Security · December 8, 2025
By Sarah Kim, Head of Security
After deploying our medical imaging API across 340+ healthcare facilities, we've developed strong opinions about what HIPAA-compliant API design actually looks like in practice — as opposed to what compliance consultants tell you on a slide deck.
The single most impactful architectural decision we made was implementing zero-knowledge encryption from day one. Our servers never have access to decrypted PHI. All imaging data is encrypted client-side using AES-256-GCM with keys derived from the customer's master key, which never leaves their infrastructure.
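To make the client-side scheme concrete, here is an added example (not the company's code; the page does not publish its implementation) of how a per-study AES-256-GCM key can be derived from a customer-held master key so the server only ever stores ciphertext. Assumptions not on the page: HKDF-SHA256 with a fixed salt and a `study-key:<UID>` info label as the derivation, the DICOM Study Instance UID bound as additional authenticated data, and a stored blob laid out as nonce || ciphertext || tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// studyAEAD returns AES-256-GCM keyed with a per-study key derived from the customer's
// master key via HKDF-SHA256 (RFC 5869 extract + one expand block, hand-written so only
// the standard library is needed). The master key is never used directly on data.
func studyAEAD(masterKey []byte, studyUID string) cipher.AEAD {
	extract := hmac.New(sha256.New, []byte("imaging-api-hkdf-salt")) // hypothetical fixed salt
	extract.Write(masterKey)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("study-key:" + studyUID + "\x01")) // info || counter byte 0x01
	block, _ := aes.NewCipher(expand.Sum(nil))              // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)                           // AES block size: cannot fail
	return gcm
}

// encryptStudy seals plaintext on the client. The study UID is bound as additional
// authenticated data so a blob cannot be silently re-attached to another study. GCM
// needs a fresh random nonce per call; nonce reuse under one key breaks the scheme.
func encryptStudy(masterKey []byte, studyUID string, plaintext []byte) ([]byte, error) {
	gcm := studyAEAD(masterKey, studyUID)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// What the server stores: nonce || ciphertext || tag, and no key material at all.
	return gcm.Seal(nonce, nonce, plaintext, []byte(studyUID)), nil
}

// decryptStudy reverses encryptStudy; a flipped bit, wrong master key or mismatched
// study UID fails authentication and returns an error instead of data.
func decryptStudy(masterKey []byte, studyUID string, blob []byte) ([]byte, error) {
	gcm := studyAEAD(masterKey, studyUID)
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(studyUID))
}
```

With random 96-bit nonces, a derived key should be rotated well before 2^32 encryptions, so per-study keys also bound how much data any single key ever protects.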
Every API call generates an immutable audit log entry that includes the authenticated identity, action performed, resources accessed, and a cryptographic hash of the response payload. These logs are streamed to a separate, append-only store that even our infrastructure team cannot modify.
Our API key system supports granular scopes down to individual DICOM attributes. A viewer application might only have study:read and series:read permissions, while a PACS integration needs study:write and imaging:stream. This has prevented every lateral movement scenario our red team has tested.
We built a real-time compliance dashboard that shows the current state of all security controls — encryption status, access patterns, anomaly detection alerts, and certificate expiry timelines. When an auditor asks "how do you ensure X?", our customers can show them a live dashboard instead of a policy document.
Security isn't a checkbox — it's a continuous engineering discipline. If you're building healthcare APIs, we hope these lessons help you avoid some of the pitfalls we encountered along the way.