Legal

Security Risk Assessment Framework

Effective Date: February 2026

Document Version: 1.0

1. Purpose

This Security Risk Assessment Framework ("Framework") establishes the methodology by which Rymeda, Inc. ("Rymeda," "we," "us") identifies, assesses, mitigates, and monitors security risks to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) and all information systems under Rymeda's control. This Framework satisfies the requirements of HIPAA §164.308(a)(1)(ii)(A) (Risk Analysis) and is aligned with NIST SP 800-30 Rev 1.

2. Scope

This Framework applies to all systems, applications, data stores, and network components that create, receive, maintain, or transmit ePHI, including: cloud infrastructure (AWS VPC, S3, Cognito, KMS, CloudWatch, Shield), databases (MongoDB Atlas), the application layer (FastAPI, Next.js), AI/ML pipeline (OpenAI with ZDR, Google Gemini via LiteLLM, ORIS clinical AI), authentication (Cognito, RBAC, MFA), communication systems (telehealth, secure messaging), and all third-party subprocessors.

3. Framework Alignment

Framework	Version	Functions / Areas
NIST CSF	2.0	Govern, Identify, Protect, Detect, Respond, Recover
HIPAA Security Rule	45 CFR Part 164	Administrative, Physical, Technical Safeguards; Risk Analysis (§164.308(a)(1)(ii)(A))
NIST SP 800-53	Rev 5	Security and Privacy Controls (RA, CA, PM control families)

4. Risk Assessment Methodology

Rymeda uses a qualitative 5×5 risk matrix evaluating likelihood against impact. Scores range from 1 to 25.

4.1 Risk Matrix (Likelihood × Impact)

Likelihood / Impact	1 Negligible	2 Minor	3 Moderate	4 Major	5 Catastrophic
5 Almost Certain	5	10	15	20	25
4 Likely	4	8	12	16	20
3 Possible	3	6	9	12	15
2 Unlikely	2	4	6	8	10
1 Rare	1	2	3	4	5

4.2 Risk Levels

Level	Score	Required Action
Critical	20–25	Immediate remediation; CISO notification within 24 hours; executive escalation
High	15–19	Remediation plan within 7 days; CISO review required; tracked in risk register
Medium	8–14	Remediation within 30 days; risk owner assigned; monitored quarterly
Low	1–7	Accept or remediate within 90 days; documented; reviewed annually

5. Asset Inventory Categories

Category	Rymeda Systems	Classification
Clinical Data Systems	Charts, SOAP notes, voice transcription, vitals, labs, diagnoses, ORIS AI outputs	Restricted (PHI)
Authentication Infrastructure	AWS Cognito (3 app clients, PKCE, RS256 JWT), bcrypt passwords, MFA	Restricted
AI/ML Pipeline	OpenAI (Whisper, GPT — ZDR), Google Gemini (via LiteLLM), ORIS with guardrails	Restricted (PHI)
Communication Systems	Telehealth video (100ms), secure messaging, patient portal, care team channels	Confidential
Storage	MongoDB Atlas, Amazon S3 (voice, documents), AWS KMS (per-tenant keys)	Restricted (PHI)
Network / API	AWS VPC, WAF, Shield, TLS 1.3, CORS, rate limiting (slowapi)	Internal

6. Threat Identification

Rymeda uses the STRIDE threat model mapped to healthcare-specific threat scenarios:

STRIDE Category	Healthcare Threats	Countermeasures
Spoofing	Credential theft, session hijacking, provider impersonation, forged NPI	Cognito PKCE + RS256 JWT, MFA, NPI validation, provider verification
Tampering	Clinical record modification, AI note alteration, unauthorized chart amendments	Immutable audit logs, HMAC-SHA256, append-only records, 6-year retention
Repudiation	Denied clinical data access, disputed records, unattributed changes	Centralized audit service, auto-capture middleware, user/role/IP/timestamp
Information Disclosure	ePHI breach, unauthorized access, AI data leakage, cross-tenant exposure	AES-256 + per-tenant KMS, TLS 1.3, CLINICAL_PERMISSIONS RBAC, org_id isolation, ZDR
Denial of Service	Platform unavailability, API exhaustion, brute-force auth attacks	Shield, WAF, slowapi (200/min global, 5/min auth, 3/min sensitive), multi-AZ
Elevation of Privilege	Role escalation, admin bypass, cross-org access, AI guardrail bypass	7 admin + 9 clinical sub-roles, least privilege, ORIS guardrails, trust scoring

7. Current Security Controls

Control Area	Implementation	Risk Addressed
Access Control	Cognito PKCE + RS256 JWT (3 app clients), RBAC (7 admin + 9 clinical roles), MFA, bcrypt, NPI verification	Spoofing, Elevation of Privilege
Encryption	AES-256 at rest (KMS, per-tenant CMKs), TLS 1.3 in transit, HMAC-SHA256, RS256 tokens	Information Disclosure, Tampering
Monitoring	Centralized audit service, auto-capture middleware, CloudWatch, 6-year immutable retention	Repudiation, Information Disclosure
Rate Limiting	slowapi: 200/min global, 5/min auth, 10/min general, 3/min sensitive	Denial of Service, Spoofing
Network	VPC isolation, WAF, Shield, security groups, CORS, CSP headers	Denial of Service, Tampering

See the Information Security Policy for the complete controls inventory.

8. Risk Treatment Options

Treatment	Description	Decision Criteria
Mitigate	Implement controls to reduce likelihood or impact	Cost proportionate to reduction; preferred for Critical/High risks
Transfer	Share risk via insurance, BAAs, or contracts	Cannot fully mitigate internally; cyber insurance or vendor controls
Accept	Acknowledge and document residual risk	Within risk appetite; Low scores where mitigation cost exceeds impact; CISO approval required
Avoid	Eliminate by removing the activity or system	Cannot reduce to acceptable level; alternative with lower risk available

HIPAA Requirement: ePHI risks cannot be accepted without documented justification per 45 CFR §164.306(b). All ePHI risk acceptance requires written CISO approval.

9. Assessment Schedule

Type	Frequency	Scope	Owner
Comprehensive	Annual	All systems, assets, threats, controls; full HIPAA §164.308(a)(1)(ii)(A) analysis	CISO
Targeted	Quarterly	High-risk areas, open register items, control effectiveness	Security
Triggered — New System	As needed	New application, vendor, infrastructure, or AI model integration	Engineering
Triggered — Incident	Post-incident	Systems and controls involved in a breach or security incident	CISO
Triggered — Regulatory	As needed	New HIPAA guidance, state privacy laws, or industry standards	Compliance

10. Risk Register Summary

The risk register is maintained by Compliance and reviewed quarterly by the CISO. Representative entries:

Risk ID	Description	L	I	Score	Treatment	Owner	Status
RSK-001	Credential stuffing against auth endpoints	3	4	12	Mitigate	Security	Controlled
RSK-002	AI hallucinated clinical data in outputs	3	5	15	Mitigate	AI Team	Controlled
RSK-003	Cross-tenant data leakage via API	2	5	10	Mitigate	Engineering	Controlled
RSK-004	AI vendor data retention violation	2	4	8	Transfer	Legal	Controlled
RSK-005	Ransomware targeting database backups	2	5	10	Mitigate	Infra	Controlled
RSK-006	Insider unauthorized clinical data access	2	4	8	Mitigate	CISO	Controlled

L = Likelihood, I = Impact. Full register maintained internally and available for audit.

11. Residual Risk Acceptance

After controls are implemented, Rymeda follows a formal process for residual risk:

11.1 Risk Owner Documentation

The risk owner documents the original score, implemented controls, residual score, and justification referencing specific control effectiveness.

11.2 CISO Approval

All residual risk acceptance requires written CISO approval. Critical and High residual risks additionally require executive leadership approval.

11.3 Ongoing Review

Accepted risks are reviewed quarterly and tracked with "Accepted" status and a review date no later than twelve (12) months from acceptance.

12. Continuous Monitoring

12.1 Real-Time Monitoring

CloudWatch for infrastructure alerting. Centralized audit service with auto-capture middleware. Trust scoring for anomaly detection. Brute-force detection after 5+ failures in 15 minutes.

12.2 Vulnerability Scanning

SAST on every commit. DAST weekly. Dependency scanning daily. Remediation SLAs: Critical 24h, High 7d, Medium 30d, Low 90d.

12.3 Penetration Testing

Annual external penetration testing by qualified third-party firm covering application, infrastructure, and API surfaces. Findings scored via risk matrix and tracked in the register.

13. Reporting

CISO Risk Report (Monthly): Open risks, register changes, control metrics, emerging threats.
Executive Summary (Quarterly): Risk posture, Critical/High status, treatment progress, resource needs.
Board Report (Annual): Comprehensive results, year-over-year trends, compliance status, strategic recommendations.
Regulatory Submissions: Documentation for OCR audits, SOC 2 Type II, state inquiries. Audit logs retained 6 years per HIPAA §164.530(j).

Contact

Security Team

Risk assessments, vulnerability reports, penetration testing

security@rymeda.com

Compliance Team

Regulatory compliance, audit requests, risk register

legal@rymeda.com

Related Policies

Information Security Policy →Incident Response Plan →Vendor Risk Management Policy →Breach Notification Policy →Data Retention & Destruction Policy →