Security Whitepaper roclub Teleoperations Platform

roclub Teleoperations Platform Security Program

At roclub, we strive for the highest standards of data protection and security. The Teleoperation Platform is a comprehensive SaaS solution that fulfils your needs with a privacy-by-design approach, leveraging state-of-the-art architecture. roclub’s security posture is independently confirmed by regulatory certification authorities and penetration testers.

We are ISO 27001 certified and adhere to applicable regulations such as the GDPR and applicable data privacy laws. Our Teleoperations Platform is a certified medical device as per indications of the US Food and Drug Administration (FDA).

For any inquiries, please contact us at informationsecurity@roclub.com

Basic Information

Core Features

The roclub Teleoperation Platform is a system (software application and hardware component) intended for:

  • Remote Scanning

    Operate and control imaging equipment from a distance, allowing technologists to perform scans on patients without being physically present at the scanner.

  • Remote (application) support

    Less skilled technologists on site can get real-time tips and tricks from experienced colleagues remotely.

  • Remote Education

    Significant opportunities to train technologists, especially in settings where access to in-person training or advanced equipment is limited.

Solution Architecture

Please see Solution Architecture

Network Requirements

The Remote Operator workstation and the Connector are each embedded in customer networks to enable communication for the teleoperation. roclub provides customers with a concise specification of the data transmitted, enabling them to set up their firewall configuration with minimal permissions.

Please refer to the following links for the required network setup for the Connector’s and Remote Operator’s subnet:

Firewall Configuration | Technical Requirements for the Connector
Firewall Configuration | Technical Requirements for the Remote Operator

Hardware Requirements

roclub provisions a Connector which enables a flawless work experience for the Local Operator.
For the Remote Operator’s workstation, minimum hardware specifications must be met to guarantee a smooth workflow. Please visit the following link for a comprehensive list of requirements for the workstation:

Hardware Requirements | Technical Requirements for the Remote Operator

Update Procedures

Updates to the roclub Connector, app or the cloud backend are executed with the objective of minimal disruption to customers. A minimally invasive approach is employed, ensuring that core functionalities such as the remote scanning sessions remain unaffected whenever possible. In case downtime is required, the update schedule is aligned with customers to minimize any inconvenience.

Updates are communicated to the users via an in-app banner announcing the nature and schedule of planned changes. Communication with customers is proactive, informing them if any action is required on their part or if new features are introduced.

In the event of any issues during the update procedure, fallback mechanisms are in place to revert to the previous stable version.

Cloud Computing

The roclub backend is used for the management of the Connectors and remote sessions. This includes authentication and authorization management for systems and users; starting, conducting and terminating remote sessions; Connector status and performance monitoring; scheduling and execution of updates and the transmission of anonymized system logs.

At no point is patient data stored or transmitted unencrypted to the cloud infrastructure.

roclub employs top-grade subcontractors for the hosting of the cloud services, ensuring the highest standards of security and availability. All subcontractors undergo a strict due diligence check for data privacy law compliance. This includes the GDPR for EU customer data and applicable data privacy laws for the US. Additionally, adherence to our information security policy for suppliers is checked in line with our certified Information Security Management System according to ISO 27001. This check is executed before they are first employed and annually re-evaluated. roclub recognizes customer data residency requirements: All customer data stored resides in Germany.

If new subcontractors are to be added, the customer is informed two weeks in advance and is given the possibility to seek clarification or object in line with the Data Processing Agreement between roclub and the customer.

The list of all subcontractors is published at List of Subcontractors

Personal Data / Patient Data

roclub processes data, including personal data, as part of our service offerings. The contractual stipulations are defined in the Data Processing Agreement (DPA).

The processing and storage of personally identifiable information (PII) is kept to a minimum.

PII stored and processed includes app user contact information (e.g. name, mail address, company affiliation) and profile data (e.g. photo, job title); the organization’s contact person and legal representative’s contact information (e.g. name, mail address, telephone number) and the company’s payment information.

Additionally, if the option “public marketplace” is enabled by the customer, we offer the creation of profiles for technologists which are publicly available for marketplace members.

Patient data, which is processed solely as part of the video stream, is secured by hardware-based TLS 1.3 encryption directly on the roclub Connector. roclub employs secure end-to-end encryption to the Remote Operator’s browser-based app. The encrypted stream cannot be decrypted in transit. The video stream is not stored in any way.

Even though the video transmission is not decryptable for roclub employees, a qualified confidentiality obligation according to §9 Art. 1 MBO-Ä, §203 StGB and §35 Art. 6 SGB 1 has been signed by all company actors. This covers first and foremost the confidentiality of patient data.

User Account Information

User accounts are managed by a central identity provider, part of the roclub cloud backend services. The identity service provides logical tenant separation for each customer and supports Multifactor Authentication (MFA) with time-based one-time passwords (TOTP), e.g. Google Authenticator.

The default password policy requires at least one of each: upper-case letter, lower-case letter, number and special character. Customers can request domain verification to be enabled for their organization, only allowing account registrations from the defined mail address domain. Our identity provider also supports SSO with customer AD, including Google and Microsoft Entra ID.

Security Controls

Secure Configuration

Secure configuration includes tamper-proof stickers on the hardware device, deactivation of unused ports and blocking of unknown USB devices. Encryption is performed in hardware (Trusted Platform Module). Specific information about required endpoints for network hardening is provided to the customer. Security events and logging parameters for hardware and cloud backend are centrally managed by roclub and leveraged, among other purposes, for anomaly detection.

Secure Authentication

The identity service is based on the least-privilege, need-to-know and need-to-use principles. Authentication mechanisms are described in User Account Information and can be customized at the customer’s request.

Attribute-Based Access Control

roclub employs a sophisticated attribute-based access management concept. “Organization Admin”, “Dispatcher” and “Users” have different permissions. Specific functionalities, such as starting a remote session on the Connector, are reserved for specific roles.

Once the organization is set up by roclub, the customer’s organization admin can manage the role attribution.

Cryptographic methods

In order to safeguard customer data, state-of-the-art encryption is used. The video stream to the Remote Operator, and the control signals back to the Connector, are securely encrypted using the TLS 1.3 protocol end-to-end. The roclub Connector encrypts the video signal in hardware directly on the device.

The roclub app holds customer and app user data, encrypted at rest through AES-256 and in transit through TLS 1.2 or higher.

Remote Access

On request, authorized roclub staff are able to access the roclub Connector for the initial setup or troubleshooting sessions. Only anonymized user data and telemetric metadata are accessible. It is not possible to retrieve the video signal in this way.

Equally, on request by the customer, roclub staff can be invited to teleoperation sessions for training or troubleshooting purposes.

Network Controls

The customer is responsible for connectivity of the Connector and the operators. It is recommended to set up a separate subnet for the Connector.

roclub makes available a detailed list of the necessary ports and endpoints so that customers can set up their networks in a least-permissive way.

Capacity Management

The roclub Connector provides a performant basis for your teleoperation sessions. Connector health and capacity usage are monitored by roclub, with proactive alerts should thresholds be surpassed. In case customer action is required, a roclub representative will contact the customer.

The roclub backend consists of autoscaling services, adapting to the current load and thus making sure enough capacity for a smooth teleoperation workflow is available.

Logging and Auditing

User actions and system events on the roclub Connector and cloud backend are logged for troubleshooting and auditing purposes. roclub holds different metrics and traces for services. This includes user activities like joining or leaving a session, inviting participants etc. No video content or patient data is persisted.

Vulnerability Management

roclub’s code base is continuously scanned for vulnerabilities. This is done via the automated creation of a Software Bill of Materials (SBOM), which is then compared against more than 10 different, renowned vulnerability databases. If vulnerabilities are found, they are assessed using a certified vulnerability assessment and management procedure, including provisions for safeguarding confidentiality, integrity and availability of the solution, as well as patient safety.

Vulnerability patching is prioritized according to the assessed severity.

Incident response and management

An information security incident procedure is defined and communicated to all roclub staff. The procedure contains a step-by-step guide that is to be followed when an incident is observed, including provisions to contain and eradicate the incident, recover from it and notify stakeholders.

Operational incidents can be reported by the customer from within the app. The report includes the criticality of the incident, which determines its resolution prioritization. Dedicated roclub staff will assess the incident and contact the ticket creator to align on next steps.

Third-party certifications and pentests

roclub operates on an ISO 27001 certified Information Security Management System (ISMS) with yearly audits. The valid certificate can be accessed at Information Security Management System according to ISO 27001.

The roclub Teleoperation Platform is certified as a medical device by the US Food and Drug Administration (FDA) for the US market. Access the premarket notification here.

A C5 certificate as defined by the German BSI (Bundeszentrum für Sicherheit in der Informationstechnik) is currently in preparation.

Externally conducted pentests are executed on a yearly basis by the Johner Institut, a renowned company focussed on security for medical devices. If vulnerabilities are identified, they are managed as per the vulnerability management process.

Shared Responsibilities

The Teleoperation Platform is a solution fully managed by roclub according to customer needs. However, the customer shares responsibility for the operational security:

  • The networks the roclub Connector and Remote Operator operate in are customer-owned and customer-managed infrastructure. As such, the security of these networks, including the firewall, falls under the customer’s responsibility. roclub provides a detailed list of necessary port and domain whitelisting settings to support the secure configuration of the networks.
  • The Remote Operator uses a browser-based application to access the Teleoperation Platform. As such, the necessary hardware and software (i.e. operating system and browser) need to be provisioned by the customer.

FDA Cybersecurity Guidance

roclub will follow cybersecurity guidance issued by the FDA as appropriate.
roclub recognizes the principle described in FDA cybersecurity guidance that an effective cybersecurity framework is a shared responsibility among multiple stakeholders (e.g., medical device manufacturers, health care facilities, patients and providers), and is committed to drawing on its innovation, engineering and pioneering skills in collective efforts designed to prevent, detect and respond to new and emerging cybersecurity threats.

While FDA cybersecurity guidance is informative as to adopting a risk-based approach to addressing potential patient harm, it is not binding and alternative approaches may be used to satisfy FDA regulatory requirements. The representations contained in this whitepaper are designed to describe roclub’s approach to cybersecurity of its medical devices and to disclose the security capabilities of the devices/systems described herein. Neither roclub nor any medical device manufacturer can warrant that its systems will be invulnerable to cyberattack. roclub makes no representation or warranty that its cybersecurity efforts will ensure that its medical devices/systems will be error-free or secure against cyberattack.