Security and compliance

The advancement of technology has transformed the way medical images are transferred, stored and shared in clinical trials. Imaging Data Management (IDM) platforms like SliceVault have become a key element in imaging-based clinical trials. As the role of IDM platforms has evolved, the risk of security breaches has increased as well. Ensuring data confidentiality, allowing for system authentication and providing clear audit trails are necessities for every IDM platform provider.

Product overview

SliceVault is cloud-based software that streamlines the transfer, management and analysis of medical images in clinical trials and related clinical research projects.

  • Upload & Submission
  • Quality Control
  • Track & Manage
  • Central Reading

Upload & Submission. Sites submit medical images through a secure cloud portal. Protected Health Information (PHI) is automatically removed in the process.
Quality Control. Qualified readers can perform manual quality control checks to ensure data quality and protocol compliance.
Track & Manage. SliceVault tracks all enrolled patients and imaging data. Queries can be issued, tracked and resolved within the same system.
Central Reading. Images can be analyzed by an Independent Review Board (IRP) using the optional Reader module or exported to external read environments.

To help organizations meet their security and compliance requirements, SliceVault is created and made available following strict Standard Operating Procedures (SOPs) designed to follow the requirements set forth in: FDA 21 CFR Part 11, HIPAA, ISO 9001:2015, and GDPR.

Regulatory compliance

FDA 21 CFR Part 11

FDA 21 CFR Part 11 provides guidance to suppliers who, in fulfilment of a requirement in a statute or another part of FDA’s regulations, maintain records or submit information to FDA. The regulation sets out controls for closed systems like SliceVault—how to protect records, limit system access, use secure and computer-generated audit trails, and perform authority checks to prevent unauthorized access.
There is no FDA 21 CFR Part 11 certification for IDM platform providers. SliceVault clients can access computerized systems validation specifications and records demonstrating SliceVault’s compliance.

HIPAA

HIPAA sets the standard for sensitive patient data protection. Anyone dealing with Protected Health Information (PHI) must have documented technical and physical security measures to ensure HIPAA compliance.
Complying with HIPAA is a shared responsibility between SliceVault and clients, including adherence to the Security Rule, Privacy Rule, and Breach Notification Rule. SliceVault is a HIPAA-compliant IDM platform and enters into Data Processing Agreements where required.

ISO 9001:2015

SliceVault’s Quality Management System (QMS) is designed to meet ISO 9001:2015 requirements and includes SOPs and records for software development, risk management, vendor assessment, CAPA, incident response, data recovery and more.

GDPR

GDPR imposes rules on organizations offering goods/services to EU residents or processing EU personal data. SliceVault provides sufficient guarantees and controlled procedures for data subject requests, DPIAs and breach notification. Clients involved in EU data processing receive GDPR commitments in a Data Processing Agreement.

Operational security

Malware protection

Operational systems are protected by industry-leading antimalware (Microsoft Antimalware for Azure) to provide real-time protection against viruses, spyware and other malicious software.

Monitoring

Incoming traffic to operational systems is inspected for suspicious behavior (e.g., botnet connections) using Microsoft Defender for Cloud. SliceVault staff continuously monitors system health to remain vigilant to potential threats and maintain high availability.

Incident management

SliceVault leverages Microsoft’s incident management processes for events affecting confidentiality, integrity or availability. Incident response aims to investigate, contain and remove threats quickly and efficiently. If an incident involves customer data, SliceVault will inform the customer and provide necessary investigative efforts without undue delay.

Security features

SliceVault provides a variety of security and compliance features that help protect data and maintain integrity, including access controls, workflow limitations, image de‑identification/PHI redaction, audit logging, and specialized processes to prevent untimely or illegal access.

Controlling access: user authentication & authorization

In closed systems, it is critical to limit access to valid users only and delegate access appropriately in workflows. The SliceVault IDM platform offers robust authentication with user-session authorization to ensure that only authorized users can access specific data and functions.

Authentication with username and password

  • Users receive autogenerated credentials by email; on first login, users must change their password.
  • Password & session policies
    • Change password at least every 90 days
    • Block after 5 failed login attempts
    • Automatic logout after 60 minutes of inactivity
    • New passwords cannot replicate the last 3 passwords
    • Passwords must be ≥ 12 characters, include at least one digit and one capital letter (special characters allowed)
    • Username and password cannot be empty
  • Creating new user accounts is restricted to the Trial Administrator role.
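The password and session rules listed above can be expressed as server-side checks. The following is an added example, not SliceVault's code; the function names, the scrypt parameters and the storage of password history as salted hashes are assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import timedelta

# Limits taken from the policy list above.
MIN_LENGTH, HISTORY_DEPTH, MAX_FAILED = 12, 3, 5
MAX_PASSWORD_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(minutes=60)

def hash_password(password, salt=None):
    """Return (salt, digest); scrypt cost parameters are assumed values."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def password_errors(candidate, history):
    """List policy violations; history is [(salt, digest), ...], newest last."""
    errors = []
    if len(candidate) < MIN_LENGTH:   # also rejects the empty password
        errors.append("shorter than 12 characters")
    if not re.search(r"[0-9]", candidate):
        errors.append("no digit")
    if not re.search(r"[A-Z]", candidate):
        errors.append("no capital letter")
    for salt, digest in history[-HISTORY_DEPTH:]:
        # Re-hash with each stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            errors.append("matches one of the last 3 passwords")
            break
    return errors

def login_allowed(failed_attempts, password_set_at, now):
    """Gate evaluated before credentials are checked."""
    if failed_attempts >= MAX_FAILED:
        return False, "blocked after 5 failed attempts"
    if now - password_set_at > MAX_PASSWORD_AGE:
        return False, "password older than 90 days, change required"
    return True, "ok"

def session_active(last_activity, now):
    """False once 60 minutes have passed without activity."""
    return now - last_activity < IDLE_TIMEOUT
```

Keeping only salted hashes of earlier passwords lets the reuse rule be enforced without storing any previous password in recoverable form.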

Limiting workflow access

Trial Administrators can grant workflow authorization and data access to specific users or user groups through a dedicated admin interface, enabling fine‑grained control.

User roles (key restrictions):

Role                         Key restrictions
Investigator                 Upload, submit and edit all data from own user group
Investigator (locked)        Read-only access to all data from own user group
Quality Control Manager 1    Access & edit submitted data from specified user groups
Quality Control Manager 2    Access & edit submitted data from specified user groups
Reader                       Access & edit submitted data from specified user groups
Project Manager              Read-only access to submitted data from all user groups
Monitor                      Read-only access to submitted data from specified user groups
Trial Administrator          Manage users and user groups, no data access
API                          Query (read-only) and retrieve data from specified user groups

Following the Windows principle of least privilege, no users are granted more privileges than required.

Data processing workflow

Access to data and functions is further restricted by the data processing workflow:

  • Data Upload & Submission
  • Initial Image Quality Control
  • Final Image Quality Control
  • Central Reading

For example, Investigators have editor privileges at the start of the workflow but read‑only access after submission to Initial Image QC.

DICOM de‑identification

Following industry best practices, SliceVault uses a standards‑based approach (DICOM PS 3.15) to ensure images are free of PHI. See the patient de‑identification page for details. In brief, PHI may be present in DICOM tags and pixel data; SliceVault performs automated tag redaction and redaction of burned‑in annotations (with qualified expert review where required) locally before transmission.

Audit trails

Audit logs are recorded daily for all users, roles and workflow steps. Entries are tamper‑resistant and include:

  • Date and time for event
  • User ID authorizing the change
  • User group name
  • Patient ID (when applicable)
  • Visit ID (when applicable)
  • Type of target ID and Target ID
  • Type of action
  • Details describing the change event

Change events include (non‑exhaustive): authentication (successful login, failed attempts, logout, session timeout); changes in user authorization or credentials; data import and de‑identification; image status and trial enrollment status; data download and removal (with reason); query lifecycle (new, reply, status changes); values/changes in form fields and form permissions.

Audit log files are securely stored as per FDA 21 CFR Part 11 requirements.
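One common way to make audit entries tamper-evident is a hash chain, shown here with the fields listed above. This is an added example, not SliceVault's implementation: the page does not say how tamper resistance is achieved, and the key names, the chaining scheme and the sample events are assumptions.

```python
import hashlib
import json

# Field names mirror the audit-entry list above; the key spellings are assumptions.
FIELDS = ("timestamp", "user_id", "user_group", "patient_id", "visit_id",
          "target_type", "target_id", "action", "details")
OPTIONAL = {"patient_id", "visit_id"}   # "when applicable" on the page
GENESIS = "0" * 64                      # prev-hash of the first entry

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_entry(log, **event):
    """Append one event and return the new head hash."""
    missing = [f for f in FIELDS if f not in OPTIONAL and f not in event]
    if missing:
        raise ValueError(f"missing audit fields: {missing}")
    record = {f: event.get(f) for f in FIELDS}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})
    return log[-1]["hash"]

def first_bad_entry(log, trusted_head=None):
    """Index of the first entry that fails verification, or None if intact."""
    # trusted_head is a head hash kept outside the log store; without it,
    # someone able to rewrite the whole log can recompute a valid chain.
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)   # entries truncated or chain rewritten end to end
    return None

def sample_log():
    """Constructed sample events, not real SliceVault log data."""
    log = []
    base = dict(user_group="Site-01", target_type="user", target_id="u-17")
    append_entry(log, timestamp="2025-01-01T09:00:00Z", user_id="u-17",
                 action="login_failed", details="bad password", **base)
    append_entry(log, timestamp="2025-01-01T09:01:00Z", user_id="u-17",
                 action="login", details="success", **base)
    head = append_entry(log, timestamp="2025-01-01T09:05:00Z", user_id="u-17",
                        patient_id="P-003", visit_id="V1", action="download",
                        details="reason: central read", **base)
    return log, head
```

An in-place edit breaks the chain at the edited entry, while a full rewrite or truncation is caught only by comparing against a head hash stored separately from the log.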

Service delivery

State‑of‑the‑art data centres

Powered by Microsoft Azure for high availability, low latency and scalability. Certifications include ISO 9001, ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2. Physical security uses layered controls such as access cards, alarms, vehicle barriers, perimeter fencing, metal detectors, biometrics and 24/7 monitoring.

Encrypting data in transit, at rest and on backup media

Client data is encrypted on disk, on backup media, across the internet and between data centers.

Low latency and highly available solution

Microsoft’s redundant infrastructure protects against data loss. Targets: RPO 24h and RTO 24h. Incident response includes moving services to other regions (outage) and rapid DNS management (DDoS). SliceVault’s design has achieved >99% uptime over the last year.

Web Application Firewall

All incoming traffic is routed through a Microsoft Azure Web Application Firewall (WAF) to protect against common web attacks (e.g., SQL injection, cross‑site scripting).

Data recovery

Disaster Recovery SOPs govern recovery of critical services with minimal business impact. All data uploaded to the SliceVault IDM platform is backed up daily and stored across primary and secondary locations.


Copyright © 2025 by SliceVault