![Collective Minds_logo.png]](https://help.collectiveminds.health/hs-fs/hubfs/Collective%20Minds_logo.png?height=22&name=Collective%20Minds_logo.png){kind=logo}
CM-Connect Technical Security: Encryption and Key Management
A technical overview of CM-Connect security: automated encryption, institutional hash secrets, and stateless recovery for secure clinical collaboration.
Data Encryption (In-Transit & At-Rest)
CM-Connect ensures that data is unreadable to unauthorized parties using industry-standard cryptographic protocols. This process is fully automated and does not require manual key management by hospital staff.
-
In-Transit Encryption: Data moving from the local CM-Connect gateway to the CM Platform is encrypted using TLS 1.2+ (Transport Layer Security). This is the same security standard used by global financial institutions.
-
At-Rest Encryption: Once data reaches the CM Platform, it is stored using AES-256 bit encryption, ensuring high-level security for all stored files.
Note: Encryption keys for data transport are handled automatically by the system. No specific person or administrator needs to hold or manage these keys.
Pseudonymization & The "Hash Secret"
To comply with global privacy regulations (such as GDPR and HIPAA), CM-Connect uses a Keyed Hashing process. This allows the institution to trace its own data without sending identifying patient information to the cloud.
What is the Hash Secret?
The "Hash Secret" is a unique cryptographic string generated for your institution. It is used to convert sensitive Patient IDs into anonymous "Hashed IDs" before they leave your firewall.
-
Ownership: The secret is tied to the Institution, not a specific individual.
-
Access Control: Authorized members of the institution can access the Patient Hash Calculator tool within the CM Platform. By entering a Patient ID, the tool uses the secret to identify the corresponding record in the cloud.
-
Security via "Split Knowledge": Because the original Patient IDs remain strictly within your PACS/Server and the Hash Secret is managed by the platform, neither party can de-anonymize data alone.
Resilience & Disaster Recovery
CM-Connect is designed as a "stateless" gateway to minimize the IT burden on your institution. This removes the need for complex local backups of the CM-Connect software.
| Scenario | Resolution |
| Local Server Failure | The institution simply performs a fresh re-installation. No local configuration backup is required. |
| Configuration Recovery | The CM Platform securely retains your institutional Hash Secret. Upon re-installation, your gateway is re-linked automatically. |
Technical FAQ: Security & Key Management
Q: If we lose our server, how do we "recover" our encryption?
A: You don't need to. Because the CM-Connect is a stateless gateway, a simple re-installation is all that's required. The CM Platform securely stores your institutional Hash Secret and will re-apply it to your new instance.
Q: Who is the "holder" of the encryption key at the hospital?
A: Access is governed by Role-Based Access Control (RBAC). Your designated System Administrators manage who has permission to use the Patient Hash Calculator.
Q: Does Collective Minds have access to our Patient IDs?
A: No. Your Patient IDs never leave your institution's firewall. CM-Connect performs the hashing locally. While the CM Platform stores the Hash Secret to facilitate your use of the Patient Hash Calculator, we have no way of knowing which Patient ID corresponds to which hash unless you manually provide that ID into the calculator tool.
Q: What happens if the Hash Secret is compromised?
A: The Hash Secret is encrypted at rest on our platform using AES-256. Furthermore, because the secret alone cannot de-anonymize data (it requires the original Patient ID stored in your PACS), it provides a "Two-Factor" style of data protection. Identification is only possible when the secret and the local patient data are brought together by an authorized user.
Last Updated: March 2026 | For further technical questions regarding CM-Connect security, please contact our support team.