Ewii for Healthcare

Hospitals, payors, and clinical-AI platforms share a constraint that’s easy to articulate and hard to satisfy: PHI cannot leave the network. AI tools that need to query PHI — for clinical decision support, claims processing, population analytics — either move PHI (unacceptable) or run inside the network (operationally painful). Ewii is the third option.

Air-gapped database access

The clinical-data store stays where it is. The Client container, deployed inside the hospital or payor network, is the only thing that touches it. Identity-verified queries flow outbound to the operator’s Hub; query results return on the same connection. PHI never crosses the network boundary in a form the operator can store. The Hub sees ciphertext only.

Hand-drafted schematic flow diagram showing the PHI query path through the hospital network boundary. LEFT REGION — CLINICAL AI PLATFORM: copper-amber rectangle containing HUB with inner sub-rectangles TRUST BUNDLE STORE and PER-QUERY AUTHORIZATION PLANE. CENTER — ENCRYPTED RELAY: narrow dashed-border band with slate-gray label ENCRYPTED RELAY and copper-amber annotation HUB SEES CIPHERTEXT ONLY. RIGHT REGION — HOSPITAL / PAYOR NETWORK: copper-amber rectangle with inner dashed boundary labeled PHI BOUNDARY; inside it a CLINICAL DATA STORE sub-rectangle with horizontal ruled lines, and a CLIENT copper-amber rectangle beside it with a forest-green check annotation IDENTITY VALIDATED. Outbound arrow from Client through relay to Hub labeled IDENTITY-VERIFIED QUERY / PORT 443. Return dashed arrow from Hub back to Client labeled ChaCha20-Poly1305 RESULT, with clay-red annotation QUERY CONTENT NOT LOGGED BY HUB. FIG. 1 — PHI QUERY PATH THROUGH HOSPITAL NETWORK in lower right. Corner crop marks on bone-white canvas. — FIG. 1 PHI query path through the hospital network boundary

PHI never leaves the network

Application-layer encryption (ChaCha20-Poly1305) is end-to-end between the Client and a workload-bound Hub endpoint. The Client decrypts query results in the customer’s memory; the Hub never sees plaintext PHI. Logs from the Client capture metadata (query identifier, timestamp, size) but not query content. We can show your privacy officer the exact set of fields the Hub side observes.

BAA-ready Hub deployment

For US healthcare deployments, our standard Hub posture is BAA-ready: the operator runs the Hub under a BAA with us, and we, in turn, are willing to enter into a BAA with each operator that needs one. For Canadian healthcare deployments, we align to PHIPA and provincial equivalents (BC PIPA, Quebec’s Loi 25). Our Trust Center pack includes a sample BAA and a PHIPA mapping.

Identity-verified queries replace network-level access

Today, your operator’s service account probably has network-level read access to the clinical database. Tomorrow, with Ewii, it has identity-verified per-query access — the Client enforces what queries are allowed, the Hub validates the identity at every connection, and every query is logged. Network-level access becomes per-query access. Audit becomes possible.

Talk to an architect

Bring your privacy officer if you can. We’ll show you the data-flow diagram, the BAA shape, the audit trail your auditor will see, and what the rollout looks like. 60 minutes.

Air-gapped database access

PHI never leaves the network

BAA-ready Hub deployment

Identity-verified queries replace network-level access

Talk to an architect

Talk to an architect about your sector.