openevidence-security-basics

# OpenEvidence Security Basics ## Overview OpenEvidence provides AI-powered clinical evidence synthesis that processes protected health information (PHI), patient queries, and medical literature references. Integrations must comply with HIPAA requirements for PHI handling, audit logging, and access controls. A breach exposes patient health questions, clinical recommendations, and potentially identifiable medical conditions. Every API interaction must be treated as a HIPAA-regulated transaction. ## API Key Management ```typescript function createOpenEvidenceClient(): { apiKey: string; baseUrl: string } { const apiKey = process.env.OPENEVIDENCE_API_KEY; if (!apiKey) { throw new Error("Missing OPENEVIDENCE_API_KEY — store in HIPAA-compliant secrets manager"); } // PHI-adjacent access — enforce audit logging on every request console.log("OpenEvidence client initialized (key suffix:", apiKey.slice(-4), ")"); return { apiKey, baseUrl: "https://api.openevidence.com/v1" }; } ``` ## Webhook Signature Verification ```typescript import crypto from "crypto"; import { Request, Response, NextFunction } from "express"; function verifyOpenEvidenceWebhook(req: Request, res: Response, next: NextFunction): void { const signature = req.headers["x-openevidence-signature"] as string; const secret = process.env.OPENEVIDENCE_WEBHOOK_SECRET!; const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex"); if (!signature || !crypto.timingSafeEqual(Buffe...