abridge-security-basics

# Abridge Security Basics ## Overview HIPAA-compliant security configuration for Abridge clinical AI integrations. Abridge handles PHI (Protected Health Information) — security is not optional. This skill covers encryption, access control, audit logging, and BAA requirements. ## HIPAA Security Checklist | Requirement | Implementation | Status | |-------------|---------------|--------| | Encryption in transit | TLS 1.3 enforced | Required | | Encryption at rest | AES-256 for stored PHI | Required | | Access control | Role-based with MFA | Required | | Audit logging | All PHI access logged | Required | | BAA signed | Business Associate Agreement | Required | | Minimum necessary | Only access needed PHI | Required | | Breach notification | 60-day notification plan | Required | ## Instructions ### Step 1: Enforce TLS and Certificate Pinning ```typescript // src/security/tls-config.ts import https from 'https'; import axios from 'axios'; const abridgeHttpsAgent = new https.Agent({ minVersion: 'TLSv1.3', // Enforce TLS 1.3 minimum rejectUnauthorized: true, // Never disable cert validation // Optional: certificate pinning for Abridge API // ca: fs.readFileSync('./certs/abridge-ca.pem'), }); const secureClient = axios.create({ baseURL: process.env.ABRIDGE_BASE_URL, httpsAgent: abridgeHttpsAgent, headers: { 'Authorization': `Bearer ${process.env.ABRIDGE_CLIENT_SECRET}`, 'X-Org-Id': process.env.ABRIDGE_ORG_ID!, 'Strict-Transport-Secu...