Do not report real patient information in public issues. Use synthetic records only.
Before production use, configure managed secrets, TLS, private networking, database encryption, backup encryption, least-privilege access, MFA, audit retention, rate limiting, alerting and a documented incident-response process.
The project is a starter implementation and does not make compliance claims. Security, privacy and clinical safety controls must be assessed for the deployment jurisdiction and organization.