🔒 Security & Compliance

RadCloudAI is a secure, cloud-native clinical decision-support platform designed to assist qualified radiologists. Security, privacy, and clinical responsibility are foundational to the system’s architecture.

1. Intended Use and HIPAA-Aligned Design

RadCloudAI is intended for clinical decision support in radiology. It provides assistive analysis, structured impressions, quality assurance, and literature guidance. The platform does not replace physician judgment or operate autonomously.

RadCloudAI is designed to support HIPAA-aligned workflows under a shared-responsibility model.

2. Administrative, Technical, and Physical Safeguards

Administrative

  • Role-based access control

  • Group-scoped model configuration and credential isolation

  • Multi-factor authentication (MFA)

Technical

  • Encrypted data transmission and storage

  • Server-side authentication and authorization enforcement

  • No large language model (LLM) receives unmasked patient identifiers

Physical / Infrastructure

  • Fully managed deployment on Google Cloud Run

  • No local installations or unmanaged endpoints

3. PHI Handling and De-Identification Controls

User Responsibility

Users are instructed to de-identify reports and images prior to submission unless an institutional agreement is in place.

Automated Detection

  • OCR-based PHI scanning on uploaded images

  • Structured parsing for common identifiers (MRN, name, DOB)

  • Requests containing detected PHI are blocked with structured feedback

Scrubbing Safeguards

  • Secondary masking replaces identifiers with placeholders

  • Regex-based pattern detection

  • No unmasked PHI is transmitted to OpenAI, Gemini, or other LLM providers

4. Data Transmission and Hosting Security

  • HTTPS enforced end-to-end

  • TLS 1.3 via Cloudflare and Google Cloud Run

  • HSTS, CSP, X-Frame-Options, and Referrer-Policy enforced

Cloud Infrastructure

  • Google Cloud Run (isolated containers)

  • Cloud SQL (encrypted, restricted access)

  • Cloud Storage (private, signed URLs)

  • Cloudflare edge protection (WAF, bot mitigation, rate limiting)

5. Encryption and Credential Protection

  • Credentials and API keys encrypted at rest (Fernet)

  • Secrets decrypted only at runtime

  • No secrets returned to the frontend

  • JWT-based sessions with defined lifetimes

6. Authentication and MFA

  • Username + password authentication

  • Argon2id password hashing

  • JWT access and refresh tokens

  • Optional TOTP-based MFA enforced at login when enabled

7. Multi-Tenant Isolation

  • Users belong to one or more Groups

  • Each Group has:

    • Independent LLM credentials

    • Independent routing and model restrictions

  • Strict isolation across institutions and teams

8. AI Model Access Controls

LLM access is configured per group and scoped to individual requests.
No model retains data beyond a single execution.

9. Logging, Monitoring, and Auditability

  • All AI executions logged with user and group context

  • PHI detection events logged

  • Logs stored in Google Cloud Logging with RBAC

  • Health endpoints and operational monitoring enabled

10. Compliance Roadmap

  • Internal compliance review in progress

  • HITRUST-aligned workflows implemented

  • SOC 2 / ISO 27001 documentation underway

  • BAAs available for institutional partners upon request

11. Disclosure

RadCloudAI is an assistive platform. Clinical responsibility remains with the interpreting physician. PHI submission requires appropriate safeguards or agreements.

Contact US