Security Practices
A detailed overview of the technical and organizational security measures Shepard Health implements to protect clinical data and electronic Protected Health Information (ePHI).
Security at a Glance
- AES-256-GCM encryption for all ePHI at rest (field-level encryption)
- TLS 1.2+ for all connections, TLS 1.3 for audio transmission
- Argon2id password hashing (memory-hard, GPU-resistant)
- TOTP multi-factor authentication with encrypted secrets
- SHA-256 hash-chain tamper-evident audit logging
- Role-based access control with minimum necessary enforcement
- Automatic PHI redaction using 18 HIPAA Safe Harbor identifiers
- Biometric authentication (Face ID, Touch ID, fingerprint)
- Hosted on SOC 2 Type II certified infrastructure
1. Encryption
1.1 Encryption at Rest
All electronic Protected Health Information (ePHI) stored in the database is encrypted at the field level using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). This means each individual sensitive field is independently encrypted, not just the disk or database volume.
Encrypted fields include clinical note content, patient identifiers, redacted transcripts, safety considerations, differential diagnoses, MFA secrets, and flashcard content.
1.2 Encryption in Transit
All network communication is encrypted using TLS (Transport Layer Security). Audio recordings transmitted for transcription use TLS 1.3, the latest and most secure version of the protocol.
1.3 Crypto-Shredding
Shepard supports crypto-shredding as a data destruction method. By securely deleting encryption keys, all data encrypted with those keys is rendered permanently unreadable, even if the ciphertext persists in backups.
2. Authentication
2.1 Password Security
User passwords are hashed using Argon2id, a memory-hard algorithm specifically designed to resist GPU-based brute-force attacks. Argon2 won the Password Hashing Competition in 2015 and is recommended by OWASP for password storage.
2.2 Multi-Factor Authentication (MFA)
TOTP-based multi-factor authentication is available for all accounts. MFA secrets are encrypted at rest using AES-256-GCM, and backup codes are stored as hashed values. Users generate time-based one-time passwords using standard authenticator apps.
2.3 Session Management
Sessions are managed using JWT (JSON Web Tokens) with strict lifecycle controls:
If a refresh token is reused (indicating potential theft), the entire token family is revoked, forcing re-authentication across all sessions.
2.4 Biometric Authentication
The mobile app supports Face ID, Touch ID (iOS), and fingerprint authentication (Android). Biometric credentials are managed by the device operating system's secure enclave and never leave the device.
2.5 Account Protection
Accounts are protected against brute-force attacks with rate limiting: 5 failed login attempts per account trigger a temporary lockout. Additionally, IP-level and global rate limits prevent credential stuffing and automated attacks.
3. Access Control
3.1 Role-Based Access
Shepard implements a strict role hierarchy with minimum necessary access enforcement. Each role can only access the data and features required for its function.
| Role | Access Level | Description |
|---|---|---|
| Patient (Free/Plus) | Patient Data Only | Own health concerns, medications, visit recordings |
| Student | Basic Clinical | Clinical features with educational guardrails |
| Resident | Standard Clinical | Full clinical features with supervision context |
| Attending | Full Clinical | All clinical features, extended data retention |
| Admin | Administrative | User management, audit review |
| Superadmin | Full Administrative | Admin role assignment, system configuration |
3.2 Minimum Necessary Enforcement
Role-specific field filtering ensures that each role sees only the data elements necessary for their function. Students see fewer PHI fields than attendings. Administrative roles can manage users but clinical data access is separately controlled.
3.3 Emergency Access (Break-Glass)
Authorized clinicians can activate break-glass access in clinical emergencies. This requires a documented reason, triggers an immediate high-priority security alert, and all actions are logged with enhanced detail for subsequent review.
4. Audit Logging
4.1 Tamper-Evident Audit Trail
Every PHI access event is recorded in a tamper-evident audit log using a SHA-256 hash chain. Each log entry includes a cryptographic hash of the previous entry, creating an unbreakable chain. If any entry is modified or deleted, the chain integrity verification will detect the tampering.
What is logged:
Every read and write of PHI, including user ID, role, action type, IP address, and timestamp. Export actions (PDF generation, clipboard copy) are also logged. All administrative operations (role changes, subscription grants, user management) are independently audited.
4.2 Log Security
The secure logger automatically redacts sensitive data from log output, including JWTs, passwords, email addresses, Social Security numbers, and PHI patterns. This prevents accidental exposure of sensitive information in server logs.
5. PHI Protection
5.1 Automatic Redaction
Before any clinical data is stored or transmitted for AI processing, Shepard automatically detects and removes all 18 HIPAA Safe Harbor identifiers:
- Names (patient names, common first and last names)
- Geographic data (addresses, zip codes smaller than initial 3 digits)
- Dates (birth dates, admission dates, discharge dates)
- Phone numbers, fax numbers, email addresses
- Social Security Numbers, Medical Record Numbers
- Health plan beneficiary numbers, account numbers
- Certificate/license numbers, vehicle/device identifiers
- Web URLs, IP addresses, biometric identifiers
5.2 Defense in Depth
PHI protection is enforced at three independent layers:
- Client-Side Redaction: Regex-based pattern matching before data leaves the device
- PHI Safety Guard: Client-side validation that blocks unredacted content from being saved or exported
- Server-Side PHI Safety Gate: Middleware that automatically redacts clinical content in API request bodies before database persistence
Each layer operates independently, so a failure in one layer does not compromise the others.
5.3 De-Identified Audit Entries
Patient identifiers that appear in audit logs are salted and hashed using SHA-256 before storage. This allows correlation of actions for a specific patient without storing identifiable information in the audit trail.
6. Network Security
6.1 Rate Limiting
Granular rate limits protect all API endpoints from abuse:
6.2 Bot Protection
Automated attack detection identifies suspicious patterns including SQL injection attempts, cross-site scripting (XSS), and bot-like user agents. Offending IP addresses are automatically blocked for 1 hour.
6.3 Input Validation
All API request bodies are validated against strict schemas using Zod (a TypeScript-first schema validation library). Queries use parameterized statements through Drizzle ORM, preventing SQL injection at the database layer.
6.4 SOC 2 Type II Certified Infrastructure
Shepard's application hosting, database storage, and compute infrastructure runs on a platform that has achieved SOC 2 Type II certification. This means the underlying infrastructure has been independently audited by a third-party CPA firm and verified to meet rigorous standards for:
- Security: Protection against unauthorized access to systems and data
- Availability: Systems are operational and accessible as committed
- Confidentiality: Information designated as confidential is protected appropriately
This third-party certification provides an additional layer of assurance beyond Shepard's own application-level security controls.
7. Mobile Device Security
| Feature | Description |
|---|---|
| Jailbreak/Root Detection | Clinical features restricted on compromised devices |
| Secure Credential Storage | iOS Keychain / Android Keystore via expo-secure-store |
| Screenshot Protection | Clinical content hidden when app is backgrounded |
| Biometric Lock | Optional Face ID / Touch ID / fingerprint for app access |
| Session Timeout | 15-minute access token expiry with forced re-authentication |
8. Data Retention and Destruction
8.1 Retention Periods
| User Type | Clinical Data Retention |
|---|---|
| Student | 90 days |
| Resident | 1 year |
| Attending | 2 years |
| Patient | Per user preference |
8.2 Data Destruction
Shepard supports multiple data destruction methods:
- Standard deletion: Database record removal with audit logging
- Crypto-shredding: Encryption key destruction renders all ciphertext permanently unreadable
- Account purge: Complete removal of all user data with 60-day soft-delete recovery window
A background scheduler runs daily to automatically purge expired sessions and clinical data that exceeds retention periods.
9. Vulnerability Management
Shepard maintains a proactive security posture through:
- Regular dependency auditing and security scanning
- Input validation on all API endpoints
- Secure error handling that never exposes internal details to clients
- Security-focused code review for all changes affecting ePHI
- Logging redaction to prevent accidental PHI exposure in server logs
10. Reporting Security Issues
If you discover a security vulnerability or have concerns about Shepard's security practices, please contact us immediately:
Security Team: security@shepardhealth.ai
Compliance Inquiries: compliance@shepardhealth.ai
We take all security reports seriously and will acknowledge receipt within 24 hours.