Skip to main content

Overview

The Nurse Handoff Helper handles Protected Health Information (PHI) and must be deployed with strict security measures. This guide covers essential security practices for HIPAA compliance and data protection.
This application processes Protected Health Information (PHI). Non-compliance with HIPAA regulations can result in significant penalties. Consult with your organization’s compliance officer before deploying to production.

HIPAA Compliance Considerations

Business Associate Agreements (BAA)

Ensure you have signed Business Associate Agreements with:
  • Supabase: Required for database hosting (Supabase BAA)
  • Anthropic: Required for Claude AI integration (Anthropic Enterprise)
  • Hosting provider: Required for your application hosting
BAAs are typically only available on enterprise plans. Verify BAA availability before selecting your service providers.

HIPAA Technical Safeguards

The application must implement:
  1. Access Controls: Authentication and authorization for all users
  2. Audit Controls: Logging of all PHI access
  3. Integrity Controls: Protection against unauthorized data alteration
  4. Transmission Security: Encryption of data in transit

Minimum Necessary Standard

Configure the application to:
  • Only display patient information relevant to the nurse’s current assignment
  • Implement role-based access control (RBAC)
  • Log all data access for audit purposes

API Key Management

Environment Variables Security

API keys must NEVER be committed to version control. The .env file is already in .gitignore - keep it that way.
Secure storage locations:
  • Development: .env file (gitignored)
  • Production: Environment variables in hosting platform
    • Heroku: Config Vars
    • Vercel: Environment Variables
    • AWS: Systems Manager Parameter Store
    • Railway: Environment Variables

API Key Types and Security

Supabase Keys

# Client-safe (exposed to browser)
VITE_SUPABASE_URL=https://your-project.supabase.co
VITE_SUPABASE_ANON_KEY=eyJhbGc...

# Server-only (NEVER expose to browser)
SUPABASE_SERVICE_KEY=eyJhbGc...
Anon Key (VITE_SUPABASE_ANON_KEY):
  • Safe to expose in frontend code
  • Limited by Row Level Security (RLS) policies
  • Cannot bypass security rules
  • Used for authentication and authorized queries
Service Role Key (SUPABASE_SERVICE_KEY):
  • NEVER expose to frontend
  • Bypasses all RLS policies
  • Full admin access to database
  • Only used in backend server
  • Required for creating nurse accounts
  • Rotate regularly (every 90 days recommended)

Anthropic API Key

# Server-only - NEVER expose to browser
ANTHROPIC_API_KEY=sk-ant-...
Security measures:
  1. Server-side only: All AI requests are proxied through the backend (server/index.js:27-29, server/index.js:62-142)
  2. Never exposed: Key never sent to browser
  3. Request validation: Backend validates all requests before forwarding
  4. Rate limiting: Implement rate limits to prevent abuse
The backend architecture already keeps the API key secure by requiring all AI requests to go through the Express server. Never modify this to call the Anthropic API directly from the frontend.

Key Rotation Policy

Establish a regular key rotation schedule:
  • Supabase Service Role Key: Every 90 days
  • Anthropic API Key: Every 180 days
  • After security incident: Immediately
  • After team member departure: Within 24 hours
Rotation process:
  1. Generate new key in provider console
  2. Update production environment variables
  3. Test application functionality
  4. Revoke old key
  5. Document rotation in security log

Data Encryption

Encryption in Transit

All production deployments MUST use HTTPS/TLS. Unencrypted HTTP connections expose PHI to interception.
Requirements:
  • SSL/TLS certificate (Let’s Encrypt recommended)
  • TLS 1.2 or higher
  • Strong cipher suites
  • HSTS (HTTP Strict Transport Security) headers
Configure HSTS in Express: 
// Add to server/index.js
app.use((req, res, next) => {
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  next();
});

Encryption at Rest

Database encryption:
  • Supabase encrypts all data at rest by default
  • Verify encryption is enabled in your Supabase project settings
  • Consider column-level encryption for highly sensitive fields
File uploads:
  • Images are processed in memory (server/index.js:20-24)
  • Not persisted to disk by default
  • If storing images, use encrypted storage (S3 with encryption, etc.)

Encryption in Memory

Image uploads are handled in memory: 
// server/index.js
const storage = multer.memoryStorage();
const upload = multer({
  storage,
  limits: { fileSize: 10 * 1024 * 1024 }, // 10MB limit
});
This prevents sensitive images from being written to disk.

Authentication and Authorization

Supabase Auth Configuration

The application uses Supabase Auth for user management: Security settings:
  1. Password requirements:
    • Minimum 8 characters
    • Require uppercase, lowercase, number, special character
    • Password history (prevent reuse of last 5 passwords)
  2. Multi-factor authentication (MFA):
    • Enable MFA for all users
    • Support TOTP (Time-based One-Time Password)
  3. Session management:
    • Session timeout: 8 hours (adjust based on shift length)
    • Require re-authentication for sensitive operations
    • Implement automatic logout on inactivity

Role-Based Access Control

While the current implementation authenticates nurses, consider implementing roles:Recommended roles:
  • nurse - Standard access to assigned patients
  • charge_nurse - Access to all patients in unit
  • admin - User management and system configuration
Implementation:
  1. Add role column to nurses table
  2. Implement RLS policies based on roles
  3. Check roles in middleware:
const checkRole = (allowedRoles) => {
  return async (req, res, next) => {
    const user = req.user; // From auth middleware
    if (!allowedRoles.includes(user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next();
  };
};

Account Security

Nurse account creation: The /api/nurses/create-accounts endpoint (server/index.js:580-717):
  • Requires SUPABASE_SERVICE_KEY
  • Generates temporary passwords
  • Auto-confirms email addresses
  • Links auth accounts to nurse records
Secure the account creation endpoint:
  • Only accessible from internal network
  • Implement API authentication
  • Log all account creation events
  • Distribute temporary passwords securely (not via email)
Temporary password policy: 
const tempPassword = `Temp${nurse.id}${Date.now()}`;
Improvements:
  • Use cryptographically secure random passwords
  • Force password change on first login
  • Expire temporary passwords after 24 hours

Data Protection

Input Validation

Validate all user inputs to prevent injection attacks: Current validation: 
if (!req.file) {
  return res.status(400).json({ error: "No image file provided" });
}
Enhanced validation: 
// Validate file type
const allowedTypes = ['image/jpeg', 'image/png', 'image/jpg'];
if (!allowedTypes.includes(req.file.mimetype)) {
  return res.status(400).json({ error: 'Invalid file type' });
}

// Validate file size
if (req.file.size > 10 * 1024 * 1024) {
  return res.status(400).json({ error: 'File too large' });
}

// Sanitize filename
const sanitizedName = path.basename(req.file.originalname);

SQL Injection Prevention

Supabase client uses parameterized queries by default, preventing SQL injection: 
// Safe - parameterized query
const { data } = await supabase
  .from('patients')
  .select('*')
  .eq('mrn', req.params.id);
Never construct raw SQL queries with user input. Always use Supabase’s query builder or parameterized queries.

Cross-Site Scripting (XSS) Prevention

React escapes output by default, but additional measures:
  1. Content Security Policy (CSP):
app.use((req, res, next) => {
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;"
  );
  next();
});
  1. Sanitize AI-generated content: AI responses may contain HTML, sanitize before rendering

CORS Configuration

Currently allows all origins: 
app.use(cors());
Production configuration: 
app.use(cors({
  origin: process.env.FRONTEND_URL || 'https://your-frontend-domain.com',
  credentials: true,
  methods: ['GET', 'POST', 'PATCH'],
  allowedHeaders: ['Content-Type', 'Authorization']
}));

Audit Logging

Required Logs

For HIPAA compliance, log:
  1. PHI Access: Every time patient data is viewed
  2. Data Modifications: Updates to patient records
  3. Authentication Events: Logins, logouts, failed attempts
  4. Administrative Actions: Account creation, permission changes
  5. System Access: API calls, especially AI analysis requests

Implementing Audit Logs

The application has a logs table (server/index.js:862-891). Enhance it: 
const auditLog = async (action, details) => {
  await supabase.from('audit_logs').insert({
    timestamp: new Date().toISOString(),
    user_id: req.user?.id,
    user_email: req.user?.email,
    action: action,
    resource_type: details.resourceType,
    resource_id: details.resourceId,
    ip_address: req.ip,
    user_agent: req.get('user-agent'),
    details: details
  });
};
Log retention:
  • Minimum 6 years for HIPAA compliance
  • Store logs in tamper-proof storage
  • Implement log backup and archival

Network Security

Firewall Configuration

Restrict network access:
  • Only expose necessary ports (443 for HTTPS, 80 for HTTP redirect)
  • Whitelist IP addresses for admin endpoints
  • Use VPN for administrative access

DDoS Protection

Implement rate limiting: 
import rateLimit from 'express-rate-limit';

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per window
  message: 'Too many requests from this IP'
});

app.use('/api/', limiter);

API Authentication

Consider implementing API key authentication for server-to-server calls: 
const apiKeyAuth = (req, res, next) => {
  const apiKey = req.header('X-API-Key');
  if (!apiKey || apiKey !== process.env.INTERNAL_API_KEY) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  next();
};

// Protect sensitive endpoints
app.post('/api/nurses/create-accounts', apiKeyAuth, async (req, res) => {
  // ...
});

Incident Response

Security Incident Procedures

If a security breach is suspected:
  1. Immediate Actions:
    • Isolate affected systems
    • Preserve evidence (logs, database snapshots)
    • Notify security team and management
    • Document incident timeline
  2. Assessment:
    • Identify scope of breach
    • Determine what data was accessed
    • Identify affected patients
    • Document attack vector
  3. Containment:
    • Rotate all API keys and credentials
    • Patch vulnerabilities
    • Update security rules
    • Monitor for continued attack
  4. Recovery:
    • Restore from clean backups if necessary
    • Verify system integrity
    • Test all functionality
    • Resume normal operations
  5. Post-Incident:
    • Notify affected patients (HIPAA breach notification)
    • Report to HHS if required (500+ patients)
    • Conduct post-mortem analysis
    • Update security measures
    • Document lessons learned

Breach Notification Requirements

HIPAA Breach Notification Rule:
  • Under 500 patients: Notify HHS annually
  • 500+ patients: Notify HHS within 60 days
  • All breaches: Notify affected individuals without unreasonable delay

Security Checklist

  • BAAs signed with all service providers
  • SSL/TLS certificate installed and configured
  • All API keys stored securely (not in code)
  • CORS configured for production domain only
  • Rate limiting implemented
  • Supabase RLS policies enabled
  • Database encryption at rest verified
  • Password complexity requirements configured
  • MFA enabled for all users
  • Session timeout configured
  • Audit logging implemented
  • Log retention policy established
  • Input validation on all endpoints
  • File upload restrictions enforced
  • Security headers configured (HSTS, CSP)
  • Admin endpoints protected
  • Incident response plan documented
  • Security monitoring and alerts configured
  • Regular backup schedule established
  • Penetration testing completed
  • Security training for staff completed

Regular Security Maintenance

Weekly Tasks

  • Review access logs for anomalies
  • Monitor failed login attempts
  • Check system health and performance

Monthly Tasks

  • Review and update security policies
  • Audit user access permissions
  • Test backup restoration
  • Review and analyze security logs

Quarterly Tasks

  • Rotate API keys and credentials
  • Conduct security awareness training
  • Review and update incident response plan
  • Perform vulnerability assessment

Annual Tasks

  • Comprehensive security audit
  • Penetration testing
  • HIPAA compliance review
  • Disaster recovery testing
  • Update BAAs with service providers

Additional Resources

Next Steps

Build docs developers (and LLMs) love

Get started for freeTalk to us