The TheraScan servers are hosted in an SSAE 16 Type II certified data facility.
The TheraScan servers are in a secure/locked cabinet behind a dedicated Cisco ASA firewall.
The systems run in a virtualized environment with the certification and repository functions on separate physical servers. Development and test environments are also on separate physical servers.
Records with PHI have field-level encryption via SSL, using a randomized initialization vector that is stored on the host server and a randomized key that is stored on the remote certification server.
PHI, which can be included as part of the certified source document copy, is always encrypted when “at rest” in the system.
Each decryption is individually logged, recording the specific decrypted record id, the authorized requester and a date-time stamp. This log is viewable by the trial investigator.
Decryption can only be accomplished by the user who loaded the information, other site staff or the investigator-authorized monitor. Exceptions include study-specific documents without PHI such as the protocol or blank CRFs and documents loaded as part of a severe adverse event.
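As an added illustration of the split described above (IV on the host, key on the certification server, decryption gated by the requester's relationship to the record and logged per record), the following Go program is example code and not TheraScan's own. It assumes AES-256-GCM as the symmetric cipher (the page does not name one), one randomized key per record, and constructed role names ("site-staff", "monitor") standing in for the site-staff and monitor authorizations the page describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// HostRecord is what the repository (host server) keeps for one PHI field:
// the ciphertext and its randomized IV, never the key.
type HostRecord struct {
	ID         string
	Uploader   string // user who loaded the record
	IV         []byte
	Ciphertext []byte
}

// DecryptLogEntry is the audit record the page describes: decrypted record id,
// the authorized requester, and a date-time stamp.
type DecryptLogEntry struct {
	RecordID  string
	Requester string
	At        time.Time
}

// CertServer stands in for the remote certification server. It holds the
// per-record randomized keys (assumption: one key per record) and the log.
type CertServer struct {
	keys  map[string][]byte
	roles map[string]string // constructed: user -> "site-staff" | "monitor" | other
	log   []DecryptLogEntry
}

func NewCertServer(roles map[string]string) *CertServer {
	return &CertServer{keys: map[string][]byte{}, roles: roles}
}

// gcmFor builds an AES-256-GCM AEAD; GCM is the stand-in for the cipher the page does not name.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one PHI value with a fresh random key and IV, stores the
// key on the certification server and returns the host-side record.
func EncryptField(cs *CertServer, recordID, uploader string, phi []byte) (HostRecord, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return HostRecord{}, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return HostRecord{}, err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return HostRecord{}, err
	}
	// The record id is bound as associated data so a ciphertext cannot be
	// moved to a different record unnoticed.
	ct := gcm.Seal(nil, iv, phi, []byte(recordID))
	cs.keys[recordID] = key
	return HostRecord{ID: recordID, Uploader: uploader, IV: iv, Ciphertext: ct}, nil
}

// authorized applies the page's rule: the uploader, other site staff, or the
// investigator-authorized monitor may decrypt.
func (cs *CertServer) authorized(rec HostRecord, requester string) bool {
	if requester == rec.Uploader {
		return true
	}
	role := cs.roles[requester]
	return role == "site-staff" || role == "monitor"
}

// DecryptField releases the key only to an authorized requester, logs the
// release (record id, requester, timestamp), and returns the plaintext PHI.
func DecryptField(cs *CertServer, rec HostRecord, requester string) ([]byte, error) {
	if !cs.authorized(rec, requester) {
		return nil, errors.New("requester not authorized to decrypt record " + rec.ID)
	}
	key, ok := cs.keys[rec.ID]
	if !ok {
		return nil, errors.New("no key held for record " + rec.ID)
	}
	cs.log = append(cs.log, DecryptLogEntry{RecordID: rec.ID, Requester: requester, At: time.Now().UTC()})
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.IV, rec.Ciphertext, []byte(rec.ID))
}

// Log returns the decryption log the investigator can review.
func (cs *CertServer) Log() []DecryptLogEntry { return cs.log }

func main() {
	cs := NewCertServer(map[string]string{"crc2": "site-staff", "mon1": "monitor", "ext1": "other"})
	rec, err := EncryptField(cs, "rec-001", "crc1", []byte("DOB 1970-01-01")) // constructed PHI value
	if err != nil {
		panic(err)
	}
	if _, err := DecryptField(cs, rec, "ext1"); err != nil {
		fmt.Println("denied:", err)
	}
	pt, err := DecryptField(cs, rec, "mon1")
	fmt.Printf("monitor decrypted %q (err=%v); log entries: %d\n", pt, err, len(cs.Log()))
}
```

The host-side record is useless on its own: a copy of the repository yields ciphertext and IVs, and the key release on the certification server is the single point where authorization is checked and the audit entry is written.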
No direct database access is allowed to users. Access is via the secure web site.
All communication over the public internet is via the HTTPS, SSL or SSH protocols.
Access to the certification server is only via the RESTful web interface from known locations.
Daily backups are encrypted with a public key and then securely uploaded to a remote repository.
Incremental (record-level) backups are encrypted with a public key and uploaded to a remote database. Redundant records are regularly purged from the remote database.
The password-protected private keys needed for decryption are kept on a FIPS 140-2-validated encrypted flash drive in a secure location.
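The backup scheme above (encrypt with a public key on the backup host, keep the private key offline for restores) is shown here as added Go example code, not TheraScan's own implementation. It assumes hybrid encryption, a fresh AES-256-GCM data key per backup wrapped with RSA-2048 OAEP, since the page names only "a public key"; the OAEP label is a constructed value, and the password protection of the private key on the flash drive is outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedBackup is the object uploaded to the remote repository: a per-backup
// data key wrapped to the backup public key, plus the GCM nonce and ciphertext.
type EncryptedBackup struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// oaepLabel binds the wrapped key to its purpose (constructed value).
var oaepLabel = []byte("therascan-backup-key")

// GenerateBackupKeyPair creates the RSA pair; the private half is what the page
// says is kept on the FIPS 140-2 flash drive, the public half goes to the backup host.
func GenerateBackupKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptBackup uses only the public key, so the host that produces and uploads
// backups never holds anything that can decrypt them.
func EncryptBackup(pub *rsa.PublicKey, backup []byte) (EncryptedBackup, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedBackup{}, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return EncryptedBackup{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return EncryptedBackup{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedBackup{}, err
	}
	ct := gcm.Seal(nil, nonce, backup, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return EncryptedBackup{}, err
	}
	return EncryptedBackup{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptBackup is the restore path and the only place the private key is needed.
func DecryptBackup(priv *rsa.PrivateKey, eb EncryptedBackup) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, eb.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap data key (wrong private key or corrupted backup)")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, eb.Nonce, eb.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("backup integrity check failed")
	}
	return pt, nil
}

func main() {
	priv, err := GenerateBackupKeyPair()
	if err != nil {
		panic(err)
	}
	eb, err := EncryptBackup(&priv.PublicKey, []byte("constructed record-level backup payload"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptBackup(priv, eb)
	fmt.Printf("restored %q (err=%v)\n", pt, err)
}
```

A practical check on such a setup is a periodic test restore with the offline private key: the public-key-only path is easy to get right, and the failure usually shows up on the restore side.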
Monitors are required to use two-factor authentication. TheraScan uses a FIPS 140-2-validated system from Duo Security that utilizes mobile phones as the token.
Source document certification is performed using SSL with a user-specific, password-protected private key and the SHA-256 signature algorithm. This is countersigned by the certification server with a server-specific private key and the SHA-256 signature algorithm.
The user-specific public key, the certification-server public key and the SHA-256 hash “fingerprint” are stored on the certification server for use in verifying the authenticity of the certified source document copy.
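The sign-then-countersign flow and the later verification against the stored keys and fingerprint, as added Go example code rather than TheraScan's implementation. It assumes RSA-2048 with PKCS#1 v1.5 padding and SHA-256 as the concrete "SSL ... SHA-256 signature algorithm", and it assumes the server countersigns the SHA-256 hash of the fingerprint concatenated with the user's signature (the page does not say what the countersignature covers).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Certificate is the record the certification server keeps for one certified
// source document copy: the SHA-256 fingerprint, the user's signature over it,
// the server's countersignature, and both public keys used to verify them.
type Certificate struct {
	Fingerprint [32]byte
	UserSig     []byte
	ServerSig   []byte
	UserPub     *rsa.PublicKey
	ServerPub   *rsa.PublicKey
}

// GenerateSigningKey creates an RSA-2048 key; for a user this would be the
// password-protected key the page describes, for the server its own key.
func GenerateSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// counterDigest is what the server countersigns (assumption): the hash of
// fingerprint || user signature, so the countersignature binds both.
func counterDigest(fp [32]byte, userSig []byte) [32]byte {
	buf := make([]byte, 0, len(fp)+len(userSig))
	buf = append(buf, fp[:]...)
	buf = append(buf, userSig...)
	return sha256.Sum256(buf)
}

// CertifyDocument: the user signs the document's SHA-256 fingerprint with their
// private key, then the certification server countersigns with its own.
func CertifyDocument(doc []byte, userKey, serverKey *rsa.PrivateKey) (Certificate, error) {
	fp := sha256.Sum256(doc)
	userSig, err := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, fp[:])
	if err != nil {
		return Certificate{}, err
	}
	cd := counterDigest(fp, userSig)
	serverSig, err := rsa.SignPKCS1v15(rand.Reader, serverKey, crypto.SHA256, cd[:])
	if err != nil {
		return Certificate{}, err
	}
	return Certificate{
		Fingerprint: fp,
		UserSig:     userSig,
		ServerSig:   serverSig,
		UserPub:     &userKey.PublicKey,
		ServerPub:   &serverKey.PublicKey,
	}, nil
}

// VerifyCertifiedCopy checks a retrieved copy against the stored certificate:
// the copy must hash to the fingerprint, the user's signature must verify under
// the stored user key, and the countersignature under the stored server key.
func VerifyCertifiedCopy(doc []byte, c Certificate) error {
	fp := sha256.Sum256(doc)
	if fp != c.Fingerprint {
		return errors.New("fingerprint mismatch: copy differs from the certified original")
	}
	if err := rsa.VerifyPKCS1v15(c.UserPub, crypto.SHA256, fp[:], c.UserSig); err != nil {
		return errors.New("user signature does not verify")
	}
	cd := counterDigest(fp, c.UserSig)
	if err := rsa.VerifyPKCS1v15(c.ServerPub, crypto.SHA256, cd[:], c.ServerSig); err != nil {
		return errors.New("server countersignature does not verify")
	}
	return nil
}

func main() {
	userKey, _ := GenerateSigningKey()
	serverKey, _ := GenerateSigningKey()
	doc := []byte("constructed source document scan") // stands in for the scanned document bytes
	cert, err := CertifyDocument(doc, userKey, serverKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("fingerprint:", hex.EncodeToString(cert.Fingerprint[:]))
	fmt.Println("verify original:", VerifyCertifiedCopy(doc, cert))
	fmt.Println("verify altered: ", VerifyCertifiedCopy(append(doc, '!'), cert))
}
```

The fingerprint comparison runs first so that a modified copy is reported as such rather than as a signature failure, which is the distinction an auditor wants when a certified copy does not verify.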
The TheraScan system uses Oracle databases with an option for distributed repositories to utilize PostgreSQL.
Access control to the system is processed through the database. A user may only access one study at a time.
TheraScan utilizes an “insert-only” model such that data records are neither updated nor deleted once in the table.
Access to specific information in the repository is granted via dynamic, user-specific views that grant access based on the logged-in user. These views do not contain PHI.
The primary table in the repository contains the encrypted certified object in a BLOB field and the related metadata in an XMLType field. The metadata does not contain PHI.
Authorization is managed via a two-factor process requiring both email and SMS tokens in order to activate a new user. Passwords require eight characters and must include upper and lowercase letters, numbers and special characters.
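The activation and password rules above, as an added Go example (not TheraScan's code): activation succeeds only when both the email token and the SMS token match, tokens expire and are single-use, comparisons are constant-time, and the chosen password is checked against the stated policy. Token lengths, the expiry period and the delivery of the tokens by email and SMS are assumptions; delivery is outside the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Activation holds the two tokens issued for a new user (assumed lengths:
// 32 characters by email, 8 by SMS), their expiry, and whether they were used.
type Activation struct {
	EmailToken string
	SMSToken   string
	Expires    time.Time
	used       bool
}

// newToken returns n random bytes as unpadded base32 text.
func newToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b), nil
}

// StartActivation issues both tokens; the caller sends one by email, one by SMS.
func StartActivation(now time.Time, ttl time.Duration) (*Activation, error) {
	email, err := newToken(20) // 32 base32 characters
	if err != nil {
		return nil, err
	}
	sms, err := newToken(5) // 8 base32 characters
	if err != nil {
		return nil, err
	}
	return &Activation{EmailToken: email, SMSToken: sms, Expires: now.Add(ttl)}, nil
}

// CheckPasswordPolicy enforces the page's rule: at least eight characters with
// upper and lowercase letters, numbers and special characters.
func CheckPasswordPolicy(pw string) error {
	var upper, lower, digit, special bool
	n := 0
	for _, r := range pw {
		n++
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	if n < 8 {
		return errors.New("password must be at least eight characters")
	}
	if !(upper && lower && digit && special) {
		return errors.New("password must include upper and lowercase letters, numbers and special characters")
	}
	return nil
}

// CompleteActivation consumes the activation only if both tokens match, the
// activation has not expired or been used, and the password meets policy.
func CompleteActivation(a *Activation, now time.Time, emailToken, smsToken, password string) error {
	if a.used {
		return errors.New("activation already used")
	}
	if now.After(a.Expires) {
		return errors.New("activation tokens expired")
	}
	// Both comparisons run in constant time and are evaluated before deciding,
	// so timing reveals nothing about which token was wrong.
	okEmail := subtle.ConstantTimeCompare([]byte(a.EmailToken), []byte(emailToken)) == 1
	okSMS := subtle.ConstantTimeCompare([]byte(a.SMSToken), []byte(smsToken)) == 1
	if !(okEmail && okSMS) {
		return errors.New("both the email token and the SMS token must match")
	}
	if err := CheckPasswordPolicy(password); err != nil {
		return err
	}
	a.used = true
	return nil
}

func main() {
	now := time.Now()
	a, err := StartActivation(now, 15*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("email-only attempt:", CompleteActivation(a, now, a.EmailToken, "", "Tr1al-Site!"))
	fmt.Println("both tokens:      ", CompleteActivation(a, now, a.EmailToken, a.SMSToken, "Tr1al-Site!"))
	fmt.Println("replay:           ", CompleteActivation(a, now, a.EmailToken, a.SMSToken, "Tr1al-Site!"))
}
```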
TheraScan uses HTML5 WebSockets for communication with the TWAIN device (scanner).
A study’s Informed Consent should include a section to recognize the loading of source documents to the TheraScan system for review by study monitors.