Security Practices
Our Commitment to Security
At myCARI, protecting your health information is our top priority. We employ industry-leading security measures to ensure your data remains private and secure. As a healthcare application handling Protected Health Information (PHI), we implement security controls that meet or exceed HIPAA requirements.
Compliance Framework
| Standard | Status | Description |
|---|---|---|
| HIPAA | Implemented | Security controls aligned with HIPAA requirements |
| SOC 2 Type II | Via Infrastructure | GCP infrastructure is SOC 2 certified |
| GDPR | Implemented | Data protection practices aligned with GDPR |
| CCPA | Implemented | California Consumer Privacy Act requirements addressed |
Technical Security Measures
Encryption
| Layer | Technology | Details |
|---|---|---|
| In Transit | TLS 1.3 | All network communications use the latest TLS encryption |
| At Rest | AES-256 | All stored health data encrypted with industry-standard encryption |
| Key Management | Google Cloud KMS | Automatic key rotation, hardware security modules |
| End-to-End | Curve25519 + AES-256-GCM | Care team messages encrypted on-device |
End-to-End Messaging Encryption
| Component | Implementation | Details |
|---|---|---|
| Key Exchange | X25519 (Curve25519) | Elliptic curve Diffie-Hellman for secure key agreement |
| Message Encryption | AES-256-GCM | Authenticated encryption with associated data |
| Private Key Storage | Device Secure Enclave | Keys never leave your device |
| Public Key Storage | Server-side | Public keys stored for key exchange only |
Authentication
| Feature | Implementation | Details |
|---|---|---|
| Biometric | Face ID / Touch ID | Recommended for secure, convenient access |
| Password | Minimum 6 characters | Firebase Auth with secure password storage |
| Social Sign-In | Apple Sign-In, Google Sign-In | OAuth 2.0 with secure token exchange |
| Session Management | Token-based sessions | Automatic expiration and refresh |
| Token Security | JWT with short expiry | Secure storage in device keychain |
| Brute Force Protection | Rate limiting | Request rate limits per endpoint to prevent abuse |
Infrastructure Security
| Component | Implementation | Details |
|---|---|---|
| Cloud Provider | Google Cloud Platform | HIPAA Business Associate Agreement (BAA) signed |
| Data Centers | SOC 2 Certified | US-based GCP data centers with physical security |
| Load Balancing | Global HTTPS Load Balancer | SSL/TLS termination with automatic certificate management |
| Web Application Firewall | Cloud Armor | OWASP rule sets, DDoS protection |
| Network Security | VPC isolation | Private networking with strict network policies |
| Database | Cloud SQL | AES-256 encryption, private IP connectivity |
| Secrets Management | Secret Manager | Encrypted storage for API keys and credentials |
| Monitoring | Cloud Logging & Monitoring | Automated alerting for security and performance |
Application Security
| Measure | Implementation | Details |
|---|---|---|
| Code Security | Static analysis | Automated security scanning in CI/CD pipeline |
| Dependency Management | Automated updates | Regular dependency updates and vulnerability scanning |
| Input Validation | Server-side validation | All inputs sanitized to prevent injection attacks |
| API Security | Rate limiting, authentication | All endpoints require authentication |
| Secure Development | OWASP guidelines | Development follows secure coding practices |
Data Isolation and Multi-Tenancy
Per-User Data Isolation
Each user's health data is logically isolated at the database level. Row-level security policies ensure that users can only access their own data. All database queries are scoped to the authenticated user's context.
Care Team Security
Care team access is explicitly granted by users. Each care team member can only view data for patients who have granted them access. Access can be revoked at any time by the user. All care team actions are logged and auditable.
Organizational Security
Access Control
| Control | Implementation | Details |
|---|---|---|
| Principle of Least Privilege | Role-based access | Staff only access systems required for their role |
| Multi-Factor Authentication | Required for all staff | MFA required for all internal systems |
| Access Reviews | Quarterly reviews | Regular audits of staff access permissions |
| Background Checks | Pre-employment | Background checks for all employees with data access |
Staff Training
| Training | Frequency | Details |
|---|---|---|
| HIPAA Training | Annual | Comprehensive HIPAA privacy and security training |
| Security Awareness | Quarterly | Phishing simulations and security best practices |
| Incident Response | Annual | Procedures for handling security incidents |
Vendor Security
All third-party vendors with access to PHI are required to sign Business Associate Agreements (BAAs). Vendors undergo security assessments before onboarding. We maintain an inventory of all vendors with data access and conduct annual reviews.
Incident Response
Response Capabilities
| Capability | Implementation | Details |
|---|---|---|
| Detection | 24/7 monitoring | Automated alerting for security anomalies |
| Response Team | Dedicated team | Trained incident response personnel |
| Containment | Automated and manual | Rapid isolation of affected systems |
| Recovery | Documented procedures | Tested backup and recovery processes |
| Post-Incident | Root cause analysis | Lessons learned and preventive measures |
Breach Notification
In the event of a data breach affecting your information, we will notify you within 72 hours of discovery, as required by HIPAA and applicable state laws. Notifications will include details about the breach, steps we are taking, and recommendations for protecting yourself.
Audit Logging
Event Types
| Event Category | Examples | Details |
|---|---|---|
| Authentication Events | Login, logout, failed attempts | All authentication activities logged |
| Data Access | View, create, update, delete | All PHI access recorded with timestamps |
| Administrative Actions | Permission changes, settings | Configuration and access changes tracked |
| Care Team Events | Access granted, revoked | Care team membership changes logged |
| Export Events | Data exports, reports | All data export activities recorded |
Retention Policy
Audit logs are retained for 6 years as required by HIPAA. Logs are stored in tamper-evident, append-only storage. Access to audit logs is restricted and itself logged.
Your Role in Security
Best Practices
| Practice | Why It Matters |
|---|---|
| Use a strong, unique password | Prevents unauthorized account access |
| Enable Face ID/Touch ID | Adds a biometric layer of protection |
| Keep your iPhone updated | Security patches protect against vulnerabilities |
| Keep myCARI updated | App updates include security improvements |
| Don't share your login credentials | Your credentials are for your use only |
| Review care team access regularly | Verify who has access to your data |
| Use secure Wi-Fi networks | Avoid public networks for sensitive data |
| Enable a device passcode | Protects data if the device is lost or stolen |
Reporting Security Issues
If you discover a security vulnerability or suspect unauthorized access to your account:
- Email: security@mlpipes.ai
- Include details about the issue and steps to reproduce if applicable
- We will acknowledge receipt within 24 hours
We do not pursue legal action against security researchers who act in good faith and follow responsible disclosure practices.
Healthcare Provider Security
Standards-Based Integration
| Standard | Implementation | Details |
|---|---|---|
| FHIR | R4 Specification | Fast Healthcare Interoperability Resources for data exchange |
| SMART on FHIR | App authorization | Secure authorization for healthcare apps |
| OAuth 2.0 | Authorization framework | Industry-standard authorization protocol |
| PKCE | Proof Key for Code Exchange | Enhanced security for mobile OAuth flows |
| Epic MyChart | Patient portal integration | Secure connection to Epic EHR systems |
Physical Security
Data Center Security
All data is stored in Google Cloud Platform data centers that feature:
- 24/7 security personnel and video surveillance
- Biometric access controls and multi-factor authentication
- Environmental controls and fire suppression systems
- Redundant power and cooling systems
- SOC 2 Type II certification
Device Recommendations
To maximize security when using myCARI:
- Use a device passcode of at least 6 digits (or an alphanumeric passcode)
- Enable automatic device locking after brief inactivity
- Enable Find My iPhone for remote wipe capability
- Avoid jailbroken devices
- Only download myCARI from the official App Store
Questions?
We are happy to answer any questions about our security practices.
Security Team: security@mlpipes.ai
Privacy Team: privacy@mlpipes.ai
General Support: support@mlpipes.ai
Mailing Address:
MLPipes LLC
5725 S Valley View Blvd Ste 5 PMB 471045
Las Vegas, Nevada 89118-3122 US