Skip to main content
QMSQMS
QMS
  • Welcome to your QMS
  • Quality Manual
  • Procedures
  • Records
  • Legit.Health Plus Version 1.1.0.0
    • Index of Technical Documentation or Product File
    • Summary of Technical Documentation (STED)
    • Description and specifications
    • R-TF-001-007 Declaration of conformity
    • GSPR
    • Artificial Intelligence
    • Clinical
    • Cybersecurity
      • R-TF-024-001 Software Bills Of Materials
      • R-TF-024-002 Cyber Security Risk Management Plan
      • R-TF-024-003 Cyber Security Risk Matrix
      • R-TF-024-004 Security Risk Assessment Report
      • R-TF-025-005 Security Risk Testing Report
      • T-024-006 Threat Model Document
      • T-024-007 Cybersecurity Post-Market Surveillance Plan
      • T-024-009 Security Architecture Document
    • Design and development
    • Design History File
    • IFU and label
    • Post-Market Surveillance
    • Quality control
    • Risk Management
    • Usability and Human Factors Engineering
  • Legit.Health Plus Version 1.1.0.1
  • Licenses and accreditations
  • Applicable Standards and Regulations
  • Public tenders
  • Legit.Health Plus Version 1.1.0.0
  • Cybersecurity
  • T-024-009 Security Architecture Document

T-024-009 Security Architecture Document

Executive Summary​

Purpose and Scope​

This Security Architecture Document defines the comprehensive security design, controls, and implementation strategies for the Legit.Health Plus medical device software system. It establishes the security framework that protects patient data, ensures system integrity, maintains availability of critical functions, and preserves the authenticity of medical diagnoses and clinical outputs. This document serves as the authoritative reference for security implementation, regulatory compliance verification, and security assessment activities.

The scope encompasses all components of the Legit.Health Plus system including:

  • Cloud-based infrastructure and services
  • API endpoints and integration interfaces
  • AI/ML diagnostic algorithms and models
  • Data storage and transmission mechanisms
  • Authentication and authorization systems
  • Third-party integrations and SOUP components
  • Security monitoring and incident response capabilities

Security Design Principles​

The security architecture is built upon the following fundamental principles:

  1. Defense in Depth: Multiple layers of security controls to protect against various threat vectors
  2. Least Privilege: Minimal access rights necessary for users and systems to perform authorized functions
  3. Zero Trust Architecture: Verification required for all access requests regardless of source
  4. Security by Design: Security controls integrated throughout the development lifecycle
  5. Data Minimization: Collection and retention of only essential patient data
  6. Fail Secure: System defaults to secure state upon failure or error conditions
  7. Continuous Monitoring: Real-time detection and response to security events
  8. Privacy by Design: GDPR compliance embedded in system architecture

Alignment with Security Standards​

This architecture aligns with and implements controls from:

  • ISO/IEC 27001:2022 - Information security management system requirements
  • IEC 62443 - Industrial communication networks security standards
  • NIST Cybersecurity Framework v1.1 - Identify, Protect, Detect, Respond, Recover
  • FDA Premarket Cybersecurity Guidance (2023) - Medical device cybersecurity requirements
  • EU NIS2 Directive (2022/2555) - Network and information systems security
  • MDCG 2019-16 - Cybersecurity guidance for medical devices
  • OWASP Top 10 - Web application security risks mitigation
  • IMDRF/CYBER WG/N60FINAL:2020 - Medical device cybersecurity principles

System Architecture Overview​

High-Level System Components​

Deployment Architecture​

The Legit.Health Plus system is deployed as a cloud-native solution on Amazon Web Services (AWS) infrastructure:

Infrastructure Components​

ComponentTechnologyPurposeSecurity Features
ComputeAWS EC2/ECSApplication hostingSecurity groups, IAM roles
StorageAWS S3Medical image storageServer-side encryption, versioning
DatabaseAWS DocumentDBPatient recordsEncryption at rest, TLS connections
CacheAWS ElastiCacheSession managementRedis AUTH, encryption in transit
CDNAWS CloudFrontContent deliveryHTTPS only, geo-restriction
DNSAWS Route 53Domain managementDNSSEC, health checks
MonitoringAWS CloudWatchSystem monitoringLog encryption, metric alarms

Technology Stack​

Backend Services​

  • Runtime: Python 3.11 (CPython)
  • Framework: FastAPI 0.104.1
  • Authentication: Authlib 1.2.1
  • Database Driver: PyMongo 4.5.0
  • Cloud SDK: Boto3 1.28.85
  • Validation: Pydantic 2.5.0

AI/ML Components​

  • Deep Learning: PyTorch 2.1.0
  • Computer Vision: OpenCV 4.8.1, Ultralytics 8.0.221
  • Data Processing: NumPy 1.24.4, Pandas 2.0.3
  • Image Augmentation: Albumentations 1.3.1

Security Libraries​

  • Password Hashing: Bcrypt 4.1.1
  • HTTP Client: Requests 2.31.0
  • Server: Uvicorn 0.24.0

Infrastructure Providers​

Primary cloud provider: Amazon Web Services (AWS)

  • Region: EU-WEST-1 (Ireland) - Primary
  • Region: EU-CENTRAL-1 (Frankfurt) - Disaster Recovery
  • Compliance: AWS HIPAA, ISO 27001, SOC 2 Type II certified
  • Data Residency: All patient data remains within EU boundaries

Security Zones and Trust Boundaries​

Zone Architecture​

Trust Boundary Definitions​

ZoneTrust LevelDescriptionAccess Control
Public Zone0Untrusted external networksNo direct access
DMZ1Edge services and filteringRate limiting, WAF rules
Application Zone2Business logic and APIsAuthenticated users only
Processing Zone3ML inference and data processingService-to-service auth
Data Zone4Persistent storage and secretsEncrypted, role-based access
Management Zone5Administrative functionsMulti-factor authentication required

Zone Transition Security Controls​

  1. Public → DMZ: WAF filtering, DDoS protection, TLS termination
  2. DMZ → Application: API authentication, rate limiting, input validation
  3. Application → Processing: Service mesh authentication, encrypted channels
  4. Processing → Data: Database authentication, field-level encryption
  5. All Zones → Management: Privileged access management, audit logging

Data Flow Diagrams​

Patient Data Flow​

Authentication Flow​

API Communication Flow​

Integration Flow with Healthcare Systems​

Security Controls by Layer​

Network Security​

Perimeter Defense​

  • AWS Shield Standard: Automatic DDoS protection for all resources
  • AWS Shield Advanced: Enhanced DDoS protection with 24/7 support
  • AWS WAF: Web application firewall with custom rules
    • SQL injection prevention
    • Cross-site scripting (XSS) protection
    • Known malicious IP blocking
    • Geographic restrictions

Network Segmentation​

VPC Configuration:
  CIDR: 10.0.0.0/16
  Subnets:
    Public:
      - 10.0.1.0/24 (DMZ - Load Balancers)
      - 10.0.2.0/24 (DMZ - NAT Gateways)
    Private:
      - 10.0.10.0/24 (Application Tier)
      - 10.0.11.0/24 (Processing Tier)
      - 10.0.20.0/24 (Data Tier - Primary)
      - 10.0.21.0/24 (Data Tier - Replica)
    Management:
      - 10.0.100.0/24 (Admin Access)

Security Groups​

Security GroupInbound RulesOutbound Rules
SG-WebTier443/tcp from 0.0.0.0/0443/tcp to SG-AppTier
SG-AppTier443/tcp from SG-WebTier27017/tcp to SG-DataTier
SG-DataTier27017/tcp from SG-AppTierNone (Deny All)
SG-Management22/tcp from BastionAll to Internal

Application Security​

Secure Coding Practices​

  1. Input Validation

    • Pydantic models for all API inputs
    • Strict type checking and bounds validation
    • Rejection of unexpected fields
    • File type and size restrictions for uploads

  2. Output Encoding

    • JSON serialization with proper escaping
    • Content-Type headers enforcement
    • CORS policy configuration

  3. Error Handling

    • Generic error messages to users
    • Detailed logging for internal debugging
    • No stack traces in production responses
    • Graceful degradation on component failure

  4. Security Headers

    security_headers = {
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "X-XSS-Protection": "1; mode=block",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "Referrer-Policy": "strict-origin-when-cross-origin"
    }

OWASP Top 10 Mitigations​

RiskMitigation Strategy
A01: Broken Access ControlRBAC, JWT validation, API authorization
A02: Cryptographic FailuresTLS 1.3, AES-256, secure key management
A03: InjectionParameterized queries, input validation
A04: Insecure DesignThreat modeling, security reviews
A05: Security MisconfigurationInfrastructure as Code, security baselines
A06: Vulnerable ComponentsSOUP management, dependency scanning
A07: Authentication FailuresMFA, account lockout, session management
A08: Data Integrity FailuresCode signing, integrity verification
A09: Logging FailuresCentralized logging, security monitoring
A10: SSRFURL validation, network segmentation

Data Security​

Encryption Standards​

  • Data at Rest: AES-256-GCM
  • Data in Transit: TLS 1.3 minimum
  • Key Management: AWS KMS with automatic rotation
  • Database Encryption: Transparent Data Encryption (TDE)

Data Classification​

ClassificationDescriptionSecurity Controls
CriticalPatient health data, diagnosesFull encryption, audit logging, access control
SensitivePersonal identifiers, credentialsEncryption, restricted access
InternalSystem configurations, logsAccess control, integrity monitoring
PublicMarketing materials, documentationIntegrity verification

Data Loss Prevention​

  • Egress filtering on all network boundaries
  • API response filtering for sensitive data
  • Audit logging of all data access
  • Regular data inventory and classification reviews

Identity and Access Management​

Authentication Architecture​

Role Definitions​

RolePermissionsMFA Required
System AdministratorFull system accessYes
Clinical AdministratorPatient data, configurationYes
Healthcare ProfessionalPatient data, diagnosticsYes
IT ProfessionalAPI access, integrationYes
AuditorRead-only access to logsYes
Service AccountAPI-to-API communicationCertificate

Infrastructure Security​

Container Security​

  • Base images from approved registries only
  • Vulnerability scanning in CI/CD pipeline
  • Runtime protection with AWS GuardDuty
  • Immutable infrastructure deployment
  • Pod security policies enforcement

Secrets Management​

AWS Secrets Manager Configuration:
  automatic_rotation: enabled
  rotation_interval: 30 days
  encryption_key: aws/secretsmanager
  access_control: IAM roles only
  audit_logging: CloudTrail enabled

Authentication and Authorization​

OAuth 2.0 / OIDC Implementation​

Authorization Server Configuration​

oauth_config = {
    "issuer": "https://auth.legit.health",
    "authorization_endpoint": "/oauth/authorize",
    "token_endpoint": "/oauth/token",
    "jwks_uri": "/oauth/jwks",
    "response_types_supported": ["code", "token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_methods": ["client_secret_post", "private_key_jwt"],
    "id_token_signing_alg_values": ["RS256"],
    "scopes_supported": ["openid", "profile", "email", "api.read", "api.write"]
}

Token Structure​

{
  "iss": "https://auth.legit.health",
  "sub": "user:12345",
  "aud": "api.legit.health",
  "exp": 1234567890,
  "iat": 1234567880,
  "jti": "unique-token-id",
  "scope": "api.read api.write",
  "roles": ["healthcare_professional"],
  "organization": "hospital-xyz",
  "permissions": ["patient.read", "diagnosis.create"]
}

Role-Based Access Control (RBAC)​

Permission Matrix​

ResourceAdminClinical AdminHCPITPAuditor
Patient DataRWDRWR-R
DiagnosesRWDRWRW-R
System ConfigRWDR-RWR
API KeysRWDR-RW-
Audit LogsRR-RR
User ManagementRWDRW---

R=Read, W=Write, D=Delete

Multi-Factor Authentication​

MFA Requirements​

  1. Mandatory for all human users

  2. Supported methods:

    • TOTP (Time-based One-Time Password)
    • SMS backup (with rate limiting)
    • WebAuthn/FIDO2
    • Push notifications via authenticator app

  3. Implementation:

mfa_policy = {
    "required": True,
    "grace_period": 0,
    "remember_device": False,
    "allowed_methods": ["totp", "webauthn", "push"],
    "backup_codes": 10,
    "session_lifetime": 3600  # 1 hour
}

Session Management​

Session Security Controls​

  • Secure session token generation (128-bit entropy)
  • Session timeout: 30 minutes idle, 8 hours absolute
  • Session invalidation on password change
  • Concurrent session limiting
  • Session binding to IP and user agent

API Key Management​

API Key Lifecycle​

Encryption and Key Management​

Data at Rest Encryption​

Storage Encryption​

Storage TypeEncryption MethodKey Management
S3 BucketsAES-256-GCM (SSE-S3)AWS managed
DocumentDBTDE with AES-256AWS KMS CMK
ElastiCacheRedis AUTH + TLSAWS managed
EBS VolumesAES-256-XTSAWS KMS CMK
Backup StorageAES-256-GCMCustomer managed

Data in Transit Encryption​

TLS Configuration​

TLS_Configuration:
  minimum_version: TLSv1.3
  cipher_suites:
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
  certificate_requirements:
    type: EV SSL Certificate
    key_size: RSA 4096 or ECC P-384
    validity: 1 year maximum
    renewal: 30 days before expiry

Key Generation and Storage​

AWS KMS Configuration​

kms_config = {
    "key_spec": "SYMMETRIC_DEFAULT",
    "key_usage": "ENCRYPT_DECRYPT",
    "origin": "AWS_KMS",
    "multi_region": True,
    "automatic_rotation": True,
    "rotation_period_days": 365,
    "deletion_window_days": 30,
    "key_policy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Enable IAM policies",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::ACCOUNT:root"},
            "Action": "kms:*",
            "Resource": "*"
        }]
    }
}

Key Rotation Procedures​

  1. Automatic Rotation

    • Database encryption keys: Quarterly
    • API signing keys: Monthly
    • Session keys: Daily
    • TLS certificates: Annual

  2. Manual Rotation Triggers

    • Security incident detection
    • Employee termination
    • Compliance requirement changes
    • Key compromise suspicion

Certificate Management​

Certificate Lifecycle Management​

Network Architecture​

Network Segmentation​

VPC Design​

Firewall Rules​

Network ACLs​

RuleTypeProtocolPortSourceAction
100InboundTCP4430.0.0.0/0Allow
110InboundTCP2210.0.100.0/24Allow
200OutboundTCP4430.0.0.0/0Allow
210OutboundTCP2701710.0.20.0/23Allow
*InboundAllAll0.0.0.0/0Deny
*OutboundAllAll0.0.0.0/0Deny

VPN Access​

Site-to-Site VPN Configuration​

VPN_Configuration:
  type: AWS Site-to-Site VPN
  encryption: AES-256
  integrity: SHA-256
  dh_group: 14
  pfs: enabled
  ike_version: 2
  tunnel_options:
    dpd_timeout: 30
    dpd_action: restart
    replay_window: 1024

Load Balancing​

Application Load Balancer Configuration​

  • Type: AWS ALB (Application Load Balancer)
  • Health Checks: Every 30 seconds
  • Routing: Path-based and host-based
  • SSL/TLS: Termination at ALB
  • Stickiness: Session affinity enabled
  • Security: AWS WAF integration

DDoS Protection​

AWS Shield Implementation​

shield_config = {
    "protection_level": "Advanced",
    "emergency_contacts": ["security@legit.health"],
    "proactive_engagement": True,
    "ddos_response_team": "24/7",
    "cost_protection": True,
    "attack_diagnostics": True,
    "real_time_notifications": True,
    "mitigation_strategies": [
        "Rate limiting",
        "Connection limiting",
        "SYN flood protection",
        "UDP reflection mitigation",
        "Application layer filtering"
    ]
}

Application Security Architecture​

Secure Coding Practices​

Code Security Standards​

  1. Static Analysis Integration

    SAST_Tools:
      - Bandit (Python security)
      - Safety (dependency checking)
      - Semgrep (pattern matching)
      - SonarQube (code quality)

  2. Security Testing Pipeline

Input Validation​

Validation Framework​

class PatientDataValidator(BaseModel):
    patient_id: constr(regex=r'^[A-Z0-9]{8,12}$')
    image_data: constr(max_length=10485760)  # 10MB max
    image_type: Literal['jpeg', 'png', 'dicom']
    metadata: Dict[str, Any]

    @validator('image_data')
    def validate_image(cls, v):
        # Magic number validation
        # File size limits
        # Malware scanning
        return v

    @validator('metadata')
    def sanitize_metadata(cls, v):
        # Remove potentially dangerous fields
        # Validate data types
        # Check for injection attempts
        return v

Output Encoding​

Response Sanitization​

def sanitize_response(data: Dict) -> Dict:
    """Sanitize API responses to prevent data leakage"""
    sensitive_fields = ['ssn', 'dob', 'address']

    for field in sensitive_fields:
        if field in data:
            data[field] = mask_sensitive_data(data[field])

    # HTML entity encoding
    for key, value in data.items():
        if isinstance(value, str):
            data[key] = html.escape(value)

    return data

Error Handling​

Error Response Structure​

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid request parameters",
    "request_id": "req-123456",
    "timestamp": "2025-08-29T10:00:00Z"
  }
}

Note: Detailed error information logged internally, not exposed to clients

Security Headers​

Header Configuration​

@app.middleware("http")
async def add_security_headers(request: Request, call_next):
    response = await call_next(request)
    response.headers["X-Content-Type-Options"] = "nosniff"
    response.headers["X-Frame-Options"] = "DENY"
    response.headers["X-XSS-Protection"] = "1; mode=block"
    response.headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains; preload"
    response.headers["Content-Security-Policy"] = "default-src 'self'; script-src 'self' 'unsafe-inline'"
    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
    response.headers["Permissions-Policy"] = "geolocation=(), microphone=(), camera=()"
    return response

Data Protection Architecture​

Data Classification Framework​

Classification LevelDescriptionExamplesProtection Requirements
SECRETHighly sensitive patient dataMedical images, diagnosesFull encryption, audit trail, MFA
CONFIDENTIALPersonal health informationPatient records, test resultsEncryption, access control
INTERNALBusiness sensitive dataSystem configs, API keysAccess control, monitoring
PUBLICNon-sensitive informationDocumentation, marketingIntegrity verification

Data Lifecycle Management​

Backup and Recovery​

Backup Strategy​

Data TypeFrequencyRetentionEncryptionStorage Location
DatabaseContinuous35 daysAES-256S3 Cross-Region
File StorageDaily90 daysAES-256S3 Glacier
ConfigurationOn change1 yearAES-256S3 Versioning
Audit LogsReal-time7 yearsAES-256S3 Compliance

Recovery Objectives​

  • RPO (Recovery Point Objective): 1 hour
  • RTO (Recovery Time Objective): 4 hours
  • Backup Testing: Monthly
  • DR Drills: Quarterly

Data Loss Prevention​

DLP Controls​

dlp_rules = {
    "patterns": [
        {"name": "SSN", "regex": r"\d{3}-\d{2}-\d{4}"},
        {"name": "Credit Card", "regex": r"\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}"},
        {"name": "Email", "regex": r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"}
    ],
    "actions": {
        "detect": "log",
        "block": True,
        "alert": "security-team@legit.health",
        "quarantine": True
    }
}

Privacy by Design (GDPR)​

GDPR Compliance Measures​

  1. Data Minimization

    • Collect only necessary data
    • Automatic data expiration
    • Regular data audits

  2. Purpose Limitation

    • Defined data usage policies
    • Consent management system
    • Processing restrictions

  3. Data Subject Rights

    gdpr_rights = {
        "access": "Patient data export API",
        "rectification": "Data correction interface",
        "erasure": "Right to be forgotten workflow",
        "portability": "FHIR/JSON export",
        "objection": "Opt-out mechanisms",
        "restriction": "Processing limitation controls"
    }

Logging and Monitoring Architecture​

Security Event Logging​

Log Categories and Retention​

Log TypeDescriptionRetentionStorage
AuthenticationLogin/logout events90 daysCloudWatch
AuthorizationAccess decisions90 daysCloudWatch
API CallsAll API requests30 daysS3
System EventsApplication errors60 daysCloudWatch
Security EventsThreats/attacks1 yearS3 + SIEM
Audit TrailData modifications7 yearsS3 Compliance

Log Format Standard​

{
  "timestamp": "2025-08-29T10:00:00.000Z",
  "level": "INFO",
  "event_type": "authentication",
  "user_id": "user-12345",
  "session_id": "sess-67890",
  "ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0...",
  "action": "login_success",
  "resource": "/api/v1/auth/login",
  "response_code": 200,
  "duration_ms": 150,
  "metadata": {
    "mfa_used": true,
    "auth_method": "oauth2"
  }
}

Log Aggregation (CloudWatch)​

CloudWatch Configuration​

CloudWatch_Logs:
  log_groups:
    - name: /aws/application/api
      retention_days: 30
      encryption: enabled
    - name: /aws/application/security
      retention_days: 365
      encryption: enabled

  log_streams:
    - authentication
    - authorization
    - api_access
    - errors
    - security_events

  metric_filters:
    - name: failed_logins
      pattern: "[time, request_id, event_type=authentication, action=login_failed]"
      metric:
        name: FailedLogins
        namespace: Security
        value: 1

SIEM Integration​

SIEM Architecture​

Alert Thresholds​

Alert TypeThresholdSeverityResponse Time
Failed Login Attempts5 in 5 minutesMedium15 minutes
API Rate Limit Exceeded100 req/minLow1 hour
Unauthorized Access1 attemptHighImmediate
Data Exfiltration>100MB transferCriticalImmediate
Service Unavailable3 consecutive failuresHigh5 minutes
Certificate Expiry30 days remainingLow1 week

Audit Trails​

Audit Requirements​

audit_config = {
    "enabled": True,
    "events": [
        "user_login",
        "user_logout",
        "data_access",
        "data_modification",
        "configuration_change",
        "permission_change",
        "api_key_creation",
        "api_key_revocation"
    ],
    "fields": [
        "timestamp",
        "user_id",
        "action",
        "resource",
        "before_value",
        "after_value",
        "ip_address",
        "result"
    ],
    "integrity": {
        "hashing": "SHA-256",
        "chaining": True,
        "tamper_evident": True
    }
}

Third-Party Security​

SOUP Components Security​

SOUP Security Assessment​

ComponentVersionSecurity ReviewLast UpdatedRisk Level
FastAPI0.104.1Passed2024-01-15Low
PyTorch2.1.0Passed2024-01-20Medium
Boto31.28.85Passed2024-01-10Low
PyMongo4.5.0Passed2024-01-05Low
OpenCV4.8.1Review Required2023-12-01Medium

Reference: SOUP Records - See design history file documentation

Supply Chain Security​

Dependency Management​

dependency_security:
  scanning_tools:
    - Safety (Python packages)
    - Snyk (vulnerability database)
    - Dependabot (automated updates)

  policies:
    - No packages with known critical vulnerabilities
    - Updates within 30 days for security patches
    - Approval required for new dependencies
    - Regular license compliance checks

  sbom_generation:
    format: SPDX
    frequency: Per release
    storage: S3 compliance bucket

Vendor Management​

Vendor Security Requirements​

  1. Security Certifications Required

    • ISO 27001
    • SOC 2 Type II
    • HIPAA compliance (where applicable)

  2. Security Assessment Process

API Security Requirements​

Third-Party API Integration Security​

api_security_requirements = {
    "authentication": {
        "method": "OAuth 2.0 or API Key",
        "token_expiry": 3600,
        "refresh_mechanism": True
    },
    "encryption": {
        "transport": "TLS 1.2 minimum",
        "payload": "Optional AES-256"
    },
    "rate_limiting": {
        "requests_per_minute": 100,
        "burst_limit": 20
    },
    "monitoring": {
        "log_all_requests": True,
        "alert_on_errors": True,
        "track_latency": True
    }
}

AI/ML Security Architecture​

Model Protection​

Model Security Controls​

  1. Model Encryption

    • Models encrypted at rest (AES-256)
    • Secure model loading process
    • Runtime memory protection

  2. Model Integrity

    model_integrity = {
        "hashing_algorithm": "SHA-256",
        "signature_verification": True,
        "version_control": "Git LFS",
        "access_control": "IAM roles",
        "audit_logging": True
    }

Training Data Security​

Data Protection Measures​

MeasureImplementationPurpose
Data AnonymizationPII removal, pseudonymizationPrivacy protection
Access ControlRole-based, need-to-knowPrevent unauthorized access
EncryptionAES-256 for storageData confidentiality
Audit LoggingAll access trackedAccountability
Data VersioningImmutable snapshotsReproducibility

Adversarial Attack Prevention​

Defense Strategies​

adversarial_defenses = {
    "input_validation": {
        "range_checks": True,
        "format_validation": True,
        "anomaly_detection": True
    },
    "model_robustness": {
        "adversarial_training": True,
        "ensemble_methods": True,
        "confidence_thresholds": 0.85
    },
    "runtime_monitoring": {
        "prediction_distribution": True,
        "input_similarity": True,
        "output_consistency": True
    }
}

Model Explainability​

Explainability Framework​

  1. Audit Trail

    • Input data captured
    • Model version tracked
    • Prediction reasoning logged

  2. Interpretability Methods

    • Feature importance scores
    • Attention visualizations
    • Confidence intervals
    • Decision boundaries

Bias Detection​

Bias Monitoring System​

Compliance Mappings​

MDR Requirements​

MDR Annex I - General Safety and Performance Requirements​

RequirementImplementationEvidence
17.1 Software designSecure SDLC, threat modelingR-TF-012-006
17.2 IT security measuresMulti-layered security controlsThis document
17.3 Minimum IT requirementsDocumented in IFUR-TF-001-006
17.4 Unauthorized access protectionAuthentication, authorizationSection 6
18.8 CybersecurityComprehensive security programT-024-006, T-024-007

FDA Cybersecurity Guidance​

Premarket Cybersecurity Requirements​

CategoryRequirementImplementation
Threat ModelingSTRIDE methodologyT-024-006
Security ControlsNIST Framework alignmentThroughout architecture
SBOMSoftware bill of materialsSOUP records
Vulnerability ManagementMonitoring and patchingT-024-007
Security TestingPenetration testingTEST_018

NIS2 Directive​

NIS2 Compliance Measures​

NIS2_Compliance:
  risk_management:
    - Threat modeling (T-024-006)
    - Risk assessment (R-TF-013-002)
    - Security architecture (this document)

  incident_handling:
    - Incident response plan (T-024-008)
    - 24-hour notification requirement
    - Post-incident analysis

  business_continuity:
    - Disaster recovery plan
    - Backup procedures
    - Crisis management

  supply_chain_security:
    - Vendor assessments
    - SOUP management
    - Third-party monitoring

  security_measures:
    - Encryption (Section 7)
    - Access control (Section 6)
    - Network security (Section 8)

GDPR Requirements​

GDPR Article Mapping​

ArticleRequirementImplementation
Art. 25Privacy by designBuilt into architecture
Art. 32Security of processingEncryption, access control
Art. 33Breach notificationIncident response plan
Art. 35DPIAR-052-001
Art. 37Data Protection OfficerDesignated DPO

ISO 27001 Controls​

ISO 27001:2022 Annex A Controls​

ControlDescriptionImplementation
A.5Information security policiesSecurity policies documented
A.6Organization of information securityRoles defined
A.7Human resource securityTraining, background checks
A.8Asset managementAsset inventory, classification
A.9Access controlRBAC, authentication
A.10CryptographyEncryption standards
A.11Physical securityAWS data center controls
A.12Operations securityChange management, monitoring
A.13Communications securityNetwork security, encryption
A.14System developmentSecure SDLC
A.15Supplier relationshipsVendor management
A.16Incident managementT-024-008
A.17Business continuityDR plan, backups
A.18ComplianceRegular audits

Integration with Related Documents​

Threat Model Integration​

  • Document: T-024-006 Threat Model
  • Integration Points:
    • Threat scenarios drive security control selection
    • STRIDE analysis informs architecture design
    • Attack vectors determine defense layers

Post-Market Surveillance Integration​

  • Document: T-024-007 Post-Market Surveillance Plan
  • Integration Points:
    • Vulnerability monitoring feeds security updates
    • Incident data improves security controls
    • Patch management aligned with architecture

Incident Response Integration​

  • Document: T-024-008 Incident Response Plan
  • Integration Points:
    • Security events trigger response procedures
    • Architecture supports incident investigation
    • Recovery procedures utilize backup systems

Risk Management Integration​

  • Document: R-TF-013-002 Risk Management Record
  • Integration Points:
    • Cybersecurity risks mapped to controls
    • Risk mitigation through architecture design
    • Residual risk acceptance documented

Security Architecture Governance​

Architecture Review Board​

  • Frequency: Quarterly
  • Participants: CISO, CTO, Security Architect, Compliance Officer
  • Responsibilities:
    • Review architecture changes
    • Approve security exceptions
    • Update security standards

Security Metrics and KPIs​

MetricTargetMeasurement Frequency
Patch compliance>95% within 30 daysMonthly
Vulnerability scan coverage100%Weekly
Security incident MTTR<4 hoursPer incident
Authentication success rate>99.9%Daily
Encryption coverage100%Quarterly
Security training completion100%Annual

Continuous Improvement Process​

Appendices​

Appendix A: Security Tools and Technologies​

CategoryTool/TechnologyPurposeVersion
WAFAWS WAFWeb application firewallLatest
DDoSAWS Shield AdvancedDDoS protectionLatest
SIEMAWS Security HubSecurity monitoringLatest
SecretsAWS Secrets ManagerSecret managementLatest
EncryptionAWS KMSKey managementLatest
MonitoringCloudWatchLog aggregationLatest
ScanningSonarQubeCode analysis9.9 LTS
ContainerTrivyContainer scanning0.45

Appendix B: Security Contacts​

RoleContactEscalation
Security Teamsecurity@legit.healthPrimary
CISOciso@legit.healthExecutive
DPOdpo@legit.healthPrivacy
SOCsoc@legit.health24/7
AWS SupportAWS ConsoleInfrastructure

Appendix C: Compliance Checklist​

  • MDR Annex I requirements met
  • FDA cybersecurity guidance followed
  • NIS2 directive compliance achieved
  • GDPR requirements implemented
  • ISO 27001 controls in place
  • OWASP Top 10 mitigated
  • NIST Framework aligned
  • IEC 62443 standards applied

Document Control​

VersionDateAuthorChanges
1.02025-08-29Security Architecture TeamInitial security architecture document

Approval​

This Security Architecture Document has been reviewed and approved by:

RoleNameDateSignature
Chief Information Security Officer[Name][Date][Signature]
Chief Technology Officer[Name][Date][Signature]
Quality Manager[Name][Date][Signature]
Regulatory Affairs Manager[Name][Date][Signature]

This document is part of the Legit.Health Plus Quality Management System and is subject to change control procedures as defined in GP-001.

Previous
T-024-007 Cybersecurity Post-Market Surveillance Plan
Next
Design and development
  • Executive Summary
    • Purpose and Scope
    • Security Design Principles
    • Alignment with Security Standards
  • System Architecture Overview
    • High-Level System Components
    • Deployment Architecture
      • Infrastructure Components
    • Technology Stack
      • Backend Services
      • AI/ML Components
      • Security Libraries
    • Infrastructure Providers
  • Security Zones and Trust Boundaries
    • Zone Architecture
    • Trust Boundary Definitions
    • Zone Transition Security Controls
  • Data Flow Diagrams
    • Patient Data Flow
    • Authentication Flow
    • API Communication Flow
    • Integration Flow with Healthcare Systems
  • Security Controls by Layer
    • Network Security
      • Perimeter Defense
      • Network Segmentation
      • Security Groups
    • Application Security
      • Secure Coding Practices
      • OWASP Top 10 Mitigations
    • Data Security
      • Encryption Standards
      • Data Classification
      • Data Loss Prevention
    • Identity and Access Management
      • Authentication Architecture
      • Role Definitions
    • Infrastructure Security
      • Container Security
      • Secrets Management
  • Authentication and Authorization
    • OAuth 2.0 / OIDC Implementation
      • Authorization Server Configuration
      • Token Structure
    • Role-Based Access Control (RBAC)
      • Permission Matrix
    • Multi-Factor Authentication
      • MFA Requirements
    • Session Management
      • Session Security Controls
    • API Key Management
      • API Key Lifecycle
  • Encryption and Key Management
    • Data at Rest Encryption
      • Storage Encryption
    • Data in Transit Encryption
      • TLS Configuration
    • Key Generation and Storage
      • AWS KMS Configuration
    • Key Rotation Procedures
    • Certificate Management
      • Certificate Lifecycle Management
  • Network Architecture
    • Network Segmentation
      • VPC Design
    • Firewall Rules
      • Network ACLs
    • VPN Access
      • Site-to-Site VPN Configuration
    • Load Balancing
      • Application Load Balancer Configuration
    • DDoS Protection
      • AWS Shield Implementation
  • Application Security Architecture
    • Secure Coding Practices
      • Code Security Standards
    • Input Validation
      • Validation Framework
    • Output Encoding
      • Response Sanitization
    • Error Handling
      • Error Response Structure
    • Security Headers
      • Header Configuration
  • Data Protection Architecture
    • Data Classification Framework
    • Data Lifecycle Management
    • Backup and Recovery
      • Backup Strategy
      • Recovery Objectives
    • Data Loss Prevention
      • DLP Controls
    • Privacy by Design (GDPR)
      • GDPR Compliance Measures
  • Logging and Monitoring Architecture
    • Security Event Logging
      • Log Categories and Retention
      • Log Format Standard
    • Log Aggregation (CloudWatch)
      • CloudWatch Configuration
    • SIEM Integration
      • SIEM Architecture
    • Alert Thresholds
    • Audit Trails
      • Audit Requirements
  • Third-Party Security
    • SOUP Components Security
      • SOUP Security Assessment
    • Supply Chain Security
      • Dependency Management
    • Vendor Management
      • Vendor Security Requirements
    • API Security Requirements
      • Third-Party API Integration Security
  • AI/ML Security Architecture
    • Model Protection
      • Model Security Controls
    • Training Data Security
      • Data Protection Measures
    • Adversarial Attack Prevention
      • Defense Strategies
    • Model Explainability
      • Explainability Framework
    • Bias Detection
      • Bias Monitoring System
  • Compliance Mappings
    • MDR Requirements
      • MDR Annex I - General Safety and Performance Requirements
    • FDA Cybersecurity Guidance
      • Premarket Cybersecurity Requirements
    • NIS2 Directive
      • NIS2 Compliance Measures
    • GDPR Requirements
      • GDPR Article Mapping
    • ISO 27001 Controls
      • ISO 27001:2022 Annex A Controls
  • Integration with Related Documents
    • Threat Model Integration
    • Post-Market Surveillance Integration
    • Incident Response Integration
    • Risk Management Integration
  • Security Architecture Governance
    • Architecture Review Board
    • Security Metrics and KPIs
    • Continuous Improvement Process
  • Appendices
    • Appendix A: Security Tools and Technologies
    • Appendix B: Security Contacts
    • Appendix C: Compliance Checklist
  • Document Control
  • Approval
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI LABS GROUP S.L.)