Benchmark: 164.314(b)(1) Requirements for group health plans
Description
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant to 164.504(f)(1)(ii) or (iii), or as authorized under 164.508, a group health plan must ensure that its plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the group health plan.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service startpowerpipe server
Open http://localhost:9033 in your browser and select 164.314(b)(1) Requirements for group health plans.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.hipaa_final_omnibus_security_rule_2013_164_314_b_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.hipaa_final_omnibus_security_rule_2013_164_314_b_1 --share
Controls
- CloudTrail trail logs should be encrypted with KMS CMK
- DynamoDB Accelerator (DAX) clusters should be encrypted at rest
- DynamoDB table should have encryption enabled
- Attached EBS volumes should have encryption enabled
- EBS default encryption should be enabled
- EKS clusters should be configured to have kubernetes secrets encrypted using KMS
- ELB classic load balancers should only use SSL or HTTPS listeners
- ES domain encryption at rest should be enabled
- Elasticsearch domain node-to-node encryption should be enabled
- OpenSearch domains should have encryption at rest enabled
- OpenSearch domains should use HTTPS
- OpenSearch domains node-to-node encryption should be enabled
- RDS DB instance encryption at rest should be enabled
- RDS DB snapshots should be encrypted at rest
- Redshift cluster encryption in transit should be enabled
- AWS Redshift clusters should be encrypted with KMS
- Redshift clusters should prohibit public access
- S3 bucket default encryption should be enabled
- S3 bucket default encryption should be enabled with KMS
- S3 buckets should enforce SSL
- S3 buckets should prohibit public read access
- S3 buckets should prohibit public write access
- S3 public access should be blocked at account level
- SageMaker endpoint configuration encryption should be enabled
- SageMaker notebook instance encryption should be enabled
- VPC should be configured to use VPC endpoints