At SHOEBOX Ltd. (“SHOEBOX”), the security of your data is critical. The purpose of this security statement is to provide a high-level overview of our security architecture, security frameworks, data handling methods, policies, procedures, certifications, and compliance.
About SHOEBOX Products
SHOEBOX® Audiometry Standard and SHOEBOX® Audiometry Pro are registered medical devices in certain jurisdictions. They are tablet-based audiometers that perform diagnostic hearing testing.
SHOEBOX® QuickTest is a tablet-based hearing screening test. SHOEBOX QuickTest is not a medical device.
SHOEBOX® Online is an online hearing screening test. SHOEBOX Online is not a medical device.
SHOEBOX® Data Management Portal is a cloud data storage system that is used to synchronize and store the data collected in association with the use of all SHOEBOX products. SHOEBOX Data Management Portal is not a medical device.
Collectively, we refer to these products as the “SHOEBOX Solutions”.
The products that run on iOS (iPad) are SHOEBOX® Audiometry Standard, SHOEBOX® Audiometry Pro, and SHOEBOX® QuickTest and are collectively referred to as SHOEBOX Apps.
All data captured using the SHOEBOX Apps is stored in a database segregated from other iPad applications by iOS app sandboxing (‘firewalled’ from them). Backups to non-compliant systems, such as a personal computer, are disabled. If the customer enables cloud backup, data is automatically backed up to a HIPAA-compliant cloud server. Data is encrypted in transit and at rest once stored in the cloud.
SHOEBOX® Data Management Portal is built on Amazon Web Services (AWS), using Amazon’s HIPAA-eligible services under a Business Associate Agreement (see the BAA section below). Amazon follows industry-leading practices to protect customer data, and the security features in SHOEBOX Solutions build on that foundation. Our policies and procedures document the administrative, physical, and technical safeguards that protect data confidentiality, integrity, and availability. Modern techniques are used to design, build, test, and deploy our software in a reliable and secure manner. Built on legacy-free technology from the start, SHOEBOX Solutions were architected with security as their main focus.
Data Privacy and Regulatory Compliance
Our policies and procedures were developed in consultation with U.S. and Canadian legal privacy experts and are designed to help ensure the privacy and security of data transmitted and hosted by our applications. The company maintains compliance with US HIPAA regulations, Canadian privacy legislation, and ISO 13485 requirements. Independent third parties audit these policies and procedures. Audit reports are available upon request under a signed non-disclosure agreement.
Security and Risk Analysis
The company has conducted a complete security and risk analysis in accordance with NIST SP 800-30 (Risk Management Guide) and has implemented mitigations for all identified attack vectors. An external audit conducted by HIPAA Solutions RX concluded that “SHOEBOX had conducted one of the more thorough and comprehensive HIPAA Security/Privacy Risk Analysis seen over the years” and that the consultant “was unable to identify any significant risks/privacy vulnerabilities that have not been addressed by SHOEBOX”.
Business Associate Agreement (BAA) for HIPAA
SHOEBOX® Data Management Portal runs on Amazon’s HIPAA-eligible AWS services. SHOEBOX Ltd. has a signed BAA with Amazon. SHOEBOX Ltd. also offers a BAA to US customers of its SHOEBOX service.
Data Collection, Transmission, and Storage
The SHOEBOX Apps can be used to collect the following data:
- Patient audiograms
- Notes about the audiograms
- Patient name, chart number, date of birth, and gender
Once an account has been created, data collected by the SHOEBOX Apps is transmitted over an encrypted connection to the SHOEBOX® Data Management Portal unless the user disables this feature. All data stored in the SHOEBOX® Data Management Portal is encrypted at rest using AES-256. Depending on your location, the SHOEBOX® Data Management Portal where your data is stored is hosted in either a US or a Canadian AWS data centre. Access requires authentication with the username and password created during setup.
Account Creation and Password Policy
During the purchase of the app, users are required to create an account with a username and password. The username is the user’s email address. Password complexity policies are configurable by minimum length, require letters and numbers, require upper and lower case, special characters, lockout attempts, lockout length, password reuse, and expiration. Before the account can be used, the user must verify it by clicking on a link emailed to them.
When the user initially sets their password, we hash the password with PBKDF2 using a secure, randomly generated salt and store the salt and hash in our database. At login, the submitted password is hashed with the stored salt and the result is compared with the stored hash. The original plaintext values are never retained.
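The following Python illustrates the hashing and verification scheme described above. It is an added example written for this page, not SHOEBOX’s own code: the digest (SHA-256), 16-byte salt, 32-byte derived key, the self-describing record format and the iteration count of 600,000 (OWASP’s current minimum for PBKDF2-HMAC-SHA256) are assumptions chosen for the example, since this statement does not publish SHOEBOX’s parameters.

```python
import base64
import hashlib
import hmac
import secrets

# Parameters are assumptions for this example; the statement above does not
# publish SHOEBOX's digest, salt length, key length or iteration count.
DIGEST = "sha256"
ITERATIONS = 600_000      # OWASP's current minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32
ALLOWED_DIGESTS = ("sha256", "sha512")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key from the password with a fresh random salt.

    The record is self-describing ("pbkdf2_sha256$600000$<salt>$<key>", salt
    and key base64-encoded) so the iteration count can be raised later
    without breaking verification of records made under the old setting.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join((
        f"pbkdf2_{DIGEST}",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ))


def _parse_record(record: str):
    """Split a stored record into (digest, iterations, salt, key).

    Raises ValueError for anything malformed (wrong field count, unknown
    scheme, non-integer iterations, bad base64, empty key).
    """
    scheme, iterations_s, salt_b64, key_b64 = record.split("$")
    if not scheme.startswith("pbkdf2_"):
        raise ValueError("unknown scheme")
    digest = scheme[len("pbkdf2_"):]
    if digest not in ALLOWED_DIGESTS:
        raise ValueError("unsupported digest")
    iterations = int(iterations_s)
    if iterations < 1:
        raise ValueError("bad iteration count")
    salt = base64.b64decode(salt_b64, validate=True)
    key = base64.b64decode(key_b64, validate=True)
    if not salt or not key:
        raise ValueError("empty salt or key")
    return digest, iterations, salt, key


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and parameters, then compare.

    hmac.compare_digest runs in constant time, so response latency does not
    reveal how many leading bytes matched. A malformed record is treated as a
    failed login rather than raising into the caller.
    """
    try:
        digest, iterations, salt, expected = _parse_record(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record is weaker than current policy.

    Call right after a successful login, while the plaintext is still in
    memory, and re-hash it so old records are upgraded transparently.
    """
    try:
        digest, stored_iterations, _, _ = _parse_record(record)
    except ValueError:
        return True
    return digest != DIGEST or stored_iterations < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw:", verify_password("Correct horse battery staple", rec))
```

Because the salt is drawn fresh each time, hashing the same password twice yields two different records, so equal passwords cannot be spotted by comparing stored hashes. Storing the parameters in the record is what makes the periodic iteration-count increase a routine operation rather than a forced password reset.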
Passwords can be reset by using the ‘Forgot Password’ feature on the web portal. The system will send an email to the user with a link to reset their password.
The company has documented policies that prohibit the storage of Protected Health Information (PHI) at SHOEBOX offices, on SHOEBOX-owned computers or email systems, or in any third-party service other than our HIPAA-compliant Amazon production servers. All data is hosted by Amazon in the US or Canadian AWS region described above. Data is physically secured only in Amazon’s data centres. These facilities are monitored and staffed 24×7, and the servers are protected in locked cages. Amazon publishes details of these physical security controls.
Access to the Production Environment
SHOEBOX Solutions are designed so that no SHOEBOX employee can access customer data, except under exceptional circumstances. Software developers have access only to a separate Staging environment. Software updates are deployed to production by a release team whose access is restricted to updating software; it has no access to production data. Access to the production environment is protected by an authenticated VPN connection and requires a second factor, a one-time password card.
Access to customer data requires a specific request from the customer and the approval of senior management. All employees with access to the production system have been screened with criminal background checks.
Separation from Company Network
SHOEBOX’s internal company network is entirely separate from the production network. Access to production requires an authenticated VPN connection and one-time password card.
All machine ports are closed by AWS security group firewall rules, leaving only a single port open, and only to the traffic management network. All storage uses encrypted volumes at all times.
Internal and External Security Testing and Verification
SHOEBOX performs internal and external security testing to verify the integrity of our systems. Code is automatically scanned during our regular build process. Our employees are trained on standard security best practices for software development to minimize the chance of introducing vulnerabilities into our code. Our technology selection further encourages these practices. For example, SQL injection attacks are prevented by exclusive use of prepared statements for database access. In addition, we conduct regular peer reviews of code. New issues are tracked and assigned to our engineering team as part of our daily review process.
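As an added illustration of the prepared-statement point above (example code written for this page, not SHOEBOX’s own; the patient table, its rows and the sqlite3 driver are constructed for the example), the following Python shows a lookup by chart number built by string formatting beside the same lookup as a prepared statement, and what a classic injection payload does to each:

```python
import sqlite3

# Constructed sample data for the example; not SHOEBOX's schema or records.
SAMPLE_PATIENTS = [
    ("A-1001", "Pat One"),
    ("A-1002", "Pat Two"),
    ("A-1003", "Pat Three"),
]

# Classic payload: closes the quoted literal, then ORs in a tautology.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory database with a small patient table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient ("
        " id INTEGER PRIMARY KEY,"
        " chart_number TEXT NOT NULL,"
        " name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO patient (chart_number, name) VALUES (?, ?)", SAMPLE_PATIENTS
    )
    return conn


def find_by_chart_vulnerable(conn: sqlite3.Connection, chart_number: str) -> list:
    """Anti-pattern: the caller's text is spliced into the SQL, so the
    database parses it as SQL grammar, not as a value."""
    sql = f"SELECT name FROM patient WHERE chart_number = '{chart_number}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_chart_prepared(conn: sqlite3.Connection, chart_number: str) -> list:
    """Prepared statement: the SQL text is fixed and the driver binds the
    value separately, so it can only ever be compared, never parsed."""
    sql = "SELECT name FROM patient WHERE chart_number = ?"
    return [row[0] for row in conn.execute(sql, (chart_number,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", find_by_chart_vulnerable(db, "A-1002"))
    print("vulnerable, payload:    ", find_by_chart_vulnerable(db, INJECTION_PAYLOAD))
    print("prepared,   payload:    ", find_by_chart_prepared(db, INJECTION_PAYLOAD))
```

With the payload, the formatted query becomes `SELECT name FROM patient WHERE chart_number = '' OR '1'='1'` and returns every patient, while the prepared statement looks for a chart number literally equal to the payload string and returns nothing. Binding covers values only: table and column names and the direction of an ORDER BY cannot be parameters, so anything user-controlled in those positions must be checked against an allow-list instead.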
The company engages external penetration testers to validate security controls. Testing involves vulnerability testing of our network and application code.
Vulnerability Management and Patching
Our engineering team monitors security alerts from multiple sources. Alerts for security issues and patches for infrastructure are automatically generated. Security alerts are managed and prioritized in our issue tracking system. Validated issues are then assigned to our engineering team for remediation. All issues are recorded, assigned and closed in our issue management system.
Our engineering team conducts daily reviews of the backlog and issues are assigned according to priorities. Mission-critical issues are monitored daily and addressed immediately if there are implications to our production systems. Regular security patches are reviewed and applied on a bi-weekly basis.
All issues are tested in staging and QA environments prior to release. An ISO 13485-compliant documented procedure and flowchart gate how features are scheduled, how they are tested, and how they are certified for release into production.
OS and Database Hardening
We build our platform only from Amazon-certified, pre-hardened OS images. Our security policy requires that all ports be closed by default and opened only to the minimum required to provide access to our services.
System Monitoring and Logging
Amazon CloudWatch monitors the health of our systems. We also use a flexible and scalable system to centralize access logs, and we monitor those logs for suspicious activity. Logging covers all authentication attempts, as well as all create, update, delete, and view requests for patient data.
In the unlikely event of a breach, we have documented procedures to deal with security alerts, as well as a HIPAA-compliant breach notification policy. Upon detection of a breach, our policy dictates we notify customers without unreasonable delay, and in no case more than 10 business days.
Quality Assurance and Testing
SHOEBOX has an ISO 13485-compliant process for maintaining the quality of our software. All code changes are tested using a combination of manual and automated regression tests, in separate QA and Staging environments, prior to release.
Business Continuity and Backups
Both SHOEBOX and Amazon have defined emergency-mode and disaster-recovery procedures designed to ensure business continuity.
Our backup system operates as follows:
- All data in the SHOEBOX® Data Management Portal is backed up daily.
- Daily backups are stored for 1 year.
- The database journal (incremental data changes) is backed up in real time.
- Database backups are stored on Amazon S3 and can be restored within 6 hours.
- Data in S3 is stored redundantly, with 3 copies in different physical locations.
Our backup strategy protects against irreversible database corruption.
System Availability and Redundancy
Our solution automatically scales resources based on load and balances across physically separated data centers.
Our system has been designed for 100% availability. If scheduled downtime is required, we will provide at least 48 hours’ prior notice.
As long as your account is active, any data backed up to your cloud account will be retained until you intentionally delete it. If you cancel or do not renew your cloud subscription, you will have 60 days to download your data after which it may be permanently deleted from the system.
Telephone and email support are available from 8am – 8pm Eastern Standard Time.
All employees with access to PHI have been trained on data privacy and HIPAA compliance.