Skip to content

Security and Data Boundary — Medplum AWS Dev

Non-negotiable initial boundary

This dev environment must not contain PHI, patient identifiers, production credentials, or live clinical workflow data.

Permitted in dev

  • Synthetic patients and synthetic observations.
  • Public test data.
  • Non-sensitive integration prototypes.
  • Internal evaluation notes.

Not permitted without approval

  • PHI or patient-specific data.
  • Production EHR data.
  • Production credentials.
  • External user/customer access.
  • Clinical decision support usage.

Required before real data

  • Security review.
  • Compliance/legal review as needed.
  • Clinical review.
  • Access control and audit logging review.
  • Data retention/backup policy.
  • Incident response owner.