Data security and integrity are a high priority for Clarius. The software uses elliptic curve cryptography to keep your data safe. Even in the unlikely event that data is intercepted, it will be indecipherable to the intercepting party.
Note that by default Clarius does not require any patient information to be entered or to accompany the exam: no patient information is ever required to perform the live exam itself or to save the exam images. Your institution may elect to make some fields mandatory; however, your administrator must deliberately enable this.
Images and patient information stored on the device are by default cached for 10 days before they are automatically removed. Information will never be removed from the Clarius App if a successful export outside of the Clarius App has not occurred. For more information please see Automatically Deleting Exams.
If the Clarius Cloud infrastructure is not the preferred method for storing data, Cloud storage can be disabled and other methods, such as sending to PACS via DICOM or local device storage, can be used.
If using DICOM, the appropriate software license must be enabled. At the end of each exam the user will be able to select from multiple DICOM destinations if multiple DICOM connections are configured. The exams will not be retained on smart devices once uploaded to DICOM, pending the purge interval. For more information please see Automatically Deleting Exams.
Additional details can be read within Clarius' Information Security Whitepaper.
Physical Locations
All data stored on Clarius Cloud is stored in data centers located in Amazon Web Services' network. By default, the data is stored in Canada. Once a scanner is purchased and ready for provisioning, you will be asked to set up a new institution on Clarius Cloud and specify where PHI is to be stored. Clarius currently supports the following storage regions:
- Canada (Montreal)
- United States (Oregon)
- EU (Frankfurt)
- Australia (Sydney)
- Asia Pacific (Singapore)
- Japan (Tokyo)
Clarius does not store Patient Information outside of its own Cloud. More information about Amazon's security measures can be found at https://aws.amazon.com/security/.
ePHI Storage
On the Clarius Cloud, patient information and images are stored on separate logical servers. Patient information is stored encrypted in the database server. Images are de-identified before being stored. The image files do not store any patient information within their records.
Clarius does not store ePHI outside of the Cloud.
Clarius uses the standard Amazon AWS encryption method for storing both Patient Information and Images. In both cases, Amazon uses AES-256 for encryption, which is FIPS compliant.
Important Note: Images, measurements, and findings can be shared by the exam owners without displaying/enabling access to patient data.
HIPAA Compliance
Clarius adopts the HITRUST CSF (Common Security Framework) as its security framework. The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance. The CSF integrates and harmonizes requirements from many authoritative sources such as ISO, NIST, PCI, HIPAA and others; it tailors the requirements to a healthcare organization based on specific organizational, system and regulatory risk factors.
Information regarding the HITRUST CSF can be found here.
Monitoring & Logging
The Clarius Cloud is continuously monitored (24x7x365) for security and operational purposes. Traced events are stored in a Security Information and Event Management (SIEM) solution hosted by a third party.
Actions that may threaten the secure environment or compromise the confidentiality of patient information are recorded and investigated.
Operations involving patient information are logged and can be reviewed at any time by clients with administrative credentials. Logs cannot be changed or erased before the six-month retention period expires. Logs can be exported for long-term retention.
Vulnerability Management
The Clarius Cloud regularly undergoes comprehensive internal vulnerability checks to validate the overall security of the system. Security is also validated by an independent third party.
Data Retention
Patient Information is stored for seven years by Clarius. The system is backed up every hour and the encrypted backups are stored and retained for 365 days.