Patient Protect

Security & Trust

We built Patient Protect like attackers were already inside.

Security is not a feature we added. It is the architecture we started with. Patient Protect was designed from the ground up by combining military-grade security infrastructure with clinical compliance expertise — an architecture assembled by our founder to solve a problem no single discipline could address alone.

Zero Trust · AES-256-CBC · TLS 1.3 · AppSensor IDS · AWS

Security architecture

Eight layers between an attacker and your patient data.

Most compliance platforms encrypt data and call it secure. Patient Protect implements defense-in-depth — multiple independent security layers so that compromising one does not expose the system.

AES-256-CBC Encryption

All data encrypted at rest using AES-256-CBC with authenticated encryption. ePHI is never stored in plaintext — not in the database, not in logs, not in backups.

NIST-approved, same standard used by U.S. government classified systems.

TLS 1.3 in Transit

Every connection uses TLS 1.3 with forward secrecy. Downgrade attacks are blocked at the protocol level. No legacy cipher suites permitted.

HSTS enforced. Certificate transparency monitored.

Zero Trust Architecture

No implicit trust. Every request is authenticated, authorized, and validated regardless of network origin. Session tokens are cryptographically bound to device fingerprints.

Defense-in-depth — compromise of one layer does not expose the system.

AppSensor Intrusion Detection

Real-time behavioral analysis detects anomalous access patterns — brute force, credential stuffing, session hijacking, and privilege escalation — before damage occurs.

Automated response pipeline: AppSensor → rate limiting → Fail2Ban → IP block.

Role-Based Access Controls

Nine defined user roles with granular permissions. No shared accounts. Unique authentication per user with multi-factor enforcement. Session timeouts after inactivity.

Principle of least privilege enforced at every access point.

Hardened Infrastructure

AWS-hosted with dedicated VPC, private subnets, and no public-facing database endpoints. PostgreSQL with parameterized queries — SQL injection is architecturally impossible.

Nginx reverse proxy with request filtering. No direct application exposure.

Immutable Audit Logging

Every access, modification, and administrative action is logged with timestamp, user identity, IP address, and action detail. Logs cannot be modified or deleted by any user, including administrators.

Audit trails retained for 6+ years per HIPAA requirements.

Breach Simulation & Testing

Regular vulnerability scanning with zero Critical, High, or Medium findings. Attack surface continuously monitored. Breach simulation models real-world attack scenarios against your practice profile.

Independent security assessment — not self-reported.

Independent assessment

Zero Critical, High, or Medium findings.

Patient Protect is independently scanned for network vulnerabilities, application security flaws, and configuration weaknesses. Our most recent assessment returned zero findings at Critical, High, or Medium severity levels.

This is not self-reported. Independent security assessment means an external party evaluates the system without our influence on the methodology or findings.

0 Critical, High, or Medium vulnerabilities in the latest independent security assessment.

Who built this

One architect. Two domains of expertise. One platform.

Alexander Perrin

CEO & Platform Architect

  • Designed the overall security + compliance architecture
  • 15 years enterprise technology
  • Assembled the clinical + security team and product vision

Joseph A. Perrin

Chief Technology Officer

  • Former government CTO
  • Military-grade security architecture
  • Federal-level secure infrastructure design

Angie Perrin, RDH

Chief Security Officer

  • Certified HIPAA Privacy Consultant (CHPC)
  • 10+ years clinical healthcare experience
  • Registered Dental Hygienist

Our own compliance

We hold ourselves to the same standard we set for your practice.

Patient Protect is a HIPAA business associate. We execute a BAA with every customer and maintain our own compliance program — not as a marketing exercise, but as an operational requirement.

  • Business Associate Agreement executed with every customer before data processing begins
  • Annual Security Risk Assessment conducted on our own infrastructure
  • Workforce security training completed by all team members annually
  • Incident response plan tested and updated quarterly
  • Vendor BAAs maintained with all third-party service providers
  • Data retention and disposal policies enforced programmatically

Ready?

Security you can verify. Compliance you can prove.

Patient Protect gives your practice the same security architecture that protects federal systems — at a price a five-person dental office can afford.

14-day free trial · No charge until trial ends