VannahHealthCloud

Security & Compliance

HIPAA compliance, data encryption, access control, and audit logging in VannahHealthCloud.

Security Overview

VannahHealthCloud is built with security-first principles to protect sensitive medical imaging data and ensure compliance with healthcare regulations.

Compliance Standards

Standard              Status        Scope
HIPAA                 Compliant     US healthcare data protection
GDPR                  Compliant     EU data privacy
DICOM Supplement 95   Implemented   Audit trail logging
IHE ATNA              Implemented   Audit Trail and Node Authentication
SOC 2 Type II         In progress   Security controls audit

Data Encryption

Encryption at Rest

All stored data is encrypted using AES-256 encryption:

  • Database — PostgreSQL Transparent Data Encryption (TDE). Note that community PostgreSQL has no built-in TDE, so this depends on a TDE-capable distribution or on encrypted volumes beneath the data directory
  • Object Storage — MinIO Server-Side Encryption (SSE-S3)
  • Backups — Encrypted with separate backup encryption keys
  • DICOM Files — Encrypted at the storage layer

Encryption in Transit

All data transfers are encrypted:

  • HTTPS/TLS 1.3 — All web traffic and REST APIs
  • DICOM TLS — Medical image transfers secured with mutual TLS
  • Internal TLS — Service-to-service communication encrypted
  • Database Connections — SSL-encrypted PostgreSQL connections

Client ──── TLS 1.3 ────→ Load Balancer
Load Balancer ─ TLS 1.2+ ─→ Application Services
Services ──── TLS ────────→ Database / Storage
Modalities ── DICOM TLS ──→ Orthanc Gateway

Access Control

Role-Based Access Control (RBAC)

Role                  Permissions
Super Admin           Full system access, user management, configuration
Admin                 Facility management, user CRUD, report configuration
Radiologist           View studies, create reports, access viewer
Technologist          View worklist, verify image quality, basic metadata
Referring Physician   View reports and images for their patients
Student               View assigned studies, learning resources only
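The table above mixes two kinds of rule: most roles have global permissions, but a Referring Physician is limited to their own patients and a Student to assigned studies. Enforcing the second kind needs an object-level check on top of the role check. The following is an added example, not VannahHealthCloud's own code; the permission strings, the User and Study shapes and the sample data are assumptions made for the illustration.

```python
"""Added example (not VannahHealthCloud code): role-to-permission mapping
plus object-level scoping, so that a Referring Physician sees only their own
patients and a Student only assigned studies. Role names follow the table
above; the permission strings, the User/Study shapes and the sample data are
assumptions made for this illustration."""
from __future__ import annotations
from dataclasses import dataclass

ROLE_PERMISSIONS: dict[str, set[str]] = {
    "super_admin": {"*"},                      # wildcard: every permission
    "admin": {"facility:manage", "user:create", "user:read", "user:update",
              "user:delete", "report:configure", "study:view", "report:view"},
    "radiologist": {"study:view", "viewer:open", "report:create", "report:view"},
    "technologist": {"worklist:view", "image:verify", "study:metadata:read"},
    "referring_physician": {"study:view", "report:view"},
    "student": {"study:view", "learning:view"},
}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    patient_ids: frozenset = frozenset()   # referring physician: own patients
    study_uids: frozenset = frozenset()    # student: assigned studies

@dataclass(frozen=True)
class Study:
    study_uid: str
    patient_id: str

def has_permission(user: User, permission: str) -> bool:
    """Coarse check: does the user's role grant this permission at all?
    Unknown roles get nothing (deny by default)."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    return "*" in perms or permission in perms

def can_access_study(user: User, study: Study, permission: str) -> bool:
    """Full check: role permission AND object-level scope. Scoped roles must
    be explicitly linked to the patient or study; this second step is what
    stops a user with a legitimate role from pulling another patient's study
    simply by supplying a different Study Instance UID."""
    if not has_permission(user, permission):
        return False
    if user.role == "referring_physician":
        return study.patient_id in user.patient_ids
    if user.role == "student":
        return study.study_uid in user.study_uids
    return True   # unscoped roles see any study their permission allows

# Constructed sample data (the first UID matches the audit log record shown on this page).
STUDY_A = Study("1.2.840.113619.2.55.3.123456", "PAT001")
STUDY_B = Study("1.2.840.113619.2.55.3.654321", "PAT002")
RADIOLOGIST = User("usr_rad1", "radiologist")
REFERRER = User("usr_ref1", "referring_physician", patient_ids=frozenset({"PAT001"}))
STUDENT = User("usr_stu1", "student", study_uids=frozenset({STUDY_B.study_uid}))

if __name__ == "__main__":
    for who, study in ((RADIOLOGIST, STUDY_B), (REFERRER, STUDY_A),
                       (REFERRER, STUDY_B), (STUDENT, STUDY_A)):
        print(who.role, study.patient_id, can_access_study(who, study, "study:view"))
```

The point of keeping `has_permission` and `can_access_study` separate is that a route guard that only checks the role will pass a referring physician straight through to any study; every handler that loads a study by UID has to call the scoped check.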

Authentication

  • JWT Tokens — Stateless authentication with short-lived access tokens
  • Refresh Tokens — Secure token rotation for session continuity
  • OAuth 2.0 / OpenID Connect — SSO integration with identity providers
  • Multi-Factor Authentication (MFA) — TOTP-based second factor
  • Password Policy — Minimum 8 chars, uppercase, lowercase, number, special char (note that NIST SP 800-63B advises screening candidate passwords against known-breached lists rather than relying on composition rules)

Session Management

  • Access tokens expire after 15 minutes
  • Refresh tokens expire after 7 days
  • Maximum 5 concurrent sessions per user
  • Automatic session invalidation on password change
  • Rate limiting: 100 requests per minute per user
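Short-lived access tokens only work if the refresh path is tight: a refresh token that survives use, or one that keeps working after a password change, gives an attacker a quiet seven-day foothold. The block below is an added example, not the product's code, showing how the session rules listed above fit together: a standard-library HS256 JWT issuer, 15-minute access tokens, 7-day refresh tokens rotated on every use with replay detection, a cap of 5 sessions per user, and invalidation of all tokens on password change. The claim names, the in-memory SessionStore and the secret are assumptions for the illustration; a real deployment would use a vetted JWT library and a shared store.

```python
"""Added example (not VannahHealthCloud code). Claim names, the in-memory
SessionStore and the SECRET value are assumptions made for this illustration."""
from __future__ import annotations
import base64, hashlib, hmac, json, secrets
from collections import OrderedDict
from typing import Optional

SECRET = b"example-hmac-key-replace-in-production"   # constructed for the demo
ACCESS_TTL = 15 * 60            # access tokens expire after 15 minutes
REFRESH_TTL = 7 * 24 * 3600     # refresh tokens expire after 7 days
MAX_SESSIONS = 5                # maximum concurrent sessions per user

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()   # only hashes of refresh tokens are stored

def sign_jwt(claims: dict) -> str:
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: float) -> Optional[dict]:
    """Claims if the HMAC is valid and exp is in the future, else None. The
    algorithm is pinned server-side, so an alg=none header is never honoured."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > now else None

class SessionStore:
    """In-memory stand-in for the server-side session table (assumption)."""
    def __init__(self) -> None:
        self.sessions: dict[str, OrderedDict] = {}   # user_id -> sid -> refresh record
        self.live: dict[str, tuple] = {}             # refresh hash -> (user_id, sid)
        self.spent: dict[str, tuple] = {}            # rotated-out hashes, for replay detection
        self.version: dict[str, int] = {}            # bumped on password change

    def _access_token(self, user_id: str, sid: str, now: float) -> str:
        return sign_jwt({"sub": user_id, "sid": sid, "ver": self.version.get(user_id, 0),
                         "iat": int(now), "exp": int(now) + ACCESS_TTL})

    def _issue_refresh(self, user_id: str, sid: str, now: float) -> str:
        refresh = secrets.token_urlsafe(32)
        self.sessions[user_id][sid] = {"hash": _h(refresh), "exp": now + REFRESH_TTL}
        self.live[_h(refresh)] = (user_id, sid)
        return refresh

    def revoke(self, user_id: str, sid: str) -> None:
        rec = self.sessions.get(user_id, {}).pop(sid, None)
        if rec:
            self.live.pop(rec["hash"], None)

    def login(self, user_id: str, now: float) -> tuple[str, str]:
        user_sessions = self.sessions.setdefault(user_id, OrderedDict())
        while len(user_sessions) >= MAX_SESSIONS:          # evict the oldest session
            self.revoke(user_id, next(iter(user_sessions)))
        sid = secrets.token_urlsafe(16)
        return self._access_token(user_id, sid, now), self._issue_refresh(user_id, sid, now)

    def authenticate(self, token: str, now: float) -> Optional[str]:
        claims = verify_jwt(token, now)
        if claims is None or claims["ver"] != self.version.get(claims["sub"], 0):
            return None      # bad signature, expired, or issued before a password change
        if claims["sid"] not in self.sessions.get(claims["sub"], {}):
            return None      # session evicted or revoked
        return claims["sub"]

    def refresh(self, refresh_token: str, now: float) -> Optional[tuple[str, str]]:
        h = _h(refresh_token)
        if h in self.spent:                      # replay of a rotated token: kill the session
            self.revoke(*self.spent[h])
            return None
        if h not in self.live:
            return None
        user_id, sid = self.live.pop(h)
        self.spent[h] = (user_id, sid)
        if self.sessions[user_id][sid]["exp"] <= now:
            self.revoke(user_id, sid)
            return None
        return self._access_token(user_id, sid, now), self._issue_refresh(user_id, sid, now)

    def password_changed(self, user_id: str) -> None:
        self.version[user_id] = self.version.get(user_id, 0) + 1   # old access tokens fail
        for sid in list(self.sessions.get(user_id, {})):
            self.revoke(user_id, sid)                             # refresh tokens die too
```

Two details worth copying: the access token carries a `ver` claim compared against a per-user counter, which is what makes a stateless 15-minute token die immediately on password change rather than at its natural expiry, and a refresh token presented a second time is treated as evidence of theft (the attacker and the victim cannot both hold the current one), so the whole session is revoked instead of just the request being refused.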

Audit Logging

What Gets Logged

Every significant action is recorded in the audit log:

Event Type          Examples
Authentication      Login, logout, failed attempts, MFA events
Data Access         Study viewed, report opened, patient lookup
Data Modification   Report created/edited, study metadata changed
DICOM Events        C-STORE received, C-FIND query, C-MOVE transfer
Admin Actions       User created/modified, role changed, config updated
System Events       Service start/stop, backup completed, errors

Audit Log Format

{
  "timestamp": "2026-01-15T10:30:00Z",
  "eventType": "DATA_ACCESS",
  "action": "STUDY_VIEWED",
  "userId": "usr_abc123",
  "userName": "dr.smith",
  "role": "radiologist",
  "resourceType": "Study",
  "resourceId": "1.2.840.113619.2.55.3.123456",
  "patientId": "PAT001",
  "ipAddress": "192.168.1.50",
  "userAgent": "Mozilla/5.0...",
  "result": "SUCCESS"
}

Audit Retention

  • Online: 90 days (searchable in real-time)
  • Archive: 7 years (exceeds the six-year documentation retention that HIPAA requires under 45 CFR 164.316(b)(2))
  • Immutable: the audit log is append-only; entries cannot be modified or deleted
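"Immutable" is a property the reader should be able to check, not just a promise. A common way to make an append-only log tamper-evident is to chain each record to the previous one by hash, so that editing, re-hashing or deleting a record breaks the link that follows it. The code below is an added example and not how VannahHealthCloud is known to implement immutability; it uses the JSON record format shown above, adds `seq`, `prevHash` and `hash` fields as an assumption, and runs a verification pass and a simple query over constructed sample events.

```python
"""Added example (not VannahHealthCloud code): a hash-chained append-only audit
log in the page's JSON record format. The seq/prevHash/hash fields, the
AuditLog class and the sample events are assumptions made for this example."""
from __future__ import annotations
import hashlib, json
from typing import Optional

class AuditLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(record: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        payload = json.dumps({k: v for k, v in record.items() if k != "hash"},
                             sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()

    def append(self, event: dict) -> dict:
        record = dict(event)
        record["seq"] = len(self.records)
        record["prevHash"] = self.records[-1]["hash"] if self.records else self.GENESIS
        record["hash"] = self._digest(record)
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return the seq of the first bad record, or None if the chain is intact.
        Catches edits (hash mismatch), re-hashed edits and deletions (broken link
        or seq gap); an attacker who can rewrite every later record as well needs
        the log anchored externally, e.g. by shipping the latest hash off-host."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec.get("seq") != i or rec.get("prevHash") != prev:
                return i
            if rec.get("hash") != self._digest(rec):
                return i
            prev = rec["hash"]
        return None

    def query(self, **filters) -> list[dict]:
        """Exact-match filter on any record fields, e.g. query(patientId="PAT001")."""
        return [r for r in self.records if all(r.get(k) == v for k, v in filters.items())]

def build_sample_log() -> AuditLog:
    """Constructed events in the page's record format (values are made up)."""
    log = AuditLog()
    base = {"userId": "usr_abc123", "userName": "dr.smith", "role": "radiologist",
            "ipAddress": "192.168.1.50", "userAgent": "Mozilla/5.0..."}
    log.append({**base, "timestamp": "2026-01-15T10:29:50Z", "eventType": "AUTHENTICATION",
                "action": "LOGIN", "result": "SUCCESS"})
    log.append({**base, "timestamp": "2026-01-15T10:30:00Z", "eventType": "DATA_ACCESS",
                "action": "STUDY_VIEWED", "resourceType": "Study",
                "resourceId": "1.2.840.113619.2.55.3.123456", "patientId": "PAT001",
                "result": "SUCCESS"})
    log.append({**base, "timestamp": "2026-01-15T10:31:10Z", "eventType": "DATA_ACCESS",
                "action": "STUDY_VIEWED", "resourceType": "Study",
                "resourceId": "1.2.840.113619.2.55.3.654321", "patientId": "PAT002",
                "result": "DENIED"})
    return log

def tamper_demo() -> tuple:
    """Edit a stored record after the fact and show what verify() reports at each step."""
    log = build_sample_log()
    intact = log.verify()                                       # None: chain is good
    log.records[1]["patientId"] = "PAT999"                      # attacker edits a record
    after_edit = log.verify()                                   # 1: its hash no longer matches
    log.records[1]["hash"] = AuditLog._digest(log.records[1])   # attacker re-hashes it
    after_rehash = log.verify()                                 # 2: next record's prevHash breaks
    return intact, after_edit, after_rehash

if __name__ == "__main__":
    print(tamper_demo())
    print([r["action"] for r in build_sample_log().query(result="DENIED")])
```

A hash chain on its own only proves that the log has not been altered since the last record the verifier trusts; to make the 7-year archive meaningfully immutable the chain head has to be written somewhere the application host cannot change, such as object storage with retention locking or a separate logging account.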

Network Security

Firewall Rules

# Inbound (Public)
ALLOW  TCP  443   0.0.0.0/0        # HTTPS (Web + API)
ALLOW  TCP  4242  <known-modality-IPs>  # DICOM from modalities

# Inbound (Internal)
ALLOW  TCP  5432  <app-servers>     # PostgreSQL
ALLOW  TCP  9000  <app-servers>     # MinIO
ALLOW  TCP  5672  <app-servers>     # RabbitMQ

# Outbound
ALLOW  TCP  443   0.0.0.0/0        # HTTPS (updates, integrations)
DENY   ALL  ALL   0.0.0.0/0        # Default deny: any inbound or outbound traffic not matched above is dropped

DDoS Protection

  • Cloudflare WAF — Web application firewall
  • Rate Limiting — Request throttling per IP/user
  • Geo-blocking — Restrict access to authorized regions
  • Bot Protection — Challenge suspicious traffic

Vulnerability Management

Security Scanning

  • Container Scanning — Trivy scans on every Docker image build
  • Dependency Scanning — Automated CVE detection in npm/pip packages
  • SAST — Static Application Security Testing in CI/CD pipeline
  • Penetration Testing — Annual third-party penetration tests

Incident Response

  1. Detection — Automated alerting on anomalous activity
  2. Containment — Isolate affected systems immediately
  3. Investigation — Analyze audit logs and system state
  4. Recovery — Restore from clean backups if necessary
  5. Post-mortem — Document findings and implement fixes
  6. Notification — Inform affected parties per regulatory requirements (for protected health information, the HIPAA Breach Notification Rule requires notice without unreasonable delay and no later than 60 days after discovery)
