# HIPAA Security Risk Assessment
## Kinometric Balance Assessment Platform

**Assessment Date:** February 2026
**Conducted By:** Kinometric Development Team
**Review Frequency:** Annual (or after significant system changes)

---

## 1. System Description

Kinometric is a balance assessment application used by healthcare providers to conduct, score, and report patient balance tests. The system consists of:

- **Mobile Application** (Flutter/Android) — Conducts balance tests via device accelerometer, scores locally, generates PDF reports
- **Web Server** (Ubuntu 22.04, Apache, PHP, PostgreSQL) — Stores patient data, test results, questionnaires; provides web dashboard and API
- **Web Dashboard** (HTML/JS SPA) — Administrative interface for reviewing results, managing users/patients, athenaOne integration
- **athenaOne Integration** — Uploads clinical documents to patient charts via OAuth2 API

### PHI Inventory

| Data Type | Storage Location | Format |
|-----------|-----------------|--------|
| Patient demographics | PostgreSQL `patients` table | Structured (name, DOB, sex, patient ID) |
| Balance test scores | PostgreSQL `test_results` table | JSON (scores, risk levels, fatigue patterns) |
| Questionnaire answers | PostgreSQL `questions` table | Structured (fall history, pain, dizziness) |
| Accelerometer sensor data | CSV files on server disk | Time-series (100 Hz accelerometer readings) |
| AI clinical analysis | PostgreSQL `ai_analysis` column | JSON (ICD-10 codes, interventions) |
| PDF reports | Generated in-memory, not persisted | Binary (transmitted via email or athenaOne) |

---

## 2. Risk Analysis

### 2.1 Administrative Risks

| Risk | Likelihood | Impact | Current Controls | Residual Risk |
|------|-----------|--------|-----------------|---------------|
| Unauthorized access by workforce | Low | High | Password policy (8+ chars, complexity), role-based access, practice-level isolation | Low |
| Lack of security training | Medium | Medium | Security documentation maintained; formal training program not yet established | Medium |
| No designated Security Officer | Medium | Medium | Development team manages security; formal designation pending | Medium |
| Inadequate access review | Low | Medium | 3 active user accounts, admin reviews access as needed | Low |

### 2.2 Technical Risks

| Risk | Likelihood | Impact | Current Controls | Residual Risk |
|------|-----------|--------|-----------------|---------------|
| Brute force login attack | Low | High | bcrypt password hashing (protects stolen hashes against offline cracking; it does not slow online guessing), HTTPS-only, no public API enumeration; no account lockout or login rate limiting is listed | Low |
| Session hijacking | Low | High | HttpOnly/Secure/SameSite cookies, 15-minute idle timeout, HTTPS | Low |
| SQL injection | Low | Critical | Parameterized queries on all endpoints, input validation | Low |
| Unauthorized API access | Low | High | Per-request encryption key auth, 64-char random tokens | Low |
| Data in transit interception | Low | Critical | TLS 1.2/1.3 on all connections (server, athenaOne, email); Perfect Forward Secrecy via ephemeral (ECDHE/DHE) key exchange only; TLS session tickets disabled; TLS 1.1 and older rejected | Low |
| Data at rest exposure | Medium | High | File permissions (640/600), localhost-only database; Linode disk encryption pending confirmation; athena client_secret encrypted at rest via sodium_crypto_secretbox (key at /etc/kinometric/) | Medium |
| API key/secret exposure | Low | High | Keys stored in /etc/ with restricted permissions, excluded from git | Low |
| Cross-practice data leakage | Low | Critical | provider_filter.php enforces practice isolation on 15+ endpoints | Low |
| Backup data exposure | Low | High | Migrating to restic (AES-256 client-side encryption) over WireGuard VPN to off-site NAS (append-only mode). Legacy: GPG AES-256 over SSH. B2 Object Lock offsite for PHI. See BACKUP_PLAN.md. | Low |
| Insufficient logging | Low | Medium | HIPAA audit log for athenaOne, auth logging, error logging | Low |
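
The cross-practice data leakage row above rests on the provider filter being part of every query rather than a check applied after the fact. The following PHP is an added illustration of that control, not Kinometric's `provider_filter.php`: the session keys (`user_id`, `provider_id`, `role`), the `admin` role name, the `patients` columns and the helper names are assumptions consistent with the system description in section 1. The demo runs against an in-memory SQLite table with constructed rows; the same SQL applies to the PostgreSQL `patients` table.

```php
<?php
// Added illustration of practice-level isolation. Not Kinometric's code;
// session keys, role name and columns are assumptions (see lead-in).
declare(strict_types=1);

/**
 * The provider_id every query must be scoped to, or null for an admin who is
 * permitted to see all practices (assumed role semantics).
 */
function practiceScope(array $session): ?int
{
    if (empty($session['user_id']) || empty($session['provider_id'])) {
        throw new RuntimeException('unauthenticated');
    }
    return (($session['role'] ?? '') === 'admin') ? null : (int) $session['provider_id'];
}

/**
 * Fetch one patient. The tenant filter is bound into the WHERE clause, so a
 * patient belonging to another practice is indistinguishable from a patient
 * that does not exist: both return null, and nothing is fetched then discarded.
 */
function fetchPatient(PDO $db, array $session, int $patientId): ?array
{
    $scope  = practiceScope($session);
    $sql    = 'SELECT id, provider_id, name, dob, sex FROM patients WHERE id = :id';
    $params = [':id' => $patientId];
    if ($scope !== null) {
        $sql .= ' AND provider_id = :provider_id';
        $params[':provider_id'] = $scope;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);                 // parameterized: no input is concatenated into SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new LogicException("check failed: $what");
    }
}

// Self-contained run: constructed rows in an in-memory SQLite table.
function demo(): void
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE patients (id INTEGER PRIMARY KEY, provider_id INTEGER NOT NULL,
               name TEXT, dob TEXT, sex TEXT)');
    $db->exec("INSERT INTO patients VALUES (1, 10, 'Constructed A', '1950-01-01', 'F'),
                                          (2, 20, 'Constructed B', '1962-05-05', 'M')");

    $clinician10 = ['user_id' => 1, 'provider_id' => 10, 'role' => 'standard'];
    $admin       = ['user_id' => 2, 'provider_id' => 10, 'role' => 'admin'];

    check(fetchPatient($db, $clinician10, 1)['name'] === 'Constructed A', 'own patient visible');
    check(fetchPatient($db, $clinician10, 2) === null,                    'other practice hidden');
    check(fetchPatient($db, $admin, 2)['name'] === 'Constructed B',       'admin sees all practices');
    echo "practice isolation checks passed\n";
}

demo();
```

Returning the same `null` for "not found" and "wrong practice" matters for the API: a distinct 403 would let a caller enumerate which patient IDs exist in other practices even though it cannot read them.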

### 2.3 Physical Risks

| Risk | Likelihood | Impact | Current Controls | Residual Risk |
|------|-----------|--------|-----------------|---------------|
| Server physical compromise | Low | Critical | Hosted in Linode data center (SOC 2 attested), no on-premises servers | Low |
| Mobile device theft | Medium | Medium | No PHI cached on device, in-memory-only session tokens, no local database | Low |
| Workstation unauthorized access | Low | Medium | SSH key authentication, UFW firewall (SSH/HTTP/HTTPS only) | Low |

---

## 3. Implemented Safeguards

### Administrative Safeguards (164.308)

| Requirement | Status | Implementation |
|-------------|--------|---------------|
| Security management process | Active | Risk assessment (this document), security policies |
| Assigned security responsibility | Pending | Formal Security Officer designation needed |
| Workforce security | Active | Role-based access, practice isolation, password policy |
| Information access management | Active | 3 user accounts, admin/standard roles, provider_id filtering |
| Security awareness training | Pending | Documentation exists; formal training program needed |
| Security incident procedures | Active | Breach response plan documented |
| Contingency plan | Active | Automated encrypted backups (daily via restic to off-site NAS over WireGuard VPN + B2 for PHI). Legacy GPG backups coexist during 6-year transition. |
| Evaluation | Active | Annual risk assessment, automated security audit scripts |

### Technical Safeguards (164.312)

| Requirement | Status | Implementation |
|-------------|--------|---------------|
| Access control | Active | Unique user IDs, 64-char session tokens, role-based access |
| Audit controls | Active | HIPAA audit log (JSON), auth logs, error logs |
| Integrity controls | Active | Input validation, parameterized SQL, base64 validation |
| Person/entity authentication | Active | bcrypt passwords, encryption key per session |
| Transmission security | Active | TLS 1.2/1.3 with Perfect Forward Secrecy (ECDHE/DHE cipher suites only, X25519 key exchange), HTTPS enforced, HSTS, OAuth2 for athenaOne. Verified via `openssl s_client`: TLS 1.2 negotiates ECDHE-RSA-AES256-GCM-SHA384, TLS 1.3 negotiates TLS_AES_256_GCM_SHA384. Cipher list managed by `/etc/letsencrypt/options-ssl-apache.conf` (Mozilla Intermediate). |
| Automatic logoff | Active | 15-minute idle timeout (PHP server-side + JavaScript client-side) |
| Encryption at rest | Partial | Encrypted backups (restic AES-256), encrypted emailed PDFs, athena client_secret encrypted (sodium); Linode disk encryption pending confirmation in Cloud Manager |
| Emergency access | Active | Superadmin account, database direct access available |
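
The encryption-at-rest row above (and the matching row in section 2.2) names `sodium_crypto_secretbox` with a key kept under `/etc/kinometric/`. The following PHP is an added illustration of that control and is not Kinometric's code: the key file name `athena.key`, the stored layout (base64 of nonce followed by ciphertext) and the helper names are assumptions; the primitive and the key directory are the ones the assessment names. The demo writes a constructed key to a temporary file so it runs without `/etc/kinometric/`, checks that a tampered blob is rejected, and checks that a group- or world-readable key file is refused, which is the 600-permission control from section 2.2 made fail-closed in code.

```php
<?php
// Added illustration of encrypting the athenaOne client_secret at rest with
// sodium_crypto_secretbox. Not Kinometric's code; file name and blob layout
// are assumptions (see lead-in). Requires PHP 8 with the sodium extension.
declare(strict_types=1);

const KEY_FILE = '/etc/kinometric/athena.key';   // assumed name inside the directory the assessment names

/** Load the 32-byte secretbox key; refuse a key file that group or world can read. */
function loadKey(string $path = KEY_FILE): string
{
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException("key file missing or wrong length: $path");
    }
    $mode = fileperms($path) & 0777;
    if (($mode & 0077) !== 0) {                   // anything beyond 600/400 is a misconfiguration
        throw new RuntimeException(sprintf('%s has permissive mode %04o', $path, $mode));
    }
    return $key;
}

/** Encrypt for storage: fresh random nonce per call, stored as base64(nonce || ciphertext). */
function sealSecret(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

/** Decrypt a stored secret; the secretbox MAC makes any tampering fail closed. */
function openSecret(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored secret is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pt    = sodium_crypto_secretbox_open($ct, $nonce, $key);
    if ($pt === false) {
        throw new RuntimeException('authentication failed: wrong key or tampered ciphertext');
    }
    return $pt;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new LogicException("check failed: $what");
    }
}

function demo(): void
{
    // Constructed key file in the temp directory so the example runs anywhere.
    $tmpKey = tempnam(sys_get_temp_dir(), 'kinometric-key-');
    file_put_contents($tmpKey, sodium_crypto_secretbox_keygen());
    chmod($tmpKey, 0600);
    clearstatcache(true, $tmpKey);
    $key = loadKey($tmpKey);

    $stored = sealSecret('constructed-client-secret', $key);         // the value that lands in the database
    check(openSecret($stored, $key) === 'constructed-client-secret', 'round trip');
    check(sealSecret('x', $key) !== sealSecret('x', $key),           'fresh nonce per encryption');

    $raw = base64_decode($stored);                                   // flip one ciphertext bit
    $raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
    try {
        openSecret(base64_encode($raw), $key);
        check(false, 'tampered blob was accepted');
    } catch (RuntimeException $e) {
        check(str_contains($e->getMessage(), 'authentication failed'), 'tamper detected');
    }

    chmod($tmpKey, 0644);                                            // world-readable key must be refused
    clearstatcache(true, $tmpKey);
    try {
        loadKey($tmpKey);
        check(false, 'permissive key file was accepted');
    } catch (RuntimeException $e) {
        check(str_contains($e->getMessage(), 'permissive mode'), 'key file mode enforced');
    }
    unlink($tmpKey);
    echo "secret-at-rest checks passed\n";
}

demo();
```

The mode check in `loadKey` is the point of the example: a key that is readable by the web server user but also by every other local account gives the database-side encryption little value, so the application should refuse to start rather than silently use such a key.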
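
The access-control, authentication and automatic-logoff rows above (and the session hijacking row in section 2.2) describe HttpOnly/Secure/SameSite cookies, a 15-minute server-side idle timeout and 64-character random tokens. The following PHP is an added illustration of those controls and is not Kinometric's code: the `last_activity` session key, the `SameSite=Strict` choice (the assessment does not say which SameSite value is used) and the helper names are assumptions. The timeout check takes the clock as a parameter so the demo can exercise the boundary without waiting.

```php
<?php
// Added illustration of the session controls in the Technical Safeguards
// table. Not Kinometric's code; key names and SameSite value are assumptions.
declare(strict_types=1);

const IDLE_LIMIT_SECONDS = 15 * 60;

/** Cookie attributes to apply before session_start(); HTTPS is assumed (Secure). */
function sessionCookieParams(): array
{
    return [
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // never sent over plain HTTP
        'httponly' => true,     // not readable by script, so XSS cannot read it
        'samesite' => 'Strict', // not attached to cross-site requests (assumed value)
    ];
}

/** 64 hex characters = 256 bits from the CSPRNG, usable as an opaque session or API token. */
function newSessionToken(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Server-side idle timeout. Returns true and refreshes last_activity while the
 * session is live; returns false and empties the session once the caller has
 * been idle longer than the limit. $now is injected so the rule is testable.
 */
function enforceIdleTimeout(array &$session, int $now, int $limit = IDLE_LIMIT_SECONDS): bool
{
    $last = $session['last_activity'] ?? null;
    if ($last !== null && ($now - (int) $last) > $limit) {
        $session = [];                    // drop any PHI-bearing state; caller destroys the session
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

/** Request bootstrap as it would run at the top of every authenticated endpoint. */
function startAuthenticatedSession(): void
{
    session_set_cookie_params(sessionCookieParams());
    ini_set('session.use_strict_mode', '1');   // reject attacker-supplied (fixated) session ids
    session_start();
    if (!enforceIdleTimeout($_SESSION, time())) {
        session_destroy();
        http_response_code(401);
        exit('Session expired');
    }
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new LogicException("check failed: $what");
    }
}

// Constructed timestamps around the 900-second boundary.
function demo(): void
{
    $t0 = 1_700_000_000;
    $s  = ['user_id' => 7, 'last_activity' => $t0];

    check(enforceIdleTimeout($s, $t0 + 899) === true,        '899 s idle: still valid');
    check($s['last_activity'] === $t0 + 899,                 'activity timestamp refreshed');
    check(enforceIdleTimeout($s, $t0 + 899 + 901) === false, '901 s idle: expired');
    check($s === [],                                         'expired session emptied');
    check(strlen(newSessionToken()) === 64,                  '64-character token');
    check(sessionCookieParams()['httponly'] === true
        && sessionCookieParams()['secure'] === true,         'cookie flags set');
    echo "session checks passed\n";
}

demo();
```

The client-side JavaScript timer mentioned in the automatic-logoff row improves the user experience, but only the server-side check above is a security control: a stolen cookie replayed after the timeout must be rejected regardless of what the browser did.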

### Physical Safeguards (164.310)

| Requirement | Status | Implementation |
|-------------|--------|---------------|
| Facility access controls | Active | Linode data center (SOC 2, access controls) |
| Workstation use | Active | SSH key auth, no shared accounts |
| Workstation security | Active | UFW firewall, restricted ports |
| Device and media controls | Active | No PHI on mobile devices, CSV files server-side only |

---

## 4. Gap Analysis and Remediation Plan

| Gap | Risk Level | Remediation | Target Date |
|-----|-----------|-------------|-------------|
| No formal Security Officer designation | Medium | Designate Security Officer in writing | Q1 2026 |
| No formal workforce training program | Medium | Create security training materials and track completion | Q2 2026 |
| Disk encryption not confirmed as enabled | Medium | Confirm status in Linode Cloud Manager; enable encrypted block storage via Linode HIPAA plan if absent | Q1 2026 |
| BAAs not all signed | High | Sign BAAs with Linode, Anthropic, Microsoft | Q1 2026 |
| 2FA not enabled for admin accounts | Medium | Enable and enforce 2FA for all admin users | Q2 2026 |
| No formal data retention policy | Low | Formal retention policy defined in BACKUP_PLAN.md §7: daily 14d, weekly 8w, monthly 24m, yearly 7yr. Audit logs 6yr per HIPAA. | Closed (May 2026) |

---

## 5. Approval

| Role | Name | Signature | Date |
|------|------|-----------|------|
| Security Officer | _________________ | _________________ | ________ |
| Practice Administrator | _________________ | _________________ | ________ |

---

*This risk assessment satisfies the requirements of 45 CFR 164.308(a)(1)(ii)(A). It should be reviewed annually or whenever significant changes are made to the system.*
