Overview
Radical Imaging LLC takes cybersecurity seriously.
For the software to be used in a secure manner, you must follow a number of best practices which are outlined in the following sections.
User Responsibilities
Account Configuration
To protect patients' privacy and medical information, it is important to secure the computer or mobile devices used to access FlexView. The level of security required depends on your organization's computer and network policies and procedures. Small healthcare practices can benefit from following the guide provided by the U.S. Department of Health and Human Services: "Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices."
When choosing a password, users should select passwords that have not been previously used on other sites. This reduces the risk of unauthorized access should another password-protected account become compromised. Using a password generator and password manager can help create and store unique passwords.
When using FlexView, users must use a compatible and up-to-date browser. Using FlexView with an incompatible or outdated browser may result in unexpected software behavior or security risks.
Static WADO Configuration
When configuring your Static WADO data source, apply the principle of minimal privilege: restrict the permissions of the account keys to the minimum required for FlexView to function. In particular, the keys should have read access only.
We suggest that you deploy your Static WADO server behind an authentication service protected by JWT (JSON Web Tokens) authentication with a short time-to-live (TTL).
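A sketch of the check such an authentication service would apply, added here as an example and not taken from FlexView or Radical Imaging: it verifies an HS256-signed JWT and rejects tokens that are expired or that were issued with a lifetime above a cap. The HS256 algorithm, the 300-second cap, the `sub` claim and the function names are assumptions; the page only recommends JWT with a short TTL.

```python
import base64, hashlib, hmac, json

MAX_TTL_SECONDS = 300  # assumed cap; the page only says "short"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(key: bytes, subject: str, ttl: int, now: int) -> str:
    """Issue a token valid for ttl seconds starting at now (Unix time)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(_sign(key, header + '.' + payload))}"

def verify_token(key: bytes, token: str, now: int) -> dict:
    """Return the claims, or raise ValueError naming the reason for rejection."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise ValueError("not JSON objects")
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected algorithm")
    expected = _sign(key, header_b64 + "." + payload_b64)
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("missing iat/exp")
    if exp - iat > MAX_TTL_SECONDS:   # issued with too long a lifetime
        raise ValueError("lifetime exceeds cap")
    if now >= exp:
        raise ValueError("expired")
    return payload

if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-a-secret"  # constructed sample value
    token = issue_token(demo_key, "viewer", ttl=120, now=1_000)
    print(verify_token(demo_key, token, now=1_050))
```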
AWS HealthImaging Configuration
When configuring your AWS HealthImaging data source, apply the principle of minimal privilege: restrict the permissions of the account keys to the minimum required for FlexView to function. In particular, the keys should have read access only to the HealthImaging resources.
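One way to check the read-only requirement before handing keys to FlexView, as an added example that is not FlexView's or AWS's own code: it scans an IAM policy document and reports every Allow statement that can match a non-read AWS HealthImaging action. The two sample policies are constructed, the list of write actions is not exhaustive, and which read actions FlexView actually needs is not stated on this page.

```python
import fnmatch

SERVICE = "medical-imaging"              # IAM service prefix for AWS HealthImaging
READ_PREFIXES = ("get", "list", "search")
# Write-capable HealthImaging actions used to expand wildcards (not exhaustive).
WRITE_ACTIONS = ["CreateDatastore", "DeleteDatastore", "StartDICOMImportJob",
                 "CopyImageSet", "UpdateImageSetMetadata", "DeleteImageSet",
                 "TagResource", "UntagResource"]

def grants_write(pattern: str) -> bool:
    """True if an Action pattern can match a non-read HealthImaging action."""
    service, _, name = pattern.lower().partition(":")
    if not fnmatch.fnmatchcase(SERVICE, service):
        return False                     # other service: out of scope here
    if "*" in name or "?" in name:
        return any(fnmatch.fnmatchcase(w.lower(), name) for w in WRITE_ACTIONS)
    return not name.startswith(READ_PREFIXES)

def write_grants(policy: dict) -> list:
    """Return (statement index, offending action) pairs for Allow statements."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:          # allow-everything-except is never minimal
            findings.append((index, "NotAction"))
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if grants_write(action):
                findings.append((index, action))
    return findings

# Constructed sample policies (not FlexView's or AWS's published policies).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["medical-imaging:Get*", "medical-imaging:SearchImageSets",
                "medical-imaging:ListImageSetVersions"]}]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "medical-imaging:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["medical-imaging:DeleteImageSet"], "Resource": "*"},
    {"Effect": "Deny", "Action": "medical-imaging:DeleteDatastore", "Resource": "*"}]}

if __name__ == "__main__":
    print(write_grants(READ_ONLY))
    print(write_grants(TOO_BROAD))
```

The check covers only the `medical-imaging` prefix; permissions on other services attached to the same keys need their own review.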
Ports and Networking
FlexView runs in the cloud and is accessed by users through their web browser. Therefore, there are network ports or interfaces, other than those used by the web browser, that send or receive data for this device.
Software Bill of Materials
A software bill of materials (SBOM) will be provided upon request. Please email info@flexview.com. Please provide the FlexView version number with your request.
The SBOM is updated automatically for each released version of FlexView and it uses the SPDX 2.2 file format.
Maintenance
Software Updates
Software updates will be deployed without requiring any action from the user. Updates are verified prior to deployment.
Please email info@flexview.com for a log of all changes made to the software.
Backups
FlexView will not store any medical images. Those data are only stored in the organization’s data source (e.g., PACS) and will be only temporarily accessed by FlexView for viewing, annotating, or analysis purposes. Thus, the organization is responsible for all backups of their medical images.
FlexView also will not store any payment information. Stripe, the payment processor, securely stores those data and handles backups for them directly.
However, FlexView will store access information for the organization’s data source (e.g., PACS server credentials) in encrypted form and other data necessary for service, such as first and last names, emails, and login passwords. These data will be backed up daily by our IT staff along with the rest of our cloud data, as a part of our disaster recovery procedures.
Logs
FlexView will log user actions such as button clicks and navigation history, system events such as configuration changes, start-up, and shutdown, security-related events such as login attempts and network anomalies, and other application errors and warnings.
To store the logs, FlexView uses CloudWatch, a well-tested and secure centralized logging system from Amazon AWS. CloudWatch provides a unified view of all logs and allows for search, filtering, alerting, and automated security analysis.
End of Life
If you stop using the FlexView software, contact support at info@flexview.com to close your account. Upon request, the support team at FlexView will delete the user account and any connections to its data sources. User contact information will be deleted with the user account. FlexView will continue to store log files for one year. Log files can be deleted on request.
All closed account data will be removed one year after account deactivation.
Responding to Cybersecurity Incidents
If you believe your FlexView account has been compromised, contact your IT department and also notify Radical Imaging at info@flexview.com.
You may also want to take a few additional steps after contacting Radical Imaging:
First, change your password to prevent further unauthorized access. Second, check your account and data source settings to verify whether any changes have been made without your knowledge. Finally, monitor the activity on your organization's data source (e.g., PACS) for any unusual access. If there is any unusual activity, you should change your data source configuration settings immediately to prevent further unauthorized access.