CipherStash - Journalia Customer Story

"Implementing robust encryption with CipherStash gave us peace of mind, knowing no one but the original data owners can access their data." — Journalia

About Journalia

Askeladden & Co. is a Norwegian venture studio specializing in developing companies that simplify customer and employee experiences through technology. One of their recent ventures (in collaboration with Dr. Dropin) is Journalia, an AI-driven application designed to help health care workers by transcribing patient consultations and automatically generating structured medical notes, allowing physicians to focus fully on their patients.

Operating within Europe, Askeladden & Co. ensures that their health-tech solutions, like Journalia, comply with stringent data security and privacy regulations.

Journalia's requirements

Encryption

Patient notes may include Personally Identifiable Information (PII) and health data (a special category of data under the GDPR). Due to their sensitive nature, it is essential to encrypt this information.

Traditional Application Level Encryption (ALE) approaches use either a single key for the whole database, or a small number of keys, perhaps one per table. With CipherStash’s Protect.js, Journalia is able to generate a unique key for every value (in every column, in every row, in every table) in the database.

This maximises protection by limiting the blast radius of a potential attack, because an attacker would have to obtain many keys to decrypt all the data, and because a log is generated every time a key is used. With these log insights, Journalia knows exactly which data was accessed, when, and by whom without having any access to the encrypted data.

Patient confidentiality

Only the individual doctor who made the note should be able to decrypt and read it.

CipherStash does this by enabling permissions to be scoped down to individual pieces of data - provable with cryptography. An integration with Journalia’s IDP of choice ensures the data owner’s identity is used to prove ownership. With CipherStash’s context lock encryption, data can be locked to the context in which it was captured — in this case, the doctor who created the patient note. Locked data can only be accessed in the same context as it was captured; decryption needs both a valid key and the data owner’s JWT — issued by the IDP — making unauthorized access virtually impossible.
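The two properties described above (a distinct key per stored value with a log entry on every key use, and decryption tied to the data owner's identity) can be illustrated with Node's built-in crypto module. This is an added example, not CipherStash, Protect.js or ZeroKMS code: an HKDF derivation from a local ROOT_KEY stands in for the key service, and the names valueId, claims.sub and accessLog are hypothetical. It assumes the JWT has already been verified and only its subject claim is passed in.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a root key held by a key service (assumption).
const ROOT_KEY = crypto.randomBytes(32);
const accessLog = []; // one entry per key use: which value, which identity, when

// Key is unique per value AND per owner identity; every derivation is logged.
function deriveValueKey(valueId, sub, op) {
  accessLog.push({ valueId, sub, op, at: new Date().toISOString() });
  const info = Buffer.from(JSON.stringify({ valueId, sub }));
  return Buffer.from(crypto.hkdfSync('sha256', ROOT_KEY, Buffer.alloc(0), info, 32));
}

// claims.sub is assumed to come from an already-verified IDP-issued JWT.
function encryptValue(plaintext, valueId, claims) {
  const key = deriveValueKey(valueId, claims.sub, 'encrypt');
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(valueId)); // binds ciphertext to its row/column
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { valueId, iv, ct, tag: cipher.getAuthTag() };
}

function decryptValue(record, claims) {
  const key = deriveValueKey(record.valueId, claims.sub, 'decrypt');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAAD(Buffer.from(record.valueId));
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
}

// Returns null when the identity (context) does not match the one used to encrypt.
function tryDecrypt(record, claims) {
  try { return decryptValue(record, claims); } catch { return null; }
}

// Constructed sample identities and note text (not real data).
const doctorA = { sub: 'doctor-a' };
const doctorB = { sub: 'doctor-b' };
const record = encryptValue('Constructed consultation note', 'notes/42/body', doctorA);
console.log(tryDecrypt(record, doctorA)); // the owner reads the note
console.log(tryDecrypt(record, doctorB)); // a different identity gets nothing
console.log(accessLog.map((e) => `${e.op} ${e.valueId} by ${e.sub}`));
```

The failed attempt by the second identity still appears in accessLog, which is what makes the per-value audit trail useful for detection.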

Performance

ZeroKMS, CipherStash’s key management service built on top of AWS KMS, is both fast and scalable, thanks to its bulk operations and key binding (see the white paper on our Trust Center for details). ZeroKMS has been designed for database encryption use cases. Benchmarks show ZeroKMS is 10x faster than AWS KMS when using a data-key per record, particularly as the number of records increases. No data-key caching or reuse is needed for decryption and performance is consistent even for large volumes of data.

Choosing CipherStash

"CipherStash enabled us to achieve the same stringent level of encryption without needing to implement custom envelope encryption using AWS KMS or similar technologies." — Journalia

While investigating encryption requirements and potential solutions, Journalia discovered CipherStash, which appeared perfectly suited for their use case. With CipherStash’s Protect.js, they found a solution that’s ideal for their needs (their app will do 10 to 20 different encryptions and decryptions at INSERT time and SELECT time) and tech stack.

// Example of Protect.js usage
// and its simplicity.

import { protectClient, noteTable } from '@/protect';
import { getLockContext } from '@/auth';

const lockContext = await getLockContext();

const encryptedData = await protectClient
  .encrypt('Sensitive data from consultation', noteTable)
  .withLockContext(lockContext);

Additionally, they were reassured by the fact that CipherStash and Protect.js are built on well-understood, industry-standard primitives like AES and SHA2, and that we have compliance coverage for how we operate.

Implementing CipherStash

Journalia was confident enough in our solution to move straight to implementation without running a proof of concept. Implementation, including some customization for their IDP, took around three weeks from kickoff to production.

Journalia has been able to solve their complex security challenge in a way that enables their solution to be used easily by their customers, and released their app to their original timeline.

Start protecting your data

Get started by creating a free account and choosing your integration path, or get in touch to learn more.