Security whitepaper

§1

Threat model

MediCare HIS handles protected health information (PHI), payment and insurance data, and staff authentication credentials. We design controls against six adversary classes:

External unauthenticated attacker — scanning the internet for unpatched HIS deployments. Mitigated by Cloudflare WAF, rate limits, Authenticated Origin Pulls, no exposed admin interfaces.
Credential-stuffing / brute-force attacker — using leaked password databases against known clinical-staff usernames. Mitigated by Argon2id hashing, sliding-window per-account brute-force lockout, MFA enforcement on privileged roles, WebAuthn-only mode available, HIBP domain monitoring.
Insider with low-privilege access — a curious staff member browsing PHI they have no clinical reason to see. Mitigated by role-based access control, cross-tenant 404-not-403 isolation, every access logged to the tamper-evident audit chain, and anomaly detection on per-user read storms (thresholds tuned per deployment, alerts fire to the audit chain + on-call).
Insider with privileged platform access — a runtime administrator attempting to alter clinical history retrospectively. Mitigated by the off-host immutable audit-chain mirror to a separate provider's object-lock storage in Compliance mode with 7-year retention — even root-on-runtime cannot alter past chunks during the retention window.
Cloud-provider compromise — any single sub-processor being itself attacked. Mitigated by client-side AES-256-GCM envelope encryption on all off-host backups and audit chunks — the storage provider sees only ciphertext + AEAD tag. AES tag prevents silent corruption.
Supply-chain attack — malicious dependency injected via npm. Mitigated by weekly npm audit (high+critical block deploys), TruffleHog full-history secret scan on every push and PR, Dependabot weekly minor/patch updates, separation of dev and production dependencies.

§2

Controls by domain

Identity & access

Argon2id password hashing
MFA via TOTP and WebAuthn (FIDO2 passkeys)
WebAuthn-only mode for highest-sensitivity roles
Role-based access control across 18+ defined roles
Cross-tenant isolation (404 not 403 to defeat enumeration)
Sliding-window brute-force lockout with audit-chain logging
Session secret rotation enforced in production
HttpOnly + Secure + SameSite=Lax cookies
Two-person sign-off on controlled substances + blood transfusion
Self-witness rejection (one person can't witness themselves)

Transport security

TLS 1.3 preferred, TLS 1.2 minimum (1.0/1.1 rejected)
HSTS with 2-year max-age, includeSubDomains, preload-eligible
Authenticated Origin Pulls (Cloudflare-only origin access)
SSL Labs grade A+ on every endpoint
Strict Content Security Policy (script-src 'self', no unsafe-inline)
X-Frame-Options DENY + CSP frame-ancestors 'none'
X-Content-Type-Options nosniff
Referrer-Policy strict-origin-when-cross-origin
Permissions-Policy denying geolocation, microphone, camera, payment
Mozilla Observatory grade A+ (10/10 tests passed)

Data protection

Defence-in-depth encryption at rest: managed volume encryption + server-side bucket encryption + client-side AES-256-GCM envelope
Backup key registry supports rotation without invalidating historical backups
Hourly snapshots with 48h hot + 28d daily local retention + 30d age cap
Off-host backups in a separate cloud provider
Tamper-evident audit chain (cryptographic hash linkage)
Off-host immutable audit mirror (object-lock Compliance mode, 7-year retention)
Chain-of-chunks verifier scheduled weekly in CI
SSRF defence on outbound webhook URLs
Sentry PHI scrubbing including breadcrumbs
CSP violation reports written to the audit chain

Monitoring & incident response

UptimeRobot multi-region uptime probes (5-min interval)
Cloudflare Certificate Transparency monitoring
HIBP domain breach monitoring
Sentry error reporting with PHI-scrubbed events
Anomaly detection on write bursts and read floods
Multi-channel critical-alert pipeline (uptime webhook → audit chain + email + mobile push)
Account-enumeration parity tests pin auth-surface invariants
Permission matrix tests pin RBAC semantics
Weekly dependency audit (high+critical block deploys)
Documented incident-response policy with severity-tiered SLAs

§3

Verification — what your IT team can run independently

Every claim in this whitepaper is verifiable by an outside party with no special access. Three classes of verification:

Public web checks

Run from any browser, no credentials:

SSL Labs: ssllabs.com/ssltest
Mozilla Observatory: observatory.mozilla.org
Sucuri SiteCheck: sitecheck.sucuri.net
HSTS Preload eligibility: hstspreload.org
SecurityHeaders.com

Direct curl probes

Run from any terminal:

curl -I medicarehis.com — inspect response headers (HSTS, CSP, X-Frame-Options, etc.)
nslookup _dmarc.medicarehis.com — DMARC policy
Rate-limit + lockout behaviour can be observed by a sandboxed test account during an evidence call; thresholds are not published and are tuned per deployment.

Published artefacts

Read on this site:

Trust page — current control list
RFC 9116 security.txt at /.well-known/security.txt
Compliance roadmap
SECURITY-STATE PDF linked from the Trust page
External-recon response report

§4

Standards alignment

We map controls to four standards. Detail in the compliance roadmap.

ISO/IEC 27001:2022 — Annex A gap analysis covering all 93 controls. ~80% of technological controls (A.8) met by implemented controls with evidence per control (available to procurement / auditors under NDA). Formal certification at Stage 2 trigger (5+ paying hospitals).
ISO 27799:2016 — health-information security overlay. Per-theme mapping covering PHI protection, patient consent, clinical role-based access, audit logging, integration security, backup, personnel, and physical inheritance from cloud sub-processors.
AICPA SOC 2 Type II — roadmap published. Security (mandatory) + Availability + Confidentiality criteria at Stage 1. Processing Integrity and Privacy added at Stage 3.
NHS Data Security and Protection Toolkit — 9 of 10 National Data Guardian standards effectively met today; standard 3 (annual training records) closes at Stage 2 hiring.

§5

Vulnerability disclosure

Reports go to [email protected]. Discoverable via our RFC 9116 security.txt at medicarehis.com/.well-known/security.txt. Acknowledgement SLA: 2 working days. Severity-tiered fix SLA:

Critical — acknowledge 24h, first fix shipped within 7 days. Examples: active PHI exfiltration, full unauthenticated admin access, audit chain compromised.
High — acknowledge 72h, first fix shipped within 30 days. Examples: authenticated user accessing another tenant, persistent XSS in clinical workflow.
Medium — acknowledge 7 days, first fix shipped within 90 days.
Low — acknowledge 30 days, fix on best-effort basis.

External penetration testing: first formal engagement scheduled. Annual cadence thereafter per the incident-response policy. Bug bounty: Stage 2+ (not yet active).

Companion documents: Procurement evidence pack · Brochure · Deployment architecture · Compliance roadmap · SLA · Support · Onboarding