# Cybersecurity Framework

Healthcare data is among the most valuable targets for cybercriminals. A single breach can destroy user trust, trigger regulatory penalties, and end your chances of partnering with health systems.

## Zero Trust Architecture

Traditional security assumed everything inside the network perimeter was trusted. Zero Trust assumes nothing is trusted by default, regardless of where a request comes from:

* **Verify explicitly**: Authenticate and authorize every request, not only the first one at the perimeter
* **Least-privilege access**: Grant each role the minimum access its tasks require, and nothing more
* **Assume breach**: Design as if attackers are already inside; segment systems and log everything so a compromise stays contained and visible

## Encryption

| State      | Requirement                 | Implementation                                                                  |
| ---------- | --------------------------- | ------------------------------------------------------------------------------- |
| At rest    | AES-256                     | Database encryption, S3 server-side encryption                                  |
| In transit | TLS 1.3                     | All API endpoints and database connections, with certificate verification enabled |
| On device  | Platform-backed key storage | iOS Keychain, Android Keystore (hardware-backed where the device supports it)    |
| Backups    | AES-256                     | Encrypted backup storage, with keys held separately from the backups            |
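As an added example (not code from the original page or from the Blueprint project), here is how the in-transit row looks as a Python `ssl` configuration, with the weak variant beside the compliant one and a small `audit_context` check that a CI job could run against every context the codebase builds. The function names are assumptions; the standard-library `ssl` calls are real.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Outbound connections (to APIs, to the database): TLS 1.3 only, full peer verification."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """What a 'temporary' debugging commit tends to leave behind; kept here only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE             # accepts any certificate: trivial to intercept
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return policy violations for a context; an empty list means it meets the table above."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum_version is {ctx.minimum_version.name}; policy requires TLSv1_3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED; peer certificates are not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is off; a valid certificate for any other host is accepted")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:", audit_context(weak_client_context()))
```

The server side is the mirror image: `ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)` plus `load_cert_chain(...)` and the same `minimum_version`. Note that the audit only sees contexts built through Python's `ssl`; database drivers usually take their own TLS parameters (for example a `sslmode` setting), and those need an equivalent check.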

## Authentication and Access Control

* **Multi-factor authentication**: Required for every account that can reach PHI, not just administrators
* **Role-based access control**: Patient, clinician, admin and caregiver roles, each granted only the records and actions its tasks require
* **Session management**: Automatic idle timeout, absolute session lifetime, concurrent session limits
* **API authentication**: OAuth 2.0 with short-lived access tokens; the only long-lived credential is a refresh token that can be revoked
* **Biometric**: Fingerprint/face ID to unlock the mobile app; this gates a credential stored in the platform keychain and does not replace server-side authentication
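As an added example (not code from the original page or from the Blueprint project), here is a minimal Python implementation of the request-level checks the Zero Trust and access-control sections describe: a short-lived HMAC-signed access token, an MFA requirement for anything that touches PHI, a role-to-permission map that gives each role only what it needs, and an idle-session timeout checked on every request. `ROLE_PERMISSIONS`, `authorize` and permission strings such as `phi:read:assigned` are assumptions for illustration; the signing key is generated per process here and would live in a KMS or HSM in a real deployment.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical constants for illustration. The signing key would come from a KMS/HSM
# in production; generating it per process keeps the example self-contained.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900      # access tokens live 15 minutes ("short-lived tokens")
IDLE_TIMEOUT = 600   # a session ends after 10 minutes without a request

# Least privilege: each role gets only the permissions its tasks need.
# Admins manage accounts and read audit logs; they do not read PHI by default.
ROLE_PERMISSIONS = {
    "patient":   {"phi:read:self"},
    "caregiver": {"phi:read:delegated"},
    "clinician": {"phi:read:assigned", "phi:write:assigned"},
    "admin":     {"user:manage", "audit:read"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> bytes:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()


def issue_token(subject: str, role: str, mfa_verified: bool, now: float = None) -> str:
    """Mint a compact signed token: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {
        "sub": subject,
        "role": role,
        "mfa": mfa_verified,          # whether this login completed a second factor
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL,  # hard expiry, independent of the idle timeout
        "jti": secrets.token_hex(8),  # unique id, used as the session key below
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_b64(_sign(body))}"


def verify_token(token: str, now: float = None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(_unb64(sig), _sign(body)):
            return None                      # tampered body or signature
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now:
            return None                      # expired
        return claims
    except (ValueError, KeyError):
        return None                          # malformed token


def authorize(token: str, permission: str, sessions: dict, now: float = None):
    """Verify explicitly on every request: token, session liveness, MFA, then role permission.

    `sessions` maps token id -> timestamp of the last successful request.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return False, "invalid or expired token"
    last_seen = sessions.get(claims["jti"])
    if last_seen is not None and now - last_seen > IDLE_TIMEOUT:
        sessions.pop(claims["jti"], None)    # automatic timeout: the client must log in again
        return False, "session idle timeout"
    if permission.startswith("phi:") and not claims["mfa"]:
        return False, "MFA required for PHI access"
    if permission not in ROLE_PERMISSIONS.get(claims["role"], set()):
        return False, f"role {claims['role']} lacks {permission}"
    sessions[claims["jti"]] = now
    return True, "ok"


if __name__ == "__main__":
    sessions = {}
    tok = issue_token("dr.lee", "clinician", mfa_verified=True)
    print(authorize(tok, "phi:read:assigned", sessions))   # allowed
    print(authorize(tok, "user:manage", sessions))         # denied: clinicians do not manage users
```

The order of checks matters: the signature is verified before any claim is trusted, the idle check runs before the permission check so a stale session cannot be used to probe which permissions exist, and the MFA flag is carried in the signed claims so the server does not have to trust the client's word for it.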

## Incident Response

Prepare for the worst:

1. **Detection**: Automated monitoring of audit logs for suspicious activity such as failed-login bursts and unusually large volumes of record access
2. **Containment**: Isolate affected systems immediately and revoke any credentials and tokens the attacker may have captured
3. **Investigation**: Determine scope (which records, which users) and root cause, preserving logs and disk images as evidence
4. **Notification**: HIPAA's Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after the breach is discovered; HHS must be notified as well (within the same 60 days when 500 or more individuals are affected, otherwise in an annual report), and prominent media outlets when more than 500 residents of a state or jurisdiction are affected
5. **Recovery**: Restore from a clean backup only after the entry point is closed, and verify the backup was not itself modified by the attacker
6. **Post-mortem**: Document lessons learned and update controls, detections, and runbooks
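As an added example (not code from the original page or from the Blueprint project), here is the detection step run over a constructed audit log in Python with only the standard library. Two rules run over JSON-lines events, a failed-login burst per source IP and a bulk-PHI-read rule per user, each over a sliding time window and alerting once per offender; `notification_deadline` makes the point that the 60-day HIPAA clock starts at discovery. Field names, thresholds and the sample log are assumptions for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import date, datetime, timedelta, timezone

# Hypothetical tuning; real thresholds come from your own baseline traffic.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BULK_PHI_THRESHOLD = 10                    # distinct patient records by one user ...
BULK_PHI_WINDOW = timedelta(minutes=10)    # ... within this window


def parse_events(text: str) -> list:
    """Parse JSON-lines audit events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Run both rules over time-ordered events; alert once per offending IP or user."""
    alerts = []
    flagged = set()
    failures = defaultdict(deque)      # ip -> timestamps of recent failed logins
    phi_reads = defaultdict(deque)     # user -> (timestamp, patient_id) of recent PHI reads
    for e in events:
        if e["event"] == "login" and e["outcome"] == "failure":
            window = failures[e["ip"]]
            window.append(e["ts"])
            while e["ts"] - window[0] > FAILED_LOGIN_WINDOW:   # drop events outside the window
                window.popleft()
            key = ("failed_login_burst", e["ip"])
            if len(window) >= FAILED_LOGIN_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append({"rule": key[0], "key": e["ip"], "count": len(window), "at": e["ts"]})
        elif e["event"] == "phi_read" and e["outcome"] == "success":
            window = phi_reads[e["user"]]
            window.append((e["ts"], e["patient_id"]))
            while e["ts"] - window[0][0] > BULK_PHI_WINDOW:
                window.popleft()
            distinct = {pid for _, pid in window}             # re-reading one chart is not bulk access
            key = ("bulk_phi_access", e["user"])
            if len(distinct) >= BULK_PHI_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append({"rule": key[0], "key": e["user"], "count": len(distinct), "at": e["ts"]})
    return alerts


def notification_deadline(discovered: str) -> str:
    """Individuals must be notified no later than 60 calendar days after the breach is
    discovered (not after it occurred). Takes and returns ISO dates."""
    return (date.fromisoformat(discovered) + timedelta(days=60)).isoformat()


def sample_log() -> str:
    """Constructed sample, not real traffic: one password-guessing burst, one ordinary failed
    login, one clinician pulling 12 charts in 8 minutes, one clinician reading a normal 3."""
    base = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    for i in range(6):
        lines.append(json.dumps({"ts": at(30 * i), "event": "login", "user": "nurse.ortiz",
                                 "ip": "203.0.113.7", "outcome": "failure"}))
    lines.append(json.dumps({"ts": at(90), "event": "login", "user": "dr.kim",
                             "ip": "198.51.100.4", "outcome": "failure"}))
    for i in range(12):
        lines.append(json.dumps({"ts": at(40 * i), "event": "phi_read", "user": "dr.lee",
                                 "ip": "10.0.4.12", "patient_id": f"P-{1000 + i}", "outcome": "success"}))
    for i in range(3):
        lines.append(json.dumps({"ts": at(120 * i), "event": "phi_read", "user": "dr.kim",
                                 "ip": "10.0.4.20", "patient_id": f"P-{2000 + i}", "outcome": "success"}))
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect(parse_events(sample_log())):
        print(alert)
    print("notify individuals by", notification_deadline("2024-05-01"))
```

Both rules key on the identity that matters for containment (the source address for credential guessing, the user for data access), which is what the containment step needs to act on; the one-alert-per-offender set keeps a long burst from flooding the on-call engineer with duplicates.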

## Certification Paths

| Certification | What It Validates                                                                              | Timeline    |
| ------------- | ---------------------------------------------------------------------------------------------- | ----------- |
| SOC 2 Type II | Security controls operating effectively over an audit period (Type I covers a point in time) | 6-12 months |
| HITRUST CSF   | A prescriptive control set mapped to HIPAA and other frameworks                               | 6-18 months |
| ISO 27001     | Information security management system                                                         | 6-12 months |
| ISO 13485     | Medical device quality management system                                                       | 6-12 months |