How to Build a CRM That Sells: Lessons from the Coin Show Floor
September 30, 2025From Coin Show Chaos to LegalTech Clarity: How the Principles of Organizing a Large-Scale Show Can Optimize E-Discovery Platforms
September 30, 2025
Building software for the healthcare industry? You’re not just writing code — you’re guarding lives. HIPAA isn’t a suggestion. It’s the law. And it’s personal for me. After 10+ years in HealthTech, I’ve learned that real security doesn’t come from checklists. It comes from treating Protected Health Information (PHI) like it’s irreplaceable — because it is.
When I built my first telemedicine platform, I didn’t start with encryption or audit logs. I started by standing in a crowded convention hall at the **2025 Rosemont/Chicago Great American Coin Show**, watching dealers handle $100,000 coins like they were made of glass. That’s when it clicked: *security isn’t just tech. It’s culture, process, and attention to detail.*
This post is about how I applied those coin show rituals to build **HIPAA-compliant telemedicine software** — with real code, real breaches, and real lessons learned.
Why HIPAA Compliance Is Non-Negotiable in HealthTech
One mistake. One unencrypted log file. One over-permissive IAM role. That’s all it takes to lose $50,000 in fines — or worse, a patient’s trust. I’ve seen it happen. A small clinic lost 8,000 patient records because a developer left an S3 bucket open. The fallout? A class-action lawsuit, a shutdown, and a reputation in ruins.
In HealthTech, **PHI is the crown jewel**. And like those rare coins at the show, it needs layers of protection — not just strong locks, but smart people, clear rules, and systems that *assume* they’ll be attacked.
The Core Rules You Can’t Ignore
- Administrative Safeguards: Who gets access? How are they trained? What happens if they leave?
- Physical Safeguards: Is your server room locked? Are laptops wiped when employees exit?
- Technical Safeguards: Encryption, access control, audit trails — the tools that actually protect data.
These aren’t optional features. They’re the bones of your app. I treat HIPAA like gravity: something you design *around*, not something you tack on later.
What I Learned From Watching Coin Show Security
At the Rosemont convention, I noticed three things:
- No one left valuables unattended — even for a bathroom break
- Access was tiered: dealers only in the morning, public later
- Every item was tracked — RFID tags, signature logs, video surveillance
Sound familiar? That’s **role-based access control (RBAC)**, **data integrity**, and **audit logging** — straight out of the HIPAA manual. But seeing it in real life made it tangible.
For example: when I built the EHR module, I didn’t just say “limit access.” I designed it like a coin display case. Clinicians could open every drawer. Billing saw only what they needed. No more, no less. Just like the dealers who only opened their cases during dealer-only hours.
Architecting HIPAA-Compliant EHR Systems
Secure Data Storage: Don’t Store PHI in Plain Text
Let me be clear: **storing unencrypted PHI is malpractice**. Not just bad practice. *Medical malpractice*, in spirit. You need:
- AES-256 encryption at rest
- TLS 1.3+ for data in transit
- And crucially — **your own encryption keys**
Here’s where most teams fail: they rely on AWS’s default keys. Big mistake. If AWS has your keys, they can access your data — and so can anyone who compromises them.
I use **AWS KMS with customer-managed keys (CMKs)**. That means *we* control the keys. AWS can’t decrypt our data. Not even if subpoenaed. (Within legal bounds, of course.)
Here’s a Terraform snippet I use for EHR backups:
resource "aws_s3_bucket" "ehr_backups" {
bucket = "ehr-backup-prod-2025"
}
resource "aws_kms_key" "ehr_kms" {
description = "KMS key for EHR data encryption"
deletion_window_in_days = 7
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "Allow full access to root"
Effect = "Allow"
Principal = { AWS = "arn:aws:iam::${var.account_id}:root" }
Action = "kms:*"
Resource = "*"
},
{
Sid = "Allow CloudTrail to encrypt logs"
Effect = "Allow"
Principal = { Service = "cloudtrail.amazonaws.com" }
Action = [ "kms:GenerateDataKey*", "kms:Decrypt" ]
Resource = "*"
}
]
})
}
resource "aws_s3_bucket_server_side_encryption_configuration" "ehr_encryption" {
bucket = aws_s3_bucket.ehr_backups.id
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.ehr_kms.arn
sse_algorithm = "aws:kms"
}
}
}
Small detail, big impact. When auditors ask, “Who controls the keys?” my answer is simple: *We do.*
Audit Logging: Prove You’re Compliant
HIPAA doesn’t just want encryption. It wants **proof**. Every time someone accesses PHI, it must be logged — with a timestamp, user ID, and action taken.
I use **AWS CloudTrail + CloudWatch Logs**. CloudTrail tracks API calls (like “download patient record”). CloudWatch logs app-level events (like “Dr. Smith reviewed X-rays”).
Here’s how I log a PHI access event in Node.js:
const AWS = require('aws-sdk');
const cloudwatchlogs = new AWS.CloudWatchLogs({region: 'us-east-1'});
function logPhiAccess(userId, patientId, action) {
const params = {
logGroupName: '/phi/access',
logStreamName: 'ehr-api',
logEvents: [
{
timestamp: Date.now(),
message: JSON.stringify({
event: 'PHI_ACCESS',
userId,
patientId,
action, // e.g., 'VIEW', 'DOWNLOAD'
ipAddress: getClientIp(),
userAgent: getUserAgent()
})
}
]
};
cloudwatchlogs.putLogEvents(params).promise();
}
Logs aren’t paperwork. They’re your **insurance policy**. Last year, a clinician accidentally accessed the wrong patient. We caught it in 48 hours — because the log showed it. We fixed it, reported it, and avoided a breach.
Without logs? We’d never have known.
Telemedicine Software: Securing Real-Time PHI
End-to-End Encryption (E2EE) in Video Consultations
Video calls are prime targets. A single unsecured WebRTC stream can leak audio, video, or metadata (like patient names).
I use **Signal Protocol (Double Ratchet)** for E2EE — the same tech behind WhatsApp — but tuned for healthcare. Every call gets:
- A unique session key (never reused)
- Perfect forward secrecy (new key per message)
- DRM to block screen recording
And yes — I disabled browser screen sharing APIs. I didn’t trust Chrome. I still don’t. So I built a custom WebRTC wrapper that blocks unauthorized recording. No ifs, no buts.
Telemedicine isn’t about convenience. It’s about **trust**. When a patient speaks to their doctor, they need to know: *only two people are in that room.*
Secure File Uploads: No More PDFs in Emails
I’ve seen too many “secure” portals that just email PDFs. That’s not secure. That’s chaos.
My solution? A **patient upload portal** with:
- Client-side encryption (using Web Crypto API)
- Pre-signed URLs that expire in 15 minutes
- Automatic deletion after the clinician accesses it
// Client-side encryption before upload
async function encryptFile(file) {
const key = await crypto.subtle.generateKey(
{ name: 'AES-GCM', length: 256 },
true,
['encrypt', 'decrypt']
);
const iv = crypto.getRandomValues(new Uint8Array(12));
const encrypted = await crypto.subtle.encrypt(
{ name: 'AES-GCM', iv },
key,
await file.arrayBuffer()
);
return { encrypted, key, iv, fileName: file.name };
}
The file gets encrypted *before* it leaves the browser. The decryption key? Sent through the app — not email. No PHI ever hits the server unencrypted. Not even for a millisecond.
Healthcare Data Security: Beyond Encryption
Network Segmentation: Isolate PHI from Everything Else
I treat PHI like nuclear material: **keep it separated**. In AWS, I use three VPC subnets:
- Public: Load balancers, CDNs (no PHI)
- Private: App servers (PHI in memory, never stored)
- Isolated: Databases, EHR storage (encrypted, no public access)
Security groups are locked down. Only specific IAM roles can talk to the database. No SSH from outside. Not even from my laptop.
It’s strict. But after a near-miss with a misconfigured API gateway, I stopped cutting corners.
Penetration Testing: Simulate Real Attacks
Every six months, I hire ethical hackers. We run real attacks:
– SQL injection through API endpoints
– Session hijacking with stolen cookies
– Insider threats (e.g., “What if a nurse exports 10,000 records?”)
One test found a bug: clinicians could see the next patient’s record by changing the URL ID (e.g., /patient/123 → /patient/124). We fixed it in an hour — with a server-side check that the user *actually has permission* to see that record.
The fix? One line of code. The lesson? **Never trust the frontend.**
Putting It All Together: A Compliance-First Mindset
Documentation: Your Best Defense
Audits are stressful. I keep a **living compliance document** that shows:
– Each technical control (e.g., “KMS encryption”)
– The matching HIPAA rule (e.g., “164.312(a)(2)(iv)”)
– Who owns it (e.g., “Security Team – Jane Doe”)
It’s not busywork. It’s clarity. When an auditor asks, “How do you protect PHI at rest?” I don’t guess. I open the document, point to the code, and show the test plan.
Team Training: Make Everyone a Compliance Officer
I run quarterly HIPAA training. Not a slideshow. A workshop. We review:
– Real breach cases (e.g., “What went wrong at Hospital X?”)
– New OCR guidance
– Our own near-misses (anonymized, of course)
The goal? Make engineers think like auditors: *“If I build this, what could break?”*
One junior dev asked: “Why can’t we use Heroku for staging?” Good question. The answer? Heroku doesn’t sign BAAs. We don’t compromise on that.
Conclusion: Compliance Is a Competitive Advantage
You might see HIPAA as a hurdle. I see it as a **superpower**. Patients choose systems they can trust. Hospitals pick vendors with proven security. Investors back teams that don’t repeat disasters.
The tools I’ve shared — encryption, logging, access control, penetration testing — aren’t extras. They’re the price of entry in **HealthTech**.
Just like those coin dealers who guarded priceless artifacts with locked cases and watchful eyes, we protect PHI with equal care. Not because the law says so. But because **every line of code is a promise to a patient**.
So start small. Encrypt everything. Log every access. Train your team. Then scale — knowing you built it right from the start. Because in healthcare, the only thing stronger than your code is the trust it earns.
Related Resources
You might also find these related articles helpful:
- How to Build a Scalable Headless CMS for Event Reporting: A Case Study Inspired by the 2025 Rosemont Coin Show – The future of content management? It’s already here—and it’s headless. I’ve spent months building a CMS that…
- How Coin Show Market Dynamics Can Inspire Smarter High-Frequency Trading Algorithms – Uncovering Hidden Patterns in Illiquid Markets: A Quant’s Take on Coin Shows High-frequency trading (HFT) thrives …
- How to Turn a Coin Show Report Into a Powerful Business Intelligence Asset Using Data Analytics – Ever left a coin show with a stack of notes, photos, and receipts—only to file it away and forget about it? That’s a mis…
