Kinometric Kinometric Data Analyzer Test / Debug Tool
Intro Search Rankings Explorer Tuning Athena Users Patients Video Security Validate Scenarios
How Scoring Works
Metric What It Measures How It's Calculated
Score (0-10) Movement quality min() of 3s and 5s window scores. Each window: slide through data, find best q-diff range, map to 0–10 via knot curve. Capped at 7 unless 7s data exists (see 7s Bonus below).
Q-Diff Raw quaternion rotation range The q_diff_range from each window (max−min of q-diff values in best window). Explorer shows QD 3s, QD 5s, and QD 7s columns.
Risk Clinical risk level From worst score across all 4 test types: Critical <4, High 4–6, Moderate 6–8, Low ≥8
Stability % How still overall % of all data samples where q-diff < 0.005 threshold. Uses the entire test, not just a window.
Max Duration Longest stable stretch Longest continuous run of samples below threshold (in seconds).
Why Score and Stability Can Differ

Score and stability measure different things:

  • Score = best window's q-diff range (peak-to-valley), mapped through a curve. It asks: "In your best stretch, how much did you move?"
  • Stability % = fraction of all samples below threshold. It asks: "Across the whole test, how often were you still?"

A patient can be stable 95% of the time (high stability) but have one brief spike in their best window (lower score). Or they can have a very calm 7s window (high score) but be shaky for the rest of the test (low stability).

Note: The base score uses min() of 3s and 5s window scores. The 7s window is used separately for the bonus cap (see below).

Test Types
lbeoLeft Balance Eyes Open
rbeoRight Balance Eyes Open
lbecLeft Balance Eyes Closed
rbecRight Balance Eyes Closed
Balance/Difference

Absolute difference between average left scores and average right scores. Highlights asymmetry between sides.

Color: <1 green, 1–3 yellow, >3 red

Duration Penalty

Short tests are penalized:

  • Only 3s window exists (no 5s) → subtract 3 points
7-Second Bonus

Maximum score is capped at 7 unless the test has 7-second q-diff data. If 7s data exists, the cap is raised based on the q-diff range:

7s Q-Diff RangeMax Score
≤ 0.001510
0.0015 – 0.0029
0.002 – 0.0038
> 0.003 or no 7s data7
Fatigue Patterns
fatiguesGood short-term (≥7) but drops >3 by 7s
consistentGood short-term (≥7) and stays within 3
unstablePoor short-term (<7) with small drop
decliningPoor short-term (<7) and drops >2
Multi-Practice Architecture

Kinometric uses practice-level PHI isolation. Each practice (clinic/organization) is a separate data boundary with its own patients, test results, and questionnaire data.

Data Model
TablePurpose
practicesPractice/clinic records. Each can have its own athenaOne API credentials.
user_practicesMany-to-many: users belong to 1+ practices with a role (admin, clinician, readonly).
patients.practice_idEvery patient belongs to exactly one practice.
test_results.practice_idEvery test result scoped to one practice.
questions.practice_idEvery questionnaire scoped to one practice.
Roles
adminFull access: manage users, providers, patients, view all data within practice
clinicianStandard access: manage patients, run tests, view results
readonlyView-only: can see patients and results but cannot modify
superadminCross-practice access (is_admin=true). Bypasses all filters.
super testerRapid-fire testing: auto-bypasses duplicate test check, batch test storage (is_super_tester=true)
Patient Types
Athena PatientLinked to athenaOne EMR via athena_patient_id. PDF upload to EMR available.
Non-Athena PatientStandalone in Kinometric. Same test/score/PDF workflow. No EMR upload. Used for test/demo or practices without EMR.
How Isolation Works
  • Every API request resolves an active practice: explicit active_practice_id param → session → user's default → first membership
  • addPracticeFilter() appends AND practice_id = :id to all PHI queries
  • New patients, tests, and questions are stamped with the active practice_id
  • 31 PHP endpoints enforce practice scoping via practice_filter.php
  • Superadmins bypass all filters for administrative oversight
Patient Search
ID First Name Last Name DOB Patient ID Sex
Patient Rankings 0 patients

Loading rankings...

Name ▲ DOB ▲ Last Test ▲ Best ▲ Worst ▲ Bal/Diff ▲ Max Dur ▲ Q-Diff ▲ Risk ▲ AI
Risk Explorer 0 patients

Loading data...

Name ▲ DOB ▲ Last Test ▲ Best ▲ Worst ▲ Bal/Diff ▲ Max Dur ▲ QD 3s ▲ QD 5s ▲ QD 7s ▲ Stability ▲ Risk ▲ AI
Parameter Tuning Guide click to expand

This tool lets you experiment with how balance scores are calculated without affecting production data. Adjust parameters, re-analyze all ~800 CSV files, and see how score distributions change.

The scoring curve maps q-diff range (sensor movement variability) to a raw score (0-10). Lower q-diff = more stable = higher score.

  • Drag points on the chart to adjust the curve visually
  • Edit exact values in the knot table below the chart
  • Add/remove points to change curve complexity
  • Between points, scores are linearly interpolated
  • Values outside the curve range are clamped to the nearest endpoint

Production uses 6 knot points. Fewer points = smoother curve, more points = finer control.

After the curve produces a raw score, the rescale function maps it to the final 0-10 range. This controls score distribution shape.

  • Linear (default) — even spread between low and high bounds
  • Power — power >1 compresses high scores, <1 compresses low scores
  • Sigmoid — S-curve that clusters scores near the midpoint
  • Exponential — emphasizes differences at the high end
  • None — use raw score directly (no rescaling)

Low/High Bounds define the raw score range that maps to 0-10. Scores outside bounds are clamped.

  • Start Row — skip initial sensor samples (warmup period). Default 200 (~2 seconds at 100Hz)
  • Stable Threshold — q-diff below this is considered perfectly stable. Lower = stricter
  • Outlier Percentile — use this percentile of q-diff to ignore spikes. 98 = ignore top 2%
  • Aggregation — how to combine multiple time windows into one score: Min (worst window, strictest), Max (best window, most lenient), Mean, or Median
  • Target Windows — time windows in seconds to analyze. Each window is scored independently, then aggregated

Production defaults: start=200, threshold=0.02, percentile=98, aggregation=min, windows=3,5,7

  • Save/Load presets to keep parameter configurations you want to compare
  • Import/Export as JSON files to share configurations
  • Run Analysis processes all ~800 cached CSV files (~40 seconds)
  • Score Calculator lets you test a single q-diff value against current settings instantly
  • Rebuild Cache re-extracts data from CSV files (only needed if new test files are added)

Typical workflow: load production preset, adjust one parameter, run analysis, compare distributions. Nothing writes to the database.

Scoring Curve (drag points to adjust)
Point Q-diff Range (X) Raw Score (Y) Final Score Tests in Range Target
Score Calculator
Raw: -
Rescaled: -
Scoring Mode
Score from q-diff range across windows

Score from longest stable stretch. Map seconds to 0-10 score.

Duration Penalty

Penalty subtracted from score when test recording is too short for all analysis windows. Set to 0 to disable.

0 penalized
Rescale Function
Analysis Parameters
Patient Summary
Patient Overall Left Q-diff Right Q-diff LBEO RBEO LBEC RBEC
Score Distribution 0 files
Individual Results
File ▲ Patient ▲ Type ▲ Date ▲ Score ▼ Risk ▲ 3s ▲ 5s ▲ 7s ▲ Worst Q-diff ▲ Worst Bal ▲ Stable% ▲ Penalty ▲

Running analysis...

Patients in Range
0
Name Type Date Score Risk Worst Q-diff 3s 5s 7s Stable% Penalty
Sandbox Explorer SANDBOX
click to collapse
Browse the athenaOne sandbox environment directly. Developer Portal | API Docs
Data Model: athenaOne vs Kinometric click to expand
athenaOne Hierarchy

Practice — The top-level entity (our sandbox is practice 195900). A practice is a medical business (e.g., "Kinometric Physical Therapy"). Everything lives under a practice.

Departments — Physical locations or logical divisions within a practice. Think "Main Office", "Downtown Clinic", "Satellite Office". Our sandbox has 32 departments. Each has its own address, phone, and scheduling.

Providers — Doctors, PTs, clinicians who see patients. A provider can work at multiple departments (e.g., Dr. Smith sees patients at both Main Office and Downtown). Providers have IDs and schedules tied to departments.

Patients — People receiving care. A patient belongs to the practice (not a single department), which is why a patient ID works across all departments. However, athenaOne tracks a primarydepartmentid and many API calls require a departmentid for billing/scheduling context.

Practice (195900)
├── Department 1 (Main Office)
│   ├── Provider 71 (sees patients here)
│   └── Provider 22 (sees patients here)
├── Department 21 (Satellite)
│   └── Provider 71 (also works here)
└── Patients (practice-wide, not dept-locked)
    └── Patient 2201 — primary dept 1, provider 71
Kinometric Database Mapping
athenaOneKinometric DBStatus
Practice practices table Mapped — multi-practice system with per-practice Athena config, patient/test/question isolation
Department departments table Partial — 4 departments exist (PASS-TEST, PASS-MD, PASS-FL, PASS-PA) but no link to practices table; no athena department ID mapping
Provider providers table Partial — 9 providers linked to departments; used for patient isolation via provider_id. No athena provider ID mapping
Patient patients table Mapped — realpatientid stores athena patient ID; practice_id + provider_id for isolation
Location locations table Internal — 5 physical locations under departments; no athena equivalent
Gaps
  • No department ↔ practice link: departments has no practice_id FK. In athenaOne, departments are per-practice.
  • No athena ID on providers/departments: We can't match our Dr. Rao to athena provider 71, or our PASS-MD to athena department 1.
  • Provider belongs to one department: Our providers.department_id is a single FK. In athenaOne, providers work across multiple departments.
  • Patient → provider is optional: Only 4 of 389 patients have a provider_id. The practice_id system handles isolation instead.
Access Token
Not loaded
Env: — | Practice: — | Expires: —
Practice Info
Click Load to fetch practice details
Patient Browser
IDNameDOBSexStatus
0 patients
Patient
  • Problems
  • Meds
  • Allergies
  • Vitals
  • Encounters
  • Labs
Click a tab to load clinical data
Upload Log
click to expand 
No log loaded yet.
Patient Verification
NameDOBReal ID
Kinometric
-
athenaOne
-
Upload Test
Documents in Chart
IDNoteDateStatus
Verify a patient to see documents
To view/download uploaded PDFs, open the patient chart in the athenaOne portal.
Department Browser click to expand
IDNameAddressPhoneState
Loading...
Connection Health click to expand
API Ping: ...
Token: ...
Environment: ...
Practice: ...
User Accounts
ID Username Display Name Email Admin Practices Actions
Loading...
Add User
Practice Memberships
Reset Password —
Patients
ID First Name Last Name DOB Patient ID Sex Actions
Loading...
Add Patient
Kinometric Video
Your browser does not support the video tag.
Security & HIPAA Compliance

Server-side security controls protecting credentials, config files, and infrastructure.


Loading audit...

Authentication mechanisms and access control for API and web interfaces.

athenaOne integration security — OAuth, data flow, input validation, and access controls.

HIPAA Security Rule compliance checklist with specific CFR references. Last audited: February 2026.

Administrative Safeguards (45 CFR 164.308)
RequirementCFRImplementationStatusEvidence
Risk Analysis§308(a)(1)(ii)(A)Annual risk assessment covering all PHI, threats, and safeguardsDone
Risk Management§308(a)(1)(ii)(B)Controls implemented per risk assessment findings; gap remediation trackedDone
Sanction Policy§308(a)(1)(ii)(C)Confidentiality agreement includes consequences for violation (termination, penalties)Done
Information System Activity Review§308(a)(1)(ii)(D)HIPAA audit log reviewed; automated security audit scripts run monthlyDone
Security Officer§308(a)(2)Formal designation pending — development team manages securityPending
Workforce Security§308(a)(3)Multi-practice isolation via practice_filter.php. Roles: admin, clinician, readonly per practice. Superadmin bypasses for oversight. 31 endpoints enforced.Done
Access Management§308(a)(4)3 active users, unique accounts, no shared credentials, admin-managedDone
Security Awareness Training§308(a)(5)Staff confidentiality agreement signed before access; formal program pendingPartial
Security Incident Procedures§308(a)(6)Breach response plan with 5-step procedure, 5 scenarios, notification timelinesDone
Contingency Plan§308(a)(7)Automated nightly encrypted backups to off-site server; restore testedDone
Evaluation§308(a)(8)Annual risk assessment; automated security audits; 225 automated API tests + 75 Python unit testsDone
Business Associate Agreements§308(b)Linode BAA: in progress. Anthropic, Microsoft: pending.In Progress
Physical Safeguards (45 CFR 164.310)
RequirementCFRImplementationStatusEvidence
Facility Access Controls§310(a)(1)Hosted in Linode/Akamai data center (SOC 2 certified, physical access controls)Done
Workstation Use§310(b)SSH key authentication only; no shared accounts; UFW firewallDone
Workstation Security§310(c)Server: SSH/HTTP/HTTPS only (UFW). No physical access except via Linode.Done
Device & Media Controls§310(d)No PHI cached on mobile devices (in-memory only); CSV files server-side; patient delete cascades to filesDone
Technical Safeguards (45 CFR 164.312)
RequirementCFRImplementationStatusEvidence
Unique User Identification§312(a)(2)(i)Each user has unique username + user_id; no shared accountsDone
Emergency Access§312(a)(2)(ii)Superadmin account + direct database access availableDone
Automatic Logoff§312(a)(2)(iii)15-minute idle timeout: PHP server-side + JS client-sideDone
Encryption at Rest§312(a)(2)(iv)Backups: AES-256 GPG. Emailed PDFs: AES-256. Server disk: Linode encryption pending.Partial
Audit Controls§312(b)HIPAA audit log (JSON, who/what/when/IP); auth logs; error logs; auto-prunedDone
Integrity Controls§312(c)(1)Parameterized SQL, input validation, base64 validation, path traversal preventionDone
Authentication§312(d)bcrypt password hashing; 64-char random session tokens; per-request verificationDone
Transmission Security§312(e)(1)TLS 1.2/1.3 on all connections; HTTPS enforced; OAuth2 for athenaOneDone
Organizational & Policy Requirements
RequirementCFRImplementationStatusEvidence
Risk Assessment Document§308(a)(1)PHI inventory, 14 threats rated, safeguard checklist, gap analysisDone
Breach Response Plan§308(a)(6)5-step procedure, 5 scenarios, notification timelines, documentation requirementsDone
Staff Confidentiality Agreement§308(a)(3)PHI handling, device security, reporting obligations, consequences; signed before accessDone
Password Policy§312(d)8+ chars, uppercase + lowercase + number, cannot match username; enforced on all entry pointsDone
Backup & Recovery§308(a)(7)Nightly: pg_dump + CSV + configs + code → GPG AES-256 → rsync to off-site server. 30-day retention. Restore tested.Done
Data Disposal§310(d)(2)Patient delete cascades to test_results, questions (FK), and CSV files on diskDone
Email PHI Protection§312(e)(1)No patient names in email subject or filename; PDF encrypted with AES-256 passwordDone
API Key Management§312(a)(1)Keys in /etc/ with 640 permissions; excluded from git; rotated Feb 2026Done
Open Items
ItemDescriptionStatusTarget
BAA — Linode/AkamaiBAA requested, business info submitted. Awaiting agreement from Linode.In ProgressQ1 2026
BAA — AnthropicRequired for AI analysis feature (sends scores + questionnaire, no names)PendingQ1 2026
BAA — MicrosoftRequired for Graph API email (sends encrypted PDF reports)PendingQ1 2026
Server Disk EncryptionEnable Linode local disk encryption (AES-256). Requires instance migration.PendingQ1 2026
2FA for Admin AccountsInfrastructure exists (is_2fa_on column); not yet enabled for active usersPendingQ2 2026
Security Officer DesignationFormal written designation of HIPAA Security OfficerPendingQ1 2026
Formal Training ProgramSecurity awareness training beyond confidentiality agreementPendingQ2 2026
Run tmp_secure.shServer hardening script (8 sections): requires sudo bash tmp_secure.shPendingQ1 2026
Compliance Documents
#DocumentDescriptionDatePath
HIPAA Policy Documents
1Risk AssessmentPHI inventory, 14 threats analyzed, safeguard checklist, gap analysis with remediation targetsFeb 2026
2Breach Response Plan5-step incident response (Contain→Investigate→Assess→Notify→Remediate), 5 scenarios, HHS notification timelinesFeb 2026
3Staff Confidentiality AgreementWorkforce agreement: PHI rules, device security, reporting obligations, consequences. Sign before access.Feb 2026
athenaOne Integration
4API Technical SpecificationFull athenahealth submission document: security questions, 5 use cases, workflow, API summary, complianceFeb 2026
5Validation Plan5-phase go-live plan: sandbox testing (11 cases), tech spec submission, production credentials, validation, go-liveFeb 2026
6Workflow Graphic PromptMermaid diagram + ChatGPT prompt for generating polished architecture diagram for tech specFeb 2026
7App Upload Button SpecImplementation spec for Flutter Athena upload: endpoint, request/response, guard rails, error handlingFeb 2026
8App Upload Field MappingField-by-field mapping: FFAppState → JSON request body, pattern to follow (same as Email PDF)Feb 2026
Infrastructure
9Backup Scripts3 scripts: nightly encrypted backup (DB+CSV+configs+code), setup wizard, restore tool. AES-256 GPG → off-site.Feb 2026backup/*.sh
10Password PolicyShared PHP validation: 8+ chars, upper+lower+number, no username match. Enforced on all 3 entry points.Feb 2026password_policy.php
11Session Timeout15-min idle timeout (PHP server-side + JS client-side). Shared include for 12 legacy pages + SPA.Feb 2026session_timeout.php
12Patient Data CleanupCascade delete: FK on questions, CSV file deletion on patient remove. All 3 delete handlers updated.Feb 2026patient_cleanup.php
13Server Hardening Script8-section hardening: tmp permissions, log rotation, file permissions, firewall verification. Requires sudo.Feb 2026tmp_secure.sh
Multi-Practice System
14Practice Filter ModuleCore multi-practice PHI isolation: getUserPractices, getActivePracticeId, addPracticeFilter, canAccessPatient, canAccessTest, isSuperAdmin. 31 endpoints enforced.Feb 2026practice_filter.php
15Migration ScriptCreates practices + user_practices tables, adds practice_id to patients/test_results/questions, migrates all data, enforces NOT NULL.Feb 2026
16athenaOne Tech Spec (Updated)Updated with multi-practice data model, per-practice Athena credentials, non-Athena patient support.Feb 2026
Audit Trail: This checklist is maintained in source control. Policy documents are in /var/www/kinometric/docs/. Automated tests: 225/225 API + 75/75 Python passing. Multi-practice isolation: 31 endpoints enforced. Last audit: February 19, 2026.
Document

Android/iOS app security — HIPAA-compliant data handling, authentication, and device protection.

1. Data Protection
Encryption in Transit
ProtocolDetailsStatus
TLS VersionTLS 1.2 and TLS 1.3 supportedActive
Cipher SuitesAES-256-GCM, ChaCha20-Poly1305Active
Key ExchangeECDHE (Elliptic Curve Diffie-Hellman Ephemeral)Active
Certificate2048-bit RSA with SHA-256 signatureActive
Encryption at Rest (Device)
Storage TypeEncryption MethodStatus
Login CredentialsAES-256 via iOS Keychain / Android EncryptedSharedPreferencesActive
Session TokensHardware-backed secure storage (Secure Enclave / Keystore)Active
Test Data FilesDevice-level encryption (FileVault / Android FBE)Active
Cached DataEncrypted application sandboxActive
Data Minimization
Data TypeWhat We CollectWhat We DON'T Collect
Patient IdentityInternal ID number onlyFull SSN, insurance numbers
Test ResultsBalance measurements, timestampsGPS location, device identifiers
File NamesAnonymized ID {id}-{type}-{d}-{m}-{y}.csvPatient name, DOB in filename
Error LogsTechnical errors onlyPatient data, test results
2. Authentication & Access Control
Password Authentication
FeatureImplementationStatus
TransmissionPasswords sent over TLS, never in plain textActive
Server Storagebcrypt hashed with unique salt per userActive
Password PolicyMinimum 8 characters, requires uppercase + lowercase + number, cannot match usernameActive
Session Tokens64-char hex key regenerated on each login, invalidates previousActive
Practice Isolationpractice_filter.php multi-practice PHI isolation (31 endpoints). Roles: admin, clinician, readonly per practice.Active
Biometric Authentication
PlatformTechnologySecurity LevelStatus
iOSTouch ID / Face IDHardware-secured, Secure EnclavePlanned
AndroidFingerprint / Face UnlockTEE (Trusted Execution Environment)Planned
How biometric login works: On first login, authenticate with username/password. If biometric is enabled, encrypted credentials are stored in the device's secure hardware. Subsequent logins use fingerprint/face to unlock the secure storage. Your biometric data never leaves your device.
Session Security
FeatureSettingPurposeStatus
Inactivity Timeout15 minutesLocks session after no user activityPlanned
Activity DetectionTouch, scroll, navigationResets timeout on any interactionPlanned
Session LockRequires re-authenticationBiometric or password to resumePlanned
Token ExpirationServer-enforcedNew key on each login invalidates previousActive
Role-Based Access (Multi-Practice)
RoleScopeCapabilities
readonlySingle practiceView patients and results within practice (no modifications)
clinicianSingle practiceManage patients, run tests, view results within practice
adminPractice managementUser management, audit logs, all patients in practice
superadminCross-practiceAll patients across all practices. Security dashboard, infrastructure.
Multi-practice: Users can belong to multiple practices with different roles in each. A user might be admin in one practice and clinician in another. The active practice determines which data is visible.
3. Application Security
Tamper Protection
CheckWhat It DetectsAction TakenStatus
Debug Mode DetectionApp running in development modeWarning logged, restricted in productionPlanned
Jailbreak/Root DetectionCompromised device OSUser warned, may restrict PHI accessPlanned
App Signature VerificationModified/repackaged APKBlocks execution if signature invalidPlanned
Debugger DetectionAttached debugging toolsPrevents runtime inspectionPlanned
No Hardcoded CredentialsSecrets in source codeDev backdoor removed, REST API replaces SFTPActive
Code Protection
TechniqueToolPurposeStatus
Code ShrinkingR8/ProGuardRemoves unused code, reduces attack surfacePlanned
ObfuscationR8/ProGuardRenames classes/methods to meaningless namesPlanned
Dart ObfuscationFlutter --obfuscateObfuscates Dart/Flutter codePlanned
Debug Symbol Removal--split-debug-infoSeparates debug symbols from releasePlanned
OWASP Mobile Top 10 Coverage
RiskMitigation
M1: Improper Platform UsageProper use of iOS Keychain, Android Keystore
M2: Insecure Data StorageEncrypted storage, no sensitive data in logs
M3: Insecure CommunicationTLS 1.2+, certificate validation
M4: Insecure AuthenticationBiometrics, session timeout, strong passwords
M5: Insufficient CryptographyAES-256, industry-standard algorithms
M6: Insecure AuthorizationServer-side access control, role-based access
M7: Client Code QualityCode review, static analysis, testing
M8: Code TamperingIntegrity checks, obfuscation, signature verification
M9: Reverse EngineeringObfuscation, no hardcoded secrets
M10: Extraneous FunctionalityNo debug endpoints in production
4. Privacy by Design
Anonymization
Data ElementPrivacy Approach
File NamesInternal ID instead of patient name (e.g., 437-lb-eo-16-2-2026.csv)
Internal IDsSystem-generated numbers, not SSN or MRN
Test ResultsAssociated with internal ID only, no PII in data files
Error LogsScrubbed of all patient identifiers before collection
Crash ReportsTechnical data only, no PHI included
Data Retention
Data TypeRetention PeriodDeletion Method
Test ResultsPer practice policy (typically 7 years)Secure overwrite
Audit Logs6 years minimum (HIPAA requirement)Archived, then destroyed
Session DataUntil logout or timeoutMemory cleared
Local Test FilesDeleted after successful uploadSecure file deletion
Third-Party Data Sharing
VendorData SharedBAA Required
Anthropic (AI Analysis)Scores + questionnaire only (no names)Yes
athenaOne (EHR)PDF reports via authenticated APIYes
Microsoft Graph (Email)PDF reports via emailYes
Hosting ProviderServer infrastructureYes
5. Technical Summary (IT/Compliance)
Mobile Application Security Features
FeatureiOSAndroid
Biometric AuthTouch ID / Face ID via LocalAuthenticationBiometricPrompt API
Secure StorageKeychain Services (kSecAttrAccessibleWhenUnlocked)EncryptedSharedPreferences (AES-256-GCM)
Session Timeout15-min NSTimer with activity tracking15-min Handler with touch event monitoring
Code ObfuscationDart obfuscation (--obfuscate)ProGuard/R8 + Dart obfuscation
Certificate ValidationNSURLSession server trust evaluationOkHttp with certificate transparency
Integrity CheckJailbreak detection (Cydia, sandbox escape)Root detection (su, Magisk), signature verification
Network SecurityApp Transport Security (ATS) enforcedNetwork Security Config (cleartext blocked)
Data at RestFileProtection Complete Until First AuthFile-Based Encryption (FBE)
Cryptographic Standards
PurposeAlgorithmKey SizeStandard
Data EncryptionAES-GCM256-bitNIST SP 800-38D
Password HashingbcryptCost factor 12OWASP recommendation
TLSTLS 1.2/1.3ECDHE-256RFC 8446
Random GenerationSecureRandomN/APlatform CSPRNG
Compliance Standards
StandardCoverageNotes
HIPAA Security RuleFull45 CFR Part 164, all safeguards
HIPAA Privacy RuleFull45 CFR Part 160 and 164
HITECH ActFullBreach notification, penalties
NIST CSFAlignedIdentify, Protect, Detect, Respond, Recover
OWASP MASVSLevel 2Mobile Application Security Verification
OWASP ASVSLevel 2Application Security Verification (API)
Overall Security Status
Security FeatureTechnologyComplianceStatus
Encryption in transitTLS 1.2/1.3 (HTTPS)164.312(e)(1)Active
Encryption at rest (device)Keystore / Keychain164.312(a)(2)(iv)Active
Encryption at rest (server)Disk encryption (LUKS)164.312(a)(2)(iv)Not Yet
Authenticationbcrypt + 64-char tokens164.312(d)Active
Access controlpractice_filter.php (15 endpoints)164.312(a)(1)Active
Audit loggingJSON Lines (who/what/when/IP)164.312(b)Active
Secure uploadREST API (back_upload_csv.php)164.312(e)(1)Active
Input validationParameterized SQL, ID checksOWASP Top 10Active
Biometric authFingerprint / Face ID164.312(d)Planned
Session timeout15-min idle timeout (PHP + JS)164.312(a)(2)(iii)Active
Tamper detectionIntegrity + root/jailbreak164.312(c)(1)Planned
Code obfuscationR8 + Flutter --obfuscateBest PracticePlanned
Firewallufw (22/80/443 only)164.312(e)(1)Ready
DB localhost bindingPostgreSQL localhost only164.312(e)(1)Ready
Security questions: security@kinometric.com | Vulnerability reports: security@kinometric.com | BAA requests: legal@kinometric.com
Last updated: February 2026

HIPAA-required access audit log — every patient data access is recorded.

HIPAA Incident Response Plan — 45 CFR 164.308(a)(6) & 164.408

New Incident Report
Incident Log

No incidents reported. Use the button above to report a security incident.

Incident Response Process

HIPAA requires covered entities to identify, respond to, and mitigate security incidents. 45 CFR 164.308(a)(6)(ii)

Phase 1: Detection & Reporting 0-1 hours
  1. Identify the incident — unauthorized access, data breach, system compromise, credential leak
  2. Document immediately — what, when, who discovered, what systems/data affected
  3. Report — notify the Security Officer (Charlie Rogers) and management (Anant Johnson)
  4. Preserve evidence — do NOT delete logs, do NOT reboot servers. Screenshot/export the HIPAA audit log
  5. Check audit log — review athena_hipaa_audit.log for unauthorized patient access patterns
Phase 2: Containment 1-4 hours
  1. Isolate affected systems — disable compromised user accounts, revoke encryption keys
  2. Rotate credentials — Athena OAuth keys, DB password, API keys, user passwords
  3. Block access — update firewall, change SSH keys, disable unnecessary accounts
  4. Preserve the HIPAA audit log — copy test/logs/athena_hipaa_audit.log to secure backup
  5. Check Athena — review what patient data was accessed via the audit log
Phase 3: Investigation 1-7 days
  1. Determine scope — which patients' data was accessed? How many records?
  2. Run audit scripts:
    php monthlyAuditScripts/security_audit.php
    php monthlyAuditScripts/athena_access_audit.php
  3. Review server logs — Apache access logs, auth logs, syslog
  4. Determine root cause — how did the breach occur?
  5. Assess if PHI was actually viewed/exfiltrated — breach vs. security incident
Phase 4: Notification Within 60 days

HIPAA Breach Notification Rule — 45 CFR 164.400-414

  1. Determine if breach notification is required — was unsecured PHI accessed by unauthorized person?
  2. Notify affected individuals within 60 days of discovery (164.404)
  3. Notify HHS — if <500 individuals: annual report. If 500+: within 60 days (164.408)
  4. Notify media — if 500+ individuals in a single state (164.406)
  5. Notify Athena Health — as business associate, per BAA terms
Phase 5: Remediation & Documentation Ongoing
Remediation:
  1. Fix the vulnerability that caused the incident
  2. Run full security audit to check for related issues
  3. Update security controls (firewall rules, access policies)
  4. Re-run credential rotation check
  5. Implement additional monitoring if needed
Documentation (retain 6 years — 164.530(j)):
  1. Incident report (date, description, scope)
  2. Investigation findings and root cause
  3. List of affected individuals
  4. Notifications sent (copies)
  5. Remediation actions taken
  6. HIPAA audit log exports for the incident period
Key Contacts
Security Officer:
Charlie Rogers
charlie.rogers@flightsystems.net
Management:
Anant Johnson
anant@johnsonconsultingllc.com
Athena Contact:
Jake Millhausen
jake@johnsonconsultingllc.com
Practice Contact:
Laura Cossick
lcossick@painandspinespecialists.com
HHS Breach Portal: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf

Security awareness training program for all workforce members handling PHI. Required by 45 CFR 164.308(a)(5).

Current Status
Partial Staff confidentiality agreement is signed before access is granted. Formal recurring training program is proposed below.

Reference: docs/hipaa_staff_confidentiality.md —

Proposed Security Training Program

The following training modules address HIPAA Security Rule requirements. Each module should be completed by all workforce members upon hire and annually thereafter. Completion must be documented and retained for 6 years per 45 CFR 164.530(j).

# Module Topics Covered Duration Frequency CFR Reference
1 HIPAA Fundamentals
  • What is PHI and ePHI
  • Privacy Rule vs Security Rule overview
  • Covered entities and business associates
  • Patient rights (access, amendment, accounting)
  • Penalties for non-compliance (civil & criminal)
 30 min Annual §164.530(b)
2 Password & Authentication Security
  • Password policy requirements (8+ chars, upper/lower/number)
  • Never share credentials or encryption keys
  • Recognizing phishing and social engineering
  • Multi-factor authentication (when implemented)
  • Session timeout behavior and why it matters
 20 min Annual §164.308(a)(5)(ii)(D)
3 PHI Handling & Data Security
  • Proper handling of patient balance data and reports
  • No PHI in email, Slack, or unencrypted channels
  • Secure CSV file storage and transfer procedures
  • Minimum necessary standard (access only what you need)
  • Proper disposal of printed or temporary PHI
 20 min Annual §164.312(a)(1)
4 Mobile Device & App Security
  • Kinometric tablet/phone app security features
  • Device lock screen and auto-lock requirements
  • What to do if a device is lost or stolen
  • Approved networks for data transmission
  • Never store PHI on personal devices
 15 min Annual §164.310(d)(1)
5 Incident Reporting & Breach Response
  • Recognizing a security incident (unauthorized access, data loss)
  • Immediate reporting procedure and who to contact
  • Breach notification timeline (60-day rule)
  • Documentation requirements for incidents
  • Non-retaliation policy for reporting
 15 min Annual §164.308(a)(6)
6 Practice Isolation & Access Controls
  • Provider-based patient isolation (how it works in Kinometric)
  • Role-based access: admin vs standard user vs superadmin
  • Audit logging — all actions are recorded
  • Requesting/revoking access for new/departing staff
  • Reviewing your own audit trail
 15 min Annual §164.312(a)(1)
Total Training Time ~2 hours
Implementation Plan
PhaseTargetActionsStatus
Phase 1: Foundation Completed Staff confidentiality agreement created and signed by all current users before access Done
Phase 2: Program Design Q2 2026 Develop training materials for all 6 modules; create knowledge assessment questions; set up completion tracking In Progress
Phase 3: Initial Rollout Q2 2026 All current workforce members complete training; document completion dates; address any knowledge gaps Planned
Phase 4: Ongoing Annual Annual refresher training; update materials for new threats; train new hires within 30 days of access Planned
Workforce Training Status
Name Role Confidentiality Agreement Training Completed Next Due Status
steve Admin Signed — Q2 2026 Agreement Only
Dan User Signed — Q2 2026 Agreement Only
efsi Superadmin Signed — Q2 2026 Agreement Only

Policy: New workforce members must complete all 6 modules within 30 days of being granted PHI access. Annual refresher training is due on the anniversary of initial completion. Records retained for 6 years per 45 CFR 164.530(j).

Required Training Records

Per HIPAA, the following must be documented and retained for each training event:

  • Date of training and modules completed
  • Names of attendees and their roles
  • Training materials used (version and content summary)
  • Assessment results (if knowledge check is administered)
  • Signature or electronic acknowledgment of completion
  • Trainer name and qualifications

Generate a comprehensive HIPAA compliance report for auditors. Includes every safeguard requirement, implementation details, status, and evidence.

HIPAA Compliance Report

This report compiles all compliance details from the HIPAA checklist into a single downloadable document. It covers Administrative, Physical, and Technical Safeguards plus Organizational Policies — 32 line items total with specific implementation evidence for each.

Report Contents
  1. Cover Page — Title, date, prepared for/by, organization
  2. Executive Summary — Overall compliance posture, counts by status
  3. System Description — Architecture, PHI inventory, data flow
  4. Administrative Safeguards (45 CFR 164.308) — 12 requirements
  5. Physical Safeguards (45 CFR 164.310) — 4 requirements
  6. Technical Safeguards (45 CFR 164.312) — 8 requirements
  7. Organizational & Policy Requirements — 8 requirements
  8. Gap Analysis & Remediation Plan — Open items with target dates
  9. Document Inventory — All policy documents with descriptions
Daily Upload Validation 0 files
0
Files Found
0
Scored
0
Insufficient
0
At Risk (<6)

Scoring files...

No CSV files found for this date.

Patient ▲ Type ▲ Score ▲ Risk ▲ Max Dur ▲ QD 3s ▲ QD 5s ▲ QD 7s ▲ Stability ▲ Fatigue ▲ Penalty ▲ 7s Bonus ▲
Accelerometer Data (accMag)

Executive Summary
Worst Score
Accelerometer Data (accMag)
Questionnaire Responses
Changes from Previous Test
AI Analysis
This analysis is AI-generated and intended to support clinical interpretation. It is not a standalone diagnosis and should not replace professional medical judgment.
Login Required
PDF Report
Scoring Curve Help
What does this chart show?

The chart displays the composed scoring function — the knot-point curve combined with the rescale transform. The Y-axis shows the Final Score (0–10) that a patient will actually receive for a given Q-diff value.

Risk Bands

The colored background bands map final scores to risk categories:

ScoreRisk LevelColor
8 – 10LowGreen
6 – 8ModerateOrange
4 – 6HighRed
0 – 4CriticalDark Red
How to read it
  • X-axis (Q-diff Range) — the magnitude of quality deviation detected in the data. Larger values mean bigger anomalies.
  • Y-axis (Final Score) — the score after both the knot curve and the rescale transform are applied. This is the number that appears in reports.
  • Blue dots — knot points that define the curve shape. Drag them to adjust.
How to adjust the curve
  1. Drag a knot point up or down to change the final score at that Q-diff. The underlying raw value is computed automatically.
  2. Drag left/right to shift where a knot sits on the Q-diff axis.
  3. Add Point to insert a new knot for finer control.
  4. Edit the table below the chart for precise numeric entry (Raw Score column). The Final Score column updates automatically.
Common fixes
ProblemFix
Too many patients flagged CriticalPull the left-side knot points up so low Q-diffs produce higher scores
Not enough sensitivity to large deviationsPull the right-side knot points down into the High/Critical bands
Curve is too flat in the middleAdd a knot point in the flat region and drag it to create more separation
Rescale compresses scores too muchWiden the Rescale Low/High range, or switch to linear rescale type
Want sharper cutoffs between risk levelsUse sigmoid rescale type with a higher power value
Rescale settings

The rescale transform (in the right panel) maps raw knot-curve output to final scores. Changing rescale type, low, high, or power will update the chart and Final Score column immediately. The Score Calculator below the chart lets you test individual Q-diff values.