Privacy Policy

Overview

ImageMoverMD, Corp (“ImageMover”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic data it receives, processes and/or transmits on behalf of its Customers or its Partners’ Customers.

Providers have rapidly adopted mobile and tablet technologies. With provider adoption of smartphones now greater than 80%, ImageMover is well positioned to leverage these devices for the secure capture of medical images. The risk of losing a mobile device that holds patient information gives hospitals an enormous incentive to implement a HIPAA (Health Insurance Portability and Accountability Act) compliant mobile capture solution such as ImageMover Mobile.

The ImageMover software suite is comprised of a mobile app (for our secure mobile image capture solution) and an on-site VM (Virtual Machine) appliance hosted at the client site for the rest of the suite. We offer encounter-centric, workflow-based solutions that are typically launched via a standard yet secure web link directly from the customer EHR (Electronic Health Record) system.

As providers of compliant, on-premises software used by health providers, ImageMover strives to maintain compliance, proactively address information security, mitigate risk for its customers, and, should a breach occur, communicate that information completely, effectively and in a timely manner.

HIPAA Security Standards

ImageMover complies with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which regulate how personal health information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal. These laws affect all areas of the health care industry; HIPAA was designed to improve the portability and continuity of health benefits and, specifically, requires the adoption of sound practices for protecting the confidentiality of all patient information in any form.

Every organization, regardless of size, that handles, maintains, stores or exchanges private health or patient-related information is subject to HIPAA, whether as a covered entity or as a business associate. ImageMover, as a technology partner to Health Care Organizations, is committed to ensuring the confidentiality, integrity and availability of all protected electronic information. We are dedicated to the privacy and security of our customers’ information and facilitate compliance with the overall spirit and intent of the HIPAA requirements. Should the laws concerning HIPAA change in future, ImageMover is well positioned to incorporate any new compliance requirements. This level of due diligence gives our health care customers the confidence to deploy their secure image capture and routing workflows without risking non-compliance.

ImageMover provides the healthcare customer with a suite of security mechanisms to ensure the highest standards of patient confidentiality and overall data protection with regard to electronic Protected Health Information (ePHI) and in accordance with HIPAA.

HIPAA security compliance is not achieved with a single piece of hardware, software, or process. All IT technologies and processes must work together to create a secure environment. Each security practice was considered within our own technological environment. The following is a summary of the HIPAA Security Rule standards.

HIPAA security standards are divided into the following categories:

ADMINISTRATIVE SAFEGUARDS

In general, this section of the HIPAA Security Rule describes administrative procedures that include formal practices governing the implementation of security measures and the conduct of personnel. We have documented, formal practices to manage the selection and implementation of these safeguards and guide the conduct of our personnel in relation to the protection of information.

PHYSICAL SAFEGUARDS

This category focuses on the mechanisms required for the protection of physical computer systems, equipment and the building in which ePHI is stored. We adhere to documented procedures which manage the protection of physical computer systems and related buildings and equipment from fire, intrusion, and other natural and environmental hazards.

TECHNICAL SAFEGUARDS

This category covers the technology and related policies used to protect ePHI and control access to it. The Security Rule’s technical safeguard standards are access control, audit controls, integrity, person or entity authentication, and transmission security; the last of these includes encryption of data in transit to protect its integrity and confidentiality.

Architecture

The ImageMover suite consists of several applications. The mobile application uses an iOS or Android phone app together with VM-based server functionality, whereas the other suite applications (e.g. Uploaders, Modality) rely on the VM functionality only.

The ImageMover VM runs on Ubuntu Linux. An Apache web server hosts the Angular web front end that provides the browser endpoint URL (Uniform Resource Locator) to which the patient context is passed by the EHR. Proprietary server software performs the image, video, DICOM (Digital Imaging and Communications in Medicine), HL7 (Health Level 7), and XDS (Cross-Enterprise Document Sharing) processing and routing.

The application suite UI can integrate with your institution's EHR or HIS (Hospital Information System) and send the resulting data to your PACS (Picture Archiving and Communication System), VNA (Vendor Neutral Archive), and/or Modality Worklist Server. ImageMover essentially acts as intelligent middleware to facilitate healthcare “imaging” workflows.

The mobile product’s phone app uses TLS (Transport Layer Security; commonly still called SSL) certificates and a whitelist server to ensure that only valid, authorized users are capturing and sending data to the VM-based server. No patient demographic data is ever present on the phone, only an obfuscated link (an opaque session token) to the actual patient information on the server itself. The browser connection to the appliance UI likewise requires a valid certificate to ensure secure communications.

The ImageMover VM server uses an in-memory datastore that is reached only through a custom API. Because no SQL (Structured Query Language) database is involved, the security flaws associated with SQL databases, such as SQL injection and data persisting on disk, do not apply, and the storage of patient demographic and encounter information is transient only. (The data still resides in the VM’s memory while a session is live, so the appliance host should be protected against swap and snapshot exposure like any other system handling ePHI.)

Application Security Measures

ImageMover follows best practices for software engineering and system hardening. Authentication with ImageMover requires the user to launch the suite UI from within the EHR. This means that a user must already be authenticated to your institution's EHR system to use ImageMover.

The ImageMover server runs as a service on an internally-hosted VM in your infrastructure and does not require a logged-in user in order to run. It does not require any special user accounts in your institution's user directory (e.g. Active Directory). ImageMover mobile clients require only that the ImageMover mobile application be installed on their mobile device in order to scan the QR code and then capture data.

Remote access to the server is restricted to authorized ImageMover support personnel using SSH public/private key-pair authentication. Our systems use a host-based firewall to prevent unauthorized network access. The operating system checks for required security patches nightly and applies unattended updates. ImageMover application suite patches are attended and are applied during maintenance windows per the customer’s needs. All web traffic is required to use HTTPS (HyperText Transfer Protocol - Secure).

Measures taken to harden ImageMover systems include disabling all boot devices other than the system root volume, requiring a VPN to access the system remotely, limiting SSH access to users with valid key-pairs, a host-based firewall that blocks inbound access on all ports other than TCP (Transmission Control Protocol) port 443, and appropriate sandboxing for all ImageMover applications. All network transmissions use TLS (Transport Layer Security) 1.3, or newer as it becomes available, wherever the peer supports it.

ImageMover has security measures in place to help protect against the loss, misuse or alteration of information under our control.

These general measures include:

● our ImageMover server software resides behind the customers’ firewall

● encryption of data in transit using TLS

● the server must have a valid TLS (SSL) certificate matching its hostname, intermediate certificates must be provided, and the root CA (Certificate Authority) must be widely recognized

● the use of a randomized session token ID that points to the actual patient PHI information on the fire-walled ImageMover server

● photos, videos, and patient information are only ephemerally stored on the server for processing and transmission to the final destination(s)

The ImageMover mobile product presents the largest attack surface of the suite, since it also includes a mobile device app. Thus, the mobile product underwent a dedicated vulnerability assessment by the security auditing firm Rapid7 (www.rapid7.com), and no vulnerabilities were identified. By design, no PHI is ever present on mobile devices.

The mobile phone app measures include:

● the mobile app is generally unaware of any PHI – it communicates data associated with a session token

● the user must scan a QR (Quick Response) code to connect to the randomized session

● the mobile app is only aware of the session identifier once connected

● the app must successfully validate the scanned QR code against a whitelist service

● certificate pinning on the connection to the whitelist service

● images & videos are purged from memory immediately upon successful transmission. If temporary files are created when capturing video, they are removed from the phone after transmission or when the app exits.

● the mobile app session token has a timeout after which no more data can be sent to the server

In the event a critical bug or security vulnerability is discovered in any portion of the suite, customers will be notified immediately.

Standard EHR Integration Model

We use a standard EHR vendor-supported integration model. When launched, the EHR passes information to our on-premises server via HTTPS. We configure our HTTPS settings to maintain an A+ rating from Qualys SSL Labs.

The passed-in patient and encounter data includes, but is not limited to, the patient name, MRN, DOB, gender, and the encounter identifier. This data is stored ephemerally via a custom server API, and this data cannot be retrieved via the API. The patient and encounter data are associated with a random session identifier. All data is purged from the server datastore upon successful transmission to the enterprise medical imaging archive (e.g. PACS/VNA).
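As an added illustration, not ImageMover's own code (the server API is proprietary and not shown on this page), the following Python sketch shows the session-scoped, token-keyed ephemeral handling that both the mobile-app measures above and this integration paragraph describe: a random opaque token that carries no PHI, demographics held only in memory, no API call that hands demographics back to a client, a timeout after which the token is dead, purge only after a successful hand-off, and an audit line that records the transaction without the PHI. The 15-minute default TTL, the `send` callback signature, the `imagemover.example.local` hostname and the sample patient record are all constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed default; the page only says the session timeout is configurable.
SESSION_TTL_SECONDS = 15 * 60


@dataclass
class _Session:
    demographics: dict                     # name, MRN, DOB, gender, encounter id from the EHR launch
    created: float                         # clock reading when the EHR launched the session
    uploads: list = field(default_factory=list)   # captured image/video bytes awaiting routing


class EphemeralStore:
    """Token-keyed, in-memory session store.

    The token is the only thing the mobile app ever sees. No method returns the
    demographics to a caller; they are only handed to the routing callback.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._sessions = {}

    def open_session(self, demographics):
        """Called on EHR launch. Returns an opaque 256-bit token that carries no PHI."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = _Session(dict(demographics), self._clock())
        return token

    def _live(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._clock() - s.created > self._ttl:
            del self._sessions[token]   # timed out: demographics and uploads are dropped together
            return None
        return s

    def is_valid(self, token):
        """Whitelist-style check the mobile app performs after scanning the QR code."""
        return self._live(token) is not None

    def attach_upload(self, token, blob):
        """Mobile upload endpoint: accepts data only for a live, unexpired session."""
        s = self._live(token)
        if s is None:
            return False
        s.uploads.append(blob)
        return True

    def route_and_purge(self, token, send):
        """Hand demographics plus uploads to `send` (assumed signature
        send(demographics, uploads) -> bool, e.g. a PACS/VNA sender) and purge
        only on success, so a failed transmission can be retried until the timeout."""
        s = self._live(token)
        if s is None:
            return False
        if not send(s.demographics, s.uploads):
            return False
        del self._sessions[token]
        return True

    def sweep(self):
        """Background purge of expired sessions; returns how many were removed."""
        now = self._clock()
        expired = [t for t, s in self._sessions.items() if now - s.created > self._ttl]
        for t in expired:
            del self._sessions[t]
        return len(expired)


def qr_payload(base_url, token):
    """What the QR code on the clinician's screen encodes: a URL carrying the token only."""
    return f"{base_url}/session/{token}"


def audit_line(event, token, at=None):
    """Default-log entry: timestamp, transaction and a truncated token, never demographics."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(time.time() if at is None else at))
    return f"{stamp} {event} session={token[:8]}..."


if __name__ == "__main__":
    # Constructed sample launch record, not real patient data.
    store = EphemeralStore(ttl=60)
    tok = store.open_session({"name": "Test Patient", "MRN": "000001",
                              "DOB": "1970-01-01", "gender": "F", "encounter": "E1"})
    print(qr_payload("https://imagemover.example.local", tok))
    store.attach_upload(tok, b"\xff\xd8...jpeg bytes...")
    print(audit_line("upload", tok))
    print("routed:", store.route_and_purge(tok, lambda demo, uploads: True))
    print("still valid:", store.is_valid(tok))
```

The design point worth noticing is that a failed `send` leaves the session in place so the clinician can retry, while the timeout still bounds how long the demographics can live in memory; in a real appliance the sweep would run on a timer, and the `send` callback would be the DICOM/HL7 router.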

The on-premises appliance is completely hosted by the customer. No PHI ever egresses their network to the Internet.

The ImageMover server VM can be deployed as an Open Virtual Appliance (OVA) file. Once installed, the server can receive patient information passed from the EHR by invoking the ImageMover URL via the HTTPS network protocol.

The standard mechanism through which data is passed to the URL is an HTTPS ‘GET’. Because the VM sits within the customer’s secure environment and only authorized personnel are permitted to access the EHR, this is reasonably secure. However, parameters sent via GET appear in the URL shown in the browser and can therefore also be recorded in browser history, web-server access logs and Referer headers. If a client is concerned about that exposure, ImageMover can optionally deploy an HTTPS ‘POST’ mechanism. In this approach, a proxy intercepts the request and injects the provided body, supplied either as JSON (JavaScript Object Notation) or as a form submission, into the very beginning of the HTML body.

Additionally, the parameters passed to the URL can be provided via a “SMART on FHIR” implementation, where SMART = Substitutable Medical Applications, Reusable Technologies and FHIR = Fast Healthcare Interoperability Resources. The SMART App Launch framework is built on OAuth 2.0, so this provides a built-in security authorization mechanism.

People and Access

ImageMover performs background reference checks for employees and annual HIPAA training for all employees.

All access and user identity management functionalities are completely controlled within the EHR system; user management is not performed within the ImageMover application.

Most administration of provided appliances is performed via automation. Only designated individuals have privileges to release automation changes. Any manual access, if applicable, is performed by qualified employees via secure mechanisms.

Maintenance

ImageMover engineers will require VPN (Virtual Private Network) access to the VM over TCP port 443. TCP port 443 must also be open to all EMR clients (such as Epic Hyperspace) and mobile devices for the ImageMover application suite to function. TCP port 443 is typically used for access to web services over HTTPS and is one of the more common ports to leave open in production systems. This port is typically highly monitored by hospital security and thus an allowed communications port.

For inside-network deployments, the ImageMover server must have network access to outbound TCP traffic on port 443. For network DMZ (Demilitarized Zone) deployments, the server must have network access to inbound and outbound TCP traffic on port 443. Without this access, ImageMover cannot provide critical systems maintenance and configuration updates.

Should the need arise, ImageMover systems engineers will work with your institution's support team to schedule and perform emergency changes. At this time, no change management processes are required for releases to production. Our engineers will work with your institution’s support team to coordinate these maintenance windows.

If required by an ImageMover partner/reseller, then some maintenance activities may be performed by their trained personnel.

Third Party Security

Business associate agreements and/or other business agreements are in place with all partners, third parties and vendors with whom we share information; these agreements require them to implement appropriate security procedures to maintain the confidentiality, privacy, integrity, and availability of any electronic PHI.

Data Integrity

ImageMover is a HIPAA-compliant transit system. No electronic PHI data persists on either the client mobile device or the server. PHI that may be viewed by the system is limited to patient demographics already visible from within the EHR. Transmitted files are stored temporarily, either until successfully transmitted to your institution's PACS, for example, or until the configurable timeout period elapses. The system will not handle any credit card data or Social Security numbers. The source data will be raw images, videos, or DICOM files captured by users designated by your institution. The data output from the system will typically be DICOM files viewed on a downstream system managed by your institution. The server does not persist data to a database; it uses an in-memory transient datastore. The ImageMover suite of applications does not perform data retention, as it is a processing and transit system only.

No images or videos are ever stored on mobile devices; they are stored only transiently on the on-premises appliance for the duration of a configurable session timeout. The transient datastore is contained within the on-premises appliance. A database is not utilized to store any data persistently. Data is purged upon successful transmission of images to the medical imaging archive.

PHI is also never logged unless explicitly requested by a customer for auditing. In this case, we write PHI directly to a special log file that is not the default logging file; customers who enable this should protect and retain that file as they would any other ePHI.

Logging

ImageMover mobile retains activity logs on the application server for 30 days by default. These logs contain date, time, and transaction information; they do not contain any data pertaining to queries, inquiries, who viewed a patient record, how long they looked at it, or what they looked at. ImageMover can configure the system to transmit these logs to the syslog destination of your institution's choosing. ImageMover support personnel receive alerts regarding any system failures.

Summary

Although we have made concerted efforts to securely transmit data, transmission over the Internet cannot be considered 100% secure. If you discover a vulnerability, please disclose it to us by contacting our Customer Support team or emailing support@imagemovermd.com with details.