SHOEBOX™ is an iPad-based audiometer and cloud storage service that lets users perform clinically valid hearing tests and store the results in a way that is secure and compliant. SHOEBOX is the audiometry division of Clearwater Clinical Limited.
All data captured using the SHOEBOX app is stored in a segregated database that is ‘firewalled’ from other iPad applications. Backups to non-compliant systems, such as a personal computer, are disabled. If selected, data is automatically backed up to a HIPAA compliant cloud-based server. Data is encrypted in transit and at rest once stored in the cloud.
The SHOEBOX cloud service is built on top of Amazon’s HIPAA-compliant cloud infrastructure called AWS. Amazon follows industry-leading practices to protect customer data, and the security features in SHOEBOX are based on this solid foundation. Our policies and procedures document administrative, physical, and technical safeguards to ensure data security, integrity, and availability. The most modern techniques have been leveraged to design, build, test, and deploy our software in a reliable and secure manner. Built on legacy-free technology from the start, SHOEBOX has been architected with security as its main focus.
Data Privacy and Regulatory Compliance
Our policies and procedures were developed in consultation with U.S. and Canadian legal privacy experts, and designed to help ensure the privacy and security of data transmitted and hosted by our applications. The company maintains compliance with US HIPAA regulations, Canadian privacy legislation, and ISO13485 requirements. Independent third parties audit these policies and procedures. Audit reports are available upon request with a signed non-disclosure agreement.
Security and Risk Analysis
The company has conducted a complete security and risk analysis in accordance with the NIST 800-30 Risk Management Guide and has implemented mitigations for all conceived attack vectors. An external audit conducted by HIPAA Solutions RX concluded that “Clearwater had conducted one of the more thorough and comprehensive HIPAA Security/Privacy Risk Analysis seen over the years” and that the consultant “was unable to identify any significant risks/privacy vulnerabilities that have not been addressed by Clearwater”.
Business Associate Agreement (BAA) for HIPAA
Clearwater’s production system runs on Amazon’s HIPAA-compliant AWS system. Clearwater has a signed BAA with Amazon. Clearwater also offers a BAA to US customers of its SHOEBOX service.
Data Collection, Transmission, and Storage
The SHOEBOX app can be used to collect the following data:
- Patient audiograms
- Notes about the audiograms
- Patient name, chart number, date of birth, and gender
After creating an account with SHOEBOX, data collected from the app is transmitted over an encrypted connection to the SHOEBOX cloud service unless the user disables this feature. All data stored in the cloud service is encrypted using 256 bit AES. The SHOEBOX cloud service is hosted in the US by Amazon. Access requires authentication using a username and password created during setup.
Account Creation and Password Policy
During the purchase of the app, users are required to create an account with a username and password. The username must be the email address. User-generated passwords must be at least 8 characters and be complex (at least 1 uppercase & 1 lowercase & 1 number). Before the account can be used, the user must verify the account by clicking on a link emailed to the user.
When the user initially sets their password, we hash the password with PBKDF2 using a secure, randomly-generated salt and store the hash in our database. A password is authenticated by comparing with the hashed version of the password stored in the database. The original plaintext values are never retained by Clearwater.
Passwords can be reset by using the ‘Forgot Password’ feature on the web portal. The system will send an email to the user with a link to reset their password.
The company has documented policies that prohibit the storage of Protected Health Information (PHI) at Clearwater offices or on Clearwater owned computers, email systems, or in any 3rd party services other than our HIPAA-compliant Amazon production servers. All data is hosted in the U.S. by Amazon. Data is physically secured in Amazon’s data warehouses only. These facilities are monitored and staffed 24×7 and the servers are protected in locked cages. Details of the extensive security features can be found here.
Access to the Production Environment
The SHOEBOX system is designed so that no Clearwater employee can access customer data, except under exceptional circumstances. Software developers only have access to a separate Staging environment. Deployment of software updates to production is done via a release team that has restricted access to only update software but will not have access to production data. Access to the production environment is protected using an authenticated VPN connection. Access also requires a second factor, one-time password card.
Access to customer data requires a special request from the customer and with the approval of senior management. All employees with access to the production system have been screened with criminal background checks.
Separation from Company Network
Clearwater’s internal company network is entirely separate from the production network. Access to production requires an authenticated VPN connection and one-time password card.
Clearwater pays a premium for dedicated machines on Amazon’s cloud. All machine ports are locked down with security groups using a firewall, leaving only a single port available to the traffic management network. All storage uses encrypted volumes at all times.
Internal and External Security Testing and Verification
Clearwater performs internal and external security testing to verify the integrity of our systems. Code is automatically scanned during our regular build process. Our employees are trained on standard security best practices for software development to minimize the chance of introducing vulnerabilities into our code. Our technology selection further encourages these practices. For example, SQL injection attacks are prevented by exclusive use of prepared statements for database access. In addition, we conduct regular peer reviews of code. New issues are tracked and assigned to our engineering team as part of our daily review process.
The company engages external penetration testers to validate security controls. Testing involves vulnerability testing of our network and application code.
Vulnerability Management and Patching
Our engineering team monitors security alerts from multiple sources. Alerts for security issues and patches for infrastructure are automatically generated. Security alerts are managed and prioritized in our issue tracking system. Validated issues are then assigned to our engineering team for remediation. All issues are recorded, assigned and closed in our issue management system.
Our engineering team conducts daily reviews of the backlog and issues are assigned according to priorities. Mission-critical issues are monitored daily and addressed immediately if there are implications to our production systems. Regular security patches are reviewed and applied on a bi-weekly basis.
All issues are tested in staging and QA environments prior to release. An ISO13485 compliant documented procedure and flowchart gates how features are scheduled, how they are tested, and how they are certified to be released into production.
OS and Database Hardening
We only use Amazon-certified pre-hardened OS images to build our platform. By default, our security policies state that all ports be closed, and then only opened to the minimum required to provide access to our services.
System Monitoring and Logging
Amazon Cloudwatch monitors the health of our systems. We also use a flexible and scalable system to centralize access logs, and we monitor those logs to look for suspicious activity. Logging covers all authentication attempts, as well as all create, update, delete, and view requests of patient data.
In the unlikely event of a breach, we have documented procedures to deal with security alerts, as well as a HIPAA-compliant breach notification policy. Upon detection of a breach, our policy dictates we notify customers without unreasonable delay, and in no case more than 10 business days.
Quality Assurance and Testing
Clearwater has an ISO 13485 compliant process for maintaining the quality of our software. Any code changes are tested using a combination of manual and automated regression tests. All code changes are tested in separate QA and Staging environments prior to release.
Business Continuity and Backups
Both Clearwater and Amazon have defined Emergency mode and Disaster recovery procedures designed to ensure business continuity in any situation.
Our backup system operates as follows:
- All data in the SHOEBOX database is backed up daily.
- Daily backups are stored for 1 year.
- The database journal (incremental data changes) is backed up in real time.
- Database backups are stored on Amazon S3 and can be recovered in 6 hours.
- Data in the storage service, S3, is redundant with 3 copies of data in different physical locations.
Our backup strategy protects against irreversible database corruption.
System Availability and Redundancy
Our solution automatically scales resources based on load and balances across physically separated data centers.
Our system has been designed for 100% availability, however, if scheduled downtime is required, we will provide at least 48 hours prior notice.
As long as your account is active, any data backed up to your cloud account will be retained until you intentionally delete it. If you cancel or do not renew your cloud subscription, you will have 60 days to download your data after which it will be permanently deleted from the system.
Telephone and email support are available from 9-5pm Eastern Standard Time.
All employees with access to PHI have been trained on data privacy and HIPAA compliance.