ImageMoverMD, Corp (“ImageMover”) is committed to ensuring the confidentiality, privacy,
integrity, and availability of all electronic data it receives, processes and/or transmits on behalf
of its Customers or Partner’s Customers.
Providers have rapidly adopted mobile and tablet technologies. With provider adoption of
smartphones now greater than 80%, ImageMover is well positioned to leverage these devices
for the secure capture of medical images. The risk of losing a mobile device with patient information
provides an enormous incentive for hospitals to implement a HIPAA (Health Insurance
Portability and Accountability Act) compliant mobile capture solution such as ImageMover Mo-
The ImageMover software suite is comprised of a mobile app (for our secure mobile image capture
solution) and an on-site VM (Virtual Machine) appliance hosted at the client site for the
rest of the suite. We offer encounter-centric workflow-based solutions that are typically
launched via a standard yet secure web link directly from the customer EHR (Electronic Health
As a provider of compliant, on-premises software used by health providers, ImageMover strives
to maintain compliance, proactively address information security, mitigate risk for its customers,
and ensure that, if a breach occurs, we communicate that information completely, effectively,
and in a timely manner.
HIPAA Security Standards
ImageMover complies with HIPAA and the Health Information Technology for Economic and
Clinical Health (HITECH) Act, which regulate how personal information is handled throughout its
life cycle, from collection to use and disclosure, storage, accessibility and disposal. They impact
all areas of the health care industry and are designed to improve the portability and continuity of
health benefits. Specifically, HIPAA requires the adoption of sound practices for protecting the
confidentiality of all patient information in any form.
All businesses, regardless of their size, which engage in the handling, maintenance, storage or
exchange of private health or patient-related information, are subject to HIPAA. ImageMover,
as a technology partner to Health Care Organizations, is committed to ensuring the
confidentiality, integrity and availability of all protected electronic information. We are dedicated
to the privacy and security of our customers’ information and facilitate compliance with
the overall spirit and intent of the HIPAA requirements. Should any future updates take place in
the laws concerning HIPAA, ImageMover is well positioned to incorporate any new compliance
requirements. This level of due diligence provides our health care customers the confidence to
deploy their secure image capture and routing workflows without risking non-compliance.
ImageMover provides the healthcare customer with a suite of security mechanisms to ensure
the highest standards of patient confidentiality and overall data protection with regard to electronic
Protected Health Information (ePHI) and in accordance with HIPAA.
HIPAA security compliance is not achieved with a single piece of hardware, software, or process.
All IT technologies and processes must work together to create a secure environment.
Each security practice was considered within our own technological environment. The following
is a summary of the HIPAA Security Rule standards.
HIPAA security standards are divided into the following categories:
In general, this section of the HIPAA Security Rule describes administrative procedures that include formal practices governing the implementation of security measures and the conduct of personnel. We have documented, formal practices to manage the selection and implementation of these safeguards and guide the conduct of our personnel in relation to the protection of information.
This category focuses on the mechanisms required for the protection of physical computer systems, equipment and the building in which ePHI is stored. We adhere to documented procedures which manage the protection of physical computer systems and related buildings and equipment from fire, intrusion, and other natural and environmental hazards.
This category covers general processes used to protect data and to control access to ePHI. These also include authentication controls and transmission security, such as data encryption to protect integrity and confidentiality of data.
The ImageMover suite consists of several applications. The mobile application utilizes an Apple
(i.e. iOS) or Android phone app and VM based functionality, whereas the other suite applications
(e.g. Uploaders, Modality) rely upon the VM functionality only.
The ImageMover VM runs on Ubuntu Linux and consists of Apache and Angular web services
that provide the browser endpoint URL (Uniform Resource Locator) to which the patient context
is passed by the EHR. Proprietary server software performs the image, video, DICOM (Digital
Imaging and Communications in Medicine), HL7 (Health Level 7), and XDS (Cross-Enterprise
Document Sharing) processing and routing.
The application suite UI can integrate with your institution's EHR or HIS (Hospital Information
System) and send the resulting data to your PACS (Picture Archival System), VNA (Vendor Neutral
Archive), and/or Modality Worklist Server. ImageMover essentially acts as intelligent middleware
to facilitate healthcare “imaging” workflows.
The mobile application’s phone app utilizes SSL (Secure Socket Layer) certificates and a whitelist
server to ensure that only valid and secure users are capturing and sending data to the VM-based
server. No patient demographic data is ever present on the phone; it holds only an obfuscated
link to the actual patient information on the server itself. Also, the appliance UI browser
requires certificates to ensure secure communications.
The ImageMover VM server utilizes an in-memory datastore that is accessible via a custom API.
This ensures that some of the security flaws associated with SQL (Structured Query Language)
databases are not an issue, and that the storage of the patient demographic and encounter information
is transient only.
Application Security Measures
ImageMover follows best practices for software engineering and system hardening. Authentication
with ImageMover requires the user to launch the suite UI from within the EHR. This means
that a user must already be authenticated to your institution's EHR system to use ImageMover.
The ImageMover server runs as a service on an internally-hosted VM in your infrastructure and
does not require a logged-in user in order to run. It does not require any special user accounts
in your institution's user directory (e.g. Active Directory). ImageMover mobile clients require
only that the ImageMover mobile application be installed on their mobile device in order to
scan the QR code and then capture data.
Remote access to the server is restricted to authorized ImageMover support personnel via public-private
key infrastructure. Our systems leverage a host-based firewall to prevent unauthorized
network access. Operating system checks for required security patches will occur nightly,
as well as any unattended updates. ImageMover application suite patches are attended and will
occur during maintenance windows per the customer’s needs. All web traffic is required to use
HTTPS (HyperText Transfer Protocol - Secure).
Measures taken to harden ImageMover systems include disabling all boot devices other than
the system root volume, requiring a VPN to access the system remotely, limiting SSH access to
users with valid key-pairs, a host-based firewall that blocks inbound access on all ports other than
TCP (Transmission Control Protocol) port 443, and appropriate sandboxing for all ImageMover
applications. All network transmissions use TLS (Transport Layer Security) v1.3 or higher, if and
ImageMover has security measures in place to help protect against the loss, misuse or alteration
of information under our control.
These general measures include:
● our ImageMover server software resides behind the customers’ firewall
● the encryption of data using the TLS method
● the server must have a valid SSL certificate matching the hostname, intermediate certs
must be provided, and the root CA (Certificate Authority) must be widely recognized
● the use of a randomized session token ID that points to the actual patient PHI information
on the fire-walled ImageMover server
● photos, videos, and patient information are only ephemerally stored on the server for
processing and transmission to the final destination(s)
The ImageMover mobile product is the most security-vulnerable part of the suite since it also
contains a mobile device app. Thus, the mobile product underwent a dedicated vulnerability assessment
by the security auditing firm Rapid7 (www.rapid7.com) and no vulnerabilities were
identified. By design, no PHI is ever present on mobile devices.
The mobile phone app measures include:
● the mobile app is generally unaware of any PHI – it communicates data associated with
a session token
● the user must scan a QR (Quick Response) code to connect to the randomized session
● the mobile app is only aware of the session identifier once connected
● the app must successfully validate the scanned QR code against a whitelist service
● certificate pinning to communicate with the whitelist service
● images & videos are purged from memory immediately upon successful transmission. If
temporary files are created when capturing video, they are removed from the phone after
transmission or when the app exits.
● the mobile app session token has a timeout after which no more data can be sent to the
In the event a critical bug or security vulnerability is discovered in any portion of the suite, customers
will be notified immediately.
Standard EHR Integration Model
We use a standard EHR vendor-supported integration model. When launched, the EHR passes
information to our on-premises server via HTTPS. We configure our HTTPS settings to maintain
an A+ rating from SSL Labs.
The passed-in patient and encounter data includes, but is not limited to, the patient name,
MRN, DOB, gender, and the encounter identifier. This data is stored ephemerally via a custom
server API, and this data cannot be retrieved via the API. The patient and encounter data are
associated with a random session identifier. All data is purged from the server datastore upon
successful transmission to the enterprise medical imaging archive (e.g. PACS/VNA).
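An added illustration of the session-token design described above, not ImageMover's code: patient context lives only in server memory under a random token, the client-facing call never returns it, and the entry is deleted on successful transmission or on timeout. The class, method names and default timeout are hypothetical.

```python
import secrets
import time


class TransientSessionStore:
    """Hypothetical in-memory store: PHI is keyed by a random token, never read back."""

    def __init__(self, ttl_seconds=900, clock=time.monotonic):
        self._ttl = ttl_seconds   # assumed default; the page only says "configurable"
        self._clock = clock
        self._sessions = {}       # process memory only, nothing is written to disk

    def open_session(self, patient_context):
        """Called on EHR launch; returns the opaque token a QR code would carry."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, no PHI inside
        self._sessions[token] = {"ctx": dict(patient_context), "files": [],
                                 "expires": self._clock() + self._ttl}
        return token

    def _live(self, token):
        session = self._sessions.get(token)
        if session is not None and self._clock() >= session["expires"]:
            del self._sessions[token]      # timed out: purge on first touch
            return None
        return session

    def accept_upload(self, token, blob):
        """Mobile-facing call: write-only, returns a bool and never patient data."""
        session = self._live(token)
        if session is None:
            return False
        session["files"].append(blob)
        return True

    def transmit(self, token, send):
        """Forward to the archive; purge only if send() returns without raising."""
        session = self._live(token)
        if session is None:
            return False
        send(session["ctx"], session["files"])
        del self._sessions[token]
        return True

    def purge_expired(self):
        """Periodic sweep for abandoned sessions that were never touched again."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items() if now >= s["expires"]]
        for token in dead:
            del self._sessions[token]
        return len(dead)
```

If `send()` raises, the session stays in memory until the timeout, which matches the "until successfully transmitted or until the timeout elapses" behaviour the page describes.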
The on-premises appliance is completely hosted by the customer. No PHI ever egresses their
network to the Internet.
The ImageMover server VM can be deployed as an Open Virtual Appliance (OVA) file. Once installed,
the server can receive patient information passed from the EHR by invoking the ImageMover
URL via the HTTPS network protocol.
The standard mechanism through which data is passed to the URL is an HTTPS ‘GET’. Because the
VM is within the customer’s secure environment, and only authorized personnel
are permitted to access the EHR, this is quite secure. However, if a client is still concerned that
passing data via GET can expose client details in the URL of the browser, ImageMover can optionally
deploy an HTTPS ‘POST’ mechanism. In this approach, a proxy intercepts the request
into the very beginning of the HTML body.
Additionally, the parameters passed to the URL can be provided via a “SMART on FHIR” implementation,
where SMART = Substitutable Medical Applications & Reusable Technologies and
FHIR = Fast Health Information Resources. This provides a built-in security authorization mecha-
People and Access
ImageMover performs background reference checks for employees and annual HIPAA training
for all employees.
All access and user identity management functionalities are completely controlled within the
EHR system; user management is not performed within the ImageMover application.
Most administration of provided appliances is performed via automation. Only designated individuals
have privileges to release automation changes. Any manual access, if applicable, is performed
by qualified employees via secure mechanisms.
ImageMover engineers will require VPN (Virtual Private Network) access to the VM over TCP
port 443. TCP port 443 must also be open to all EMR clients (such as Epic Hyperspace) and mobile
devices for the ImageMover application suite to function. TCP port 443 is typically used for
access to web services over HTTPS and is one of the more common ports to leave open in production
systems. This port is typically highly monitored by hospital security and thus an allowed
For inside-network deployments, the ImageMover server must have network access to outbound
TCP traffic on port 443. For network DMZ (Demilitarized Zone) deployments, the server
must have network access to inbound and outbound TCP traffic on port 443. Without this access,
ImageMover cannot provide critical systems maintenance and configuration updates.
Should the need arise, ImageMover systems engineers will work with your institution's support
team to schedule and perform emergency changes. At this time, no change management processes
are required for releases to production. Our engineers will work with your institution’s
support team to coordinate these maintenance windows.
If required by an ImageMover partner/reseller, then some maintenance activities may be performed
by their trained personnel.
Third Party Security
Business associate agreements and/or other business agreements are utilized with all partners,
third parties and vendors with whom we share information that requires them to implement
appropriate security procedures to maintain confidentiality, privacy, integrity, and availability of
any electronic PHI.
ImageMover is a HIPAA-compliant transit system. No electronic PHI data persists on either the
client mobile device or the server. PHI that may be viewed by the system is limited to patient
demographics already visible from within the EHR. Transmitted files are stored temporarily, either
until successfully transmitted to your institution's PACS, for example, or until the configurable
timeout period elapses. The system will not handle any credit card data or Social Security
numbers. The source data will be raw images, videos, or DICOM files captured by users designated
by your institution. The data output from the system will typically be DICOM files viewed
on a downstream system managed by your institution. The server does not persist to a database;
instead, it uses an in-memory transient datastore. The ImageMover suite of applications
does not perform data retention as it is a processing and transit system only.
No images or videos are ever stored on mobile devices; they are stored only transiently, for the
duration of a configurable session timeout, on the on-premises appliance. The transient datastore
is contained within the on-premises vendor provided hardware. A database is not utilized
to store any data persistently. Data is then purged upon successful transmission of images to
the medical imaging archive.
PHI is also never logged unless explicitly requested by a customer for auditing. In this case, we
write PHI directly to a special log file that is not the default logging file.
ImageMover mobile retains activity logs on the application server for 30 days by default. These
logs contain date, time, and transaction information; they do not contain any data pertaining to
queries, inquiries, who viewed a patient record, how long they looked at it, or what they looked
at. ImageMover can configure the system to transmit these logs to the syslog destination of
your institution's choosing. ImageMover support personnel receive alerts regarding any system
Although we have made concerted efforts to securely transmit data, transmission over the Internet
cannot be considered 100% secure. If you discover a vulnerability, please disclose it to us
by contacting our Customer Support team or emailing firstname.lastname@example.org with de-