HIPAA Security Rule 2003
Deprecated Framework
This framework has been superseded by HIPAA Omnibus Final Rule 2013. Organizations should migrate to the 2013 rule, which strengthened privacy and security protections and expanded compliance obligations to business associates.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, published in February 2003, establishes national standards to protect electronic protected health information (ePHI). Enforced by the U.S. Department of Health and Human Services (HHS), this rule requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. It applies to all healthcare providers, health plans, and healthcare clearinghouses in the United States.
Terraform Registry Subdomain: hipaasecurity2003

```hcl
module "..." {
  source  = "hipaasecurity2003.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

```hcl
module "..." {
  source = "https://hipaasecurity2003.compliance.tf/terraform-aws-modules/<module>/aws"
}
```
Refer to the Terraform Registry Endpoints section for more details.
Implemented Controls
The following controls are implemented as part of this framework.
- API Gateway stage cache encryption at rest should be enabled
- API Gateway stage logging should be enabled
- Backup plan min frequency and min retention check
- CloudFront distributions should require encryption in transit
- CloudFront distributions access logs should be enabled
- At least one enabled trail should be present in a region
- CloudTrail trails should be integrated with CloudWatch logs
- CloudTrail trail logs should be encrypted with KMS CMK
- CloudTrail trail log file validation should be enabled
- CloudWatch alarm should have an action configured
- Log group retention period should be at least 365 days
- CodeBuild projects should have logging enabled
- DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- DMS replication instances should not be publicly accessible
- DynamoDB table should be encrypted with AWS KMS
- DynamoDB table should have encryption enabled
- DynamoDB table point-in-time recovery should be enabled
- Attached EBS volumes should have encryption enabled
- EC2 instance should have EBS optimization enabled
- EC2 instances should be in a VPC
- EC2 instances should not have a public IP address
- EFS access points should enforce a user identity
- EFS file system encryption at rest should be enabled
- EKS clusters should be configured to have Kubernetes secrets encrypted using KMS
- ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater
- ELB application and classic load balancer logging should be enabled
- ELB application load balancer deletion protection should be enabled
- ELB application load balancers should be configured to drop HTTP headers
- Application Load Balancer should be configured to drop invalid HTTP headers
- EMR cluster Kerberos should be enabled
- ES domain encryption at rest should be enabled
- ES domains should be in a VPC
- Elasticsearch domain node-to-node encryption should be enabled
- IAM password policies for users should have strong configurations
- Lambda functions should be configured with a dead-letter queue
- Lambda functions should be in a VPC
- Log group encryption at rest should be enabled
- OpenSearch domains should have encryption at rest enabled
- OpenSearch domains should use HTTPS
- OpenSearch domains should be in a VPC
- OpenSearch domains node-to-node encryption should be enabled
- RDS DB instance backup should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB instances should have IAM authentication enabled
- Database logging should be enabled
- RDS DB instance multiple AZ should be enabled
- RDS DB instances should prohibit public access
- AWS Redshift clusters should have automatic snapshots enabled
- Redshift cluster encryption in transit should be enabled
- Redshift cluster audit logging and encryption should be enabled
- AWS Redshift clusters should be encrypted with KMS
- Redshift clusters should prohibit public access
- S3 bucket cross-region replication should be enabled
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 bucket logging should be enabled
- S3 bucket object lock should be enabled
- S3 bucket policy should prohibit public access
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 buckets with versioning enabled should have lifecycle policies configured
- S3 bucket versioning should be enabled
- S3 public access should be blocked at account level
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instances should not have direct internet access
- SageMaker notebook instance encryption should be enabled
- SNS topics should be encrypted at rest
- AWS WAF rules should have CloudWatch metrics enabled
Enable/Disable Controls

You can customize the Terraform module for the desired compliance requirements by enabling/disabling individual controls.

Examples

S3 bucket module with HIPAA Security Rule 2003 compliance framework controls enabled, and a couple of controls disabled

```hcl
module "..." {
  source = "https://hipaasecurity2003.compliance.tf/terraform-aws-modules/s3-bucket/aws?disable=apigateway_stage_cache_encryption_at_rest_enabled,apigateway_stage_logging_enabled"
}
```
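The module source string above carries three things a reviewer of Terraform code needs to check before trusting it: that the host really is a framework subdomain of compliance.tf (and not a look-alike registry), which module is being pulled, and which controls the `disable=` query parameter switches off. The following Python helper, added here as an example and not part of the compliance.tf project, parses source strings of the two shapes shown on this page (with and without an `https://` scheme) and rebuilds them from their parts. It assumes only what the page shows: the `<subdomain>.compliance.tf/<namespace>/<name>/<provider>` path and a comma-separated `disable=` list whose entries are snake_case control identifiers; the two identifiers used in the test are the ones from the page, and the `vpc` module name in the second check is a constructed sample.

```python
"""Parse and build compliance.tf-style Terraform module source strings.

Added example; it models the source-string format shown on the page and is
not the compliance.tf project's own code. Assumed format:
    [https://]<framework>.compliance.tf/<namespace>/<name>/<provider>[?disable=a,b,c]
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

REGISTRY_DOMAIN = "compliance.tf"
# Control identifiers on the page are lowercase snake_case; anything else is rejected
# so that stray characters cannot be smuggled into a generated source string.
CONTROL_ID_RE = re.compile(r"^[a-z0-9_]+$")


@dataclass(frozen=True)
class ModuleSource:
    framework: str                  # registry subdomain, e.g. "hipaasecurity2003"
    namespace: str                  # e.g. "terraform-aws-modules"
    name: str                       # e.g. "s3-bucket"
    provider: str                   # e.g. "aws"
    disabled: tuple = ()            # control identifiers passed via ?disable=


def parse_module_source(source: str) -> ModuleSource:
    """Split a module source string into its parts, rejecting non-registry hosts."""
    if "://" not in source:           # the page shows the source both with and without a scheme
        source = "https://" + source
    parts = urlsplit(source)
    host = parts.netloc.lower()
    suffix = "." + REGISTRY_DOMAIN
    # endswith() on the dotted suffix rejects look-alikes such as "compliance.tf.example.com"
    # and "evil-compliance.tf"; the subdomain must be a single label.
    if not host.endswith(suffix):
        raise ValueError(f"not a {REGISTRY_DOMAIN} registry host: {host!r}")
    framework = host[: -len(suffix)]
    if not framework or "." in framework:
        raise ValueError(f"expected a single framework subdomain, got {framework!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3:
        raise ValueError("expected <namespace>/<name>/<provider> in the path")
    query = parse_qs(parts.query, keep_blank_values=True)
    disabled = tuple(
        ctrl
        for chunk in query.get("disable", [])
        for ctrl in chunk.split(",")
        if ctrl
    )
    for ctrl in disabled:
        if not CONTROL_ID_RE.match(ctrl):
            raise ValueError(f"malformed control identifier: {ctrl!r}")
    return ModuleSource(framework, segments[0], segments[1], segments[2], disabled)


def is_registry_source(source: str) -> bool:
    """True if the source string parses as a well-formed compliance.tf module source."""
    try:
        parse_module_source(source)
        return True
    except ValueError:
        return False


def build_module_source(framework: str, name: str, disabled=(),
                        namespace: str = "terraform-aws-modules",
                        provider: str = "aws") -> str:
    """Compose a source string; commas are written literally, as on the page."""
    for ctrl in disabled:
        if not CONTROL_ID_RE.match(ctrl):
            raise ValueError(f"malformed control identifier: {ctrl!r}")
    base = f"https://{framework}.{REGISTRY_DOMAIN}/{namespace}/{name}/{provider}"
    return base + ("?disable=" + ",".join(disabled) if disabled else "")


if __name__ == "__main__":
    # The example source from the page.
    page_source = ("https://hipaasecurity2003.compliance.tf/terraform-aws-modules/s3-bucket/aws"
                   "?disable=apigateway_stage_cache_encryption_at_rest_enabled,"
                   "apigateway_stage_logging_enabled")
    parsed = parse_module_source(page_source)
    print(f"framework={parsed.framework} module={parsed.namespace}/{parsed.name}/{parsed.provider}")
    for ctrl in parsed.disabled:
        print(f"  disabled control: {ctrl}")
```

Running the parser over every `module` block in a repository gives a quick inventory of which framework each module is pinned to and which controls have been switched off, which is the list an auditor will ask for when a control is disabled.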