Data security and integrity is a high priority for Clarius. The software uses elliptical curve cryptography to keep your data safe. Even in the unlikely event that data is intercepted, it will be indecipherable to the intercepting party.
Images and patient information stored on the device are by default cached for 30 days before they are automatically removed. Information will never be removed before it is sent to the Clarius Cloud or sent via DICOM.
If the Clarius Cloud infrastructure is not the preferred method for storing data, Cloud storage can be disabled and subsequent methods such as sending to PACS via DICOM, or local device storage, can be used. If using DICOM, the appropriate software license must be enabled. At the end of each exam the user will be able to select from multiple DICOM destinations within the hospital. The exams will not be retained on smart devices once uploaded to DICOM.
Additional details can be read within Clarius' Information Security Whitepaper..
Physical Locations
All data stored on Clarius Cloud is stored in data centers located in Amazon Web Services' network. By default, the data is stored in Canada. Once a scanner is purchased and ready for provisioning, you will be asked to setup a new institution on Clarius Cloud and specify the location of where PHI is to be stored. Clarius currently support the following storage regions:
- Canada (Montreal)
- United States (Oregon)
- EU (Frankfurt)
- Australia (Sydney)
- Asia Pacific (Singapore)
Clarius does not store Patient Information outside to it's own Cloud. More information about Amazon's security measures can be found at https://aws.amazon.com/security/.
ePHI Storage
On the Clarius Cloud, patient information and images are stored in separated logical servers. Patient information are stored encrypted in the database server. Images are de-identified before being stored. The image files do not store any patient information within their records.
Clarius does not store ePHI outside of the Cloud,
Clarius uses Amazon AWS standard encryption method for storing both Patient Information and Images. In both cases, Amazon uses AES256 for encryption, which is FIPS compliant.
Important Note: Images, measurements, and findings can be shared by the exam owners without displaying/enabling access to patient data.
HIPAA Compliance
Clarius adopts the HITRUST CSF (Common Security Framework) as its security framework. The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance. The CSF integrates and harmonizes requirements from many authoritative sources such as ISO, NIST, PCI, HIPAA and others; it tailors the requirements to a healthcare organization based on specific organizational, system and regulatory risk factors.
Information regarding the HITRUST CSF can be found here.
Monitoring & Logging
The Clarius Cloud is continuously monitored (24x7x365) for security and operational purpose. Events traced are stored in a Security Information and Event Management (SIEM) solution hosted by a third party.
Actions that may threaten the secure environment or compromise the confidentiality of patient information are recorded and investigated.
Operations involving patient information are logged and can be reviewed anytime by the clients with administrative credentials. Logs cannot be changed or erased prior the six months retention period. Logs can be exported for long term retention.
Vulnerability Management
The Clarius Cloud regularly undergoes comprehensive internal vulnerability checks to validate the overall security of the system. Security is also validated by a independent third party.
Data Retention
Patient Information is stored for seven years by Clarius. The system is backed up every hour and the encrypted backups are stored and retained for 365 days.