Security at MedHook

Healthcare data is sacred. Security is not an afterthought — it is built into every layer of the MedHook architecture from day one.

Encryption at Rest

All adapter credentials (EHR connection strings, API keys, SFTP passwords) are encrypted using AES-256-GCM before being stored in PostgreSQL.

Key derivation uses PBKDF2 with 100,000 iterations. Each credential is encrypted with a unique salt and IV. The master encryption key is supplied via environment variable and never stored in the database.

Authentication

The MedHook Engine uses JWT Bearer tokens with a 2-hour expiry. Tokens are signed with a secret key supplied at deployment time.

medhook.dev uses NextAuth.js with GitHub, Google, and email (magic link) providers. Sessions use secure, HTTP-only cookies. License keys are stored only as SHA-256 hashes — the plaintext is never retained.

Audit Logging

Every CRUD operation on workflows, adapter profiles, mappings, and license keys is written to an immutable audit log in PostgreSQL with actor identity, timestamp, and change details.

Audit records are retained for 90 days by default. Enterprise customers can configure extended retention and export to their SIEM.

Self-Hosted Architecture

The MedHook Engine runs entirely within your infrastructure. Healthcare data, PHI, and integration payloads never leave your environment and are never transmitted to MedHook servers.

The engine is deployed via Docker Compose or Terraform on AWS, Azure, or GCP. You control network boundaries, VPC configuration, and storage policies.

Access Controls

Role-Based Access Control (RBAC) is enforced at both the API and middleware layers. Admin-only endpoints require verified role claims in both the JWT and the database.

Custom JavaScript transforms run in isolated-vm sandboxes with 128 MB memory limits and 5-second execution timeouts, preventing runaway or malicious code.

Network Security

The Generic REST adapter includes SSRF protection that blocks requests to private IP ranges (RFC 1918), loopback addresses, and link-local addresses.

Rate limiting is applied to authentication, license validation, and AI mapping endpoints. Content Security Policy headers are enforced on all medhook.dev responses.

Vulnerability Disclosure

We take security reports seriously. If you discover a vulnerability in MedHook, please disclose it responsibly:

  1. Email security@medhook.dev with details of the vulnerability
  2. Include reproduction steps, impact assessment, and any proof-of-concept
  3. Allow us 90 days to investigate and remediate before public disclosure

We do not currently operate a paid bug bounty program, but we will publicly acknowledge researchers who report valid vulnerabilities (with their permission).