UNICORN start 1.

3
Privacy and Security Manual

cytiva.com
Table of Contents
1 Introduction ........................................................................................... 3

2 Privacy and security environment ....................................................... 4

3 Authentication, authorization and audit logging .............................. 5

3.1 Access controls ........................................................................................................................... 6
3.2 Audit logging and accountability controls ....................................................................... 8
3.3 Patient privacy content management ............................................................................... 9

4 Information protection ......................................................................... 10

4.1 Network security ........................................................................................................................ 11
4.2 Data storage and encryption ................................................................................................. 13
4.3 External connections ................................................................................................................ 14

5 System protection ................................................................................. 15

6 Remote access ....................................................................................... 17

7 Personal information collected by the product ................................. 18

8 Additional privacy and security considerations ................................ 19

2 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

1 Introduction
About this manual
This manual describes the privacy and security considerations of the use of UNICORN™
start.

Purpose of this manual

This manual describes the expected intended use of UNICORN start, the privacy and
security capabilities included, and how these capabilities are configured.

Introduction to privacy and security

This manual assumes that the reader understands the concepts of privacy and security.
Security protects both system and information from risks to confidentiality, integrity,
and availability. Security and privacy work together to help reduce risk to an acceptable
level. In healthcare, the privacy, security, and safety must be balanced, relating to the
intended use of the product.
The customer is encouraged to use risk management procedures to assess and
prioritize privacy, security, and safety risks. Using the risk management, the customer
can determine how to best leverage the capabilities provided within the product.

Product description
UNICORN start is not a medical device and shall not be used in any clinical procedures
or for diagnostic purposes. It is used to control the non-medical device ÄKTA™ start.

Contact information
For specific privacy and security inquiries, use the contact form found at
cytiva.com/contact.

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 3

2 Privacy and security environment
Privacy and security in the environment
UNICORN start has been designed for an intended use with the following expectations
of privacy and security protections, that should be included in the environment where
UNICORN start will be used:
The assumption for UNICORN start related to Privacy and Security elements is as
follows:
• It is recommended that the computer hosting UNICORN start resides in a controlled
environment.
• It is recommended that the Microsoft®Windows® password of the computer
hosting UNICORN start is changed immediately after the installation of UNICORN
start.
• Parts of the internal communication in UNICORN start use unencrypted protocols.
• UNICORN start does not have user management.

4 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

3 Authentication, authorization and audit
logging
About this chapter
UNICORN start includes a broad assortment of capabilities to enable privacy and
security. This chapter describes the ability and use of these privacy and security
capabilities.

In this chapter

Section See page

3.1 Access controls 6

3.2 Audit logging and accountability controls 8

3.3 Patient privacy content management 9

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 5

3.1 Access controls
Introduction
The access control on UNICORN start is used to help control access to customer
information on the system. Access control includes user account creation, assigning
the privileges, and other features.

Identity provisioning
The provisioning of user accounts requires the steps of account creation, maintenance,
and removal of the account when it is no longer needed. A user account is created to be
used by a specific individual. This user account is associated with access rights, and is
recorded in system security log files.
UNICORN start does not support user management and therefore this section is not
applicable for UNICORN start.

User authentication
The user authentication step verifies that the user attempting to access the system is
indeed the user associated with the specific account. This section describes the
administration of the authentication system.
The UNICORN start software is deliberately designed with no authentication and data
protection. The user must protect data if it is sensitive and completely relies on
customer security measures. The UNICORN start software is closely tied to the ÄKTA
start system and can only run on that instrument. This provides a way for customers to
get introduced to the UNICORN and ÄKTA platform and allows them to move to
advanced software and systems depending on their needs.
It is recommended to configure the computer hosting UNICORN start, with Windows-
based identity and access controls as a part of the customer responsibility. This is
applicable if UNICORN start data is considered sensitive and used for research purpose.
Windows identity and access management consists of policies and technologies for
ensuring that the proper people have the appropriate access to the computer. This
enables customers to define access control in a Windows environment and secure their
data. The following are some recommended Windows-based policies and technologies:

Windows access Describes access control in Windows, which is the process of

control authorizing users, groups, and computers to access objects on the
network or computer. Key concepts that make up access control are
permissions, ownership of objects, inheritance of permissions, user
rights, and object auditing.

6 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

 Credential Guard Introduced in Windows 10 Enterprise, Credential Guard uses
(domain) virtualization-based security to isolate secrets so that only privileged
system software can access them. Unauthorized access to these
secrets can lead to credential theft attacks, such as Pass-the-Hash or
Pass-The-Ticket. Credential Guard helps prevent these attacks by
protecting NTLM password hashes and Kerberos Ticket Granting
Tickets.
Credential Guard Remote Credential Guard helps you to protect your credentials over a
(remote desktop) remote desktop connection by redirecting the Kerberos requests back
to the device that is requesting the connection.
User Account Provides information about UAC, which helps prevent malware from
Control (UAC) damaging a PC and helps organizations deploy a better-managed
desktop. UAC can help block the automatic installation of unauthorized
apps and prevent inadvertent changes to system settings.
VPN technical VPN lets you give your users secure remote access to your company
guide network. Windows 10 adds useful new VPN profile options which help to
manage how users connect to the network.

For more information, visit http://www.microsoft.com.

Assigning access rights

Assigning access rights is the administrative process for connecting permissions with
user accounts.
Access to UNICORN start must be controlled by the customer using Windows login
credentials. It is highly recommended to change the default Windows password after
the installation of UNICORN start.

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 7

3.2 Audit logging and accountability controls
Introduction
Privacy and security information logging and control provide accountability through
security surveillance, auditable records, and reporting.
The audit log resides in the UNICORN start database. There is no information about
users saved as there is no user management.

8 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

3.3 Patient privacy content management
Patient privacy
UNICORN start does not handle (create, transfer, or store) patient data, therefore the
patient privacy consent is not applicable to UNICORN start.

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 9

4 Information protection
About this chapter
This chapter describes privacy and security operations, and contains guidelines for the
preparation of a secure environment for UNICORN start.

Defense in depth
Security operations are best implemented as part of an overall "defense in depth"
information assurance strategy. This strategy is used throughout an information
technology system that addresses personnel, physical security, and technology. The
layered approach of defense in depth limits the risk that the failure of a single security
safeguard allows to compromise the system.

In this chapter

Section See page

4.1 Network security 11

4.2 Data storage and encryption 13

4.3 External connections 14

10 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

4.1 Network security
Wired network security
Cytiva strongly recommends that UNICORN start and ÄKTA start system are operated
in a secure network environment that is protected from unauthorized intrusion.
UNICORN start is a standalone installation and can be connected to ÄKTA start system
only through USB cable.
UNICORN start can be distributed into UNICORN start client, UNICORN start
instrument server, and UNICORN start database:
• UNICORN start Client is the software consisting of the Administration, Method
Editor, Evaluation, and System Control modules.
• UNICORN start Instrument Server is a process that controls an ÄKTA start system
that is supported by UNICORN start.
Firewall protection is one of the effective ways of isolating and protecting UNICORN
start installations. It is assumed that firewall is active on computer where UNICORN
start is installed, that blocks both inbound and outbound communication unless there
are firewall rules allowing it.

System interconnections
Firewall settings for the computer with UNICORN start
Inbound traffic from the UNICORN start Client.
Outbound traffic to the ÄKTA start system database.

Port Protocol Direction Program Source/Destination

40500-40510 TCP Inbound UNICORN start UNICORN start Instrument

Instrument Server
Server.exe
50000-50009 UDP Outbound VIDmain.exe N/A for ÄKTA start system
40500-40510 UDP Inbound VIDmain.exe N/A for ÄKTA start system
60030-60033 TCP Outbound p950_drv.exe N/A for ÄKTA start system
60130-60133 TCP Outbound p950_drv.exe N/A for ÄKTA start system
60230-60233 TCP Outbound p950_drv.exe N/A for ÄKTA start system
60330-60333 TCP Outbound p950_drv.exe N/A for ÄKTA start system

Firewall settings for the UNICORN Database (SQL Server®)

Inbound traffic from the UNICORN start Client and UNICORN start Instrument Servers.
No outbound traffic is initiated by the SQL Server to UNICORN start.

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 11

 Port Protocol Direction Program Source/Destination

1434 UDP Inbound SQL Server Browser

Any Any Outbound Sqlservr.exe SQL Server outbound

Schematic diagram of a UNICORN start connection

Wireless network security

Radio signals are used in a wireless network communication, therefore wireless devices
require special security consideration. Effective techniques and tools exist for
improving the security of wireless communication. This section describes the
characteristics for wireless connections for UNICORN start.
UNICORN start only works on ÄKTA start system and this system does not have
wireless communication capability. Therefore, wireless security is not applicable for
UNICORN start.

Removable media security

Process data can be exported from the UNICORN start system using a USB memory
stick. However, it is strongly recommended that the company policies related to
removable media shall be applied to the computer hosting UNICORN start.

12 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

4.2 Data storage and encryption
Data at rest security
UNICORN start stores data in a persistent storage, this includes methods, results, log
files, system, and user data. The persistent storage consists of one or more Microsoft
SQL Server Express Editions. The access to the storage is not encrypted. Hence, it is
highly recommended that the UNICORN start system is installed in a secure
environment.

Data integrity capabilities

UNICORN start does not support capabilities to assure that data is not inappropriately
modified.

De-identification capabilities
UNICORN start is not a medical device and does not handle (create, transfer, or store)
patient data. Therefore UNICORN start does not contain de-identification
(anonymization and pseudonymization) capabilities.
No Privacy Information (PI) is collected by UNICORN start.

Business continuity
A disaster recovery of the UNICORN start database is done by regular restore of
database backup. Hence, it is very important to apply an appropriate schedule for the
database backups. However, it is recommended that the database backups are stored
on secured media and are made available whenever a restore of the database is
required.

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 13

4.3 External connections
Security controls provided by the cloud
provider
UNICORN start is not hosted on a third party cloud environment. Cloud security
controls are not applicable.

14 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

5 System protection
Introduction
This chapter describes the guidelines for how to configure and maintain the product in
a way that continuously protects privacy and security.

Protection from malicious attacks

The computing environment is increasingly hostile, and threats continue to grow from
denial of service attacks and malicious software, including computer viruses, worms,
Trojan horses, and other malware. Vigilant defense on many levels is required to keep
the systems free from intrusion by malicious software. The protective features are
enabled as part of the third-party hosting service.
This product is designed to be used in an environment where commercial antivirus
software is used to detect the presence of malicious software (virus, Trojan horse,
worm, etc.). The use and configuration of the specific antivirus software is encouraged.
Note: During virus scans, the performance of UNICORN start can be affected and
therefore it is recommended to perform scans when the ÄKTA start system,
which UNICORN start controls, is not in use. It is recommended to apply the
current organizational policies and procedures regarding antivirus software.
For more information on Malicious Software Protection, refer to the following two white
papers by the Joint NEMA/COCIR/JIRA Security and Privacy Committee:
• Defending Medical Information Systems Against Malicious Software, December
2003, http://www.medicalimaging.org/policy-and-positions/joint-security-and-
privacy-committee-2/.
• Patching Off-the-Shelf Software Used in Medical Information Systems, October
2004, http://www.medicalimaging.org/policy-and-positions/joint-security-and-
privacy-committee-2/.

Server and workstation security

This section is not applicable for UNICORN start.

Patch management practices

The customer is responsible for maintaining the computer hosting UNICORN start. This
maintenance includes the following:
• Applying operating system patches.
• Applying operating system upgrades.
• Applying operating system configuration changes.
• Applying operating system routine maintenance.

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 15

 • Applying UNICORN start patches.
• Applying UNICORN start upgrades.
• Applying UNICORN start configuration changes.
• Applying UNICORN start routine maintenance.
Furthermore, any malware protection software installed must also be maintained by
the customer. This maintenance includes management of patches, upgrades,
configuration change, and routine maintenance.
Questions or incident reports regarding cyber security related to UNICORN start can be
done via the appointed Cytiva Key Account Manager or the Cytiva Service Personnel.
The appointed Cytiva personnel will take care of the customer case and forward it to the
organization within Cytiva responsible for UNICORN start. The case can be of one or
more of the following categories:
• A security enhancement is requested in UNICORN start.
• A security incident has occurred related to the usage of UNICORN start.
• A general question about the existence of security related patches for UNICORN
start.
• A general question about the availability of online material such as documentation
and similar.

16 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

6 Remote access
Introduction
Often the most efficient and cost-effective ways for Cytiva to provide service is to
connect to UNICORN start remotely. Every effort is made to make sure that this
connection is as secure as possible. This chapter describes the security measures for
remote access connections.

Remote connection
Remote connection to the product is not applicable.

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 17

7 Personal information collected by the
product
Personal information
UNICORN start is not a medical device and does not handle (create, transfer, or store)
patient data. UNICORN start does not collect personal information.
UNICORN start has free text input fields that can be considered PI depending on what is
entered by the user. The most prominent free text input fields are method, start, run,
and evaluation notes. However, there are other input fields that can be used for
entering PI, for example, method, and result names.

18 UNICORN start 1.3 Privacy and Security Manual 29688975 AA

8 Additional privacy and security
considerations
Additional risks
UNICORN start has been designed with privacy and security functionality integrated
into the core design. However, there exist privacy and security residual risks that must
be mitigated when UNICORN start is integrated into the work environment. This section
describes some risks that should be imported into the risk assessment of the
deployment of UNICORN start for proper mitigation.
UNICORN start does not have user authentication. It must be controlled by the
customer using Windows login credentials. As a privacy and security measure, it is
recommended that the Windows password of the computer hosting UNICORN start is
changed immediately after the installation of UNICORN start.

UNICORN start 1.3 Privacy and Security Manual 29688975 AA 19

cytiva.com/unicornstart
Cytiva and the Drop logo are trademarks of Global Life Sciences IP Holdco LLC or an affiliate.
UNICORN and ÄKTA are trademarks of Global Life Sciences Solutions USA LLC or an affiliate doing business as Cytiva.
Microsoft, Windows, and SQL Server are registered trademarks of Microsoft Corporation.
All other third-party trademarks are the property of their respective owners.
© 2021 Cytiva
UNICORN © 2021 Cytiva
Any use of UNICORN is subject to Cytiva Standard Software End-User License Agreement for Life Sciences Software Products. A
copy of this Standard Software End-User License Agreement is available on request.
All goods and services are sold subject to the terms and conditions of sale of the supplying company operating within the Cytiva
business. A copy of those terms and conditions is available on request. Contact your local Cytiva representative for the most
current information.
For local office contact information, visit cytiva.com/contact
29688975 AA V:1 06/2021