Secure Deployment Guide

This guide outlines best practices for deploying models securely using the PaiTIENT Secure Model Service. Following these guidelines ensures your deployments maintain HIPAA/SOC2 compliance.

Security Architecture

PaiTIENT deployments follow a multi-layered security approach:

Deployment Security Checklist

Before deploying a model in a production environment, ensure you've addressed these security considerations:

Authentication and Access Control

• [ ] Configure strong API keys with appropriate permissions
• [ ] Enable Multi-Factor Authentication for administrative access
• [ ] Implement IP-based restrictions for API access where appropriate
• [ ] Use different credentials for development and production environments

Network Security

• [ ] Enable private endpoints for sensitive deployments
• [ ] Configure VPC settings for network isolation
• [ ] Implement proper security groups or network policies
• [ ] Set up secure connections between your application and the PaiTIENT API

Data Security

• [ ] Verify encryption is enabled for model storage (enabled by default)
• [ ] Implement additional encryption for highly sensitive prompts or outputs
• [ ] Practice data minimization in prompts and requests
• [ ] Set up appropriate data retention policies

Compliance

• [ ] Enable comprehensive audit logging
• [ ] Implement appropriate tagging for cost allocation and compliance tracking
• [ ] Configure monitoring and alerting for security events
• [ ] Set up regular security assessment procedures

Secure Deployment Examples

Python SDK

from paitient_secure_model import Client
from paitient_secure_model.security import SecuritySettings

# Initialize client with enhanced security settings
client = Client()

# Create deployment with security-first configuration
deployment = client.create_deployment(
    model_name="ZimaBlueAI/HuatuoGPT-o1-8B",
    deployment_name="hipaa-compliant-model",
    compute_type="gpu",
    instance_type="g4dn.xlarge",
    security_settings=SecuritySettings(
        network_isolation=True,         # Enable network isolation
        private_endpoints=True,         # Use private endpoints
        encryption_level="maximum",     # Use maximum encryption level
        audit_logging=True,             # Enable comprehensive audit logging
        compliance_mode="hipaa",        # Enable HIPAA compliance mode
    ),
    vpc_config={
        "subnet_ids": ["subnet-abc123", "subnet-def456"],
        "security_group_ids": ["sg-123456"]
    },
    tags={
        "environment": "production",
        "compliance": "hipaa",
        "data-sensitivity": "phi",
        "department": "clinical-research"
    }
)

print(f"Secure deployment created: {deployment.id}")

Node.js SDK

const { PaiTIENTClient } = require('paitient-secure-model');
const { SecuritySettings } = require('paitient-secure-model/security');

// Initialize client
const client = new PaiTIENTClient();

async function createSecureDeployment() {
  try {
    const deployment = await client.createDeployment({
      modelName: "ZimaBlueAI/HuatuoGPT-o1-8B",
      deploymentName: "hipaa-compliant-model",
      computeType: "gpu",
      instanceType: "g4dn.xlarge",
      securitySettings: new SecuritySettings({
        networkIsolation: true,         // Enable network isolation
        privateEndpoints: true,         // Use private endpoints
        encryptionLevel: "maximum",     // Use maximum encryption level
        auditLogging: true,             // Enable comprehensive audit logging
        complianceMode: "hipaa",        // Enable HIPAA compliance mode
      }),
      vpcConfig: {
        subnetIds: ["subnet-abc123", "subnet-def456"],
        securityGroupIds: ["sg-123456"]
      },
      tags: {
        environment: "production",
        compliance: "hipaa",
        "data-sensitivity": "phi",
        department: "clinical-research"
      }
    });

    console.log(`Secure deployment created: ${deployment.id}`);
  } catch (error) {
    console.error("Deployment failed:", error);
  }
}

createSecureDeployment();

Network Isolation

Network isolation is critical for HIPAA/SOC2 compliance. There are several levels of isolation available:

1. Standard Isolation

Default security with TLS encryption and authentication.

2. Enhanced Isolation

Adds IP-based restrictions and additional network security.

# Python example for enhanced isolation
deployment = client.create_deployment(
    model_name="ZimaBlueAI/HuatuoGPT-o1-8B",
    deployment_name="enhanced-isolation-model",
    security_settings=SecuritySettings(
        network_isolation=True,
        allowed_ip_ranges=["192.168.1.0/24", "10.0.0.0/8"]
    )
)

3. Maximum Isolation

Provides complete network isolation with private endpoints and VPC integration.

# Python example for maximum isolation
deployment = client.create_deployment(
    model_name="ZimaBlueAI/HuatuoGPT-o1-8B",
    deployment_name="maximum-isolation-model",
    security_settings=SecuritySettings(
        network_isolation=True,
        private_endpoints=True,
        internal_traffic_only=True
    ),
    vpc_config={
        "subnet_ids": ["subnet-abc123", "subnet-def456"],
        "security_group_ids": ["sg-123456"]
    }
)

Data Handling

Proper data handling is essential for secure deployments:

Input Handling

• Sanitize and validate all inputs before sending to the model
• Implement content filtering for user-provided prompts
• Use data minimization techniques to reduce PHI/PII exposure

# Python example for secure input handling
from paitient_secure_model.security import DataFiltering

response = client.generate_text(
    deployment_id="dep_12345abcde",
    prompt="Patient medical history: ...",
    security_settings=SecuritySettings(
        data_filtering=DataFiltering(
            detect_pii=True,          # Detect personally identifiable information
            redact_phi=True,          # Redact protected health information
            content_filtering="strict" # Apply strict content filtering
        )
    )
)

Output Handling

• Implement output scanning for sensitive information
• Apply appropriate redaction for PHI/PII when needed
• Keep audit trails of all outputs for compliance purposes

# Python example for secure output handling
response = client.generate_text(
    deployment_id="dep_12345abcde",
    prompt="Summarize treatment options for diabetes.",
    security_settings=SecuritySettings(
        data_filtering=DataFiltering(
            scan_output=True,         # Scan output for sensitive information
            redact_output_phi=True,   # Redact PHI in output
            save_output_audit=True    # Save output for audit
        )
    )
)

Monitoring and Audit

Implement comprehensive monitoring for secure deployments:

Audit Logging

Enable detailed audit logging to track all interactions:

# Python example for enabling audit logging
client = Client(
    security_settings=SecuritySettings(
        audit_logging=True,
        audit_log_retention_days=365  # Retain logs for 1 year
    )
)

Real-time Monitoring

Set up real-time monitoring for security events:

# Python example for monitoring configuration
from paitient_secure_model.monitoring import SecurityMonitoring

client = Client(
    security_settings=SecuritySettings(
        monitoring=SecurityMonitoring(
            alert_on_suspicious_activity=True,
            alert_destinations=["email:security@example.com", "webhook:https://example.com/security-webhook"]
        )
    )
)

Multi-tenant Deployments

For applications serving multiple customers:

# Python example for multi-tenant deployment
deployment = client.create_deployment(
    model_name="ZimaBlueAI/HuatuoGPT-o1-8B",
    deployment_name="multi-tenant-clinical-assistant",
    multi_tenant=True,
    tenant_isolation="strong",  # Options: "basic", "strong", "maximum"
    security_settings=SecuritySettings(
        tenant_encryption_keys=True  # Use separate encryption keys per tenant
    )
)

# Generate text for a specific tenant
response = client.generate_text(
    deployment_id=deployment.id,
    prompt="What are the side effects of metformin?",
    tenant_id="tenant_12345"  # Specify the tenant
)

Compliance Documentation

Maintain proper documentation for compliance:

• System security plan (SSP)
• Risk assessment documentation
• Incident response procedures
• Regular security assessment reports

PaiTIENT provides a compliance dashboard to help track and document your compliance status.

Security Best Practices

1. Regular Rotation: Rotate API keys and credentials regularly
2. Least Privilege: Use the minimum permissions necessary
3. Defense in Depth: Implement multiple layers of security
4. Regular Audits: Conduct security audits and penetration testing
5. Incident Response: Prepare incident response procedures
6. Staff Training: Train staff on security best practices
7. Vendor Assessment: Regularly assess vendor security practices

Next Steps

• Learn about Fine-tuning
• Explore Custom Deployments
• Understand HIPAA Compliance
• Review SOC2 Compliance