Skip to main content
Follow these security best practices to protect your medical data and maintain privacy when using Salud.

For Patients

Private Key Management

Your private key is the master key to all your medical records. Protect it carefully.
Critical: If you lose your private key, you permanently lose access to your medical records. There is no password recovery option.

Storing Your Private Key

1

Use a password manager

Store your private key in a reputable password manager:
  • Recommended: 1Password, Bitwarden, LastPass
  • Enable two-factor authentication on your password manager
  • Use a strong master password (20+ characters)
2

Create an encrypted backup

Keep an offline backup in case of emergency:
  • Write it down on paper and store in a safe
  • Use an encrypted USB drive (BitLocker, VeraCrypt)
  • Store in a bank safety deposit box for maximum security
3

Never store in plaintext

Avoid these dangerous practices:
  • ❌ Text files on your computer
  • ❌ Notes app on your phone
  • ❌ Email to yourself
  • ❌ Cloud storage (Dropbox, Google Drive) without encryption
  • ❌ Screenshots or photos

Private Key Security Rules

Your private key is like your medical records’ master password:
  • ❌ Don’t share with doctors (they get access tokens instead)
  • ❌ Don’t share with Salud support (we never ask for it)
  • ❌ Don’t enter it on untrusted websites
  • ❌ Don’t send via email, text, or messaging apps
If someone has your private key, they have full access to all your medical records.
Consider using separate Aleo accounts:
  • One account for medical records (your primary Salud key)
  • One account for financial transactions
  • One account for testing/development
This limits damage if one key is compromised.
For maximum security, consider rotating keys annually:
  1. Generate a new Aleo private key
  2. Create new medical records under the new key
  3. Grant yourself access from old records to new account
  4. Gradually migrate to the new key
Key rotation is advanced. Only do this if you fully understand the implications.

QR Code Security

QR codes contain access tokens - treat them with the same care as passwords.

QR Code Best Practices

Generate Fresh

Create a new QR code for each doctor visit - don’t reuse old ones.

Time-Limit

Use the minimum necessary access duration:
  • 1 hour for quick consultations
  • 24 hours for ongoing appointments
  • 7 days only for extended care

Delete After Use

Delete QR code screenshots after the doctor has scanned them.

Never Post Publicly

Don’t share QR codes in public channels (social media, forums, etc.).

What NOT to Do with QR Codes

  • Don’t text screenshots - use in-person scanning only
  • Don’t email QR codes - email is not secure
  • Don’t post on social media - even in “private” groups
  • Don’t save to photo gallery - delete after scanning
  • Don’t print and leave unattended - someone could photograph it
Best practice: Display the QR code on your phone screen and let the doctor scan it directly. This minimizes the risk of interception.

Device & Browser Security

Salud runs in your browser, so browser security is critical.

Secure Your Devices

1

Use trusted devices only

Only access Salud from devices you control:
  • ✅ Your personal computer
  • ✅ Your personal smartphone
  • ❌ Public computers (library, internet cafe)
  • ❌ Shared work computers
  • ❌ Friend’s or family’s devices (unless trusted)
2

Keep software updated

Ensure your system is fully patched:
  • Enable automatic updates for OS
  • Keep browser updated (Chrome, Firefox, Safari)
  • Update browser extensions regularly
3

Use antivirus/antimalware

Protect against malware that could steal keys:
  • Install reputable antivirus (Windows Defender, Malwarebytes)
  • Run regular scans
  • Avoid pirated software
4

Secure your network

Use secure network connections:
  • ✅ Home WiFi with WPA2/WPA3 encryption
  • ✅ Mobile data (cellular network)
  • ⚠️ Public WiFi only with VPN
  • ❌ Open/unencrypted WiFi networks

Browser Security

Browser extensions can access page content and potentially steal private keys:
  • Only install essential extensions
  • Review permissions before installing
  • Remove unused extensions
  • Be especially careful with wallet extensions
Note: Leo Wallet and Shield Wallet are safe - they’re designed for Aleo.
While Salud doesn’t persist keys, clear browser data periodically:
  1. Go to browser settings
  2. Clear browsing data
  3. Select “Cached images and files”
  4. Clear last 24 hours
For extra privacy, use incognito mode:
  • Session data is automatically cleared on close
  • Extensions are disabled by default
  • No browsing history saved
Incognito mode doesn’t protect you if your device is compromised. It only prevents local storage of browsing history.

Access Management

Manage who has access to your records and for how long.

Grant Access Wisely

1

Verify doctor address

Double-check the Aleo address before granting access:
  • Ask doctor to show their address on their device
  • Compare character-by-character (even one wrong character = wrong person)
  • Consider using QR code scanning for addresses to avoid typos
2

Use minimum necessary duration

Follow the principle of least privilege:
ScenarioRecommended Duration
Quick consultation1 hour (240 blocks)
Same-day appointment4 hours (960 blocks)
Follow-up within 24h24 hours (5,760 blocks)
Ongoing treatment (week)7 days (40,320 blocks)
You can always grant access again later. Start with shorter durations.
3

Review access regularly

Check your access grants periodically:
  • View all active grants in the Salud dashboard
  • Revoke any you no longer need
  • Check for unfamiliar addresses (potential compromise)
4

Revoke after appointment

Manually revoke access after the doctor has finished:
  • Don’t wait for automatic expiration
  • Reduces window of potential misuse
  • Good security hygiene

Red Flags to Watch For

Revoke access immediately if you notice:
  • Doctor asks for your private key (legitimate doctors never need it)
  • Unfamiliar addresses in your access grant list
  • Grants you don’t remember creating
  • Suspicious activity on your Aleo account
  • Unexpected transactions
If you suspect compromise, generate a new private key and migrate your records.

Data Entry Best Practices

How you enter medical data affects its security and usefulness.
Enter complete information without unnecessary details:Good: “Diagnosed with Type 2 diabetes, prescribed Metformin 500mg twice daily”Too vague: “Doctor visit”Too detailed: “Arrived at Dr. Smith’s office at 123 Main St at 2pm, waited 15 minutes, discussed family history for 10 minutes…”
Select the correct category for easier organization:
  1. General Health
  2. Laboratory Results
  3. Prescriptions
  4. Imaging/Radiology
  5. Vaccination Records
  6. Surgical Records
  7. Mental Health
  8. Dental Records
  9. Vision/Ophthalmology
  10. Other/Miscellaneous
Make records more useful by including:
  • Date of service
  • Healthcare provider name
  • Facility/clinic name
  • Test results with reference ranges
  • Medication dosages and frequencies

For Healthcare Providers

Verifying Access

As a doctor, always verify access before requesting patient records.
1

Scan patient's QR code

Have the patient display the QR code on their device and scan it:
  • Use a secure QR scanner app
  • Verify it contains an access token (not a phishing link)
  • Confirm the record ID matches what the patient expects
2

Verify access on-chain

Use Salud’s verification endpoint or the Aleo blockchain:
await aleoSDK.execute('verify_access', [
  access_token,
  your_doctor_address,
  record_id
]);
This checks:
  • Token exists and is valid
  • Your address matches
  • Access hasn’t been revoked
  • Access hasn’t expired
3

Request the encrypted record

If verification succeeds, request the encrypted record from the patient:
  • Patient provides the record data separately
  • You decrypt using your credentials
  • Record is visible for the duration of the grant
Important: The access token only proves permission - it doesn’t contain the medical data. Patients must separately share the encrypted record with you.

Doctor Account Security

Use Professional Address

Create a dedicated Aleo address for medical practice - don’t mix with personal use.

Secure Private Key

Store your doctor private key with the same security as patient keys (password manager, encrypted backup).

Audit Access

Keep a log of which patients granted you access and when for compliance purposes.

Respect Expiration

Don’t ask patients for extended access unnecessarily - respect time limits.

Compliance Considerations

While Salud provides the technical infrastructure, you’re responsible for compliance:
HIPAA & Regulatory ComplianceIf you’re a covered entity under HIPAA:
  • Salud is not a Business Associate - it’s a tool patients control
  • You’re responsible for your own record-keeping and reporting
  • Document patient consent for using blockchain-based records
  • Ensure your use complies with local healthcare regulations
  • Maintain traditional EHR systems as required by law
Consult with legal counsel before using Salud in a clinical setting.

Emergency Scenarios

Lost Private Key

If you lose your private key:
1

Check backups immediately

Search for any backups you created:
  • Password manager
  • Encrypted USB drives
  • Paper backups in safe
  • Bank safety deposit box
2

Accept permanent loss

If no backup exists, your records are permanently inaccessible:
  • No password recovery option
  • No “forgot password” mechanism
  • No support team can help
  • Records remain encrypted on blockchain forever
3

Create new account

Generate a new Aleo private key and start fresh:
  • Old records are lost
  • Create new records going forward
  • Re-enter important medical history manually
Prevention is key: Set up multiple backups before you lose your key. Once lost, recovery is impossible.

Suspected Compromise

If you suspect your private key has been compromised:
1

Revoke all access grants immediately

Go to Salud dashboard and revoke all active grants:
  • Prevents attacker from seeing what doctors can access
  • Limits scope of breach
2

Generate new private key

Create a new Aleo account:
  • Don’t reuse the compromised key
  • Store new key securely (password manager)
3

Migrate records

Create new records under the new account:
  • Re-enter important medical data
  • Leave old account dormant
  • Don’t grant access from old account
4

Monitor the compromised account

Watch for unauthorized activity:
  • Check Aleo blockchain explorer for transactions
  • Look for unexpected access grants
  • Document any suspicious activity

QR Code Leaked

If you accidentally shared a QR code publicly:
  1. Revoke the access grant immediately - the token becomes invalid
  2. Generate a new QR code with a fresh access token if still needed
  3. Check access grant history for any unauthorized access attempts
  4. Delete the leaked QR code image from wherever it was posted
Revocation is instant on the blockchain. As soon as you revoke, the token in the QR code becomes useless.

Security Checklist

Use this checklist to ensure you’re following best practices:

Patient Checklist

  • Private key stored in password manager
  • Encrypted backup created and stored securely
  • Private key never shared with anyone
  • Using trusted device with updated software
  • Antivirus/antimalware installed and running
  • Browser extensions minimized
  • QR codes generated fresh for each doctor
  • Access durations set to minimum necessary
  • Access grants reviewed regularly
  • Unused grants revoked promptly
  • Doctor addresses verified before granting access
  • Secure network used (not public WiFi)

Doctor Checklist

  • Professional Aleo address created for medical use
  • Doctor private key secured (password manager)
  • Access verification performed before requesting records
  • Patient access tokens verified on-chain
  • Access expiration respected (no requests after expiry)
  • Patient data handled per HIPAA/local regulations
  • Compliance with healthcare privacy laws confirmed
  • Access log maintained for audit purposes

Additional Resources

Security Overview

Learn about Salud’s security architecture

Privacy Model

Understand zero-knowledge proofs and encryption

Aleo Documentation

Learn more about Aleo blockchain security

Wallet Security Guide

Best practices for managing Aleo wallets

Getting Help

If you have security concerns:
Never share your private key with supportNo legitimate support person will ever ask for your private key. If someone asks for it, it’s a scam.
  • General questions: Check the documentation first
  • Technical issues: Create a GitHub issue
  • Security vulnerabilities: Report privately to the development team
  • Lost private key: No recovery possible - ensure you have backups

Build docs developers (and LLMs) love

Get started for freeTalk to us