From Silicon to Site: Building Secure Sensors for Healthcare

February 18, 2026·Perspective·Luís Silva, Software Engineer

Teton develops physical sensors for healthcare facilities. These devices form a kind of nervous system that enables understanding of in-room activity. Getting this right means balancing seamless integration with robust security in some of the most sensitive environments there are.

The threat model

Threat models describe the risks and operational assumptions that guide how we design every device. The core threats we address:

  • Opportunistic physical access during normal facility operations
  • Supply chain vulnerabilities across component sourcing and manufacturing
  • Fleet-wide security implications from individual device compromise
  • Privacy protection even under physical compromise scenarios

The guiding principle is simple: a device cannot leak what it does not have. Minimizing stored information is the strongest protection against breaches.

Security principles

Five foundational principles guide our product development:

Minimize device knowledge

Devices operate without personal identifiers or clinical metadata. They process visual data into anonymized signals and discard the source immediately.

Assume physical access

Our security architecture assumes that someone may have brief physical access to a device. The system is designed so that even in that scenario, no sensitive data is exposed.

Individual trust boundaries

Compromising one device cannot cascade to others. Each unit operates within its own trust boundary, preventing fleet-wide failures from a single point of compromise.

Safe integration

We collaborate with site IT teams to ensure our devices integrate without introducing network risks. Only the compute unit connects to the site network; sensors remain isolated.

Transparency over obscurity

We rely on open standards and invite external scrutiny. Security through obscurity is not a strategy we trust.

Architecture

Only the compute unit connects to site networks. Sensors remain isolated within local loops, with no internet exposure. Processed data is sent upstream without personal identifiers.

Figure: System architecture. Sensors connect locally to compute units; only anonymized data reaches the network.

We periodically disassemble sensors to verify component authenticity and detect any unauthorized hardware modifications. This is not theoretical. It is a regular operational practice.

Operational practices

  • In-house assembly using trusted suppliers with engineering assessments
  • Trained installers deployed to clinical sites
  • Centralized device management with approval requirements before backend communication
  • Continuous monitoring with alert systems for offline or anomalous behavior
  • Bug bounty programs encouraging external security research
  • Open-sourced fleet management tools (Smith UI) for transparency

Security in healthcare sensor deployment requires honest risk assessment, explicit documentation of assumptions, and deliberate design practices. We improve continuously through external scrutiny and partner collaboration.

Learn more about our security approach

Schedule a demo or visit our Trust Center at trust.teton.ai for detailed documentation.
