cipherrun 0.3.0

A fast, modular, and scalable TLS/SSL security scanner written in Rust
id: hipaa
name: HIPAA Security Rule
version: 1.0
description: Health Insurance Portability and Accountability Act - Technical Safeguards for ePHI Transmission Security
organization: U.S. Department of Health and Human Services (HHS)
effective_date: 2003-04-21

requirements:
  - id: HIPAA-164.312-e-1
    name: Transmission Security - Encryption
    description: Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic networks
    category: Protocol Security
    severity: high
    remediation: |
      Enable strong encryption for all ePHI transmission:
      - Use TLS 1.2 or TLS 1.3 for network communications
      - Disable obsolete protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1)
      - Implement end-to-end encryption where required
    rules:
      - type: ProtocolVersion
        allowed:
          - TLS 1.2
          - TLS 1.3
        denied:
          - SSLv2
          - SSLv3
          - TLS 1.0
          - TLS 1.1

  - id: HIPAA-164.312-e-2
    name: Integrity Controls
    description: Implement security measures to ensure ePHI is not improperly altered or destroyed during transmission
    category: Cipher Security
    severity: high
    remediation: |
      Use authenticated encryption to ensure data integrity:
      - Enable AEAD cipher suites (AES-GCM, ChaCha20-Poly1305)
      - These provide both confidentiality and message authentication
      - Disable cipher suites without proper integrity protection
    rules:
      - type: CipherSuite
        preferred_patterns:
          - ".*_GCM.*"
          - ".*_CHACHA20_POLY1305.*"

  - id: HIPAA-164.312-a-1
    name: Access Control - Encryption Strength
    description: Strong encryption algorithms must be used to protect ePHI
    category: Cipher Security
    severity: critical
    remediation: |
      Disable weak and broken encryption algorithms:
      - NULL ciphers (no encryption)
      - EXPORT ciphers (deliberately weakened)
      - DES, 3DES (obsolete)
      - RC4 (broken stream cipher)

      Use only strong, modern cipher suites with AES-256 or AES-128.
    rules:
      - type: CipherSuite
        denied_patterns:
          - ".*_NULL_.*"
          - ".*_EXPORT_.*"
          - ".*_DES_.*"
          - ".*_3DES_.*"
          - ".*_RC4_.*"

  - id: HIPAA-164.312-a-2-iv
    name: Encryption Key Management
    description: Implement procedures for creating, changing, and safeguarding encryption keys
    category: Certificate Security
    severity: high
    remediation: |
      Ensure proper cryptographic key management:
      - Use RSA keys of at least 2048 bits
      - Use ECC keys of at least 256 bits
      - Implement key rotation policies
      - Protect private keys with access controls
    rules:
      - type: CertificateKeySize
        min_rsa_bits: 2048
        min_ecc_bits: 256

  - id: HIPAA-164.312-b
    name: Audit Controls - Certificate Validation
    description: Implement procedures to record and examine activity in systems containing ePHI
    category: Certificate Security
    severity: high
    remediation: |
      Ensure proper certificate validation and monitoring:
      - Verify certificate chains to trusted CAs
      - Monitor certificate expiration dates
      - Maintain audit logs of certificate validation failures
      - Implement certificate revocation checking (OCSP/CRL)
    rules:
      - type: CertificateValidation
        require_valid_chain: true
        require_unexpired: true

  - id: HIPAA-164.308-a-8
    name: Evaluation - No Known Vulnerabilities
    description: Perform periodic technical evaluations to ensure security measures are appropriate
    category: Vulnerability
    severity: critical
    remediation: |
      Regularly assess and remediate TLS/SSL vulnerabilities:
      - Patch Heartbleed, POODLE, BEAST, CRIME, etc.
      - Keep TLS libraries and server software updated
      - Perform quarterly vulnerability assessments
      - Document and track remediation efforts
    rules:
      - type: Vulnerability

  - id: HIPAA-164.312-c-1
    name: Integrity - Strong Hash Functions
    description: Implement policies to ensure data integrity using approved hash functions
    category: Certificate Security
    severity: high
    remediation: |
      Use strong cryptographic hash functions:
      - SHA-256, SHA-384, or SHA-512 for certificate signatures
      - Avoid MD5 and SHA-1 (both cryptographically broken)
    rules:
      - type: SignatureAlgorithm
        allowed:
          - sha256
          - sha384
          - sha512
        denied:
          - md5
          - sha1

  - id: HIPAA-164.312-e-2-i
    name: Forward Secrecy
    description: Implement mechanisms to protect session keys from compromise
    category: Cipher Security
    severity: medium
    remediation: |
      Enable Perfect Forward Secrecy (PFS):
      - Use ECDHE or DHE key exchange
      - Ensures session keys cannot be decrypted even if long-term keys are compromised
      - Disable static RSA key exchange
    rules:
      - type: ForwardSecrecy
        required: true