# SCRIMED Competitive Defense Brief

Status: competitive-defense-hardening-active
Reviewed: 2026-06-26
Route: /competitive-defense
API: /api/competitive-defense
Boundary: SCRIMED Competitive Defense translates public competitor positioning, known SCRIMED weaknesses, legal/privacy/cybersecurity requirements, and infiltration risks into owned hardening controls. It is strategic readiness evidence only. It does not copy competitor products, assert partnerships, provide legal advice, certify security or compliance, authorize PHI processing, approve penetration testing, guarantee protection from attack, approve customer release, or authorize live clinical care.

## Competitive Threat Profiles
- Abridge: Position SCRIMED as governed healthcare workflow intelligence, not a scribe clone: evidence trace, TrustOS gate, synthetic pilot, and downstream operating proof. Hardening: Package every demo as a context-to-evidence-to-human-review operating loop with explicit no-live-care and no-PHI boundaries. Boundary: No copied clinical documentation models, no patient data, no customer-logo implication, and no clinical superiority claim.
- Ambience Healthcare: Run synthetic specialty bake-offs where buyers score evidence completeness, review friction, policy fit, operational actionability, and claim safety. Hardening: Create a no-PHI bake-off packet and route all time-saved, ROI, coding, and clinical-quality phrases through claim guard and qualified review. Boundary: No specialty performance, coding accuracy, reimbursement, or clinical quality claims without qualified external review.
- Nabla: Use the Health Records Safety Exchange, interoperability conformance, API contract catalog, and Platform Power controls as the visible trust catalog. Hardening: Label every connector family as synthetic-ready, contract-ready, protected-gated, or blocked-live-use. Boundary: No production connector, EHR integration, API SLA, PHI authority, or customer deployment claim until buyer-approved contracts exist.
- Suki: Lead with healthcare operating-system breadth: Atlas evidence, AgentOS workflows, TrustOS controls, PayerIQ evidence, and protected buyer proof. Hardening: Add security-and-revenue adjacency controls to every sales packet and keep all ROI/security/certification claims in blocked-claim registers. Boundary: No trust-portal equivalence, EHR breadth claim, ROI guarantee, security certification, or clinical reasoning authority.
- Microsoft Dragon Copilot: Win as the inspectable governance-and-workflow overlay that can prepare no-PHI proof packets before an incumbent platform procurement decision hardens. Hardening: Make launch readiness, legal/privacy/cyber boundaries, buyer packet evidence, and workflow loops visible before every sales call. Boundary: No Microsoft partnership, Azure equivalence, platform-scale equivalence, Dragon parity, or managed-security implication.
- Oracle Health: Position SCRIMED as complementing incumbent systems through governed no-PHI pilots, connector prerequisites, and operational evidence packets. Hardening: Attach an incumbent-system complement boundary to interoperability, health records, payer, financial, and deployment profile copy. Boundary: No Oracle integration, EHR replacement, ONC certification, production connector, or incumbent-data migration claim.
- Hippocratic AI: Treat TrustOS, Clinical Guardian, human review, no-live-care boundary, claim guard, and protected evidence release as the safety product. Hardening: Add agent threat modeling, clinical escalation boundaries, and model-output review to the defense operating cadence. Boundary: No clinical validation, voice-agent parity, autonomous care, diagnosis, prescribing, or customer-logo claim.
- Notable: Package AgentOS as a governed workforce builder with approvals, audit, no-PHI fixtures, and buyer-defined success metrics. Hardening: Add agent permission boundaries, tool-call approvals, and excessive-agency checks to every workflow template. Boundary: No autonomous patient outreach, production writeback, connector-hub parity, or unsupervised operations claim.
- Commure: Use PayerIQ, Atlas, finance methodology gates, and no-PHI revenue-risk packets to show evidence readiness before value claims. Hardening: Route every revenue, denial, coding, or margin phrase through Enterprise Business Ops and finance methodology controls. Boundary: No reimbursement guarantee, revenue guarantee, ROI guarantee, coding finality, or production billing automation claim.
- Cohere Health: Make PayerIQ policy evidence, appeal packet preparation, and payer-friction detection human-reviewed and synthetic-only. Hardening: Add payer-submission hard stops to workflow outputs and brief exports. Boundary: No payer approval, prior authorization submission, payment-integrity certification, claim submission, or appeal filing authority.

## Strength Hardening Tracks
- Governance-first healthcare intelligence OS: active. Attach one proof route, one buyer outcome, one blocked claim, and one human-review gate to each product claim. Proof: /product.
- No-PHI protected pilot pathway: active. Keep protected evidence exports disabled or gated until named reviewer signoff, customer permission, and release authority are recorded. Proof: /pilot-workspace/access.
- Interoperability and health-record safety: harden-now. Expose connector maturity labels and required contracts before any pilot, demo, or API conversation. Proof: /health-records.
- Claims-safe competitor counter-positioning: harden-now. Route all competitor-counter statements through no-copy, no-partnership, no-parity, no-certification, no-customer-proof checks. Proof: /competitive-intelligence.
- Legal, privacy, and cybersecurity gatekeeping: external-review-required. Define qualified-review gates, evidence owners, and blocked public claims for each legal/privacy/cyber domain before public growth campaigns expand. Proof: /global-certification-readiness.
- 24/7 review and innovation loop: active. Keep the loop as internal readiness, create escalation-only incident handoff, and keep future research private until qualified review. Proof: /continuous-review-audit.

## Legal, Privacy, And Cyber Controls
- Claims and legal review firewall: harden-now. Every sales, investor, marketing, PR, website, and competitor-comparison claim must map to approved, evidence-required, or prohibited status. Boundary: This is not legal advice or final approval; qualified counsel remains required for legal positions.
- No-PHI default and minimum-necessary privacy path: active. Public and pilot workflows remain synthetic, metadata-only, or business-contact-only until PHI authority, BAA/DPA, risk analysis, and customer approvals exist. Boundary: No PHI processing authority, HIPAA compliance certification, BAA execution, or live data approval is created by this control.
- NIST CSF operating profile: harden-now. Map each SCRIMED launch and buyer route to an owner, protected asset class, preventive control, detection signal, response action, and recovery evidence. Boundary: This profile is readiness evidence only; it is not SOC 2, HITRUST, ISO, penetration-test, or managed-security certification.
- LLM and agent threat model: harden-now. Each agent workflow must name allowed tools, denied tools, prompt-injection checks, output handling rules, human-review triggers, and audit evidence. Boundary: This is not a model-safety certification, live autonomous AI approval, or permission to process PHI.
- Identity, AAL2, and secret hygiene: active. Protected mutation and packet routes require tenant identity, AAL2-capable operator proof, no-secret test flows, and explicit token-disposal instructions. Boundary: No bypass of AAL2, no token minting by readiness pages, and no public secret storage.
- Dependency and supply-chain review: harden-now. Run typecheck, lint, build, audit, and integrity checks before production promotion; record exceptions as limitation packets. Boundary: This is not a completed third-party security assessment or guarantee against supply-chain attack.
- Incident response and breach-notification readiness: external-review-required. Classify incidents, preserve audit evidence, notify qualified legal/privacy/security reviewers, freeze affected releases, and prepare customer-safe communications. Boundary: This does not provide legal advice, breach determination, notification approval, or managed incident-response service.
- Vendor, connector, and buyer evidence room gate: protected-gated. Route provider security reviews, procurement evidence, external approval evidence, and connector references through protected metadata-only workspaces. Boundary: No BAA/DPA execution, vendor approval, connector approval, customer release, or procurement approval is created here.

## Infiltration Deterrence Layers
- Public route and API surface: prevent Keep public APIs read-only, synthetic-only, rate-limit-ready, cache-safe, header-bounded, and free of secrets or PHI. Detect: Monitor unusual request volume, response-code spikes, route misses, API schema drift, and smoke failures. Hard stop: No public endpoint may expose secrets, PHI, protected packet contents, or tenant mutation authority.
- Tenant identity and protected workspace: prevent Require tenant-scoped identity, AAL2-capable operator proof, fail-closed protected routes, and explicit release authority. Detect: Track access-log reconciliation, packet export attempts, reviewer signoff gaps, and tenant session verification failures. Hard stop: No protected packet export without authenticated workspace access and release authority chain.
- Agent tool execution: prevent Use tool allowlists, human approval checkpoints, denied action lists, prompt-injection review, and output handling boundaries. Detect: Record tool attempts, denied action counts, reviewer overrides, anomalous prompt patterns, and TrustOS decisions. Hard stop: No autonomous clinical action, payer submission, writeback, patient outreach, or production connector call.
- Health-record and interoperability path: prevent Restrict to synthetic fixtures, no-PHI extraction, metadata-only connector planning, and contract-ready/live-blocked labels. Detect: Flag live-data fields, production endpoint URLs, patient identifiers, connector credential requests, and writeback verbs. Hard stop: No PHI, patient matching, live connector, diagnosis, order entry, payer submission, or EHR writeback.
- Commercial, investor, and legal claims: prevent Claims register, QA Claim Guard, no-copy competitor boundary, investor-readiness boundaries, and legal review gates. Detect: Scan copy for guarantee, certification, partnership, valuation, securities, reimbursement, clinical, or customer-permission phrases. Hard stop: No public claim of certification, approval, partnership, customer proof, revenue guarantee, or legal conclusion.
- Build and dependency pipeline: prevent Run typecheck, lint, build, audit, public smoke, launch-domain preflight, and no-secret operator checks before promotion. Detect: Compare smoke deltas, lockfile changes, generated artifacts, route inventory changes, and unexpected API/header changes. Hard stop: No production promotion when build, smoke, audit, or launch-domain evidence fails without documented workaround.

## External Review Gates
- Counsel-reviewed claims and competitor comparison: required-before-public-claim. Trigger: Any page, deck, PR, investor packet, email, or sales call compares SCRIMED to a named competitor or asserts legal/security/compliance status. Output: Approved, evidence-required, or prohibited claim classification.
- Privacy and HIPAA risk analysis: required-before-production. Trigger: Any workflow proposes ePHI, patient identifiers, live health records, provider connector credentials, or customer production data. Output: Risk analysis, BAA/DPA path, minimum-necessary scope, retention rule, and incident-response owner.
- Security assessment and penetration-test authorization: required-before-production. Trigger: Any customer asks for production deployment, security certification, public trust badge, or penetration-test proof. Output: Scoped test authorization, remediation plan, evidence packet, and public-claim decision.
- Customer release and evidence distribution: required-before-buyer-release. Trigger: Any buyer proof packet, customer-named result, diligence artifact, or protected workspace evidence is proposed for external distribution. Output: Named reviewer signoff, recipient list, lockbox/access log, approved language, and expiry.

## No-Authority Boundary
- legalAdvice: not-legal-advice
- privacyAdvice: qualified-privacy-review-required
- securityCertification: not-security-certified
- penetrationTesting: not-penetration-test-authorization
- phiProcessing: not-authorized-production-phi
- customerRelease: customer-permission-and-release-control-required
- competitorPartnership: not-third-party-partnership
- attackGuarantee: not-protection-guarantee
- clinicalCare: not-authorized-live-care

Run every public competitor, investor, sales, security, privacy, and launch claim through Competitive Defense before expansion: prove the source, name the SCRIMED counter-position, attach the proof route, preserve no-copy/no-PHI/no-certification boundaries, and escalate legal/privacy/cyber claims to qualified review.