Overview
This article outlines the technical security architecture of Dermi Atlas Professional. It is intended to help IT administrators and practice managers understand how the software protects data and identify where the organization must implement its own controls.
Core Principle: Local Data Sovereignty
Dermi Atlas Professional operates on a Local Data Sovereignty model. This differs fundamentally from cloud-based SaaS products.
- Local Storage: All patient health information (PHI), images, and database records are stored on the hard drive of your host computer.
- No Cloud Sync: Patient data is not synced to Dermi's servers.
- No External Access: Dermi support staff cannot access your local instance or your data remotely.
Data Flow
- Patient Images & Notes: Stored in Local Host Database. Transmitted to Dermi? No
- User Passwords (Hashed): Stored in Local Host Database. Transmitted to Dermi? No
- Audit Logs: Stored in Local Host Database. Transmitted to Dermi? No
- Verification Actions: Stored in Local Host Database & Dermi Cloud (Temporarily). Transmitted to Dermi? Yes (Metadata only).
- License Verification: Stored in Dermi Cloud. Transmitted to Dermi? Yes.
Network Security & Encryption
Transport Layer Security (TLS)
Dermi Atlas Professional supports TLS encryption for local network communications.
- HTTP (Port 15015): Available for testing, but not recommended for production.
- HTTPS (Port 15045): Recommended for all clinical use. Encrypts data in transit between the host computer and client devices (iPads, laptops).
Self-Signed Certificates
Because Dermi Atlas Professional runs on a local IP address (e.g., 192.168.x.x) rather than a public domain, it cannot use standard public SSL certificates.
- Generation: Dermi Atlas Manager automatically generates a self-signed certificate specific to your host machine.
- Trust: You must install this certificate on client devices to avoid browser security warnings.
- See: SSL Certificate Setup for HTTPS Access for installation guides.
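Installing a self-signed certificate is only as safe as the check that it is the one your host generated. The Python below is an added example, not Dermi code: it compares the SHA-256 fingerprint the host presents on port 15045 with the one you read on the host computer. The PEM file format and the script name `check_cert.py` are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

HTTPS_PORT = 15045  # HTTPS port named in this article


def normalize_fingerprint(text: str) -> str:
    """Reduce 'AB:CD:...', 'ab cd ...' or 'abcd...' to 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text.lower() if ch not in ": -\t\r\n")
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 of the DER encoding of a PEM certificate file's contents (assumed format)."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()


def fetch_presented_fingerprint(host: str, port: int = HTTPS_PORT) -> str:
    """Fingerprint of the certificate the server presents, fetched without trusting it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # verification is off on purpose: the
    ctx.verify_mode = ssl.CERT_NONE  # fingerprint comparison is the check
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def certificate_matches(expected: str, presented: str) -> bool:
    """True only if both fingerprints are well-formed and identical."""
    return hmac.compare_digest(normalize_fingerprint(expected),
                               normalize_fingerprint(presented))


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): python check_cert.py <host-ip> <fingerprint>
    host, expected = sys.argv[1], sys.argv[2]
    seen = fetch_presented_fingerprint(host)
    ok = certificate_matches(expected, seen)
    print(f"{host}:{HTTPS_PORT} presents {seen}")
    print("MATCH" if ok else "MISMATCH: do not install this certificate")
    sys.exit(0 if ok else 1)
```

`fingerprint_from_pem` gives the same value for the certificate file you are about to install, so the file, the live server, and the host's own display can all be compared.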
Firewall Requirements
Dermi Atlas Manager attempts to configure the host computer's firewall automatically.
- Inbound Rules: Must allow TCP traffic on ports 15015, 15045, 15815, and 15845 (or on your custom ports if the defaults are already in use).
- Isolation: We recommend running the host computer on a private network, not a guest network.
Access Control & Authentication
User Isolation
Dermi Atlas Professional is designed for multi-user environments but enforces strict data isolation.
- User A cannot access User B’s patients or images.
- Separate database associations ensure logical separation of data.
Authentication Standards
- Password Hashing: Passwords are salted and hashed using industry-standard algorithms (e.g., bcrypt) before storage. Plaintext passwords are never stored.
- Complexity: Enforced requirements (12+ chars, mixed case, numbers, symbols).
- Two-Factor Authentication (2FA): Optional but recommended. Uses Time-based One-Time Passwords (TOTP) compatible with apps like Google Authenticator.
Backup & Integrity
Dermi Atlas Manager includes a built-in backup utility.
- Scope: Backups include the full database, all images, and configuration settings.
- Integrity: Checksums are generated during backup and verified during restoration to ensure data has not been corrupted.
- Format: Proprietary archive format to ensure consistency.
Security Note: Backups are stored on the host computer by default. It is the practice's responsibility to move these backups to a secure, encrypted, off-site location (e.g., an encrypted USB drive or a compliant cloud storage bucket).
Host System Hardening
Because Dermi Atlas Professional relies on the host computer's security, your organization should implement the following "Defense in Depth" measures:
- Disk Encryption: Enable BitLocker (Windows) or FileVault (macOS) on the host computer to protect data at rest in case of physical theft.
- OS Updates: Keep the operating system patched to prevent exploit-based attacks.
- Physical Security: Restrict physical access to the host computer to authorized personnel only.