Security · December 8, 2025
By Sarah Kim, Head of Security
After deploying our medical imaging API across 340+ healthcare facilities, we've developed strong opinions about what HIPAA-compliant API design actually looks like in practice.
Our servers never have access to decrypted PHI. All imaging data is encrypted client-side using AES-256-GCM with keys derived from the customer's master key.
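As an added illustration (example code, not the team's own implementation), this is what client-side sealing along those lines looks like in Go with only the standard library: a per-study AES-256 key is derived from the customer's master key with HKDF-SHA256, the DICOM study UID is bound as GCM additional authenticated data, and the server only ever stores the sealed blob. The HKDF salt label, the `study-key:` info prefix, the nonce||ciphertext||tag layout and the sample values are assumptions of this example, not details taken from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// studyAEAD: HKDF-SHA256 (RFC 5869 written out with crypto/hmac, study UID as info) from the master key, then AES-256-GCM.
func studyAEAD(masterKey []byte, studyUID string) (cipher.AEAD, error) {
	ext := hmac.New(sha256.New, []byte("imaging-api-hkdf-salt-v1")) // HKDF-Extract; salt label is an assumption
	ext.Write(masterKey)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // HKDF-Expand: T(1) = HMAC(PRK, info || 0x01)
	exp.Write([]byte("study-key:" + studyUID))
	exp.Write([]byte{0x01})
	block, err := aes.NewCipher(exp.Sum(nil)) // 32-byte output selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealStudy runs on the client; the study UID is AAD so a blob cannot be moved to another study. Output: nonce||ct||tag.
func sealStudy(masterKey []byte, studyUID string, pixelData []byte) ([]byte, error) {
	aead, err := studyAEAD(masterKey, studyUID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pixelData, []byte(studyUID)), nil
}

// openStudy reverses sealStudy; tampering or a wrong study UID fails the tag check.
func openStudy(masterKey []byte, studyUID string, sealed []byte) ([]byte, error) {
	aead, err := studyAEAD(masterKey, studyUID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(studyUID))
}
```

Because the master key stays with the customer and only derived keys touch data, a server holding every sealed blob still cannot recover PHI, and a blob copied onto another study's record fails authentication rather than decrypting.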
Every API call generates an immutable audit log entry streamed to a separate, append-only store.
Our API key system supports granular scopes down to individual DICOM attributes. A viewer might only have study:read, while a PACS integration needs imaging:stream.