Skip to main content

Security overview

Veridian Health Partners designs Veridian Motion for healthcare and correctional use cases. This page summarizes what the application enforces and what hosting agencies must provide.
Veridian Motion is HIPAA-aligned, not HIPAA-certified. It is not CJIS-authorized or FedRAMP-authorized. Agencies choose hosting and operational controls to meet their obligations.

What Veridian Motion enforces (built today)

Access control

  • Staff: Email + password; TOTP MFA (available; enforced per deployment); RBAC
  • Patients: Patient ID + PIN; access limited to own data via RLS
  • Roles: pt, admin, it_admin — granted only by admin
  • Brute-force lockout on patient and staff login identifiers

Data protection

  • Row-level security on every Postgres table
  • Field-level PHI encryption
  • Private photo storage; authorized staff access only
  • No PII in browser localStorage on kiosk; in-memory patient session
  • No PHI in application logs
  • Hash-chained audit log for sensitive actions

Application hardening (kiosk)

  • Blocked external navigation, strict CSP, self-hosted fonts, idle auto-reset
  • Internal messaging only — no external egress

Clinical safety gate

  • AI output is non-diagnostic and PT-approved before patient release

What agencies / facilities must provide

RequirementOwner
BAA with covered entityAgency + Veridian Health Partners
CJIS / FedRAMP / GovCloud hosting environment (if required)Agency
MDM kiosk lockdown, device supervisionAgency IT + custody
Network segregation and firewall rulesAgency IT
Personnel screening and security trainingAgency
Physical security of kiosk locationAgency

Encryption

  • In transit: TLS for all connections
  • At rest: Cloud provider encryption plus field-level PHI encryption
  • Photos: Private storage; no public ACLs

Audit and monitoring

Sensitive actions write to a hash-chained, append-only audit log (enroll, assign, review, notes, roles, MFA reset, messages). Application logs exclude PHI. Audit entries use resource IDs and action types — not clinical content.

Incident response

See Incident response.

What’s next

HIPAA

Business Associate framing.

Data model & privacy

RLS and entities.

Roadmap

Planned security-related features (e.g., SSO).