systems and the web-based services.

In respect of the amount of patient data to be processed, Siemens Healthcare GmbH provides different options to the users of the service. If the user chooses the strictest of the preconfigured settings of the service (“privacy profiles”), then only anonymous data is processed by teamplay within the modules Dose and Usage. When one of the two remaining privacy profiles is chosen, patient data is pseudonymised, but still constitutes personal data.

DETAILS

Recert 2021/09

Monitoring 1 (due in 2022/05):

The ToE has changed slightly (renaming of one module and reduction of the respective functionality): Images has been renamed to DICOM Hub and does no longer provide the functionality to share DICOM studies. An updated version of the SPR has been produced and published to reflect this.

Recert as such:

In addition to the functionalities that were already covered by the previous recertification, the target of evaluation of the current recertification includes the following (newly designed) functionalities:

• Insights
• Reports
• Mammo Dashboard

teamplay Cardio is no longer part of the EU deployment and therefore no longer part of this recertification.

In detail, the ToE of this recertification consists of the following components:

• teamplay Receiver, to be installed as a gateway service with the operator (teamplay user);
• teamplay Platform, with the modules Usage, Dose, Protocols, Images and Store;
• legal and technical interfaces with the sub-processors Microsoft Ireland Operations Ltd., Siemens Healthcare Private Limited (India) and Auth0 Ltd.;
• the new functionalities already mentioned above.

Not part of the target of evaluation (ToE) are

• further services and products of Siemens Healthcare GmbH such as teamplay for markets outside the EU/EEA and the website www.healthcare.siemens.de with general product information;
• further applications accessible in teamplay Store nor their operation or procurement;
• the Microsoft Azure Cloud and components of the data centres (contractual clauses with Microsoft and technical-organizational measures implemented by Microsoft were reviewed during the re-evaluation, but the recertification does not refer to the Azure Cloud as such, but only to the teamplay service as provided by Siemens Healthcare to EU/EEA customers);
• the Auth0 platform and its PaaS;
• the operational environment of the user including tablets, apps or smartphones.

The re-evaluation showed that teamplay continues to meet all applicable EuroPriSe requirements. Further information can be found in the short public report.

Recert 2019/03

In addition to the functionalities that were already covered by the previous recertification, the target of evaluation of the current recertification includes the following (new) functionalities:

• Images / Images Research
• Store
• Cardio

In detail, the ToE of this recertification can be specified as follows:

The ToE of the teamplay recertification consists of the following components:

• teamplay Receiver, to be installed as a gateway service with the operator (teamplay user);
• teamplay Platform, with the modules Usage, Dose, Protocols, Images and Images Research, Store and Cardio;
• legal and technical interfaces with the sub-processors Microsoft Ireland Operations Ltd., Siemens Healthcare Private Limited (India) and Siemens Medical Solutions USA Inc.

Not part of the target of evaluation (ToE) are

• further services and products of Siemens Healthcare GmbH such as teamplay for markets outside the EU/EEA and the website www.healthcare.siemens.de with general product information;
• further applications accessible in teamplay Store nor their operation or procurement;
• the Microsoft Azure Cloud and components of the data centres (contractual clauses with Microsoft and technical-organizational measures implemented by Microsoft were reviewed during the re-evaluation, but the certification does not refer to the Azure Cloud as such, but only to the teamplay service as provided by Siemens Healthcare to EU/EEA customers);
• the Auth0 platform and its PaaS;
• the operational environment of the user including tablets, apps or smartphones.

The re-evaluation showed that teamplay continues to meet all applicable EuroPriSe requirements. Further information can be found in the short public report.

Initial Cert 2016/10

teamplay is offered as a basic and as a premium account. It is worth noting that the premium account encompasses all functionalities of the basic account. The target of evaluation of the teamplay certification is the premium account as it is provided to EU customers. More precisely, the ToE consists of the following modules / components of said premium account:

• The modules “usage”, “dose” and “protocols” (cf. the Short Public Report for details);
• the “teamplay receiver” (software to be installed in the IT environment of the users of the service);
• the web-based services that allow for the use of the modules “usage”, “dose” and “protocols”;
• legal and technical interfaces with the sub-processors Microsoft Ireland Operations Ltd. and Siemens Healthcare Private Limited (India).

Excluded from the target of evaluation is teamplay as it is offered to the US market or to other markets outsited of the EU/EEA. In addition, the following modules / components of teamplay as it is provided to EU customers do not form part of the ToE either:

• The module “images” which allows for the collaborative use of data and images as well as for the establishment of an online community;
• authentication of users via the Siemens Corporate Authorisation Service that provides an alternative login functionality for teamplay;
• the Microsoft Azure Cloud as such (including components of the data centres that are used for the provision of the teamplay service to EU customers);
• the IT environment of the teamplay users.

When providing the teamplay service, Siemens Healthcare acts as a processor on behalf of the users of the service. This means that the responsibility for the lawful processing of patient data lies with the users (controllers). Depending on the privacy profile that is chosen by a user, the utilisation of the service will involve the processing of anonymised patient data only or the processing of pseudonymised patient data that – despite of its pseudonymisation – still qualifies as personal data. Siemens Healthcare GmbH informs (prospective) users of the service about the fact that it is their responsibility to collect patients’ consent and/or release from medical confidentiality prior to uploading patient data to teamplay if they choose a privacy profile which does not provide for the anonymisation of patient data. In such a case, the users of the service can revert to a high-quality template for the collection of patients’ consent / release from medical confidentiality that is made available to them by Siemens Healthcare GmbH.

Legal Evaluator

Dr. Irene Karper LL.M.Eur.
datenschutz cert GmbH
Konsul-Smidt-Str. 88a
28217 Bremen
Germany

Technical Evaluator (since 10/2018)

Dr. Irene Karper LL.M.Eur.
datenschutz cert GmbH
Konsul-Smidt-Str. 88a
28217 Bremen
Germany

Technical Evaluator (until 10/2018)

Dipl. Math. Ralf von Rahden
datenschutz cert GmbH
Konsul-Smidt-Str. 88a
28217 Bremen
Germany