
What is Session Replay?

Session Replay records user activity in ClinSpark so that the support team can replay user sessions after the fact. This enables the team to diagnose user and application issues far more rapidly and effectively. Session Replay enables our support team to:

  • Understand the full context of a user issue when we receive a ticket. We can carefully review the user session around the time the issue occurred. This typically allows us to fully understand whether there is an application issue or a training issue, and offer rapid assistance.

  • Understand how to reproduce an issue, because we are able to see what the user sees and the steps leading to reported issues.

  • Provide a highly effective training review mechanism for students performing exercises. When a student indicates they have completed a task, or have an issue, the instructor can review the session to offer additional assistance if needed.

  • Provide an option to allow customers to review their own user sessions and gain the same benefits. Note that there are license charges for this.

Technical Details

Security Considerations

ClinSpark’s database already stores the full body of clinical and subject data, including Personal Health Information (PHI). Audit records capture all user actions. What Session Replay adds is a visual recording of the interactions a particular user made in the ClinSpark User Interface (UI). This recording is of course just as sensitive as the data itself, since it includes PHI and clinical data.

Because of this, our Session Replay tool is hosted within AWS data centers. Session data streams directly to the Session Replay tooling, where it is stored alongside the data from clinical operations. As such, there is no additional exposure risk, as all of the protections guarding the core application resources of ClinSpark are also in place for Session Replay data. It is viewable only by support staff, and optionally by customers who wish to access their own user sessions.

SessionStack

The Session Replay tool that we currently use is called SessionStack. It is designed as a SaaS application support tool, and our support team has access to user sessions in customer instances where it is installed.

The SessionStack vendor has no access to ClinSpark user sessions.

What we can see

For a given customer instance, in response to an issue we are able to see all user sessions. They are listed by username, time and duration.

...

From this list we can select individual user sessions and quickly understand what led up to a customer issue:

  1. The user record being shown

  2. The timeline of the session

What we can NOT see

Session Replay only records the contents of the ClinSpark browser tab. There is no way for it to see anything outside of ClinSpark itself, such as desktop activity or other browser tabs that are not ClinSpark.

It is NOT like screen-sharing tooling (for example, WebEx), which can capture a whole desktop session.

The scope of what can be seen is narrowly limited to ClinSpark interactions, by design.

Enabled/disabled through configurations

Session Replay is enabled or disabled through a system configuration that is managed by our ‘superadmin’ users.

Which instances are configured with Session Replay?

PROD Main instances are OPT-IN. That means we will only configure a PROD Main instance with Session Replay once we receive customer permission to do so via Service Desk ticket.

All other customer instances are OPT-OUT. This means that by default, environments such as Sandbox, UAT, VAL, and PROD TEST will have Session Replay enabled. We do this to offer the best possible support when those lower environments are in use.

If customers do not want Session Replay enabled on a certain instance, they should reach out to us via standard project communication channels and/or service desk ticket and we will disable it accordingly.

Additionally, customers can work with us to ensure that it is enabled only in certain environments, or only during certain critical times such as during onboarding and the first month after go-live.

Excluding Volunteer PHI

Customers who are concerned about PHI in recorded sessions can inform us that Session Replay should be active for all areas except the Volunteer module. When configured accordingly, this implicitly excludes the volunteer PHI from the SessionStack database.

How long are sessions held?

Session recordings are accessible for 30 days.