Security & Architecture Posture

Security here is threat-model-driven, not a checklist. It is designed for hostile environments, human error, and institutional skepticism. Privacy is enforced by architecture, not promises.

• Users make mistakes; browsers can be compromised; malicious actors exist.
• Trust is enforced by design: minimize sensitive data, collect only what can be protected, prefer not to store at all.
• The safest data is data we never see.

• Identified Domain: may contain PHI; controlled by the physician; not transmitted by default.
• De-Identified Domain: contains scrubbed/synthetic data; may be stored and processed; cannot be re-identified by PDI-Med.

This separation is foundational and non-optional.

• Vaults are physician-controlled; keys are not known to PDI-Med.
• PDI-Med cannot decrypt vault contents or reconstruct patients.
• Recovery relies on identity verification and remapping, not access to prior secrets.

• Insider misuse, credential theft, data exfiltration attempts.
• Aggregation abuse and “curious” reverse engineering.
• Institutional pressure to expand scope beyond physician-first and privacy absolutes.

Features that expand attack surface without proportional benefit are rejected.

• Minimum cohort sizes enforced.
• Rare combinations suppressed.
• Drill-down depth limited; no single-user extraction.
• No comparative physician ranking.

Outputs are intentionally blunt at the edges to preserve safety.

• PDI-Med logs system health, security events, and abuse signals.
• PDI-Med does not log PHI, raw clinical text, or patient identifiers.
• Logs exist to defend the platform, not to surveil users.

• Access may be temporarily restricted to contain suspected incidents.
• Investigation prioritizes containment; vault remapping may be required.
• Aggregate integrity is preserved; transparency preferred over concealment.

• Hospital machines and policies vary; environments may be hostile.
• Platform remains lightweight, non-persistent by default, resilient to session termination.
• No privileged software install required.

• Store PHI “temporarily.”
• Ask users to email data.
• Troubleshoot using patient data.
• Backdoor encryption.
• Trade privacy for convenience.

PDI-Med minimizes risk by not collecting what it cannot protect, strictly separating domains, designing for failure, and treating privacy as an invariant. This is architectural restraint, not compliance theater.