From openevidence-pack
Security Basics for OpenEvidence. Trigger: "openevidence security basics".
Install: `npx claudepluginhub flight505/skill-forge --plugin openevidence-pack`
OpenEvidence provides AI-powered clinical evidence synthesis that processes protected health information (PHI), patient queries, and medical literature references. Integrations must comply with HIPAA requirements for PHI handling, audit logging, and access controls. A breach exposes patient health questions, clinical recommendations, and potentially identifiable medical conditions. Every API interaction must be treated as a HIPAA-regulated transaction.
Load the API key from the environment, populated by a secrets manager, never from source or config files:

```typescript
function createOpenEvidenceClient(): { apiKey: string; baseUrl: string } {
  const apiKey = process.env.OPENEVIDENCE_API_KEY;
  if (!apiKey) {
    throw new Error("Missing OPENEVIDENCE_API_KEY: load it from a HIPAA-compliant secrets manager");
  }
  // Log only the key suffix at startup; the full key must never reach logs.
  // Per-request audit logging belongs in the request path, not here.
  console.log("OpenEvidence client initialized (key suffix:", apiKey.slice(-4), ")");
  return { apiKey, baseUrl: "https://api.openevidence.com/v1" };
}
```
Verify the signature on every webhook callback before acting on it. The route has to be mounted with `express.raw()` so that `req.body` is the unparsed bytes the sender signed; if `express.json()` runs first, `req.body` is an object and the HMAC cannot be recomputed:

```typescript
import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

// Mount as: app.post("/webhooks/openevidence", express.raw({ type: "*/*" }), verifyOpenEvidenceWebhook, handler)
function verifyOpenEvidenceWebhook(req: Request, res: Response, next: NextFunction): void {
  const secret = process.env.OPENEVIDENCE_WEBHOOK_SECRET;
  if (!secret) {
    throw new Error("Missing OPENEVIDENCE_WEBHOOK_SECRET");
  }
  const signature = req.headers["x-openevidence-signature"];
  if (typeof signature !== "string" || !Buffer.isBuffer(req.body)) {
    res.status(401).send("Invalid signature");
    return;
  }
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  const provided = Buffer.from(signature, "utf8");
  const expectedBuf = Buffer.from(expected, "utf8");
  // timingSafeEqual throws on unequal lengths; check length first so a malformed header is a 401, not a 500.
  if (provided.length !== expectedBuf.length || !crypto.timingSafeEqual(provided, expectedBuf)) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}
```
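As an added example (not code from the openevidence-pack skill or from OpenEvidence), the verification logic pulled out into pure functions and exercised against a constructed secret and payload. It shows why the HMAC must be computed over the raw request bytes: re-serialising the parsed JSON changes the bytes and the signature no longer matches, which is exactly what happens when a JSON body parser runs before the verifier. The HMAC-SHA256-hex scheme is the one the page shows; the secret, payload and function names are made up for the demonstration.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed sample secret and payload (not real OpenEvidence values).
const SAMPLE_SECRET = "whsec_example_do_not_use";
// Pretty-printed on purpose: these exact bytes, whitespace included, are what the sender signs.
const RAW_BODY = Buffer.from(
  '{\n  "event": "evidence.ready",\n  "query_id": "b4c1d1e2-0000-4000-8000-000000000001"\n}\n',
  "utf8"
);

// Sender side under the page's scheme: HMAC-SHA256 over the raw body, hex-encoded.
function signPayload(secret: string, body: Buffer): string {
  return createHmac("sha256", secret).update(body).digest("hex");
}

// Receiver side. Returns false, never throws, for a missing, malformed or wrong-length signature.
function verifySignature(secret: string, body: Buffer, signature: unknown): boolean {
  if (typeof signature !== "string" || !/^[0-9a-f]{64}$/.test(signature)) return false;
  const expected = Buffer.from(signPayload(secret, body), "utf8");
  const provided = Buffer.from(signature, "utf8");
  // Lengths are equal after the format check, so timingSafeEqual cannot throw a RangeError.
  return provided.length === expected.length && timingSafeEqual(provided, expected);
}

// Scenario 1: verifying over the exact raw bytes succeeds.
function verifiesRawBytes(): boolean {
  const sig = signPayload(SAMPLE_SECRET, RAW_BODY);
  return verifySignature(SAMPLE_SECRET, RAW_BODY, sig);
}

// Scenario 2: verifying over a re-serialised body fails, because JSON.parse + JSON.stringify
// drops the whitespace the sender signed. This is the express.json()-before-verifier bug.
function verifiesReserialisedBody(): boolean {
  const sig = signPayload(SAMPLE_SECRET, RAW_BODY);
  const reserialised = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString("utf8"))), "utf8");
  return verifySignature(SAMPLE_SECRET, reserialised, sig);
}

// Scenario 3: a tampered body (query_id changed) is rejected even with the original signature.
function verifiesTamperedBody(): boolean {
  const sig = signPayload(SAMPLE_SECRET, RAW_BODY);
  const tampered = Buffer.from(RAW_BODY.toString("utf8").replace("000000000001", "000000000002"), "utf8");
  return verifySignature(SAMPLE_SECRET, tampered, sig);
}

// Scenario 4: a truncated signature is rejected with false rather than crashing the request.
function rejectsTruncatedSignature(): boolean {
  const sig = signPayload(SAMPLE_SECRET, RAW_BODY).slice(0, 10);
  return verifySignature(SAMPLE_SECRET, RAW_BODY, sig);
}
```

Scenario 2 is the one to remember when wiring the middleware: the verifier needs the bytes as received, so it must run on a route that uses the raw body parser, and the JSON parse happens afterwards on the already-verified buffer.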
Validate every inbound clinical query against a strict schema before it is forwarded upstream:

```typescript
import { z } from "zod";

const ClinicalQuerySchema = z.object({
  query_id: z.string().uuid(),
  clinical_question: z.string().min(10).max(2000),
  specialty: z.enum(["oncology", "cardiology", "neurology", "general", "pediatrics", "emergency"]).optional(),
  evidence_level: z.enum(["systematic_review", "rct", "cohort", "case_report", "expert_opinion"]).optional(),
  include_guidelines: z.boolean().default(true),
});

// z.object() strips keys it does not declare, so stray identifiers such as mrn or patient_name
// in the request never reach the upstream call; chain .strict() to reject such requests instead.
function validateClinicalQuery(data: unknown) {
  return ClinicalQuerySchema.parse(data);
}
```
Redact PHI fields from every record before it reaches a log sink. The list includes clinical_question because the question text itself can identify a patient:

```typescript
const OPENEVIDENCE_PHI_FIELDS = ["patient_name", "date_of_birth", "mrn", "clinical_question", "diagnosis", "medication_list"];
// Recurses into nested objects so a PHI field inside a request or response envelope is not missed.
function redactOpenEvidenceLog(record: Record<string, unknown>): Record<string, unknown> {
  const redacted: Record<string, unknown> = {};
  for (const key of Object.keys(record)) {
    if (OPENEVIDENCE_PHI_FIELDS.indexOf(key) !== -1) {
      redacted[key] = "[REDACTED_PHI]";
    } else if (record[key] !== null && typeof record[key] === "object" && !Array.isArray(record[key])) {
      redacted[key] = redactOpenEvidenceLog(record[key] as Record<string, unknown>);
    } else {
      redacted[key] = record[key];
    }
  }
  return redacted;
}
```
| Vulnerability | Risk | Mitigation |
|---|---|---|
| Leaked API key | Unauthorized access to clinical evidence queries | HIPAA-compliant secrets manager + rotation |
| PHI in application logs | HIPAA violation and patient data exposure | Mandatory PHI field redaction |
| Missing BAA | Regulatory non-compliance penalty | BAA signed before integration goes live |
| Unencrypted clinical data | PHI breach during transit or storage | TLS 1.2+ in transit, AES-256 at rest |
| Missing audit trail | HIPAA audit failure | Immutable audit logs for all API interactions |
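An added example, not part of the skill or of OpenEvidence's API, that ties the redaction list to the audit-trail row of the table: every API interaction is recorded as a structured entry with the PHI fields redacted, and entries are hash-chained so that any edit, deletion or reordering after the fact is detected by re-deriving the chain. Hash chaining is one way to make an append-only log tamper-evident; the page does not prescribe it. The actor, action name, query ids and clinical questions are constructed sample data.

```typescript
import { createHash } from "crypto";

// PHI field names from the page's redaction list; their values never enter the audit record.
const PHI_FIELDS = ["patient_name", "date_of_birth", "mrn", "clinical_question", "diagnosis", "medication_list"];
const GENESIS_HASH = "0000000000000000000000000000000000000000000000000000000000000000";

interface AuditEntry {
  seq: number;                        // position in the log, 0-based
  ts: string;                         // ISO-8601 time of the API interaction
  actor: string;                      // authenticated user or service principal
  action: string;                     // hypothetical action name, e.g. "openevidence.query"
  query_id: string;                   // opaque request id: safe to log, links entry to request
  payload: Record<string, unknown>;   // request metadata with PHI fields redacted
  prev_hash: string;                  // hash of the preceding entry (GENESIS_HASH for the first)
  hash: string;                       // SHA-256 over every other field of this entry
}

// Recursive redaction: a PHI field nested inside a wrapper object or array is still caught.
function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(obj)) {
      out[key] = PHI_FIELDS.indexOf(key) !== -1 ? "[REDACTED_PHI]" : redact(obj[key]);
    }
    return out;
  }
  return value;
}

// Canonical JSON (sorted keys at every level) so a verifier recomputes byte-identical input.
function canonical(value: unknown): string {
  return JSON.stringify(value, (_key: string, v: any) => {
    if (v !== null && typeof v === "object" && !Array.isArray(v)) {
      const sorted: Record<string, unknown> = {};
      for (const k of Object.keys(v).sort()) sorted[k] = v[k];
      return sorted;
    }
    return v;
  });
}

function entryHash(body: Omit<AuditEntry, "hash">): string {
  return createHash("sha256").update(canonical(body)).digest("hex");
}

class AuditLog {
  private entries: AuditEntry[] = [];

  // Called once per API interaction, before the upstream request is sent.
  append(actor: string, action: string, queryId: string, request: Record<string, unknown>, ts: string): AuditEntry {
    const prev = this.entries[this.entries.length - 1];
    const body: Omit<AuditEntry, "hash"> = {
      seq: this.entries.length,
      ts,
      actor,
      action,
      query_id: queryId,
      payload: redact(request) as Record<string, unknown>,
      prev_hash: prev ? prev.hash : GENESIS_HASH,
    };
    const entry: AuditEntry = { ...body, hash: entryHash(body) };
    this.entries.push(entry);
    return entry;
  }

  // Re-derive every hash and link. Any edited, removed or reordered entry breaks the chain.
  verify(): boolean {
    let expectedPrev = GENESIS_HASH;
    for (let i = 0; i < this.entries.length; i++) {
      const { hash, ...body } = this.entries[i];
      if (body.seq !== i || body.prev_hash !== expectedPrev || entryHash(body) !== hash) return false;
      expectedPrev = hash;
    }
    return true;
  }
}

// Constructed scenario (sample data, not real patients): two queries, then an after-the-fact edit.
function auditDemo(): { firstPayload: Record<string, unknown>; intactBefore: boolean; intactAfter: boolean } {
  const log = new AuditLog();
  const first = log.append("dr.example@hospital.example", "openevidence.query", "b4c1d1e2-0000-4000-8000-000000000001",
    { clinical_question: "Anticoagulation strategy after TAVR in a 78-year-old with atrial fibrillation",
      specialty: "cardiology", context: { mrn: "MRN-123456", source: "ehr" } },
    "2025-01-15T10:00:00Z");
  log.append("dr.example@hospital.example", "openevidence.query", "b4c1d1e2-0000-4000-8000-000000000002",
    { clinical_question: "Adjuvant options for stage II colon cancer with microsatellite instability", specialty: "oncology" },
    "2025-01-15T10:05:00Z");
  const intactBefore = log.verify();
  // Someone rewrites the actor on the first entry after it was written; the chain must catch this.
  first.actor = "someone.else@hospital.example";
  return { firstPayload: first.payload, intactBefore, intactAfter: log.verify() };
}
```

The chain only proves integrity relative to its head: whoever can rewrite every entry from the edited one onward can re-chain it. In practice the newest hash is anchored somewhere the log writer cannot modify (a separate write-once store or a periodic signed checkpoint), and the audit record carries the query_id rather than the question so that an incident responder can correlate entries with the request store without PHI ever appearing in the log.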
See openevidence-prod-checklist.