Security & Compliance
Enterprise-grade security features, HIPAA compliance, and audit capabilities
End-to-End Encryption
TLS 1.2+ for all communications
โ
HTTPS Only
HIPAA Compliance
Built-in PHI protection and safeguards
โ
Healthcare Ready
Audit Logging
Comprehensive activity tracking
โ
Enterprise Tier
Security Checklist
JWT Authentication with RS384
X.509 Certificate Generation
TLS 1.2+ Encryption
PHI Data Protection
Secure Token Storage
Rate Limiting & Throttling
Audit Trail Logging
SOC 2 Compliant Infrastructure
Security Overview
Epic CLI is built with enterprise-grade security from the ground up, ensuring your healthcare data remains protected throughout the integration process.
- ๐ JWT Authentication with RS384 algorithm and 2048-bit RSA keys
- ๐ X.509 Certificates RFC 5280 compliant for Epic integration
- ๐ HTTPS Only - All communication encrypted in transit
- ๐ก๏ธ PHI Protection - Automatic sanitization of sensitive healthcare data
- ๐ Audit Logging - Comprehensive activity tracking (Enterprise tier)
Data Security
- All API communication uses TLS 1.2+ encryption
- Epic FHIR API calls secured with HTTPS
- Backend license validation encrypted end-to-end
- License keys encrypted in database
- Usage logs stored with AES-256 encryption
- Audit trails protected with enterprise-grade security
- RSA-2048 private keys generated locally
- X.509 certificates created with proper Epic compatibility
- Secure token storage with automatic refresh
PHI Protection:
# PHI protection enabled by default
epic patients search --family Smith
# Automatically sanitizes sensitive data in logs
# Disable PHI protection for debugging (not recommended in production)
epic patients search --family Smith --no-phi-protectionHIPAA Compliance
Epic CLI is designed to support HIPAA compliance for healthcare organizations:
- Role-based access control (Team+ tiers)
- User authentication and authorization
- Audit logging and monitoring (Enterprise tier)
- Security incident procedures
- Secure data centers with SOC 2 compliance
- Encrypted storage systems
- Controlled access to infrastructure
- Access control mechanisms
- Audit controls and logging
- Integrity controls for data
- Transmission security with TLS encryption
Important: While Epic CLI provides HIPAA-compliant infrastructure, organizations must implement proper policies and procedures to achieve full HIPAA compliance.
Authentication & Authorization
- RS384 algorithm with 2048-bit RSA keys
- 24-hour token expiration with automatic refresh
- Secure token storage and transmission
Epic Integration Security:
# The CLI automatically handles:
# โ
JWT token creation and refresh
# โ
X.509 certificate generation and validation
# โ
Secure API communication with Epic
# โ
License validation with backend
# Check security status
epic status
epic auth status- Real-time validation with secure backend
- Encrypted license key storage
- Tamper-resistant license verification
Audit Logging (Enterprise)
Enterprise customers get comprehensive audit logging for compliance:
- All API calls logged with timestamps
- User activity tracking
- License usage monitoring
- Security event logging
- Data access audit trails
Audit Log Access:
# View audit logs (Enterprise tier only)
epic audit-logs --since 2024-01-01
epic audit-logs --user john@company.com
epic audit-logs --export csv
# Real-time audit monitoring
epic audit-logs --follow- Automated compliance reports
- Custom audit queries
- Export capabilities for external systems
- Integration with SIEM platforms
Team Security (Team+)
- Role-based access control
- Team member invitation system
- Permission management
- Activity monitoring
Configuration Security:
# Secure team configuration sharing
epic config share --team-id TEAM_ID
# View team member activity
epic team activity
# Manage team permissions
epic team permissions --user john@company.com --role developer- Multi-factor authentication support
- Session management
- IP allowlisting (Enterprise)
- SSO integration (Enterprise)
Compliance Features by Tier
| Feature | Trial | Starter | Professional | Team | Enterprise |
|---|---|---|---|---|---|
| HTTPS Encryption | โ | โ | โ | โ | โ |
| PHI Protection | โ | โ | โ | โ | โ |
| JWT Authentication | โ | โ | โ | โ | โ |
| Basic Audit Logs | โ | โ | โ | โ | โ |
| Team Access Control | โ | โ | โ | โ | โ |
| Advanced Audit Logs | โ | โ | โ | โ | โ |
| Compliance Reporting | โ | โ | โ | โ | โ |
| SSO Integration | โ | โ | โ | โ | โ |
| Custom Security Policies | โ | โ | โ | โ | โ |
Security Best Practices
Recommended Security Practices:
- Use trial or starter licenses for development environments
- Never commit private keys or certificates to version control
- Use environment variables for sensitive configuration
- Enable PHI protection in all environments
- Use Professional+ licenses for production systems
- Implement proper access controls and user management
- Enable audit logging for compliance requirements
- Regular security reviews and updates
- Use Team+ licenses for collaborative development
- Implement role-based access control
- Regular security training for team members
- Incident response procedures
- Dedicated security review and penetration testing
- Custom security policies and procedures
- Integration with existing security infrastructure
- 24/7 security monitoring and support
HIPAA Compliance Features by Tier
| Security Feature | Trial | Starter | Professional | Team | Enterprise |
|---|---|---|---|---|---|
| HTTPS Encryption | โ | โ | โ | โ | โ |
| PHI Protection | โ | โ | โ | โ | โ |
| Basic Audit Logs | โ | โ | โ | โ | โ |
| User Access Control | โ | โ | โ | โ | โ |
| Advanced Audit Logs | โ | โ | โ | โ | โ |
| SSO Integration | โ | โ | โ | โ | โ |
| Compliance Reporting | โ | โ | โ | โ | โ |
Security Best Practices
For Development
- โขUse trial or starter licenses for development environments
- โขNever commit private keys or certificates to version control
- โขUse environment variables for sensitive configuration
- โขEnable PHI protection in all environments
For Production
- โขUse Professional+ licenses for production systems
- โขImplement proper access controls and user management
- โขEnable audit logging for compliance requirements
- โขRegular security reviews and updates
Enterprise Security & Compliance
Need advanced security features, custom compliance requirements, or dedicated support? Our Enterprise tier provides white-glove security with dedicated account management.