Security & Trust
MediCare HIS stores hospital operational data and patient health information on behalf of healthcare providers. The security practices below describe what we run today, how we verify it, and how to report a problem. We publish this so customers, auditors and security researchers can hold us to it.
1. Transport security
Every byte that crosses the public internet is encrypted. We hold an external A+ grade from Qualys SSL Labs on every endpoint, and an A+ (10/10) from Mozilla Observatory on our HTTP security headers.
- TLS 1.3 preferred, TLS 1.2 minimum — older protocols rejected.
- HSTS with a 2-year max-age, includeSubDomains, and preload-eligible.
- Strict Content Security Policy — no inline scripts, no third-party origins.
- X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy all locked.
- Universal SSL certificate covers the apex and every tenant subdomain.
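The checks in this section are the ones an external scanner scores. As an added example (not MediCare HIS code), the function below audits a response's headers against that baseline: HSTS with a two-year max-age, includeSubDomains and preload, a CSP without inline or eval escape hatches, and the framing, sniffing, referrer and permissions headers. The header names are standard; the two sample header sets are constructed.

```python
# Added example, not MediCare HIS code: audit HTTP security headers the way
# an external scanner would. The two-year HSTS threshold is the policy
# stated on this page; GOOD_HEADERS and WEAK_HEADERS are constructed samples.

TWO_YEARS = 2 * 365 * 24 * 3600  # 63,072,000 seconds


def _directives(value: str) -> dict:
    """Parse 'max-age=63072000; includeSubDomains; preload' into lower-cased name -> value."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def audit_security_headers(headers: dict) -> list:
    """Return findings for one response's headers; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: long max-age, cover subdomains, eligible for the browser preload list.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = _directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < TWO_YEARS:
            findings.append(f"HSTS max-age {max_age} is below two years")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS is not preload-eligible (no preload directive)")

    # CSP: a fallback source list and no inline/eval escape hatches.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        csp_l = csp.lower()
        if "default-src" not in csp_l:
            findings.append("CSP has no default-src fallback")
        for escape in ("'unsafe-inline'", "'unsafe-eval'"):
            if escape in csp_l:
                findings.append(f"CSP allows {escape}")

    # Framing, MIME sniffing, referrer leakage, browser feature access.
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


# Constructed sample responses: one meeting the baseline, one that does not.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_security_headers(hdrs) or "baseline met")
```

Run it against the headers captured from a real response (for example the output of `curl -sI`) rather than the constructed samples; a finding on a single endpoint is enough to lose the scanner grade, so the check belongs in a post-deploy step as well as in a one-off audit.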
2. Edge defense
All traffic flows through Cloudflare's global edge network before reaching our origin. The origin itself is locked to Cloudflare-only via an authenticated-pulls shared secret — direct attempts to bypass the edge and hit our servers are rejected at the network layer.
- Authenticated Origin Pulls: only Cloudflare-fronted traffic reaches the application.
- DDoS protection at the edge.
- Bot Fight Mode with JavaScript challenges for suspicious clients.
- Browser Integrity Check before traffic reaches origin.
- Edge rate limiting on authentication endpoints (brute-force defense).
3. Identity & access
Multi-factor authentication is enforced for every privileged role, not just available. We support both authenticator apps (TOTP) and modern phishing-resistant passkeys, and we can enforce passkey-only sign-in for the most sensitive accounts.
- MFA enforced server-side for administrative roles — no opt-out.
- Passkey support (Face ID, Touch ID, Windows Hello, hardware keys).
- Passkey-only mode available for the most sensitive roles — no password fallback.
- Role-based access control with separate roles for clinical, operational, and administrative duties.
- Per-account brute-force lockout with a sliding window — accidental typos don't compound, but a real distributed attack still trips the threshold.
- Tamper-evident, cryptographically chained audit log of every user action.
- Session secrets rotated; cookies marked httpOnly, sameSite, secure.
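The sliding-window lockout above is the one identity control whose behaviour is easy to get subtly wrong, so here is a worked version as an added example (not MediCare HIS code). Only failures still inside the window count toward the threshold, so typos spread over time age out, while a burst inside the window trips the lock; each lockout produces an event record of the kind the audit log would receive. Threshold, window and lockout lengths are assumed values, not the product's configuration, and the account name is constructed.

```python
# Added example, not MediCare HIS code: per-account sliding-window lockout.
# Failures outside the window are discarded before the count is checked,
# so isolated typos never accumulate into a lock. Parameters are assumed.
from collections import defaultdict, deque


class SlidingWindowLockout:
    def __init__(self, threshold=5, window_seconds=900, lockout_seconds=900):
        self.threshold = threshold
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of failures still in the window
        self._locked_until = {}              # account -> time the lock expires
        self.events = []                     # lockout events, destined for the audit log

    def _prune(self, account, now):
        """Drop failures that have aged out of the window."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock expired: start with a clean window
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account, now):
        """Record a failed sign-in at time `now`; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            self.events.append({"account": account, "at": now,
                                "failures_in_window": len(q),
                                "locked_until": now + self.lockout})
            return True
        return False

    def record_success(self, account, now):
        """A successful sign-in clears the window but never bypasses an active lock."""
        if self.is_locked(account, now):
            return False
        self._failures[account].clear()
        return True


def simulate(failure_times, **kw):
    """Replay failure timestamps for one account; return (ever_locked, lockout_event_count)."""
    lock = SlidingWindowLockout(**kw)
    results = [lock.record_failure("dr.mensah", t) for t in failure_times]  # constructed account
    return any(results), len(lock.events)


if __name__ == "__main__":
    print("one typo every 10 minutes for an hour:", simulate([0, 600, 1200, 1800, 2400, 3000, 3600]))
    print("five failures in five seconds:", simulate([0, 1, 2, 3, 4]))
```

Two design points matter in practice: the lock check runs before the password is verified, so a locked account returns the same response whether or not the guess was right, and the lockout events are emitted as structured records so they can be written to the hash-chained audit log rather than only to an application log.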
4. Data protection
Patient and operational data is encrypted in transit and at rest, with an additional client-side encryption layer on off-host backups, so backup data is never legible to anyone but us, not even our backup provider.
- Encryption in transit: TLS 1.3 / 1.2 end-to-end.
- Encryption at rest: managed disk encryption from our hosting provider.
- Daily backups with SHA-256 hash manifests for tamper detection.
- Off-host backup mirror in a separate cloud provider, on a separate billing account. Provider names are disclosed under our DPA to enterprise customers; we don't publish them here, to keep the attack surface narrow.
- Client-side AES-256-GCM envelope encryption on off-host backups — our backup provider sees only ciphertext + the authentication tag.
- Server-side encryption on backup buckets as a second layer.
- Tamper-evident audit log (cryptographic hash chain) of every user action.
- Audit log mirrored to immutable off-host storage (object-lock in Compliance mode, 7-year retention) — even a compromised administrator cannot alter or delete historical audit entries.
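The tamper-evident audit log and its off-host mirror are described above in terms of outcomes; the following added example (not MediCare HIS code) shows the mechanism. Each entry's SHA-256 commits to the previous entry's hash, `verify_chain` recomputes the whole chain, and `make_chunks`/`verify_mirror` model a mirror stored as linked chunks, the kind of chain-of-chunks check an operator can run against an exported copy. The entry layout, the canonical JSON encoding and the chunk hash rule are assumptions for the example; the sample events are constructed.

```python
# Added example, not MediCare HIS code: a hash-chained audit log, a verifier
# for the live chain, and a forensic verifier for a chunked off-host mirror.
# Entry layout, canonical encoding and chunk hash rule are assumptions.
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first entry and of the first chunk


def _entry_hash(prev, seq, event):
    """SHA-256 over a canonical encoding of (prev-hash, sequence number, event)."""
    canonical = json.dumps({"prev": prev, "seq": seq, "event": event},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditChain:
    def __init__(self):
        self.entries = []

    def append(self, event):
        """Append one user action; its hash commits to every earlier entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "event": event,
                 "hash": _entry_hash(prev, seq, event)}
        self.entries.append(entry)
        return entry


def verify_chain(entries):
    """Recompute every hash and check linkage; return (ok, first_bad_seq_or_None)."""
    expected_prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != expected_prev:
            return False, i
        if _entry_hash(e["prev"], e["seq"], e["event"]) != e["hash"]:
            return False, i
        expected_prev = e["hash"]
    return True, None


def _chunk_hash(prev_chunk, entries):
    """A chunk commits to the previous chunk and to every entry hash it carries."""
    return hashlib.sha256((prev_chunk + "".join(e["hash"] for e in entries)).encode()).hexdigest()


def make_chunks(entries, size):
    """Split the chain into mirror chunks; each chunk links to the one before it."""
    chunks, prev = [], GENESIS
    for start in range(0, len(entries), size):
        part = entries[start:start + size]
        h = _chunk_hash(prev, part)
        chunks.append({"prev_chunk": prev, "entries": part, "hash": h})
        prev = h
    return chunks


def verify_mirror(chunks):
    """Forensic check of an off-host copy: chunk linkage first, then the entry chain inside."""
    prev, flat = GENESIS, []
    for n, c in enumerate(chunks):
        if c["prev_chunk"] != prev or _chunk_hash(prev, c["entries"]) != c["hash"]:
            return False, f"chunk {n}"
        flat.extend(c["entries"])
        prev = c["hash"]
    ok, bad = verify_chain(flat)
    return ok, (None if ok else f"entry {bad}")


# Constructed sample events.
SAMPLE_EVENTS = [
    {"user": "admin", "action": "login", "mfa": "passkey"},
    {"user": "admin", "action": "view_record", "patient": "P-0001"},
    {"user": "clinician", "action": "update_record", "patient": "P-0001"},
    {"user": "admin", "action": "export_report", "report": "dhims2"},
    {"user": "admin", "action": "logout"},
]


def build_sample_chain():
    chain = AuditChain()
    for ev in SAMPLE_EVENTS:
        chain.append(ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("live chain:", verify_chain(chain.entries))
    print("mirror:", verify_mirror(make_chunks(chain.entries, 2)))
```

A hash chain detects modification, insertion and reordering of entries, but not silent removal of the most recent entries, because a truncated chain still verifies. That is why the mirror is written to object-locked storage and why the verifier should also compare the mirror's latest chunk hash and entry count against a value recorded elsewhere (the weekly integrity check on this page is the natural place to do that).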
5. Continuous monitoring
Security isn't a one-time setup. We run continuous, automated checks across multiple independent channels.
- Uptime monitoring with multi-region probes — alerts to on-call within 5 minutes of any outage.
- Domain breach monitoring via Have I Been Pwned — alerts if any @medicarehis.com address shows up in a future breach, paste, or info-stealer dump.
- Certificate Transparency Monitoring — email alert if any Certificate Authority issues a TLS certificate for our domain (catches misissuance attacks).
- Weekly automated dependency audit — high/critical vulnerabilities block deploys.
- Secret-scanning in CI on every push and pull request.
- Dependabot for grouped weekly security and minor-version updates.
6. Enterprise governance & compliance posture
Security isn't just code — it's a governance framework, a policy library, and a documented compliance trajectory. We publish ours so prospective customers and their auditors can see exactly where we stand against international standards rather than taking our word for it.
- Five-pillar governance framework covering cybersecurity, clinical safety, infrastructure, identity & access, and data protection — each pillar mapped to specific technical controls in the codebase.
- NHS-style clinical safety governance with a named Clinical Safety Officer function, hazard log discipline, and incident-review cadence borrowed from the most evolved healthcare security context in the world.
- ISO/IEC 27001:2022 gap analysis mapping every Annex A control to current state — published as part of our standard customer due-diligence pack.
- ISO 27799 healthcare overlay mapping — the controls written specifically for protected health information.
- SOC 2 Type II roadmap — stage-gated path from current state to a Type II report, with the underlying controls already in place.
- NHS Data Security & Protection Toolkit alignment — 9 of 10 National Data Guardian standards effectively met today.
- Per-pillar policies (Information Security, Clinical Safety, Infrastructure, IAM, Data Protection, Incident Response, Acceptable Use, Vendor Management) version-controlled internally — each policy carries a change-management ledger.
- Cross-reference table maps every governance claim to a specific implemented control — claims are auditable rather than aspirational. Available to procurement / auditors under NDA.
7. Independent verification
We don't just claim a security posture — we publish the external grades. These checks can be re-run against our production domain at any time.
| Independent check | Result | Re-run at |
|---|---|---|
| Qualys SSL Labs | A+ | ssllabs.com/ssltest |
| Mozilla Observatory | A+ (10/10) | observatory.mozilla.org |
| Sucuri SiteCheck | Clean (no blacklist, no malware) | sitecheck.sucuri.net |
8. Vulnerability disclosure
If you've found a security issue in MediCare HIS, please email [email protected]. We follow RFC 9116 — our machine-readable contact is at /.well-known/security.txt.
- We acknowledge legitimate disclosures within 2 working days.
- We work with researchers in good faith and don't pursue legal action against people reporting issues responsibly.
- Please don't test against production patient data or attempt denial-of-service.
9. Recent updates
Security is a continuous practice. Recent improvements, most recent first:
- Published an eight-page procurement evidence pack at medicarehis.com/procurement for hospital procurement teams preparing board submissions: a company brochure, a security whitepaper (threat model, controls, verification, standards alignment, vulnerability disclosure), a deployment architecture with sub-processor table and tenant isolation details, a compliance roadmap (ISO 27001, ISO 27799, SOC 2, NHS DSP, DPA framework, cross-border data transfer per jurisdiction), an SLA & uptime page with response matrix and remedies, a support model with channels and escalation, and an onboarding methodology covering the six implementation phases. Every page is print-friendly so the pack can be saved to PDF without us hosting a binary.
- Published a transparent comparison page at medicarehis.com/compare-ghims for hospitals evaluating GHIMS (the Ghana Health Service deployed HIS) versus MediCare HIS — segment-fit positioning, honest acknowledgement of where each system has the advantage, links to the evidence pack IT and compliance teams need for verification.
- Ghana facilities can now submit their monthly DHIMS2 report automatically through the platform. Aggregate counts of outpatient attendance, admissions, lab tests, immunisations and maternity outcomes flow from operational records to Ghana Health Service's reporting system every month with no manual tally — and every submission is written to the tamper-evident audit log so the facility holds durable evidence of every report sent.
- Content Security Policy violations are now reported to a tamper-evident audit endpoint — every blocked script or image load is logged within seconds, making real-world cross-site scripting attempts visible to operators rather than silent.
- An automated weekly integrity check now walks the off-host audit chain end-to-end and surfaces any anomaly in our build system. Previously a manual quarterly check; now automatic with a clear failure signal.
- Account-enumeration audit completed across every public sign-in surface. One subtle response-shape leak found and fixed; the remaining surfaces verified consistent. A regression test pins the invariant so a future change can't silently re-introduce it.
- Field-level encryption primitive shipped for the highest-sensitivity identity fields (national ID, passport number). Adds a defence-in-depth layer on top of volume encryption — ciphertext-on-disk for the most regulator-attention-grabbing data classes.
- Operator runbook published for the remaining DNS-level hardening — Certification Authority Authorization (restricts which CAs can issue certs for our domain), DNSSEC (signed DNS), MTA-STS + TLS Reporting (forces TLS on inbound mail), DMARC tightening, and per-endpoint Cloudflare WAF rules. Each step is independently shippable and reversible.
- Backup cadence tightened from once a day to once an hour. Data recovery point objective dropped from ~24 hours to ~1 hour. A tiered local retention strategy keeps every hourly snapshot for the most recent 48 hours (fast point-in-time recovery during the operator-intervention window after an incident) and one snapshot per day for the rest of the 30-day window. Off-host immutable storage cadence increases automatically.
- Critical incident alerts now reach the on-call via multiple independent channels — uptime webhook into our tamper-evident audit chain, server-side email through our own infrastructure, and mobile push notifications — so a single delivery path failure never delays incident response.
- Published a reference-architecture gap map showing where the current implementation aligns with the enterprise architecture pattern, where we differ deliberately at our stage, and where we have planned uplifts — so customers can compare us against their own reference architectures with full transparency.
- Published an enterprise governance framework covering five pillars (cybersecurity, clinical safety, infrastructure, identity & access, data protection & resilience), with per-pillar policies and per-standard compliance mappings — ISO 27001, ISO 27799, SOC 2, NHS DSP Toolkit — all version-controlled and customer-shareable.
- Backup encryption key rotation tooling shipped — a multi-key registry lets old keys remain available for decryption of historical backups and audit chunks after the active key is rotated, so 7-year audit retention survives any number of rotations.
- Historical audit-log backfill tool shipped — operators can retrospectively push pre-mirror audit entries to the immutable off-host store in the same format the live mirror uses, closing the gap where only entries from mirror activation onward were captured.
- Added a forensic verifier for the off-host audit chain — operators can now confirm the chain-of-chunks linkage from outside the live system at any time.
- Tightened brute-force lockout with a sliding rate-limit window and tamper-evident audit-chain entries on each lockout — honest typos no longer accumulate a permanent lock count, and lockout events survive off-host in the immutable mirror.
- Read-flood anomaly detection added alongside the existing write-flood detector — both feed the tamper-evident audit chain so alerts persist off-host.
- Outbound webhook destinations now go through an SSRF filter that rejects private IPs, loopback, cloud-metadata endpoints, and non-HTTPS — protects against admin-configured webhook URLs being used to scan internal infrastructure.
- Passkey-only sign-in mode now available for privileged roles via a per-role configuration flag — phishing-resistant authentication with no password fallback.
- Documented disaster-recovery drill that exercises the full off-host restore path quarterly without touching production.
- Tamper-evident audit log is now mirrored to immutable off-host storage (Object Lock in Compliance mode, 7-year retention). Even a compromised administrator account cannot alter or delete historical audit entries.
- Off-host backup mirror activated with client-side AES-256-GCM envelope encryption — backups are now stored as ciphertext in a separate cloud provider.
- Authenticated Origin Pulls extended to cover every tenant subdomain — direct-to-origin bypass attempts now blocked at the edge.
- Independent A+ grades confirmed on SSL Labs (all endpoints) and Mozilla Observatory (10/10 tests passed).
- Have I Been Pwned domain monitoring enabled for medicarehis.com — breach + paste + info-stealer alerts armed.
- Cloudflare Certificate Transparency Monitoring enabled — alerts on any new TLS certificate issuance for the domain.
- MFA enforcement gate shipped for privileged roles, with both TOTP and passkey support.
- Weekly automated dependency audit + TruffleHog secret scanning wired into CI; Dependabot enabled for security and minor-version PRs.
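The outbound-webhook SSRF filter in the updates list is the kind of control whose edge cases (IPv4-mapped IPv6 literals, names that resolve to a mix of public and internal addresses) decide whether it actually holds. As an added example (not MediCare HIS code), the validator below rejects non-HTTPS URLs, embedded credentials, known metadata hostnames, and any host that is, or resolves to, a loopback, private, link-local (including 169.254.169.254, the cloud metadata address) or otherwise non-global address. The resolver is injectable so the example runs offline; FAKE_DNS, its hostnames and the account-free sample URLs are constructed.

```python
# Added example, not MediCare HIS code: validate an admin-supplied webhook
# destination before the server connects to it. FAKE_DNS is a constructed
# lookup table so the example runs offline; resolve_all uses the system DNS.
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}  # names that never belong in a webhook


def _normalise(ip):
    """Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def resolve_all(host):
    """System DNS lookup returning every address the name maps to."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def validate_webhook_url(url, resolver=resolve_all):
    """Return (ok, reason). Every address the host maps to must be globally routable."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() in BLOCKED_HOSTNAMES:
        return False, f"host {host} is blocked"
    try:
        addresses = {ipaddress.ip_address(host)}   # literal IP: no lookup needed
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            addresses = set()
    if not addresses:
        return False, f"host {host} does not resolve"
    for ip in addresses:
        if not _normalise(ip).is_global:          # private, loopback, link-local, reserved ...
            return False, f"host {host} maps to non-global address {ip}"
    return True, "ok"


# Constructed DNS table for offline use.
FAKE_DNS = {
    "hooks.example.org": ["93.184.216.34"],              # a globally routable address
    "evil.example.org": ["10.0.0.5"],                    # name points into the private network
    "dual.example.org": ["93.184.216.34", "127.0.0.1"],  # one public answer, one loopback answer
}


def fake_resolver(host):
    return {ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])}


if __name__ == "__main__":
    for url in ("https://hooks.example.org/notify", "http://hooks.example.org/notify",
                "https://dual.example.org/", "https://169.254.169.254/latest/meta-data/",
                "https://[::ffff:127.0.0.1]/"):
        print(url, "->", validate_webhook_url(url, fake_resolver))
```

Validating at configuration time is necessary but not sufficient: the name can be re-pointed later (DNS rebinding), and a permitted destination can redirect to an internal one. The sender should therefore re-run this check at send time, connect to the address it just validated rather than resolving again, and either disable redirects or validate every hop.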
This page reflects the security state as of 14 May 2026. It is auto-generated from a single source of truth and regenerates whenever a security control is added, changed, or removed. The full internal audit-grade record (including specific configuration, verification commands, and open follow-up items) is available to enterprise customers under NDA — email [email protected] to request it.