Privacy and Security
What data is transmitted?
Touch Surgery™ Enterprise transfers a video file, along with associated metadata, from the site of the procedure to a secure cloud storage site using AWS. We refer to this cloud storage site as the “Touch Surgery™ cloud platform”.
A video file is captured directly from the recording source, e.g. a laparoscopic camera system or an endoscope, by a hardware device called the DS1 Computer. Out-of-body video frames are redacted from the footage using our AI-powered technology, safeguarding sensitive data from being stored or transferred.
Metadata associated with the video are transferred to the Touch Surgery™ cloud platform along with the video file itself. Some examples of metadata include the time of the recording, the type of procedure, or the name of the operating clinician.
As an optional add-on, Touch Surgery™ Enterprise can connect to your institution’s electronic medical records (EMR) or electronic health records (EHR), allowing videos and metadata to be linked to specific patient records.
For more information on EMR/EHR connectivity, contact [email protected]
Customer data collected by Touch Surgery™ Enterprise can include any of the following:
Surgical video from minimally invasive camera systems, for example: endoscope, laparoscope, surgical robotic camera system, etc.
Annotations provided by Healthcare Professionals (HCPs) regarding the procedure.
Personal data of HCPs (as authorized users of the platform) for the purposes of account creation and service provision.
For more detailed information on collected data, visit https://www.touchsurgery.com/privacy
Video metadata collected, transmitted, processed and stored by Touch Surgery™ Enterprise can include any of the following:
Surgeon Name
DS1 Device ID
DS1 Device UUID
Date and time video is uploaded
Type of procedure
Video Title
Learning Objectives
Video Description – free text field completed by user
Credits – free text field used to enter additional surgeon names involved in the surgery
Case Tags
Annotations
Comments (Not intended to include any patient-specific information. Users are advised as per the image below)
Patient Identifiable Information
Do not include the following information:
Any information that could identify a person, such as:
Name
Day and Month of birth, admission, discharge or death
Age of Patient (use “90+” or “90 or older” if over 89.)
Social Security/National Insurance number
Contact information, such as telephone number or e-mail address
Medical Record numbers
Hospital ID (or NHS) numbers
Health plan beneficiary numbers
Account numbers
Any ID or code used to re-identify the patient
Any Personal Information as defined by the General Data Protection Regulation of 2016 (GDPR), Protected Health Information as defined in 45 CFR 160 and 164 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or any other personally identifiable information as defined in applicable data privacy laws.
For more information please contact your organization’s legal or privacy department.
Will protected health information (PHI) be transmitted?
Touch Surgery™ Enterprise transmits limited personal data – only what is necessary for the provision of agreed services. By default, we do not transmit any of the identifiers considered to be markers of protected health information (PHI), as defined by HIPAA regulations.
Medtronic Digital Surgery proactively performs privacy impact assessments to identify, assess and address privacy risks, and designs new products and applicable services in accordance with “privacy by design” principles. Additionally, Medtronic Digital Surgery uses standard templates and processes developed by the Privacy Program to ensure the appropriate privacy provisions are incorporated into third-party contracts.
If your institution opts for the EMR/EHR Integration Add-on, patient data is transmitted to the Touch Surgery™ cloud platform. This is necessary to provide the service of associating video data with specific patient records. The EMR/EHR Integration Add-on is optional.
How is Customer data that is stored within the AWS environment deleted?
Touch Surgery™ Enterprise stores three copies of each uploaded surgical video: one primary copy and two replicas in separate buckets in the same region. Multiple copies are stored across buckets for failover and recovery purposes. Authorized hospital users can choose to delete previously uploaded videos at any time from the Touch Surgery™ Enterprise user interface. This action deletes the primary and replica copies. Daily full database backups are retained in AWS for 30 days, after which time they are automatically deleted.
How will the data be secured?
The Touch Surgery™ cloud platform is hosted in data centers provided by Amazon Web Services (AWS). All data transmitted by Touch Surgery™ Enterprise remains in these data centers, and physical movement offsite is not required. Data is well dispersed for failover and recovery purposes, with one primary copy and two replicas in separate buckets in the same region.
See the Data Hosting – Portability section for more information on data centers.
AWS provides the following cloud-native security tools to secure your data on Touch Surgery™ Enterprise:
AWS Identity and Access Management (IAM) controls access to Touch Surgery™ Enterprise resources.
AWS CloudTrail tracks all activity in AWS environments. It records all actions and API calls executed by users.
AWS GuardDuty is a threat detection service that uses machine learning to look for malicious activity in AWS environments. It combines CloudTrail event logs, VPC Flow Logs, and S3 event logs to continuously monitor and analyze Touch Surgery™ Enterprise activity.
AWS CloudWatch logs, monitors and gives alerts on the performance of Touch Surgery™ Enterprise resources and applications.
AWS Shield is a distributed denial-of-service (DDoS) protection service for network-layer (Layer 3) and transport-layer (Layer 4) attacks.
AWS Web Application Firewall blocks any commonly known attacks to the application.
AWS Secrets Manager supports automatic rotation of the credentials (secrets) used for the AWS Relational Database Service (RDS).
Furthermore, the Touch Surgery™ cloud platform servers run as EC2 instances on AWS, which use Nitro technology. This technology includes a locked-down security model that prohibits Amazon employees from accessing data on these servers.
The AWS Backup Service provides centralized, automated backup of Touch Surgery™ Enterprise data stored on AWS. Videos are also separately backed up by Medtronic and uploaded to a separate AWS S3 bucket. Data lost from a primary copy can be restored from a replica copy.
Are penetration tests performed on Touch Surgery™ Enterprise?
Yes. The most recent OWASP-based Touch Surgery™ Enterprise penetration tests were performed by Synopsys on the web application/API and on the iOS and Android mobile applications. Synopsys’ penetration testing services are CREST accredited. Medtronic Digital Surgery maintains a Risk Register of penetration test findings (identified vulnerabilities), including risk ratings and Medtronic Digital Surgery’s plans to address the vulnerabilities.
What is the encryption level?
The DS1 Computer, which captures video data at the site of the procedure, uses the following encryption methods:
HTTPS/Transport Layer Security (TLS) 1.2 protocol and digitally signed PKI certificate (key: 2048-bit public key).
HTTPS/Transport Layer Security (TLS) 1.2 protocol (SHA-256) (key: Password Based Key Derivation Function (PBKDF2), key length: 256 bit).
Secure 802.11a/n/ac WPA2-PSK 5GHz WiFi hotspot (key length: 128-bit).
SSD storage hardware encrypted using AES-512 algorithm.
During transmission, data is encrypted using HTTPS/Transport Layer Security (TLS) 1.2. This applies to data transfer from your institution to the Touch Surgery™ cloud platform, as well as from the Touch Surgery™ cloud platform to the touchsurgery.com website or the iOS or Android mobile apps. PKI certificates are issued by Amazon’s Certificate Authority (CA). They have a public key size of 2048 bits and are digitally signed with the SHA256WITHRSA signing algorithm.
At rest, data is stored in AWS S3 buckets and the AWS Relational Database Service (RDS). Encryption at rest is enabled on all S3 buckets. Daily storage volume snapshots require a Customer Managed Key (KMS-CMK), which is encrypted using a 256-bit AES-GCM algorithm.
How secure is the connection?
Data transfer from your institution to the Touch Surgery™ cloud platform uses your existing connection for outbound activity, and so benefits from the same level of security you have already established with your internet provider. Touch Surgery™ Enterprise only requires outbound ports 80 and 443 (HTTP and HTTPS traffic) and 123 (NTP time synchronization) to be open. More information on specific network requirements can be provided on request and will be provided as part of implementation.
Institution Administrators
What does an institution administrator do?
Institution administrators manage your institution’s Touch Surgery™ Enterprise account. They are responsible for user management and account-wide settings, which can impact all members of the institution. Additional training is provided to your appointed institution administrator on how to use these settings on behalf of your institution. There is no limit to the number of institution administrators you can have for your institution.
Institution administrators cover user management and account-wide settings. This includes:
Inviting new users to the institution account.
Specifying new users as surgeons or non-surgeons on the account.
Offboarding users.
Enabling video downloads.
Requesting and reviewing audit reports of all video downloads.
Setting the maximum login session time limit – which helps to manage security.
Activating multi-factor authentication (MFA) to require users to log in using a secure one-time code.
Cryptographic Key Management
Who manages encryption keys?
Touch Surgery™ Enterprise uses the AWS Key Management Service (KMS), which is designed so that no one, including AWS employees, can retrieve the plaintext KMS Customer Managed Keys (KMS-CMK) from the service. Touch Surgery™ Enterprise encryption keys are stored in AWS CloudHSM and are managed by Medtronic Digital Surgery engineers. AWS KMS uses Hardware Security Modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to protect the confidentiality and integrity of the keys.
Audit Logging and Monitoring
What activity is logged?
The AWS CloudTrail service is used by Touch Surgery™ Enterprise to log and track AWS IAM user activity and API usage, including all management (i.e., web console) events performed in various AWS regions. CloudTrail and NGINX audit logs capture both external and internal user events.
The administrator of the account can request an audit log at any time by contacting [email protected].
How long are logs maintained?
Logs are maintained for the following periods:
AWS CloudTrail Logs (IAM / API) – Touch Surgery™ Enterprise CloudTrail log events are retained for 2 years in AWS S3 buckets.
NGINX application web proxy log events are retained indefinitely in AWS S3 buckets.
Teleport Enterprise Logs (SSH connections to servers / DBs) – Touch Surgery™ Enterprise Teleport logs are stored indefinitely in an AWS DynamoDB table and are accessible to Medtronic Digital Surgery internal users only.
Medtronic Digital Surgery log files are retained for an 18-month period to be used for error investigation, system maintenance, etc.
What monitoring solution is used?
Touch Surgery™ Enterprise uses the AWS CloudTrail, GuardDuty, and CloudWatch services for daily audit logging, monitoring, and alerting of security events occurring in its AWS cloud subscription account.
Identification and Authentication
What is the authentication process?
Users log into Touch Surgery™ Enterprise through touchsurgery.com or the iOS or Android mobile apps. When they enter their user ID and password, an access token request is sent to the authorization server via an API call. This API call verifies the user and returns to them an OAuth2 access token with a 6-hour time limit and a refresh token with an infinite time limit. With the token, the user can access specific resources in the Touch Surgery™ cloud platform for which they are authorized, for example, their own videos or videos shared with them by other users.
Once the 6-hour time limit ends, the access token is invalidated. An invalid access token can be exchanged for a new one if the user has a refresh token. Each refresh token is single use, and exchanging a refresh token will return a new access token and refresh token. This means the user does not have to log in again every six hours.
If your institution’s admin has enabled Session Timeouts, users will not receive a refresh token and their access tokens will be set to the duration specified by the administrator. The user will have to log in after their access token expires.
If your institution’s admin has enabled Multi-Factor Authentication (MFA), then all members of your institution logging into Touch Surgery™ Enterprise with a user ID and password are prompted to supply an additional 6-digit MFA code, which is emailed to them, before they receive their access token. This will also require users to log back in periodically. The session timeout expiry is 24 hours by default and can be configured by institution admins.
If the user is still active, for example watching a video, they are not logged out immediately. A heartbeat will be sent (five minutes prior to the session expiring) to extend the session and not log the user out.
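The token lifecycle described in this section, as an added illustrative model that is not Touch Surgery’s own code: access tokens expire after 6 hours, refresh tokens are single-use and rotate on every exchange, enabling Session Timeouts withholds the refresh token, and a heartbeat within five minutes of expiry extends an active session. The class and method names and the in-memory token store are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ACCESS_TTL = 6 * 3600       # default access-token lifetime from the FAQ: 6 hours
HEARTBEAT_WINDOW = 5 * 60   # heartbeat is sent five minutes before expiry


@dataclass
class Session:
    user: str
    access_token: str
    access_expires: float           # absolute time in seconds
    refresh_token: Optional[str]    # None when the admin has enabled Session Timeouts


class AuthServer:
    """Hypothetical in-memory authorization server (names are assumptions)."""

    def __init__(self, session_timeout: Optional[int] = None):
        # Admin-configured Session Timeout in seconds; None means the default flow
        self.session_timeout = session_timeout
        self._live_refresh: Dict[str, str] = {}   # unspent refresh token -> user

    def _issue(self, user: str, now: float) -> Session:
        ttl = self.session_timeout or ACCESS_TTL
        refresh = None
        if self.session_timeout is None:          # refresh tokens only in the default flow
            refresh = secrets.token_urlsafe(32)
            self._live_refresh[refresh] = user
        return Session(user, secrets.token_urlsafe(32), now + ttl, refresh)

    def login(self, user: str, now: float) -> Session:
        return self._issue(user, now)

    def is_valid(self, session: Session, now: float) -> bool:
        return now < session.access_expires

    def refresh(self, refresh_token: str, now: float) -> Session:
        # Single use: pop() spends the token, so replaying it is rejected
        user = self._live_refresh.pop(refresh_token, None)
        if user is None:
            raise PermissionError("refresh token invalid or already used")
        return self._issue(user, now)   # rotates both access and refresh token

    def heartbeat(self, session: Session, now: float) -> bool:
        """Extend an active session if it is within five minutes of expiring."""
        if not self.is_valid(session, now):
            return False                          # already expired: user must log in again
        if session.access_expires - now <= HEARTBEAT_WINDOW:
            session.access_expires = now + (self.session_timeout or ACCESS_TTL)
        return True
```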
Business Continuity and Disaster Recovery
Which Disaster Recovery Strategy has been implemented?
Medtronic Digital Surgery’s disaster recovery strategy involves having a secondary server. The secondary server is always running, and is used to back up business-critical data from the primary server.
Does Touch Surgery™ Enterprise back up data?
Yes, Touch Surgery™ Enterprise uses the AWS Backup service for centralized and automated backup of data across all AWS services in the cloud via the AWS Storage Gateway. Touch Surgery™ also backs up videos and uploads them to a backup S3 bucket when processing is complete. The S3 buckets can be physically located in different regions, depending on your configuration.
How often does AWS back up data?
Continuous incremental backups of the Touch Surgery™ Enterprise AWS RDS (Relational Database Service) PostgreSQL databases are taken every minute. Full database backups are performed daily and retained for 30 days, after which time the oldest backups “fall off” the system. This provides for swift restoration of primary copies from the replicas residing in separate buckets in the same region.
Where is backup data stored?
All Touch Surgery™ Enterprise data remains in AWS data centers, and physical movement of data offsite is not required. Data is well dispersed for failover/recovery purposes in 2 different AWS regions and 3 availability zones. Data lost from a primary copy can be quickly restored from a replica copy.
Is backed-up data encrypted?
Yes, Amazon RDS snapshots are automatically encrypted with the same encryption key that is used to encrypt the source Amazon RDS database. This means use of AES-256 encryption using SSE-KMS customer keys unique to each specific AWS Region.
Change Management/Software Development Life Cycle
Are Medtronic Digital Surgery’s hardware and software systems consistent with the data protection by design guidelines?
Yes. Touch Surgery™ Enterprise applications are developed in-house by Medtronic Digital Surgery engineers. The engineers are required to follow Medtronic’s Non-Validation Secure Design Requirements in the design, development, and maintenance of Touch Surgery™ Enterprise applications. The requirements are based on best practices, including the OWASP Application Security Verification Standard 4.0 for applications and Medtronic’s Global Security Office (GSO) Mobile Application Development Procedure.
Which software development life cycle methodology is followed by Medtronic Digital Surgery?
The Medtronic Digital Surgery engineering teams follow an agile development process using the Medtronic Digital Surgery Change Management Procedure. Sprints are planned in 2-week increments, or more often as needed. Tickets are created for all changes. All code representing Medtronic Digital Surgery products and services is kept under source control, with pull/push to the git repository provider. Git branches are used to introduce changes and create pull requests. Pull requests are reviewed and approved within the engineering team. Approval must be granted before the pull request is merged into the mainline branch. All code changes are accompanied by automated tests that are run regularly and provide assurance that the changed code reflects the specification provided and that no regressions have been introduced.
Do you scan source code for vulnerabilities as part of your software development life cycle?
Yes. Medtronic Digital Surgery engineers scan source code for vulnerabilities during the Software Development Life Cycle using a code analysis tool checked against the OWASP Top 10. Medtronic Digital Surgery also scans third-party libraries used in the codebase for Common Vulnerabilities and Exposures (CVEs). The services used in Touch Surgery™ Enterprise are containerized with Docker, and the built images are also scanned for CVEs. Our Kubernetes configuration is scanned for any potential misconfiguration that could result in security holes. The configuration of the AWS resources used by Touch Surgery™ Enterprise is continuously scanned for vulnerabilities using AWS Security Hub, as well as a service called Dome9, by CloudGuard. When an engineer pushes a change to a remote branch in Bitbucket, the pipeline that runs includes the vulnerability scanning. The report is shown on the pipeline, and the pipeline fails if any vulnerability is rated High or above. Those vulnerabilities are remediated before a subsequent code release.