# CipherStash - Journalia Customer Story

> Implementing robust encryption with CipherStash gave us peace of mind, knowing no one but the original data owners can access their data.
> -- Journalia

## About Journalia

[Journalia][3] is an AI-driven application designed to help health care workers by transcribing patient consultations and automatically generating structured medical notes, allowing physicians to focus fully on their patients.

Operating within Europe, Journalia must comply with stringent data security and privacy regulations, including the GDPR special categories for health data.

![Journalia](/images/case-studies/journalia.webp)

## Journalia's requirements

### Encryption

Patient notes may include Personally Identifiable Information (PII) and health data (a special category of data under the GDPR).
Due to their sensitive nature, it is essential to encrypt this information.

Traditional Application Level Encryption (ALE) approaches use either a single key for the whole database, or a small number of keys, perhaps one per table.
With CipherStash [Encryption][4], Journalia is able to generate a unique key for every value (in every column, in every row, in every table) in the database.

This maximises protection by limiting the blast radius of a potential attack, because an attacker would have to obtain many keys to decrypt all the data, and because a log is generated every time a key is used.
With these log insights, Journalia knows exactly which data was accessed, when, and by whom without having any access to the encrypted data.

### Patient confidentiality

Only the individual doctor who made the note should be able to decrypt and read it.

CipherStash does this by enabling permissions to be scoped down to individual pieces of data - provable with cryptography.
An integration with Journalia’s IDP of choice ensures the data owner’s identity is used to prove ownership.
With CipherStash’s context lock encryption, data can be locked to the context in which it was captured, in this case the doctor who created the patient note.
Locked data can only be accessed in the same context as it was captured; decryption needs both a valid key and the data owner’s JWT (issued by the IDP), making unauthorized access virtually impossible.
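
The idea of binding a per-value key to the data owner's identity can be sketched with standard primitives. This is an added illustration, not CipherStash's implementation or API: `rootKey`, `deriveKey`, `lockEncrypt` and `lockDecrypt` are hypothetical names, and the `sub` value is assumed to come from a JWT whose signature the IDP integration has already verified.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from 'node:crypto';

// Constructed root key for the demo; a real deployment keeps it inside a key service.
const rootKey: Buffer = randomBytes(32);

interface LockedValue {
  salt: Buffer; // unique per value, so every value gets its own data key
  iv: Buffer;
  tag: Buffer;
  ciphertext: Buffer;
}

// Derive a one-off AES-256 key bound to both the value (salt) and the owner (sub).
function deriveKey(salt: Buffer, sub: string): Buffer {
  return Buffer.from(hkdfSync('sha256', rootKey, salt, `lock:${sub}`, 32));
}

// Encrypt one value under a fresh key and record the owner as authenticated data.
function lockEncrypt(plaintext: string, sub: string): LockedValue {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(salt, sub), iv);
  cipher.setAAD(Buffer.from(sub, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Returns the plaintext, or null when the caller's identity does not match the lock.
function lockDecrypt(value: LockedValue, sub: string): string | null {
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(value.salt, sub), value.iv);
  decipher.setAAD(Buffer.from(sub, 'utf8'));
  decipher.setAuthTag(value.tag);
  try {
    return Buffer.concat([decipher.update(value.ciphertext), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed: wrong identity or tampered data
  }
}
```

Because the owner's identity feeds the key derivation, holding the root key alone is not enough: a caller presenting a different `sub` derives a different key and the authentication tag check fails.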

### Performance

ZeroKMS, CipherStash’s key management service built on top of AWS KMS, is both fast and scalable, thanks to its bulk operations and key binding (see the white paper on our [Trust Center][5] for details).
ZeroKMS has been designed for database encryption use cases.
Benchmarks show ZeroKMS is up to 14x faster than AWS KMS when using a data-key per record, particularly as the number of records increases.
No data-key caching or reuse is needed for decryption and performance is consistent even for large volumes of data.

## Choosing CipherStash

> CipherStash enabled us to achieve the same stringent level of encryption without needing to implement custom envelope encryption using AWS KMS or similar technologies.
> -- Journalia

While investigating encryption requirements and potential solutions, Journalia discovered CipherStash, which appeared perfectly suited for their use case.
With CipherStash’s Encryption, they found a solution that’s ideal for their needs (their app will do 10 to 20 different encryptions and decryptions at `INSERT` time and `SELECT` time) and tech stack.

```typescript
// Example of CipherStash Encryption usage
// and its simplicity.

import { encryptionClient, noteTable } from '@/encryption';
import { getLockContext } from '@/auth';

const lockContext = await getLockContext();

const encryptedData = await encryptionClient
  .encrypt('Sensitive data from consultation', noteTable)
  .withLockContext(lockContext);
```

Additionally, they were reassured by the fact that CipherStash and [Encryption][4] are built on well-understood, industry-standard primitives like AES and SHA2, and that we have compliance coverage for how we operate.

## Implementing CipherStash

Journalia was confident enough in our solution to move straight to implementation without running a proof of concept.
Implementation, including some customization for their IDP, took around three weeks from kickoff to production.

Journalia has been able to solve their complex security challenge in a way that enables their solution to be used easily by their customers, and to release their app on their original timeline.

[3]: https://www.journalia.no/
[4]: https://github.com/cipherstash/stack
[5]: https://trust.cipherstash.com/resources/


