by Luis Araujo, Manager, Information Security
HITRUST CSF Practitioner, CISSP, CISM, CISA
The Clarius Scanner is a fully-featured ultra-portable ultrasound device that provides high-quality and cost-effective imaging, while minimizing the limitations of traditional cart-based ultrasound. Clarius develops an ecosystem of data management tools and also supports traditional storage options, such as DICOM or export to persistent smart device storage. The solution as a whole comprises three main components:
- Clarius Scanner
- Clarius Ultrasound App
- Clarius Cloud
Traditionally, patient data associated with medical devices has been stored within medical facilities. As healthcare technology has advanced and cloud storage has become more secure and convenient, alternative storage options are becoming available. Storage outside a medical facility can raise concerns over the security of patient data storage. Clarius takes healthcare data management seriously, and implements strict requirements for security, confidentiality, and privacy according to published standards. The Clarius patient data management infrastructure uses controls and safeguards to protect Electronic Protected Health Information (ePHI) from unauthorized changes and access.
Clarius security architecture
The Clarius ultrasound scanner is a portable, software-controlled, diagnostic ultrasound system used to acquire and process real-time, high-resolution ultrasound data. The device uses a system of Bluetooth and Wi-Fi-based technology to communicate with existing off-the-shelf tablets and smartphones. Protected Health Information (PHI) is not stored on the scanner at any point of the imaging process.
The scanner communicates wirelessly with the App through either an existing local Wi-Fi connection, or more commonly a dedicated Wi-Fi Direct connection.
When using Wi-Fi Direct, there is never any WAN or Internet exposure. The smart device and the scanner have a 1:1 connection. The scanner’s Wi-Fi Direct uses WPA2 security and connects with a password provided to the App and user. In most cases, the smart device can automatically connect to the Wi-Fi Direct network without user intervention, and the password is stored in the smart device operating system’s encrypted network settings cache. The Wi-Fi Direct password is randomly generated when the scanner comes out of production, and can be reset or manually set at any time by an authenticated user through the App.
Local Wi-Fi networks that support WPA2 can also be used for the connection. The user enters the password into the App once, after which it is securely transmitted over Bluetooth so that the scanner can connect. The scanner stores passwords encrypted using PBKDF2 with a SHA256 hash in inaccessible persistent storage within the device. At any time, an authenticated user can delete all cached network SSIDs and passwords from the scanner through a connected App.
The Wi-Fi connection between the App and the Scanner is composed of two channels. The first is a control channel used to exchange instructions. This is a TCP channel which is encrypted using TLSv1.2.
The second channel is used to send image data from the Scanner to the App. This is an unencrypted UDP channel.
No patient information is transmitted through either of these channels.
Bluetooth is used to negotiate an out-of-band handshake where network information and passwords are communicated. All traffic over Bluetooth is encrypted with both Bluetooth’s standard encryption modules as well as an extra layer of AES128 encryption. The AES key is randomized for each new Bluetooth connection and communicated using a public key method built upon RSA256.
Clarius Ultrasound App
The Clarius App runs on Android and iOS smart devices and is used as an interface for the ultrasound scanner. Preset workflow applications allow the user to control specific aspects of the imaging, such as ultrasound frequencies and depth of imaging. Other controls for data storage allow flexibility on how data is exported.
Users have the option to enter patient information on the App, which is then associated with the images for future storage considerations. The App temporarily stores the images and patient information in a private, encrypted storage space on the smart device’s operating system, which is segregated from other apps on the device by relying upon the smart device's app sandboxing and hard drive encryption. It is also segregated from other users of the Clarius App as long as users log in with their own unique credentials (username/password). If the user has enabled auto-delete, then the patient information, along with the corresponding exam data, will be automatically purged (default 10 days) after having been transmitted to the customer's PACS or to Clarius Cloud. The user can also manually delete this data at any time. It is up to the customer to provide the encryption mechanism (i.e. network layer encryption, e.g. WPA2) for transmitting PHI from the Clarius Ultrasound App to its PACS.
On smart devices powered by Apple iOS, Clarius relies on Apple's encryption protection. This feature can't be disabled by the user and it is managed by a combination of Apple's proprietary software and hardware, which is implemented by constructing and managing a hierarchy of keys, and builds on the hardware encryption technologies built into each iOS device. Apple uses AES-256 encryption. On smart devices powered by Android, Clarius recommends that users enable encryption of persistent storage. As rooting a device may break Android-enforced protection, Clarius recommends that Android users do not use rooted devices.
Once an exam has been performed, there are three possible storage solutions:
- Clarius Cloud Storage
- DICOM Store to Existing PACS (Picture Archiving and Communication System)
- Export to Camera Roll
The Clarius App periodically requires an Internet connection to update security certificates, as well as perform security or feature updates to the App. The user can choose how they connect to the Internet on the smart device, with common options for Wi-Fi being WPA2 or WPA2 Enterprise if their wireless routing equipment supports the standard.
Camera Roll Export
Users have the option to export images to the device’s local camera roll. This option is only available while data still resides within the separated App memory; once the retention timeframe has expired, local export will no longer be available. Exported images do not contain any PHI meta-data or burned-in PHI. In the future, a policy parameter will be available to completely disable camera roll export.
Clarius Cloud is an online archiving tool developed fully in-house by Clarius for exclusive use by healthcare practitioners with a Clarius ultrasound scanner. By default, Clarius Cloud is used for PHI permanent storage; however, users who want to store their exams on their own PACS are able to set up DICOM communications to bypass Cloud storage altogether. Clarius Cloud is built on an Amazon Web Services (AWS) framework that allows for optimal security and scalability. Each Clarius Scanner comes pre-allocated with 2GB of secure storage on Clarius Cloud. From a database perspective, PHI is stored separately from the actual ultrasound images, and both patient information and images are encrypted by default. Within an institution, only administrators and users who performed the examination can get access to the PHI and images stored.
Clarius Cloud database access
Physical Storage & Data Residency Compliance
All data stored on Clarius Cloud is stored in data centers located in Amazon Web Services’ network. By default, data is stored in Canada. When users receive their first scanner, they are asked to set up a new institution on Clarius Cloud and specify the location where PHI is to be stored. Clarius currently supports the following regions:
- Canada (Montreal)
- United States (Oregon)
- EU (Frankfurt)
- Asia Pacific (Singapore)
- Oceania (Sydney) - available upon request
Image data, patient records, business associate agreements, and audit logs are stored in the region specified by the user, while other institution data, such as exam metadata, institution members, and scanner information are solely stored in the main database located in Canada. There is no provisioning for migration of existing institutions from one region to another after the initial selection. Clarius does not store PHI outside of Clarius Cloud.
Operations involving PHI in Clarius Cloud are logged and can be reviewed anytime by clients with administrative credentials. Logs cannot be changed and are stored for six months, according to the retention policy. Logs can be exported for long-term retention at the users’ discretion.
Here are the lists of events being logged:
- Invite user
- Remove user
- Grant admin status
- Revoke admin status
- User sign in
- User sign out
Patient Data management
- Create patient
- Delete patient
- Modify patient data
- View exam
- View exam list
- Export exam
- Send exam for review
- Print report
- Claim scanner
- Release scanner (to be implemented)
- Audit audit log
- Export audit log
When reviewing an exam, the user has the option to export images. They are emailed a randomized link, which expires in 24 hours, to download a compressed file containing all the images within the exam, without any PHI included.
Accessibility and Credentials
Credentials are required to log into both the Clarius Ultrasound App and Clarius Cloud. On the Clarius Ultrasound App, the first login requires an Internet connection so that the credentials can be authenticated by the Clarius security infrastructure via Clarius Cloud. Afterward, users can continue to use the system without having to reauthenticate until the logout is performed. All passwords are encrypted using the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by the National Institute of Standards and Technology (NIST). Clarius staff do not have access to view, change, or retrieve user passwords. If a user forgets or loses their password, the password can be reset through a temporary link emailed to the client, which expires after 24 hours. Clarius Cloud provides clients the ability to define password security policies, such as minimum length, complexity, expiration, and re-use parameters.
HITRUST Security Framework
Clarius adopts the HITRUST Common Security Framework (CSF). The HITRUST CSF Assurance program is a common, standardized methodology to effectively and consistently measure compliance. The CSF tailors the requirements to a healthcare organization based on specific organizational, system, and regulatory risk factors, and integrates requirements from many authoritative sources, such as:
- International Organization for Standardization (ISO)
- National Institute of Standards and Technology (NIST)
- Health Insurance Portability and Accountability Act (HIPAA)
- GDPR (General Data Protection Regulation)
- And others
Clarius is compliant with HIPAA. As a business associate, Clarius follows the HIPAA Privacy Rule and the HIPAA Security Rule, in addition to the Breach Notification Rule. The HIPAA Compliance Statement can be found at clarius.com/compliance.
Clarius complies with the General Data Protection Regulation (GDPR). PHI, images, and personal user data managed by Clarius, such as customers' personal and marketing information related to European persons, are covered under the compliance regime. The GDPR Compliance Statement can be found at clarius.com/compliance.
Patient information and images on Clarius Cloud are stored for a minimum of seven years by Clarius.
Additional Operational Controls
Clarius Cloud is continuously monitored (24 x 7 x 365) for security and operational purposes by Alert Logic. Traced events are stored in a Security Information and Event Management (SIEM) solution hosted by a third party. Actions that may threaten the environment or compromise the confidentiality of PHI are recorded and investigated.
Clarius Cloud regularly undergoes comprehensive internal vulnerability checks using Tenable technology to validate the overall security of its system. The security of Clarius Cloud is also validated by an independent third party.
The Clarius Ultrasound App can use DICOM Store to transmit PHI and examination data. DICOM network parameters are currently set up in Clarius Cloud by an administrator and transmitted to the App when the user initially logs in. Subsequent updates to information can be retrieved anytime the App has Internet connectivity on the smart device. When storing data over DICOM to PACS, institutions can set a policy to prevent any data going to Clarius Cloud. Clarius does not provide encryption between the App and the customers’ PACS. This security layer must be provided by the customer based on the network being used to transmit data.
Clarius also offers DICOM Modality Worklist support to retrieve PHI from a PACS supporting this function. When a user starts the App, they have the ability to choose a patient from a downloaded worklist. This worklist is only stored in physical memory while the App is running and is never stored to persistent storage.
The following summary lists the encryption types used between various modules within the Clarius ecosystem:
- Scanner to Ultrasound App Bluetooth: RSA256, AES128
- Scanner to Ultrasound App via Wi-Fi: TLSv1.2 (control channel only)
- Scanner to Ultrasound App via Wi-Fi Direct: WPA2
- App to Cloud: TLSv1.2
- TLSv1.2 is FIPS 140-2 compliant and uses the following cipher suite: ECDHE-RSA-AES256-GCM-SHA384
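To check a TLS endpoint against the summary above, a client can be restricted to TLS 1.2 and the single listed suite so that the handshake only succeeds if the server accepts exactly that combination. This is an added example, not Clarius code; the host passed to `probe` is supplied by the reader, since the page names no endpoint.

```python
import socket
import ssl

REQUIRED_VERSION = "TLSv1.2"
REQUIRED_SUITE = "ECDHE-RSA-AES256-GCM-SHA384"  # OpenSSL name of the listed suite


def build_pinned_context() -> ssl.SSLContext:
    """Client context that can only negotiate TLS 1.2 with the listed suite."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # also rules out TLS 1.3
    ctx.set_ciphers(REQUIRED_SUITE)
    return ctx


def tls12_suites(ctx: ssl.SSLContext) -> list:
    """Suites the context offers below TLS 1.3 (TLS 1.3 names start with TLS_)."""
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if not c["name"].startswith("TLS_"))


def conforms(cipher, version) -> bool:
    """cipher is the tuple from SSLSocket.cipher(); version is SSLSocket.version()."""
    return (cipher is not None
            and cipher[0] == REQUIRED_SUITE
            and version == REQUIRED_VERSION)


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with the pinned context and return (cipher, version).

    An ssl.SSLError here means the endpoint would not negotiate the suite.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_pinned_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher(), tls.version()
```

A successful `probe` shows the endpoint supports the suite; running the same handshake with an unpinned default context and passing the result to `conforms` shows whether the server also selects it by preference.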
Configurable Security Policies
Settings defined in Clarius Cloud offer many policy configurations to help provide customers with the security tools required for their internal standards. These tools may apply to Clarius Cloud, the App, or both, and include:
- Password Security Requirements
- Two-factor Authentication (2FA) Requirements (Cloud only)
- PHI Physical Storage Location
- Scanner Authorization
- Last Known Location
- Clarius Cloud Storage Permissions
- Exam auto purge period (Clarius Ultrasound App only)
The following features are currently in development:
- Scanner Credential Sync Timeframe
- App Logout Permissions
- PHI Mandatory Field Entry
- Camera Roll Export Permissions
Using Clarius Without Clarius Cloud
Some customers may want to limit access to ePHI and Clarius Cloud if their institution's security policies are rigid and they want to refrain from using any online tools. Clarius provides a solution that allows its ultrasound devices to be used with a more traditional approach.
- Create a single Administrator account on Clarius Cloud, managed by the IT department
- Once logged into Clarius Cloud:
  - Create and invite a new regular account into the system
  - Set up appropriate DICOM information for storage and worklist servers
  - Set minimum scanner credential timeframe (e.g. 365 days) (Available upon request)
  - Set password requirement to logout (To be implemented)
- Log into the Clarius Ultrasound App with the newly created account
- Test Clarius Scanner and DICOM connectivity
- Provide users with smart devices as required