docs: add healthcare and mental wellness security considerations

docs/regulated-domains/healthcare-security.md

@@ -0,0 +1,25 @@
+# Healthcare and Mental Wellness Security Considerations
+
+## Context
+Cloud-native and blockchain-based systems are increasingly used in healthcare and mental wellness. These systems must follow strict privacy and security practices due to the sensitivity of personal health information (PHI/PII).
+
+## Principles
+- **Data minimization:** Never place PHI/PII directly on public chains or in unencrypted logs.  
+- **Consent workflows:** Use Verifiable Credentials (VCs) and Decentralized Identifiers (DIDs) to manage patient consent off-chain, verifying proofs without exposing raw attributes.  
+- **Privacy-preserving analytics:** Apply commitments, zero-knowledge proofs, and aggregation to measure outcomes without leaking individual records.  
+- **Incident readiness:** Define break-glass procedures, rotation plans, and clear audit trails.  
+- **Mental wellness risk:** Misuse or leakage of mental health data has higher ethical stakes; systems must exceed baseline privacy standards.  
+
+## Checklist
+- [ ] No PHI/PII in logs, storage, or transactions.  
+- [ ] Consent captured via VCs/DIDs with expiration + nonce.  
+- [ ] Cloud-native deployments include encryption at rest and in transit.  
+- [ ] Break-glass access is gated and logged.  
+- [ ] Testing covers reentrancy, replay, and denial-of-service threats in consent flows.  
+
+## References
+- CNCF TAG-Security docs  
+- NIST Privacy Framework  
+- HIPAA Security Rule  
+- HL7 FHIR Security and SMART on FHIR  
+- W3C VC and DID Core