Clarius Cloud

Clarius Information Security Architecture

Traditionally, patient data associated with medical devices has generally been stored within medical facilities. As healthcare technology has advanced and cloud storage has become more secure and convenient, alternative storage options are being offered.  For some, storage outside a medical facility raises concerns over the security of patient data storage. 

At Clarius, we take healthcare data management seriously.  We have implemented strict requirements for security, confidentiality, and privacy according to published standards.  The Clarius patient data management infrastructure incorporates controls and safeguards to protect Electronic Protected Health Information (ePHI) from unauthorized changes, and to ensure data is only accessible to those who are authorized.

Secure Exam Storage is a Priority

Unlike traditional ultrasound systems that store exams on hard drives and allow users to export or download images to a thumb drive or CD, Clarius manages secure access to images on the Clarius Cloud. The Clarius App, which is on the mobile device used for imaging, only temporarily stores encrypted exams. Patient data is not visible on the mobile device during imaging. Once Internet connectivity is available, stored images are securely transmitted to the Clarius Cloud. Patient information is deleted from the Clarius App after 30 days when the exam has been successfully stored on the secure Clarius Cloud or transmitted via DICOM to an institute's storage infrastructure.
All Clarius Cloud data is safely stored and can only be accessed by users with proper credentials.

By choosing DICOM, exams can be sent directly from the Clarius App to a Picture Archiving and Communication System (PACS).

Clarius Security Architecture

The Clarius Ultrasound Ecosystem consists of the Clarius Scanner, the Clarius App, and the Clarius Cloud.

Clarius Scanner

The Clarius Scanner does not store ePHI (Electronic Protected Health Information). During the scanning process, the image is streamed from the scanner to the Clarius App on the smart device. The Scanner can communicate with the Clarius App by using either an existing Wi-Fi connection, or through a Wi-Fi Direct connection. The Wi-Fi Direct channel is encrypted and private as long as the WPA2 pre-shared key is not shared.

Clarius Cloud for Secure Storage

Each Clarius Scanner comes with 2 GB of secure storage.  Users can comment, share and archive images and exams.  Patient information is stored separately from the ultrasound image in an encrypted server. Only authorized users within an institution can access patient information associated with an image. All images that are shared outside an institution do not contain patient information.

Clarius App

Users can choose to enter patient data on the Clarius App, which is then associated with the images in an encrypted file. The Clarius Mobile App temporarily stores the images and patient information in a private, encrypted storage space on the smart device's operating system (OS).

On Apple devices this storage space is encrypted natively by iOS.

On Android devices, storage space is segregated from other apps on the device and from the user. Because rooting the device may break this Android-enforced protection, we recommend that Android users do not use rooted devices, and that they enable hard drive encryption.

Once the Clarius App successfully stores the image remotely (i.e. to the Clarius Cloud) the patient healthcare information is deleted from the device within 30 days.

*Clients who want to automatically store their Clarius Ultrasound Exams on their own Picture Archiving and Communication System (PACS) will be able to select the DICOM option when available. By default, Clarius does not provide encryption in this type of implementation.

More Information

Access to the Cloud

Credentials are required to log into the Clarius App and into the Clarius Cloud. Passwords are encrypted and secured using the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. 

Clients are allowed to define their own password complexity mechanism when using Clarius Cloud.

Clarius cannot see or retrieve user passwords. Forgotten or lost passwords can be reset through the Forgot Password mechanism.

ePHI in the Cloud

On the Clarius Cloud, patient information and images are stored on separate logical servers. Patient information is stored encrypted in the database server. Images are de-identified before storage. The image file alone does not contain any patient information. Clarius does not store ePHI outside the Cloud.

Clarius uses the standard Amazon AWS encryption method for storing both Patient Information and Images. In both cases, Amazon uses AES256 for encryption, which is FIPS 140-2 compliant.

NOTE: Images, measurements, and findings can be shared by the exam owners without showing/enabling access to patient data.

Cloud Communication

All communication established with the Clarius Cloud, either from the Clarius App or from the user's browser, is encrypted by using at least 256-bit TLS 1.2 encryption across all services. This is the same technology widely used by browsers in secure communications throughout the Internet. The cloud connection is used to pull user data, Clarius Scanner permissions, and settings from the cloud. Completed examinations are also pushed to the Clarius Cloud for long-term storage.

NOTE: TLS 1.2 is FIPS 140-2 compliant and uses the following cipher suite: ECDHE-RSA-AES256-GCM-SHA384
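A client-side check of the transport policy stated above, as an added example that is not Clarius code: it builds a Python `ssl` context that refuses anything older than TLS 1.2 and offers only the listed suite at TLS 1.2, then judges a finished handshake. Accepting a 256-bit TLS 1.3 session and the `probe` helper's host argument are assumptions.

```python
import socket
import ssl

# Suite named on the page (OpenSSL naming).
PAGE_SUITE = "ECDHE-RSA-AES256-GCM-SHA384"


def build_client_context() -> ssl.SSLContext:
    """Certificate and hostname checks on, floor at TLS 1.2, one TLS 1.2 suite."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PAGE_SUITE)  # governs TLS 1.2 and below, not TLS 1.3 suites
    return ctx


def tls12_suites(ctx: ssl.SSLContext) -> list:
    """Names of the TLS 1.2 suites this context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def session_meets_policy(version: str, cipher: tuple) -> bool:
    """version is SSLSocket.version(); cipher is SSLSocket.cipher(),
    a (name, protocol, secret_bits) tuple."""
    name, _protocol, bits = cipher
    if version == "TLSv1.3":          # assumption: newer protocol is acceptable
        return bits >= 256
    return version == "TLSv1.2" and name == PAGE_SUITE and bits >= 256


def probe(host: str, port: int = 443) -> bool:
    """Handshake with `host` (caller-supplied) and apply the policy check."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return session_meets_policy(tls.version(), tls.cipher())
```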

Compliance with HIPAA

Clarius adopts HITRUST CSF (Common Security Framework) as its security framework. The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance. The CSF integrates requirements from many authoritative sources such as ISO, NIST, PCI, HIPAA and others; it tailors the requirements to a healthcare organization based on specific organizational, system and regulatory risk factors.

Retention

Patient Information is stored for seven years by Clarius.

The system is backed up every hour. These encrypted backups are stored and retained for 365 days.

Physical Storage

All data is stored on the Clarius Cloud, which is hosted in Amazon's AWS data center in Canada. Clarius does not store Patient Information outside of the Clarius Cloud.

Monitoring

The Clarius Cloud is continuously monitored (24x7x365) for security and operational purposes. Traced events are stored in a Security Information and Event Management (SIEM) solution hosted by a third party. Actions that may threaten the secure environment or compromise the confidentiality of patient information are recorded and investigated.

Clarius Cloud is monitored by Alert Logic. More information on Alert Logic can be found at www.alertlogic.com

Logging

Operations involving patient information in the Clarius Cloud are logged and can be reviewed anytime by clients with administrative credentials. Logs cannot be changed or erased prior to the end of the six-month retention period. Logs can be exported for long-term retention.

Vulnerability Management

The Clarius Cloud regularly undergoes comprehensive internal vulnerability checks to validate the overall security of its system.

Clarius uses Tenable technology for regular vulnerability scans (more information at https://www.tenable.com/products/tenable-io)

The security of the Clarius Cloud is also validated by an independent third party (KPMG).