Security overview
Veridian Health Partners designs Veridian Motion for healthcare and correctional use cases. This page summarizes what the application enforces and what hosting agencies must provide.What Veridian Motion enforces (built today)
Access control
- Staff: Email + password; TOTP MFA (available; enforced per deployment); RBAC
- Patients: Patient ID + PIN; access limited to own data via RLS
- Roles:
pt,admin,it_admin— granted only by admin - Brute-force lockout on patient and staff login identifiers
Data protection
- Row-level security on every Postgres table
- Field-level PHI encryption
- Private photo storage; authorized staff access only
- No PII in browser localStorage on kiosk; in-memory patient session
- No PHI in application logs
- Hash-chained audit log for sensitive actions
Application hardening (kiosk)
- Blocked external navigation, strict CSP, self-hosted fonts, idle auto-reset
- Internal messaging only — no external egress
Clinical safety gate
- AI output is non-diagnostic and PT-approved before patient release
What agencies / facilities must provide
| Requirement | Owner |
|---|---|
| BAA with covered entity | Agency + Veridian Health Partners |
| CJIS / FedRAMP / GovCloud hosting environment (if required) | Agency |
| MDM kiosk lockdown, device supervision | Agency IT + custody |
| Network segregation and firewall rules | Agency IT |
| Personnel screening and security training | Agency |
| Physical security of kiosk location | Agency |
Encryption
- In transit: TLS for all connections
- At rest: Cloud provider encryption plus field-level PHI encryption
- Photos: Private storage; no public ACLs
Audit and monitoring
Sensitive actions write to a hash-chained, append-only audit log (enroll, assign, review, notes, roles, MFA reset, messages). Application logs exclude PHI. Audit entries use resource IDs and action types — not clinical content.Incident response
See Incident response.What’s next
HIPAA
Business Associate framing.
Data model & privacy
RLS and entities.
Roadmap
Planned security-related features (e.g., SSO).
