Ethics & Regulations
Information Security in the TailorPath System
TailorPath protects the system against malicious data input or harmful code through multiple layers of technological and operational defenses, aligned with global regulations and best practices.
Identity and Access Management
- All authentication interfaces (administrators, physicians, and end-users) require multi-factor authentication (MFA) via [AWS SES & AWS SNS].
- Passwords are securely hashed using strong hashing algorithms (e.g., bcrypt). SHA256 will be used at the application level and AWS KMS at the server level.
- Session management follows security best practices, including short-lived tokens and HTTP-only cookies.
- Login attempts are rate-limited using AWS WAF to mitigate brute-force attacks, and failed attempts are logged in an immutable audit log table. AWS WAF will also protect against the OWASP Top 10 vulnerabilities.
- Role-based access control (RBAC) is enforced through DRF permissions and JWT claims to ensure users only access the data and functions permitted for their role. In addition, each tenant's data is fully isolated in its own dedicated PostgreSQL schema, ensuring strict tenant-level separation and enhanced HIPAA-grade security.
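The two checks in the previous bullet, role from JWT claims and tenant separation, are illustrated below in an added example that is not TailorPath's code; the claim names (role, tenant, exp), the role-to-action table and the HS256 secret are assumptions for the example, and a production service would use a vetted JWT library rather than the hand-rolled minting helper.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed role-to-action table for this example (not TailorPath's real policy)
PERMISSIONS = {
    "admin": {"read_patient", "update_patient", "manage_users"},
    "physician": {"read_patient", "update_patient"},
    "patient": {"read_patient"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT for the demo (production code uses a vetted library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Check algorithm, signature and expiry before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # blocks alg=none / confusion
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")  # short-lived tokens only
    return claims

def authorize(token: str, secret: bytes, action: str, tenant: str, now=None) -> bool:
    """Allow only when the role permits the action AND the tenant claim matches
    the tenant (schema) being accessed; any verification failure denies."""
    try:
        claims = verify_token(token, secret, now)
    except (PermissionError, ValueError):
        return False
    if claims.get("tenant") != tenant:  # strict tenant-level separation
        return False
    return action in PERMISSIONS.get(claims.get("role"), set())
```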
Data Encryption and Privacy
- All data, particularly Protected Health Information (PHI), is encrypted in transit (TLS/SSL) and at rest using RDS encryption (AES-256 via AWS KMS and EBS Volumes or virtual storage).
- Encryption keys are centrally managed using AWS Key Management Service (KMS). AWS CloudTrail is used to audit cloud activity and CloudWatch to audit application logs.
- Sensitive information is never stored in logs or temporary caches.
Application Security and API Protection
- Input validation and sanitization are enforced across all entry points.
- Protections are applied against injection attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF) using AWS WAF (Web Application Firewall).
- APIs are governed by RBAC policies and further protected by JWT tokens.
File and Upload Management
- File uploads are restricted to approved formats and size limits.
- Uploaded files are scanned using AWS Lambda (ClamAV), Amazon Macie, and S3 Quarantine/Safe buckets, and are stored securely in isolated environments. There is no direct access to the S3 bucket; it is reached only via CloudFront, so no bucket endpoint is exposed.
- Access permissions, managed through KMS encryption, IAM Roles, and Presigned URLs, prevent execution of malicious code disguised as file uploads.
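An added example (not TailorPath's code) of the format and size gate described in this section, applied before a file is handed to the ClamAV/Macie scan: the real content type is taken from the file's leading bytes rather than the client-supplied name, so a renamed executable or a type-confused file is rejected. The allow-list of formats and the 10 MiB limit are assumptions for the example.

```python
import os

MAX_BYTES = 10 * 1024 * 1024  # assumed 10 MiB limit for the example

# Assumed allow-list: approved extension -> leading magic bytes
APPROVED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

def detect_format(data: bytes):
    """Return the approved extension whose magic bytes open the file, or None."""
    for ext, magic in APPROVED.items():
        if data.startswith(magic):
            return ext
    return None

def validate_upload(filename: str, data: bytes, size_limit: int = MAX_BYTES):
    """Return (accepted, reason); anything rejected belongs in the quarantine
    bucket, and accepted files still go on to the ClamAV/Macie scan."""
    if not data:
        return False, "empty file"
    if len(data) > size_limit:
        return False, "exceeds size limit"
    ext = os.path.splitext(filename.lower())[1]  # "a.pdf.exe" -> ".exe"
    if ext not in APPROVED:
        return False, f"extension {ext or '(none)'} not approved"
    detected = detect_format(data)
    if detected is None:
        return False, "content does not match any approved format"
    if APPROVED[ext] != APPROVED[detected]:  # .jpg/.jpeg share a magic
        return False, f"extension {ext} but content looks like {detected}"
    return True, "ok"
```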
Monitoring, Logging, and Audit Controls
- All critical actions such as logins, data access, password changes, or patient record updates are logged in secure, immutable audit trails (PostgreSQL pgAudit, App-level audit table).
- Continuous monitoring of infrastructure and applications is enabled via CloudWatch & AWS GuardDuty to detect anomalies or suspicious activity.
- Logs are centralized and analyzed to provide full traceability for compliance purposes.
Infrastructure Hardening and Operational Security
- All communication is restricted to secure HTTPS channels (Application Load Balancer).
- Development, testing, and production environments are strictly separated and managed through AWS Elastic Kubernetes Service.
- Penetration testing, vulnerability scans (Amazon Inspector), and automated patch management (AWS Systems Manager Patch Manager) are performed periodically.
- Network segmentation, firewall rules, and intrusion detection/prevention are enforced using CloudFront, WAF, ALB, and GuardDuty.
Incident Response and Security Operations
- Security events are continuously monitored with automated anomaly detection via GuardDuty.
- Incident response workflows trigger automated alerts and escalations using CloudWatch & Amazon SNS.
- Forensic investigation and reporting are supported by centralized logging and monitoring.
Backup, Disaster Recovery, and Data Lifecycle
- Encrypted backups of sensitive data are maintained with versioning through AWS RDS Snapshots and S3 with Versioning.
- Disaster recovery plans are regularly tested to ensure business continuity, with orchestration handled by AWS Elastic Disaster Recovery (DRS) + AWS Backup or some manual approach.
- Data retention and deletion policies are automated using Amazon S3 Lifecycle Policies + AWS Backup Policies to comply with privacy requirements.
High Availability and Scalability
- The system architecture is designed for high availability with redundancy across multiple environments using Kubernetes autoscaling mechanisms.
- Load balancing and auto-scaling are implemented using Elastic Load Balancing to ensure resilience under variable workloads.
- Cross-region replication or multi-zone deployment via Amazon RDS Cross-Region Read Replicas, S3 Cross-Region Replication, and Route 53 DNS Failover prevents downtime and data loss.
Privacy and Regulatory Compliance
- TailorPath complies with HIPAA, GDPR, and ISO 27001 standards.
- Security and privacy controls are embedded by design to prevent unauthorized access, misuse, or system disruption.
Multi-Tenancy Isolation
- Each tenant is given a distinct schema (its own database tables) in the PostgreSQL database, so every Care Center has its own dedicated set of database tables.