Defense in depth.
Six security layers protect patient data at rest, in transit, and during device-to-device sync. No cloud dependency for privacy.
Database at Rest (SQLCipher)
| Property | Value |
|---|---|
| Algorithm | AES-256 (SQLCipher native) |
| Key | Device-unique UUID, generated on first launch |
| Key Storage | EncryptedSharedPreferences (hardware-backed MasterKey) |
| Backup | android:allowBackup="false" |
SMS in Transit (AES-256-GCM)
| Property | Value |
|---|---|
| Algorithm | AES/GCM/NoPadding |
| Key Size | 256 bits |
| Key Derivation | PBKDF2-HMAC-SHA256 (100K iterations) |
| Nonce | 12 bytes (SecureRandom per encryption) |
| Auth Tag | 128 bits |
| Output | Base64(nonce + ciphertext + tag), fits in 1 SMS |
PIN Storage (PBKDF2)
| Property | Value |
|---|---|
| Algorithm | PBKDF2-HMAC-SHA256 |
| Iterations | 100,000 |
| Salt | 16 bytes (SecureRandom, unique per user) |
| Output | 256-bit hash (Base64 stored) |
| Verification | Constant-time XOR comparison |
Config at Rest (EncryptedSharedPreferences)
| Property | Value |
|---|---|
| Master Key | AES-256-GCM (Android Keystore backed) |
| Key Encryption | AES-256-SIV |
| Value Encryption | AES-256-GCM |
| Protected | DHIS2 creds, Twilio tokens, session data, DB passphrase |
Patient ID (Privacy-Preserving)
| Property | Value |
|---|---|
| Format | 8-char base28 (e.g., KFMT-4WRN) |
| Entropy | 40 bits SecureRandom |
| Alphabet | ABCDEFGHJKMNPQRTUVWXYZ234567 (no confusable chars) |
| Design | NOT derived from patient demographics |
P2P Sync Authentication (Nearby Connections)
| Property | Value |
|---|---|
| Auth | 6-digit code displayed on both devices |
| Verification | User must visually verify before accepting |
| Transport | Bluetooth link-layer encryption |
| Strategy | P2P_CLUSTER via Android Nearby Connections |
Cryptographic summary
| Layer | Algorithm | Key Size | Purpose |
|---|---|---|---|
| Database at Rest | AES-256 (SQLCipher) | 256-bit | Full-database encryption of all patient records |
| SMS in Transit | AES/GCM/NoPadding | 256-bit | End-to-end encrypted portable health records |
| PIN Storage | PBKDF2-HMAC-SHA256 | 256-bit hash | Secure user authentication credential storage |
| Config at Rest | AES-256-SIV + AES-256-GCM | 256-bit | Encrypted API tokens, credentials, session data |
| Patient ID | SecureRandom | 40-bit entropy | Privacy-preserving patient identification |
| P2P Sync | BT link-layer + visual auth | N/A | Authenticated device-to-device data exchange |
Role-based access control
Six clinical roles with granular permissions. Shared devices stay secure.
| Role | Register Patients | Triage | Consult | Dispense Meds | Manage Users | View Dashboard | Sync Devices | Edit Settings |
|---|---|---|---|---|---|---|---|---|
| ADMIN | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| DOCTOR | ✓ | ✓ | ✓ | ✓ | — | ✓ | ✓ | — |
| NURSE | ✓ | ✓ | — | — | — | ✓ | ✓ | — |
| PHARMACIST | — | — | — | ✓ | — | ✓ | — | — |
| CHW | ✓ | ✓ | — | — | — | — | ✓ | — |
| REGISTRATION_CLERK | ✓ | — | — | — | — | — | — | — |
| Setting | Value |
|---|---|
| PIN Length (digits) | 4-6 |
| Auto-Lock | 5 min |
| Max Failed Attempts | 5 |
| Lockout Duration | 2 min |
Complete audit trail
Every clinical and security action is logged with millisecond precision.
Authentication
- LOGIN: successful session start with role
- LOGOUT: explicit session end
- FAILED_AUTH: incorrect PIN attempt
- UNLOCK: screen unlock after auto-lock
- LOCKOUT: 5 consecutive failures, 2-min lock
Clinical
- CREATE_PATIENT: new patient registration
- CREATE_ENCOUNTER: encounter finalized with data
- DISPENSE: medication dispensed to patient
Administrative
- SETTINGS_CHANGE: configuration modification (old and new values stored in the details JSON)
Sync
- SYNC: device-to-device sync event (conflict count and records exchanged are logged)
Each record contains
Every audit entry captures a complete forensic context for compliance and incident response.
- Who: userId
- What: action + details JSON
- When: ms timestamp
- On what: targetType + targetId
5 database indices
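Putting the PIN Storage parameters, the lockout policy and the authentication audit events together, as an added example in Python (not the app's own Android code): it derives and verifies a PIN hash with the stated PBKDF2-HMAC-SHA256 settings, uses the standard library's constant-time comparison in place of the XOR loop, and applies the 5-attempt / 2-minute lockout while recording LOGIN, FAILED_AUTH and LOCKOUT entries in the who/what/when shape described above. The PinAuthenticator class, its field names and the details JSON keys are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Parameters taken from the PIN Storage table and the lockout policy above.
PBKDF2_ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256, 100,000 iterations
SALT_BYTES = 16               # SecureRandom salt, unique per user
HASH_BYTES = 32               # 256-bit output, stored Base64
MAX_FAILED_ATTEMPTS = 5       # five consecutive failures ...
LOCKOUT_SECONDS = 120         # ... trigger a 2-minute lockout

def hash_pin(pin: str, salt: bytes = b"") -> tuple:
    """Return (base64 salt, base64 hash); draws a fresh salt unless one is given."""
    if not (pin.isdigit() and 4 <= len(pin) <= 6):
        raise ValueError("PIN must be 4-6 digits")
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, HASH_BYTES)
    return base64.b64encode(salt).decode(), base64.b64encode(digest).decode()

def verify_pin(pin: str, salt_b64: str, hash_b64: str) -> bool:
    """Recompute and compare in constant time (stdlib stand-in for the XOR loop)."""
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, HASH_BYTES)
    return hmac.compare_digest(candidate, expected)

class PinAuthenticator:  # hypothetical class: enforces the attempt limit and logs audit entries
    """Tracks consecutive failures per user and the lockout window; clock is injectable."""
    def __init__(self, user_id, salt_b64, hash_b64, clock=time.time):
        self.user_id, self.salt_b64, self.hash_b64, self.clock = user_id, salt_b64, hash_b64, clock
        self.failed, self.locked_until, self.audit = 0, 0.0, []
    def _log(self, action, details):  # who (userId), what (action + details), when (ms)
        self.audit.append({"userId": self.user_id, "action": action,
                           "timestampMs": int(self.clock() * 1000), "details": details})
    def attempt(self, pin: str) -> bool:
        now = self.clock()
        if now < self.locked_until:              # locked out: reject before any hashing
            self._log("FAILED_AUTH", {"reason": "locked_out"})
            return False
        if verify_pin(pin, self.salt_b64, self.hash_b64):
            self.failed = 0                      # a success resets the consecutive-failure count
            self._log("LOGIN", {"result": "ok"})
            return True
        self.failed += 1
        self._log("FAILED_AUTH", {"failedAttempts": self.failed})
        if self.failed >= MAX_FAILED_ATTEMPTS:   # fifth failure starts the lockout window
            self.locked_until, self.failed = now + LOCKOUT_SECONDS, 0
            self._log("LOCKOUT", {"lockoutSeconds": LOCKOUT_SECONDS})
        return False
```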