OpenEvidence Security Basics
Overview
OpenEvidence provides AI-powered clinical evidence synthesis that processes protected health information (PHI), patient queries, and medical literature references. Integrations must comply with HIPAA requirements for PHI handling, audit logging, and access controls. A breach exposes patient health questions, clinical recommendations, and potentially identifiable medical conditions. Every API interaction must be treated as a HIPAA-regulated transaction.
API Key Management
function createOpenEvidenceClient(): { apiKey: string; baseUrl: string } {
const apiKey = process.env.OPENEVIDENCE_API_KEY;
if (!apiKey) {
throw new Error("Missing OPENEVIDENCE_API_KEY — store in HIPAA-compliant secrets manager");
}
// PHI-adjacent access — enforce audit logging on every request
console.log("OpenEvidence client initialized (key suffix:", apiKey.slice(-4), ")");
return { apiKey, baseUrl: "https://api.openevidence.com/v1" };
}
Webhook Signature Verification
import crypto from "crypto";
import { Request, Response, NextFunction } from "express";
function verifyOpenEvidenceWebhook(req: Request, res: Response, next: NextFunction): void {
const signature = req.headers["x-openevidence-signature"] as string;
const secret = process.env.OPENEVIDENCE_WEBHOOK_SECRET!;
const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
res.status(401).send("Invalid signature");
return;
}
next();
}