# Security & Compliance Use Cases (SEC)

## UC-SEC-001: Enforce Data Retention Policies
Purpose: Automatically purge aging artifacts per regulatory retention windows.
| Property | Value |
|---|---|
| Actor | Compliance Job Runner |
| Trigger | Daily at 01:00 IST |
| Priority | P0 |
Main Success Scenario:
1. Runner loads retention policy config (per artifact type + jurisdiction)
2. Query storage indices (S3, database tables, search) for objects past retention date
3. For each object, verify legal hold status before deletion
4. Delete data securely (S3 multi-part delete, DB hard delete) and record checksum
5. Write immutable audit log (objectId, policyId, deletedBy=system) to WORM storage
6. Emit summary report to compliance channel with counts + exceptions
Acceptance Criteria:
1. [ ] Supports dry-run mode producing deletion manifest only
2. [ ] Legal holds respected (skip + alert)
3. [ ] Audit trail exportable for regulators within 24h

## UC-SEC-002: Audit Access Trails
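Worked example of the purge job (steps 1 to 6 plus the dry-run and legal-hold criteria). This is added illustration, not the platform's own job code: the policy table, the in-memory object store standing in for the S3/database/search indices, the legal-hold set and the names `RETENTION_POLICY`, `run_purge`, `build_sample_store` and `SAMPLE_TODAY` are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention policy: (policyId, days to keep) keyed by (artifact type, jurisdiction).
RETENTION_POLICY = {
    ("audio", "IN"): ("POL-AUDIO-IN", 180),
    ("transcript", "IN"): ("POL-TXT-IN", 365 * 3),
    ("audio", "EU"): ("POL-AUDIO-EU", 90),
}
SAMPLE_TODAY = date(2024, 6, 1)   # constructed run date for the sample below

@dataclass
class StoredObject:
    object_id: str
    artifact_type: str
    jurisdiction: str
    created: date
    payload: bytes

@dataclass
class PurgeResult:
    deleted: list = field(default_factory=list)       # immutable audit records (JSON strings)
    skipped_hold: list = field(default_factory=list)  # expired but under legal hold -> alert
    no_policy: list = field(default_factory=list)     # no matching policy -> report as exception
    manifest: list = field(default_factory=list)      # dry-run deletion manifest

    def summary(self):
        """Counts + exceptions for the compliance-channel report (step 6)."""
        return {"deleted": len(self.deleted), "manifest": len(self.manifest),
                "legal_hold_skips": self.skipped_hold, "no_policy": self.no_policy}

def retention_state(obj, today):
    """Return (policyId, expired?) for an object; (None, False) when no policy matches."""
    policy = RETENTION_POLICY.get((obj.artifact_type, obj.jurisdiction))
    if policy is None:
        return None, False
    policy_id, days = policy
    return policy_id, obj.created + timedelta(days=days) < today

def run_purge(store, legal_holds, today, dry_run=True):
    """store: dict objectId -> StoredObject (mutated only when dry_run is False).
    legal_holds: set of objectIds currently under legal hold."""
    result = PurgeResult()
    for obj in list(store.values()):
        policy_id, is_expired = retention_state(obj, today)
        if policy_id is None:
            result.no_policy.append(obj.object_id)   # unknown policy: never delete, only report
            continue
        if not is_expired:
            continue
        if obj.object_id in legal_holds:
            result.skipped_hold.append(obj.object_id)   # step 3: held data is skipped + alerted
            continue
        checksum = hashlib.sha256(obj.payload).hexdigest()   # step 4: checksum kept with the deletion
        entry = {"objectId": obj.object_id, "policyId": policy_id, "sha256": checksum}
        if dry_run:
            result.manifest.append(entry)
            continue
        del store[obj.object_id]
        # Step 5: append-only record; in production this line is written to WORM storage.
        result.deleted.append(json.dumps({**entry, "deletedBy": "system",
                                          "deletedOn": today.isoformat()}, sort_keys=True))
    return result

def build_sample_store(today):
    """Constructed objects exercising every branch: expired, fresh, held, unknown type."""
    return {
        "aud-1": StoredObject("aud-1", "audio", "IN", today - timedelta(days=200), b"audio-1"),
        "aud-2": StoredObject("aud-2", "audio", "IN", today - timedelta(days=10), b"audio-2"),
        "aud-3": StoredObject("aud-3", "audio", "EU", today - timedelta(days=120), b"audio-3"),
        "img-1": StoredObject("img-1", "image", "IN", today - timedelta(days=900), b"image-1"),
    }

if __name__ == "__main__":
    store = build_sample_store(SAMPLE_TODAY)
    print(run_purge(store, {"aud-3"}, SAMPLE_TODAY, dry_run=True).summary())
    print(run_purge(store, {"aud-3"}, SAMPLE_TODAY, dry_run=False).summary())
```

The dry run and the real run share one code path, so the manifest reviewed by compliance is exactly the set the live run will delete; objects with no matching policy are surfaced as exceptions rather than silently kept or removed.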
Purpose: Provide investigators with complete user access logs for any patient artifact.
| Property | Value |
|---|---|
| Actor | Security Analyst |
| Trigger | On-demand investigation request |
| Priority | P0 |
Main Success Scenario:
1. Analyst submits request via `/api/audit/access` with patientId, date range
2. Service validates analyst scope and generates signed job token
3. Job scans centralized audit lake (CloudTrail, application logs) using Athena/BigQuery
4. Results normalized into schema (timestamp, actor, action, resource, clientIP)
5. Produce encrypted CSV/PDF bundle and notify analyst with temporary download link
6. Record that audit data was accessed (who/when) for meta auditing
Acceptance Criteria:
1. [ ] Queries complete within 5 minutes for 90-day window
2. [ ] Sensitive columns (IP, device) masked unless elevated approval
3. [ ] Supports tamper-evident hashing of delivered reports

## UC-SEC-003: Process Consent Revocation
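Worked example of steps 4 to 6 and the masking and tamper-evidence criteria: normalising a CloudTrail-style record and application log lines into the (timestamp, actor, action, resource, clientIP) schema, masking the IP column unless the request carries elevated approval, hashing the delivered CSV, and recording the meta-audit entry. Added example, not the service's code; the sample records, the application log format and its regex, and the names `build_report`, `deliver`, `META_AUDIT` and `load_sample_events` are constructed for illustration (the Athena/BigQuery scan itself is replaced by an in-memory list).

```python
import csv
import hashlib
import io
import json
import re
from datetime import datetime, timezone

FIELDS = ["timestamp", "actor", "action", "resource", "clientIP"]

# Constructed inputs: one CloudTrail-style record and two application audit lines.
CLOUDTRAIL_RECORD = json.dumps({
    "eventTime": "2024-05-02T09:15:00Z",
    "userIdentity": {"userName": "dr.rao"},
    "eventName": "GetObject",
    "requestParameters": {"key": "patients/P-1001/audio/enc-7.bin"},
    "sourceIPAddress": "203.0.113.25",
})
APP_LOG_LINES = [
    "2024-05-02T09:16:30Z actor=nurse.k action=view_transcript resource=patients/P-1001/transcripts/enc-7 ip=198.51.100.7",
    "2024-05-02T09:20:00Z actor=nurse.k action=view_transcript resource=patients/P-2002/transcripts/enc-9 ip=198.51.100.7",
]
APP_LOG_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) resource=(?P<resource>\S+) ip=(?P<ip>\S+)$")

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize_cloudtrail(raw):
    r = json.loads(raw)
    return {"timestamp": r["eventTime"], "actor": r["userIdentity"]["userName"],
            "action": r["eventName"], "resource": r["requestParameters"]["key"],
            "clientIP": r["sourceIPAddress"]}

def normalize_app_log(line):
    m = APP_LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return {"timestamp": m["ts"], "actor": m["actor"], "action": m["action"],
            "resource": m["resource"], "clientIP": m["ip"]}

def mask_ip(ip):
    """Keep the /24 so network-level patterns stay visible without the full address."""
    return ".".join(ip.split(".")[:3] + ["x"])

def build_report(events, patient_id, start_iso, end_iso, elevated=False):
    """Filter to one patient and date window, mask clientIP unless elevated approval
    is present, and return (csv_text, sha256_hex) for tamper-evident delivery."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    rows = []
    for e in events:
        if not (start <= parse_ts(e["timestamp"]) <= end):
            continue
        if f"/{patient_id}/" not in e["resource"]:
            continue
        row = dict(e)
        if not elevated:
            row["clientIP"] = mask_ip(row["clientIP"])
        rows.append(row)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(sorted(rows, key=lambda r: r["timestamp"]))
    text = buf.getvalue()
    return text, hashlib.sha256(text.encode()).hexdigest()

META_AUDIT = []   # step 6: who pulled which report and when; append-only in production

def deliver(analyst, patient_id, events, start_iso, end_iso, elevated=False):
    """Build the bundle and record the access to the audit data itself."""
    text, digest = build_report(events, patient_id, start_iso, end_iso, elevated)
    META_AUDIT.append({"analyst": analyst, "patientId": patient_id, "reportSha256": digest,
                       "elevated": elevated, "at": datetime.now(timezone.utc).isoformat()})
    return text, digest

def load_sample_events():
    return [normalize_cloudtrail(CLOUDTRAIL_RECORD)] + [normalize_app_log(l) for l in APP_LOG_LINES]
```

The digest is computed over the exact bytes handed to the analyst and stored in the meta-audit record, so a later comparison of a delivered file against that record detects modification; elevated and masked variants of the same query produce different digests by design.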
Purpose: Ensure data sharing stops immediately when patient revokes consent.
| Property | Value |
|---|---|
| Actor | Consent Service |
| Trigger | POST /api/consent/{patientId}/revoke |
| Priority | P0 |
Main Success Scenario:
1. API validates patient identity + authorization (care navigator, patient portal)
2. Update consent registry status to `revoked` with timestamp + actor
3. Broadcast event `consent.revoked` to downstream systems (API Gateway, analytics, integrations)
4. Revoke existing API tokens / presigned URLs tied to patient scope
5. Quarantine patient bundle from outbound interfaces (FHIR export, webhooks)
6. Generate compliance task to confirm manual downstream systems (if any) updated
Acceptance Criteria:
1. [ ] Effective across entire platform within 60 seconds
2. [ ] Attempts to access revoked data return HTTP 451 with error code
3. [ ] Consent state history immutable and queryable for audits

## UC-SEC-004: Detect Anomalous Login Patterns
Purpose: Identify potentially compromised accounts via behavioral analytics.
| Property | Value |
|---|---|
| Actor | Security Monitoring Service |
| Trigger | Authentication event stream |
| Priority | P1 |
Main Success Scenario:
1. Ingest login events (userId, device fingerprint, IP, geo) into streaming analytics engine
2. Apply rules + ML model (isolation forest) to detect deviations (impossible travel, new device at 3AM)
3. If risk score > threshold, create security incident and require step-up MFA
4. Notify SOC via PagerDuty + Slack with contextual data
5. Tag user session as `restricted` until MFA challenge passed or account locked
Acceptance Criteria:
1. [ ] Detection latency < 30 seconds from event
2. [ ] False positive rate < 2% with monthly tuning review
3. [ ] Incidents linked to ticketing system with bi-directional status sync

## UC-SEC-401a: Verify Doctor Authorization
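Worked example of the rule layer in step 2 and the incident handling in steps 3 to 5: a stateful per-user scorer that flags impossible travel (great-circle distance over elapsed time above airline speed) and a new device outside local business hours, and opens a restricted-session incident above a threshold. Added example, not the monitoring service's code. The login stream, the speed limit, the threshold (`RISK_THRESHOLD`), the rule weights and the IST offset are constructed assumptions; the isolation-forest model the use case mentions is not implemented here and is assumed to contribute a separate score.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # above airline speed between two logins = impossible travel
RISK_THRESHOLD = 40               # assumed tuning value; the use case leaves it to the monthly review
LOCAL_UTC_OFFSET_H = 5.5          # IST, used for the "new device at 3AM" rule

# Constructed login stream: (userId, deviceFingerprint, clientIP, lat, lon, UTC time).
LOGIN_EVENTS = [
    ("u-42", "dev-A", "203.0.113.5",  19.07, 72.88, "2024-05-02T09:00:00Z"),  # Mumbai, known device
    ("u-42", "dev-A", "203.0.113.5",  19.07, 72.88, "2024-05-02T12:00:00Z"),
    ("u-42", "dev-Z", "198.51.100.9", 51.51, -0.13, "2024-05-02T13:30:00Z"),  # London 90 min later
    ("u-77", "dev-B", "192.0.2.10",   28.61, 77.21, "2024-05-02T10:00:00Z"),  # Delhi, daytime
    ("u-77", "dev-C", "192.0.2.10",   28.61, 77.21, "2024-05-02T21:30:00Z"),  # new device at 03:00 IST
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

class LoginRiskScorer:
    """Rule layer of step 2: remembers each user's last location/time and known devices."""
    def __init__(self):
        self.last_seen = {}               # userId -> (lat, lon, datetime)
        self.devices = defaultdict(set)   # userId -> known fingerprints

    def score(self, user, device, lat, lon, ts_iso):
        ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
        risk, reasons = 0, []
        prev = self.last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev[0], prev[1], lat, lon)
            hours = (ts - prev[2]).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                risk += 70
                reasons.append(f"impossible_travel:{km:.0f}km/{hours:.1f}h")
        # A first-ever login has no baseline, so "new device" only applies to users with history.
        if self.devices[user] and device not in self.devices[user]:
            risk += 25
            reasons.append("new_device")
            if (ts.hour + LOCAL_UTC_OFFSET_H) % 24 < 6:
                risk += 20
                reasons.append("off_hours")
        self.devices[user].add(device)
        self.last_seen[user] = (lat, lon, ts)
        return risk, reasons

def process_stream(events):
    """Steps 3-5: above threshold -> incident requiring step-up MFA, session tagged restricted."""
    scorer = LoginRiskScorer()
    incidents = []
    for user, device, ip, lat, lon, ts in events:
        risk, reasons = scorer.score(user, device, lat, lon, ts)
        if risk > RISK_THRESHOLD:
            incidents.append({"userId": user, "clientIP": ip, "risk": risk, "reasons": reasons,
                              "session": "restricted", "requiredAction": "step_up_mfa",
                              "notify": ["pagerduty", "slack"]})
    return incidents

if __name__ == "__main__":
    for incident in process_stream(LOGIN_EVENTS):
        print(incident)
```

The reasons list travels with the incident so the SOC page carries the context the use case asks for, and the weights are deliberately separate constants so the monthly false-positive review has one place to tune.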
Purpose: Ensure the user has privileges to use the Scribe feature.
| Property | Value |
|---|---|
| Actor | Auth Service |
| Trigger | App Launch / Start Encounter |
| Priority | P0 |
Main Success Scenario:
1. Validate JWT token signature and expiry
2. Check `roles` claim for `scribe_user`
3. Verify subscription status (Active/Trial)
4. Return 200 OK with feature flags
Acceptance Criteria:
1. [ ] Blocks access for expired subscriptions
2. [ ] Logs unauthorized attempts

## UC-SEC-401b: Verify Patient Consent
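Worked example of steps 1 to 4: signature and expiry verification of an HS256 JWT with the algorithm pinned, a `roles` claim check for `scribe_user`, a subscription-status lookup, and a 200 with feature flags. Added example, not the Auth Service's code: the shared secret, the `SUBSCRIPTIONS` directory, the `issue_token` helper (present only to build sample tokens), `authorize_scribe` and `UNAUTHORIZED_LOG` are constructed. Production deployments normally verify asymmetric (RS256/ES256) tokens through a JWT library; the standard-library HMAC here keeps the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret-not-for-production"   # constructed; real keys come from KMS
SUBSCRIPTIONS = {"dr-1": "Active", "dr-2": "Expired", "dr-3": "Trial"}   # constructed directory
UNAUTHORIZED_LOG = []   # acceptance criterion 2: every refused attempt is logged

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims, key=SECRET):
    """HS256 signer used only to build sample tokens for this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token, key=SECRET, now=None):
    """Step 1: pinned algorithm, constant-time signature check, then expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":   # the token's own alg field is never trusted
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        raise ValueError("expired")
    return claims

def authorize_scribe(token, now=None):
    """Steps 2-4: roles claim, subscription status, then 200 OK with feature flags."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        UNAUTHORIZED_LOG.append({"sub": None, "reason": str(exc)})
        return 401, {"error": str(exc)}
    sub = claims.get("sub", "?")
    if "scribe_user" not in claims.get("roles", []):
        UNAUTHORIZED_LOG.append({"sub": sub, "reason": "missing_role"})
        return 403, {"error": "missing_role"}
    status = SUBSCRIPTIONS.get(sub)
    if status not in ("Active", "Trial"):
        UNAUTHORIZED_LOG.append({"sub": sub, "reason": f"subscription_{status}"})
        return 403, {"error": "subscription_inactive"}
    return 200, {"features": {"scribe": True, "trial_watermark": status == "Trial"}}
```

Signature failure is reported before any claim is read, so a token whose payload was edited (for example to add a role) never reaches the authorization step, and the log entry for it carries no attacker-controlled `sub` value.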
Purpose: Ensure legal consent exists for recording this specific patient.
| Property | Value |
|---|---|
| Actor | Consent Manager |
| Trigger | Start Recording |
| Priority | P0 |
Main Success Scenario:
1. Query Consent Registry for `patientId`
2. Check for valid `AUDIO_RECORDING` consent artifact
3. If missing, prompt Doctor to capture digital consent (OTP/Signature)
4. Link consent artifact ID to the new encounter session
Acceptance Criteria:
1. [ ] Blocks recording start if consent missing
2. [ ] Supports "Emergency Override" with mandatory justification logging

## UC-SEC-402: Data Encryption & Masking
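Worked example serving both UC-SEC-003 (revocation: append-only state, `consent.revoked` broadcast, scoped-token revocation, HTTP 451 on later access) and UC-SEC-401b (consent check before recording, emergency override with mandatory justification). Added example, not the Consent Service's code: `ConsentRegistry`, `ConsentRecord`, `start_recording`, `export_bundle`, `OVERRIDE_LOG` and the in-memory subscriber and token maps are constructed stand-ins for the registry, the event bus and the API Gateway token store.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

class ConsentRevoked(Exception):
    """Surfaced at the API edge as HTTP 451 with a stable error code."""
    http_status = 451
    error_code = "CONSENT_REVOKED"

@dataclass(frozen=True)            # records are immutable once written
class ConsentRecord:
    patient_id: str
    purpose: str                   # AUDIO_RECORDING, DATA_SHARING, or "*" for a blanket revocation
    status: str                    # "granted" | "revoked"
    actor: str
    at: str
    artifact_id: str               # consent artifact id (OTP/signature capture), "" for revocations

def now_iso():
    return datetime.now(timezone.utc).isoformat()

class ConsentRegistry:
    def __init__(self):
        self._history = []         # append-only; current state is always derived from it
        self._subscribers = []     # downstream systems receiving consent.revoked
        self._tokens = {}          # API token -> patient scope

    def subscribe(self, handler):
        self._subscribers.append(handler)

    def issue_token(self, token, patient_id):
        self._tokens[token] = patient_id

    def token_valid(self, token):
        return token in self._tokens

    def grant(self, patient_id, purpose, actor, artifact_id):
        rec = ConsentRecord(patient_id, purpose, "granted", actor, now_iso(), artifact_id)
        self._history.append(rec)
        return rec

    def revoke(self, patient_id, actor):
        """UC-SEC-003 steps 2-4: record, broadcast, revoke scoped tokens. Returns tokens revoked."""
        rec = ConsentRecord(patient_id, "*", "revoked", actor, now_iso(), "")
        self._history.append(rec)
        scoped = [t for t, p in self._tokens.items() if p == patient_id]
        for t in scoped:
            del self._tokens[t]
        for handler in self._subscribers:
            handler({"event": "consent.revoked", "patientId": patient_id, "at": rec.at})
        return len(scoped)

    def check(self, patient_id, purpose):
        """Newest matching record wins: a revocation raises, a grant is returned, none -> None."""
        for rec in reversed(self._history):
            if rec.patient_id != patient_id or rec.purpose not in (purpose, "*"):
                continue
            if rec.status == "revoked":
                raise ConsentRevoked(patient_id)
            return rec
        return None

    def history(self, patient_id):
        """Queryable, read-only view for audits."""
        return tuple(r for r in self._history if r.patient_id == patient_id)

OVERRIDE_LOG = []   # mandatory justification log for emergency overrides

def start_recording(registry, patient_id, session, doctor, override_justification=None):
    """UC-SEC-401b: block on missing consent, 451 on revoked, link the artifact to the session."""
    try:
        rec = registry.check(patient_id, "AUDIO_RECORDING")
    except ConsentRevoked:
        return {"allowed": False, "status": 451, "error": ConsentRevoked.error_code}
    if rec is None:
        if not override_justification:
            return {"allowed": False, "status": 403, "error": "CONSENT_REQUIRED",
                    "prompt": "capture digital consent (OTP/signature)"}
        OVERRIDE_LOG.append({"doctor": doctor, "patientId": patient_id,
                             "justification": override_justification, "at": now_iso()})
        session["consentArtifactId"] = "EMERGENCY_OVERRIDE"
        return {"allowed": True, "status": 200, "override": True}
    session["consentArtifactId"] = rec.artifact_id
    return {"allowed": True, "status": 200}

def export_bundle(registry, patient_id, token):
    """Outbound interface (FHIR export) gated on token scope and DATA_SHARING consent."""
    if not registry.token_valid(token):
        return 401, {"error": "TOKEN_REVOKED"}
    try:
        rec = registry.check(patient_id, "DATA_SHARING")
    except ConsentRevoked:
        return 451, {"error": ConsentRevoked.error_code}
    if rec is None:
        return 403, {"error": "CONSENT_REQUIRED"}
    return 200, {"bundle": f"FHIR bundle for {patient_id}", "consentArtifactId": rec.artifact_id}
```

Because state is derived from the newest record, a fresh grant after a revocation re-enables only the purpose it names, while every other purpose stays blocked by the earlier blanket revocation; an override is refused outright when consent was revoked rather than merely missing.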
Purpose: Protect sensitive patient data at rest and in transit.
| Property | Value |
|---|---|
| Actor | Security Middleware |
| Trigger | Data Persistence |
| Priority | P0 |
Main Success Scenario:
1. Encrypt audio files (AES-256) before S3 upload
2. Mask PII in transcripts (names, phone numbers) for non-clinical viewers
3. Manage keys via KMS with rotation
4. Enforce TLS 1.3 for all API traffic
Acceptance Criteria:
1. [ ] FIPS 140-2 compliant encryption
2. [ ] PII masking reversible only by authorized roles
3. [ ] Zero cleartext PII in logs
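Worked example of step 2 and the second and third acceptance criteria: transcript PII replaced by opaque tokens whose originals live only in a vault that reveals them to clinical roles, plus a logging filter that rewrites names and phone numbers before any handler formats the record. Added example, not the middleware's code; the detection patterns, the sample transcript, `PiiVault`, `PiiRedactingFilter`, `CLINICAL_ROLES` and `redacted_log_line` are constructed. The AES-256 file encryption of step 1 is not shown because the Python standard library has no AES primitive; in practice the vault contents would also be encrypted with a KMS-managed key.

```python
import io
import logging
import re
import secrets

# Constructed patterns for the sample: Indian 10-digit mobiles and honorific + surname.
PHONE_RE = re.compile(r"\b(?:\+91[\s-]?)?\d{5}[\s-]?\d{5}\b")
NAME_RE = re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+\b")
TOKEN_RE = re.compile(r"\[(?:PHONE|NAME)_[0-9a-f]{8}\]")
CLINICAL_ROLES = {"doctor", "nurse"}          # roles allowed to reverse masking

SAMPLE_TRANSCRIPT = ("Patient Mr. Sharma reports chest pain since morning. "
                     "Callback number 98765 43210; follow up with Dr. Rao.")

class PiiVault:
    """Replaces PII with opaque tokens; originals live only in the vault, which in
    production would be an encrypted, access-controlled table rather than a dict."""
    def __init__(self):
        self._store = {}

    def _tokenize(self, kind):
        def repl(match):
            token = f"[{kind}_{secrets.token_hex(4)}]"   # random, so tokens leak no ordering
            self._store[token] = match.group(0)
            return token
        return repl

    def mask(self, text):
        text = PHONE_RE.sub(self._tokenize("PHONE"), text)
        return NAME_RE.sub(self._tokenize("NAME"), text)

    def reveal(self, masked, role):
        """Reversal is a privileged operation: refused for non-clinical roles."""
        if role not in CLINICAL_ROLES:
            raise PermissionError(f"role {role!r} may not unmask PII")
        return TOKEN_RE.sub(lambda m: self._store.get(m.group(0), m.group(0)), masked)

class PiiRedactingFilter(logging.Filter):
    """Rewrites the log message before any handler formats it, so no sink sees cleartext PII."""
    def filter(self, record):
        msg = record.getMessage()          # resolve %-args first so PII inside args is caught too
        record.msg = NAME_RE.sub("[NAME]", PHONE_RE.sub("[PHONE]", msg))
        record.args = ()
        return True

def redacted_log_line(message):
    """Emit one INFO line through a logger carrying the filter and return what was written."""
    buf = io.StringIO()
    logger = logging.getLogger("pii-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(PiiRedactingFilter())
    logger.addHandler(handler)
    logger.info(message)
    handler.flush()
    return buf.getvalue().strip()

if __name__ == "__main__":
    vault = PiiVault()
    masked = vault.mask(SAMPLE_TRANSCRIPT)
    print(masked)
    print(vault.reveal(masked, "doctor"))
    print(redacted_log_line("transcript saved for Mr. Sharma, callback 98765 43210"))
```

Attaching the filter to the handler rather than to individual call sites is what makes the "zero cleartext PII in logs" criterion checkable: the redaction runs for every record regardless of which module emitted it.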