| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
The Healthcare Research MCP Server takes security seriously, especially given its use in healthcare research contexts.
Please DO NOT file a public issue for security vulnerabilities. Instead:
- Email: security@[your-domain].com
- Use the subject line: "SECURITY: Healthcare Research MCP"
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Resolution Timeline: Depends on severity
  - Critical: 1-2 weeks
  - High: 2-4 weeks
  - Medium: 4-8 weeks
  - Low: Next release
- This server is designed to work with de-identified data only
- Never input PHI (Protected Health Information) directly
- Use appropriate data governance for your institution
- Store API keys securely in environment variables
- Never commit API keys to version control
- Rotate keys regularly
- Use separate keys for development and production
- Databases should be encrypted at rest
- Use appropriate file permissions
- Regular backups recommended
- Consider using external databases for production
- Run behind a firewall in production
- Use HTTPS for any web interfaces
- Limit access to trusted networks
- Monitor for unusual activity
While this software includes HIPAA-compliant features (audit logging, access controls), achieving full HIPAA compliance requires:
- Proper deployment configuration
- Administrative safeguards
- Physical safeguards
- Signed BAAs with any cloud providers
This software alone does not guarantee HIPAA compliance.
We regularly update dependencies to patch known vulnerabilities. To check for vulnerabilities in your installation:

```sh
npm audit
```

To automatically fix vulnerabilities:

```sh
npm audit fix
```

Note that `npm audit fix` only applies updates that stay within the existing semver ranges of your dependencies; review any findings it cannot resolve manually.

- Least Privilege: Grant minimum necessary permissions
- Audit Logs: Enable and monitor audit logs
- Updates: Keep the server and dependencies updated
- Encryption: Use encryption for sensitive data
- Access Control: Implement proper authentication
- Monitoring: Set up alerts for suspicious activity
We appreciate responsible disclosure of security issues. Security researchers who report valid issues will be acknowledged (with permission) in our releases.