Security & Compliance

Enterprise-grade security features, HIPAA compliance, and audit capabilities

Encryption in Transit

TLS 1.2+ for all communications

✅ HTTPS Only

HIPAA Compliance

Built-in PHI protection and safeguards

✅ Healthcare Ready

Audit Logging

Comprehensive activity tracking

✅ Enterprise Tier

Security Checklist

JWT Authentication with RS384
X.509 Certificate Generation
TLS 1.2+ Encryption
PHI Data Protection
Secure Token Storage
Rate Limiting & Throttling
Audit Trail Logging
SOC 2 Compliant Infrastructure

Security Overview

Epic CLI is built with enterprise-grade security from the ground up, ensuring your healthcare data remains protected throughout the integration process.

  • 🔐 JWT Authentication with RS384 algorithm and 2048-bit RSA keys
  • 📜 X.509 Certificates RFC 5280 compliant for Epic integration
  • 🔒 HTTPS Only - All communication encrypted in transit
  • 🛡️ PHI Protection - Automatic sanitization of sensitive healthcare data
  • 📊 Audit Logging - Comprehensive activity tracking (Enterprise tier)

Data Security

  • All API communication uses TLS 1.2+ encryption
  • Epic FHIR API calls secured with HTTPS
  • Backend license validation encrypted end-to-end
  • License keys encrypted in database
  • Usage logs stored with AES-256 encryption
  • Audit trails protected with enterprise-grade security
  • RSA-2048 private keys generated locally
  • X.509 certificates created with proper Epic compatibility
  • Secure token storage with automatic refresh

PHI Protection:

# PHI protection enabled by default
epic patients search --family Smith
# Automatically sanitizes sensitive data in logs

# Disable PHI protection for debugging (not recommended in production)
epic patients search --family Smith --no-phi-protection
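
What "sanitizes sensitive data in logs" has to mean in practice is shown by the following added example; it is not Epic CLI's own sanitizer (the page does not publish its rules), and the field list is an assumption drawn from the FHIR Patient resource and the HIPAA Safe Harbor identifier list. It redacts direct identifiers inside any embedded JSON resource at any depth, scrubs SSNs, MRN labels and patient-bearing FHIR search parameters from free text, and falls back to text scrubbing when a line looks like JSON but does not parse. The log lines in `main` are constructed and the patient data is fictitious.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Patient elements that are direct identifiers (HIPAA Safe Harbor list);
// dropped wholesale rather than partially masked. `id` is kept so entries stay
// correlatable; add it here if logs leave your trust boundary. (Assumed list.)
var phiKeys = map[string]bool{
	"name": true, "birthDate": true, "identifier": true, "telecom": true,
	"address": true, "photo": true, "contact": true, "deceasedDateTime": true,
}

var (
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	mrnRe   = regexp.MustCompile(`(?i)\bMRN[:#\s]*\d+`)
	queryRe = regexp.MustCompile(`(?i)\b(family|given|name|birthdate|identifier|phone|email)=[^&\s]+`)
)

// redactText scrubs free text: SSNs, MRN labels, and FHIR search parameters
// carrying patient data (`--family Smith` becomes `family=Smith` on the wire).
func redactText(s string) string {
	s = ssnRe.ReplaceAllString(s, "[REDACTED-SSN]")
	s = mrnRe.ReplaceAllString(s, "[REDACTED-MRN]")
	return queryRe.ReplaceAllString(s, "${1}=[REDACTED]")
}

// redactValue walks a decoded JSON document: PHI keys are replaced at any
// depth (so resources nested in Bundle.entry[].resource are caught too), and
// every remaining string is scrubbed as free text.
func redactValue(v any) any {
	switch x := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(x))
		for k, val := range x {
			if phiKeys[k] {
				out[k] = "[REDACTED]"
			} else {
				out[k] = redactValue(val)
			}
		}
		return out
	case []any:
		for i := range x {
			x[i] = redactValue(x[i])
		}
		return x
	case string:
		return redactText(x)
	default:
		return v
	}
}

// RedactLogLine handles plain text and lines that embed a JSON resource (the
// usual shape of a response debug log). If the JSON does not parse, the whole
// line is still scrubbed as text rather than passed through untouched.
func RedactLogLine(line string) string {
	start := strings.IndexByte(line, '{')
	if start < 0 {
		return redactText(line)
	}
	var doc any
	if err := json.Unmarshal([]byte(line[start:]), &doc); err != nil {
		return redactText(line)
	}
	clean, _ := json.Marshal(redactValue(doc))
	return redactText(line[:start]) + string(clean)
}

func main() {
	// Constructed sample lines; all patient data is fictitious.
	for _, l := range []string{
		`2024-03-01T10:00:00Z GET /api/FHIR/R4/Patient?family=Smith&_count=10`,
		`2024-03-01T10:00:01Z 200 {"resourceType":"Patient","id":"eXa1","name":[{"family":"Smith","given":["Ann"]}],"birthDate":"1970-01-01","gender":"female"}`,
		`2024-03-01T10:00:02Z note: MRN 0012345, SSN 123-45-6789 on file`,
	} {
		fmt.Println(RedactLogLine(l))
	}
}
```

The design choice worth noting is the fail-closed branch in `RedactLogLine`: a truncated or malformed JSON body still goes through the text scrubber, so a logging bug cannot turn into a PHI leak. Whatever the real CLI does with `--no-phi-protection`, the same rule applies: the unredacted path should never be the default.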

HIPAA Compliance

Epic CLI is designed to support HIPAA compliance for healthcare organizations:

  • Role-based access control (Team+ tiers)
  • User authentication and authorization
  • Audit logging and monitoring (Enterprise tier)
  • Security incident procedures
  • Secure data centers with SOC 2 compliance
  • Encrypted storage systems
  • Controlled access to infrastructure
  • Access control mechanisms
  • Audit controls and logging
  • Integrity controls for data
  • Transmission security with TLS encryption

Important: Epic CLI supplies technical safeguards that support HIPAA compliance; there is no HIPAA certification for software or infrastructure, and the covered entity or business associate remains responsible for the administrative and physical safeguards (risk analysis, policies and procedures, workforce training, and Business Associate Agreements with any vendor that handles PHI on its behalf) required for full compliance.

Authentication & Authorization

  • RS384 algorithm with 2048-bit RSA keys
  • 24-hour token expiration with automatic refresh
  • Secure token storage and transmission

Epic Integration Security:

# The CLI automatically handles:
# ✅ JWT token creation and refresh
# ✅ X.509 certificate generation and validation
# ✅ Secure API communication with Epic
# ✅ License validation with backend

# Check security status
epic status
epic auth status

  • Real-time validation with secure backend
  • Encrypted license key storage
  • Tamper-resistant license verification
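
The key material and token exchange described in this section, as an added example in Go using only the standard library (this is not Epic CLI's code): generate an RSA-2048 key, wrap its public key in a self-signed X.509 certificate of the kind registered with Epic, sign a client-assertion JWT with RS384, and verify it the way a token endpoint would. The token URL, client ID and jti are placeholders; the five-minute ceiling on `exp` is an assumption taken from Epic's published backend-services guidance for the assertion JWT and is unrelated to the 24-hour lifetime quoted above for the CLI's own token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const tokenURL = "https://fhir.example.org/oauth2/token" // placeholder, not a real Epic URL

// newClientCert: RSA-2048 key plus a self-signed RFC 5280 cert for its public key (the part registered with Epic).
func newClientCert(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signAssertion builds the client_assertion: iss = sub = client ID, aud = token endpoint, unique jti, short exp.
func signAssertion(key *rsa.PrivateKey, clientID, jti string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS384", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenURL, "jti": jti,
		"iat": now.Unix(), "exp": now.Add(4 * time.Minute).Unix(),
	})
	input := b64(header) + "." + b64(claims)
	digest := sha512.Sum384([]byte(input)) // RS384 = RSASSA-PKCS1-v1_5 over SHA-384
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA384, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyAssertion mirrors the token endpoint: pin the alg, verify RS384 under the registered
// certificate, match iss/sub/aud, reject an exp that is past or more than five minutes ahead.
func verifyAssertion(cert *x509.Certificate, token, clientID string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	var hdr struct{ Alg string }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS384" {
		return errors.New("alg is not RS384") // never accept alg=none or an HS* downgrade
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil {
		return errors.New("non-RSA certificate key or undecodable signature")
	}
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA384, digest[:], sig); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &c) != nil {
		return errors.New("unparsable claims")
	}
	if c.Iss != clientID || c.Sub != clientID || c.Aud != tokenURL {
		return errors.New("iss/sub/aud mismatch")
	}
	if exp := time.Unix(c.Exp, 0); exp.Before(now) || exp.After(now.Add(5*time.Minute)) {
		return errors.New("exp outside the allowed window")
	}
	return nil
}

func main() {
	key, cert, _ := newClientCert("epic-cli-example")
	tok, _ := signAssertion(key, "client-id-placeholder", "jti-0001", time.Now())
	fmt.Println("fresh assertion:", verifyAssertion(cert, tok, "client-id-placeholder", time.Now()))
	fmt.Println("replayed later:", verifyAssertion(cert, tok, "client-id-placeholder", time.Now().Add(10*time.Minute)))
}
```

Two details carry the security weight here. The verifier pins `alg` to RS384 before it touches the signature, so a token rewritten to `alg=none` or to an HMAC algorithm is rejected outright rather than being evaluated under attacker-chosen rules. And the signing side keeps `exp` short with a fresh `jti`, which is what makes a captured assertion worthless after a few minutes; in the `main` above the same token is accepted immediately and refused when presented ten minutes later. In a real deployment the private key should never leave the host that generated it, which is the point of the "generated locally" bullet earlier on this page.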

Audit Logging (Enterprise)

Enterprise customers get comprehensive audit logging for compliance:

  • All API calls logged with timestamps
  • User activity tracking
  • License usage monitoring
  • Security event logging
  • Data access audit trails

Audit Log Access:

# View audit logs (Enterprise tier only)
epic audit-logs --since 2024-01-01
epic audit-logs --user john@company.com
epic audit-logs --export csv

# Real-time audit monitoring
epic audit-logs --follow

  • Automated compliance reports
  • Custom audit queries
  • Export capabilities for external systems
  • Integration with SIEM platforms

Team Security (Team+)

  • Role-based access control
  • Team member invitation system
  • Permission management
  • Activity monitoring

Configuration Security:

# Secure team configuration sharing
epic config share --team-id TEAM_ID

# View team member activity
epic team activity

# Manage team permissions
epic team permissions --user john@company.com --role developer

  • Multi-factor authentication support
  • Session management
  • IP allowlisting (Enterprise)
  • SSO integration (Enterprise)

Compliance Features by Tier

Feature | Trial | Starter | Professional | Team | Enterprise
HTTPS Encryption
PHI Protection
JWT Authentication
Basic Audit Logs
Team Access Control
Advanced Audit Logs
Compliance Reporting
SSO Integration
Custom Security Policies

Security Best Practices

For Development

  • Use trial or starter licenses for development environments
  • Never commit private keys or certificates to version control
  • Use environment variables for sensitive configuration
  • Enable PHI protection in all environments

For Production

  • Use Professional+ licenses for production systems
  • Implement proper access controls and user management
  • Enable audit logging for compliance requirements
  • Regular security reviews and updates

For Teams (Team+)

  • Use Team+ licenses for collaborative development
  • Implement role-based access control
  • Regular security training for team members
  • Incident response procedures

For Enterprise

  • Dedicated security review and penetration testing
  • Custom security policies and procedures
  • Integration with existing security infrastructure
  • 24/7 security monitoring and support

Enterprise Security & Compliance

Need advanced security features, custom compliance requirements, or dedicated support? Our Enterprise tier provides white-glove security with dedicated account management.