bmad-plus 0.7.5 → 0.8.0

Files changed (294) hide show
  1. package/CHANGELOG.md +450 -425
  2. package/LICENSE +21 -21
  3. package/README.md +555 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -222
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,299 +1,299 @@
1
- # HIPAA Security Rule Reference
2
- ## 45 CFR Part 164, Subparts A and C
3
-
4
- ---
5
-
6
- ## Table of Contents
7
- 1. [Scope & Applicability](#1-scope--applicability)
8
- 2. [General Rules](#2-general-rules)
9
- 3. [Administrative Safeguards](#3-administrative-safeguards)
10
- 4. [Physical Safeguards](#4-physical-safeguards)
11
- 5. [Technical Safeguards](#5-technical-safeguards)
12
- 6. [Organizational Requirements](#6-organizational-requirements)
13
- 7. [Policies, Procedures & Documentation](#7-policies-procedures--documentation)
14
- 8. [Risk Analysis Deep Dive](#8-risk-analysis-deep-dive)
15
- 9. [Cloud & Modern Architecture Guidance](#9-cloud--modern-architecture-guidance)
16
- 10. [Implementation Checklist](#10-implementation-checklist)
17
-
18
- ---
19
-
20
- ## 1. Scope & Applicability
21
-
22
- The Security Rule applies to **ePHI** (electronic Protected Health Information) — PHI that is:
23
- - Created, received, maintained, or transmitted in electronic form
24
- - Stored on any electronic media (servers, workstations, laptops, mobile devices, removable media, cloud)
25
-
26
- **Applies to:**
27
- - Covered Entities (CEs)
28
- - Business Associates (BAs) — directly under HITECH (2009)
29
-
30
- **Does NOT cover:**
31
- - PHI in paper form (Privacy Rule covers this)
32
- - Verbal communications
33
-
34
- ---
35
-
36
- ## 2. General Rules
37
-
38
- ### Three Safeguard Categories
39
- All CEs and BAs must implement:
40
- 1. **Administrative Safeguards** — Policies, procedures, workforce management
41
- 2. **Physical Safeguards** — Facility access, workstation, device controls
42
- 3. **Technical Safeguards** — Technology-based protections for ePHI
43
-
44
- ### Required vs. Addressable
45
- | Designation | Meaning |
46
- |------------|---------|
47
- | **Required** | Must implement — no flexibility |
48
- | **Addressable** | Must assess whether reasonable and appropriate; if so implement; if not, document why and implement an equivalent alternative |
49
-
50
- > **Common Misconception**: "Addressable" does NOT mean optional. You must either implement it or formally document why you didn't and what you did instead.
51
-
52
- ### Flexibility Principle (§164.306(b))
53
- Implementation may consider:
54
- - Size, complexity, and capabilities of the CE/BA
55
- - Technical infrastructure, hardware, and software security capabilities
56
- - Costs of security measures
57
- - Probability and criticality of potential risks
58
-
59
- ---
60
-
61
- ## 3. Administrative Safeguards
62
- ### §164.308
63
-
64
- | Standard | Req/Addr | Description |
65
- |----------|----------|-------------|
66
- | **Security Management Process** (§164.308(a)(1)) | Required | Framework for protecting ePHI |
67
- | → Risk Analysis | Required | Assess threats, vulnerabilities, likelihood, impact |
68
- | → Risk Management | Required | Implement security measures to reduce risk to reasonable level |
69
- | → Sanction Policy | Required | Apply sanctions for workforce violations |
70
- | → Information System Activity Review | Required | Regularly review audit logs, access reports, incident reports |
71
- | **Assigned Security Responsibility** (§164.308(a)(2)) | Required | Designate a Security Official |
72
- | **Workforce Security** (§164.308(a)(3)) | Required | Control workforce access to ePHI |
73
- | → Authorization/Supervision | Addressable | Supervise workforce members working with ePHI |
74
- | → Workforce Clearance Procedure | Addressable | Determine appropriate access levels |
75
- | → Termination Procedures | Addressable | Revoke access upon termination |
76
- | **Information Access Management** (§164.308(a)(4)) | Required | Grant appropriate access to ePHI |
77
- | → Isolating Healthcare Clearinghouse Function | Required (if applicable) | Separate clearinghouse from rest of org |
78
- | → Access Authorization | Addressable | Process for authorizing access |
79
- | → Access Establishment and Modification | Addressable | Process for granting/modifying access |
80
- | **Security Awareness and Training** (§164.308(a)(5)) | Required | Train all workforce members |
81
- | → Security Reminders | Addressable | Periodic security updates |
82
- | → Protection from Malicious Software | Addressable | Anti-malware procedures |
83
- | → Log-in Monitoring | Addressable | Monitor failed log-in attempts |
84
- | → Password Management | Addressable | Guidance on creating/changing passwords |
85
- | **Security Incident Procedures** (§164.308(a)(6)) | Required | Respond to security incidents |
86
- | → Response and Reporting | Required | Identify, respond to, mitigate, document incidents |
87
- | **Contingency Plan** (§164.308(a)(7)) | Required | Respond to emergencies affecting ePHI |
88
- | → Data Backup Plan | Required | Create retrievable exact copies of ePHI |
89
- | → Disaster Recovery Plan | Required | Restore lost ePHI data |
90
- | → Emergency Mode Operation Plan | Required | Continue critical business processes during emergency |
91
- | → Testing and Revision | Addressable | Implement procedures for periodic testing of contingency plans |
92
- | → Applications and Data Criticality Analysis | Addressable | Assess relative criticality of applications |
93
- | **Evaluation** (§164.308(a)(8)) | Required | Periodic technical/non-technical evaluation |
94
- | **Business Associate Contracts** (§164.308(b)(1)) | Required | BAA with all BAs handling ePHI |
95
-
96
- ---
97
-
98
- ## 4. Physical Safeguards
99
- ### §164.310
100
-
101
- | Standard | Req/Addr | Description |
102
- |----------|----------|-------------|
103
- | **Facility Access Controls** (§164.310(a)(1)) | Required | Limit physical access to systems containing ePHI |
104
- | → Contingency Operations | Addressable | Access during disaster recovery |
105
- | → Facility Security Plan | Addressable | Safeguard facility and equipment |
106
- | → Access Control and Validation | Addressable | Control access to facilities based on role |
107
- | → Maintenance Records | Addressable | Document repairs/modifications to physical security |
108
- | **Workstation Use** (§164.310(b)) | Required | Specify proper functions and physical surroundings for workstations |
109
- | **Workstation Security** (§164.310(c)) | Required | Physical safeguards for workstations accessing ePHI |
110
- | **Device and Media Controls** (§164.310(d)(1)) | Required | Govern receipt and removal of hardware/media |
111
- | → Disposal | Required | Properly dispose of media containing ePHI (wiping, destruction) |
112
- | → Media Re-use | Required | Remove ePHI before reuse of electronic media |
113
- | → Accountability | Addressable | Track movements of hardware/media |
114
- | → Data Backup and Storage | Addressable | Create retrievable copy before moving equipment |
115
-
116
- ---
117
-
118
- ## 5. Technical Safeguards
119
- ### §164.312
120
-
121
- | Standard | Req/Addr | Description |
122
- |----------|----------|-------------|
123
- | **Access Control** (§164.312(a)(1)) | Required | Allow only authorized persons/software to access ePHI |
124
- | → Unique User Identification | Required | Assign unique names/numbers to identify and track user identity |
125
- | → Emergency Access Procedure | Required | Obtain ePHI during emergency |
126
- | → Automatic Logoff | Addressable | Terminate sessions after inactivity |
127
- | → Encryption and Decryption | Addressable | Encrypt/decrypt ePHI |
128
- | **Audit Controls** (§164.312(b)) | Required | Hardware/software/procedural mechanisms to record and examine activity in systems containing ePHI |
129
- | **Integrity** (§164.312(c)(1)) | Required | Protect ePHI from improper alteration or destruction |
130
- | → Mechanism to Authenticate ePHI | Addressable | Corroborate that ePHI has not been altered |
131
- | **Person or Entity Authentication** (§164.312(d)) | Required | Verify identity of person/entity seeking access |
132
- | **Transmission Security** (§164.312(e)(1)) | Required | Guard against unauthorized access to ePHI transmitted over electronic networks |
133
- | → Integrity Controls | Addressable | Ensure ePHI is not improperly modified during transmission |
134
- | → Encryption | Addressable | Encrypt ePHI in transit |
135
-
136
- ---
137
-
138
- ## 6. Organizational Requirements
139
- ### §164.314
140
-
141
- ### Business Associate Contracts (§164.314(a)):
142
- BAA must require the BA to:
143
- - Implement Administrative, Physical, and Technical Safeguards
144
- - Ensure subcontractors do the same (sign sub-BAAs)
145
- - Report security incidents (including successful and unsuccessful attempts)
146
- - Authorize termination of contract if CE determines BA has violated a material term
147
-
148
- ### Group Health Plans (§164.314(b)):
149
- Plan documents must require plan sponsors to:
150
- - Implement reasonable and appropriate security measures
151
- - Not use/disclose ePHI except as permitted
152
- - Report security incidents to the plan
153
-
154
- ---
155
-
156
- ## 7. Policies, Procedures & Documentation
157
- ### §164.316
158
-
159
- ### Policies and Procedures (§164.316(a)):
160
- - Must implement reasonable and appropriate policies to comply with the Security Rule
161
- - Must update as necessary
162
-
163
- ### Documentation Requirements (§164.316(b)):
164
- - Maintain written (electronic or paper) policies, procedures, and records required by the Security Rule
165
- - **Retention**: 6 years from creation date OR date last in effect (whichever is later)
166
- - Make documentation available to those responsible for implementing procedures
167
- - Review documentation periodically and update as needed
168
-
169
- ---
170
-
171
- ## 8. Risk Analysis Deep Dive
172
-
173
- Risk Analysis (§164.308(a)(1)(ii)(A)) is the **foundation** of HIPAA Security compliance. HHS has emphasized it is the most commonly cited deficiency in enforcement actions.
174
-
175
- ### Required Components:
176
- 1. **Scope**: All ePHI created, received, maintained, or transmitted (not just EHR — includes backups, emails, mobile devices)
177
- 2. **Threat Identification**: Identify potential threats to ePHI (natural, human, environmental)
178
- 3. **Vulnerability Identification**: Identify security vulnerabilities
179
- 4. **Likelihood Assessment**: Assess probability that each threat would exploit each vulnerability
180
- 5. **Impact Assessment**: Assess potential impact of threat occurrence
181
- 6. **Risk Level Determination**: Combine likelihood + impact = risk level (High/Medium/Low)
182
- 7. **Current Controls**: Document existing security measures and their effectiveness
183
-
184
- ### Risk Management (§164.308(a)(1)(ii)(B)):
185
- - Implement security measures sufficient to reduce risks to a reasonable and appropriate level
186
- - Prioritize based on risk level
187
- - Document all decisions
188
-
189
- ### Common Risk Analysis Mistakes (HHS Enforcement Findings):
190
- - Only analyzing the EHR system (missing emails, mobile devices, backups, printers)
191
- - Performing once and never updating
192
- - Not documenting the analysis
193
- - Confusing risk analysis with gap analysis
194
- - Assigning risk levels without methodology
195
-
196
- ### NIST Framework Alignment:
197
- HHS recommends NIST SP 800-30 for risk analysis methodology. NIST SP 800-66 is the HIPAA-specific guidance.
198
-
199
- ---
200
-
201
- ## 9. Cloud & Modern Architecture Guidance
202
-
203
- ### Cloud Service Providers (CSPs):
204
- - CSPs storing ePHI are Business Associates — **BAA is required**
205
- - AWS, Azure, GCP all offer HIPAA-eligible services under BAA
206
- - BAA does not transfer compliance responsibility — CE/BA must configure properly
207
-
208
- ### Key Cloud Considerations:
209
-
210
- **Encryption:**
211
- - At rest: AES-256 minimum (addressable but industry standard)
212
- - In transit: TLS 1.2+ minimum; TLS 1.3 recommended
213
- - Key management: Use dedicated KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS)
214
- - Customer-managed keys preferred for higher sensitivity
215
-
216
- **Access Control:**
217
- - Implement IAM with least-privilege principle
218
- - Use MFA for all accounts with ePHI access
219
- - Separate service accounts from human accounts
220
- - Regularly audit and rotate credentials
221
-
222
- **Audit Logging:**
223
- - Enable CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
224
- - Log: API calls, data access, authentication events, configuration changes
225
- - Immutable log storage (S3 with Object Lock, etc.)
226
- - Retention: Minimum 6 years for HIPAA records
227
- - Alert on anomalous access patterns
228
-
229
- **Network Security:**
230
- - VPC/private network for ePHI systems
231
- - Security groups / network policies: deny-by-default
232
- - No direct internet exposure of ePHI datastores
233
- - WAF for any public-facing applications handling ePHI
234
-
235
- **Mobile & BYOD:**
236
- - MDM/EMM solution required if devices access ePHI
237
- - Remote wipe capability
238
- - Screen lock enforcement
239
- - Encrypted storage
240
- - App-level controls (MAM) if possible
241
-
242
- ### API & Application Security:
243
- - Authentication: OAuth 2.0 + OIDC; consider SMART on FHIR for health apps
244
- - Input validation to prevent injection attacks
245
- - No ePHI in URLs (appears in logs)
246
- - No ePHI in error messages
247
- - Rate limiting on endpoints handling ePHI
248
- - FHIR APIs: HL7 FHIR R4 with SMART on FHIR is the modern standard
249
-
250
- ### DevOps / CI-CD:
251
- - No real PHI in dev/test environments (use synthetic data)
252
- - Secrets management (never hardcode credentials)
253
- - SAST/DAST scanning in pipeline
254
- - Dependency scanning for vulnerabilities
255
- - Infrastructure as Code security scanning
256
-
257
- ---
258
-
259
- ## 10. Implementation Checklist
260
-
261
- ### Administrative
262
- - [ ] Designate Security Official
263
- - [ ] Conduct and document Risk Analysis covering ALL ePHI
264
- - [ ] Implement Risk Management Plan with prioritized remediation
265
- - [ ] Implement sanction policy for violations
266
- - [ ] Review system activity regularly (audit logs)
267
- - [ ] Establish workforce clearance procedures
268
- - [ ] Implement access authorization process
269
- - [ ] Conduct annual Security Awareness Training (document it)
270
- - [ ] Implement anti-malware protection
271
- - [ ] Monitor failed login attempts
272
- - [ ] Document and implement Password/Credential Policy
273
- - [ ] Implement Security Incident Response Plan
274
- - [ ] Create Data Backup Plan (test it)
275
- - [ ] Create Disaster Recovery Plan (test it)
276
- - [ ] Create Emergency Mode Operation Plan
277
- - [ ] Execute BAAs with all vendors handling ePHI
278
- - [ ] Conduct periodic Security Rule evaluations
279
-
280
- ### Physical
281
- - [ ] Implement facility access controls (badge, keypad, locks)
282
- - [ ] Create and implement Facility Security Plan
283
- - [ ] Document workstation use policies
284
- - [ ] Implement workstation physical security
285
- - [ ] Implement media disposal procedures (certificates of destruction)
286
- - [ ] Implement media re-use procedures (secure wiping)
287
- - [ ] Track hardware/media movements
288
-
289
- ### Technical
290
- - [ ] Assign unique user IDs (no shared accounts)
291
- - [ ] Implement role-based access control (RBAC)
292
- - [ ] Implement MFA for all ePHI access
293
- - [ ] Implement automatic session timeout
294
- - [ ] Implement encryption at rest (AES-256)
295
- - [ ] Implement encryption in transit (TLS 1.2+)
296
- - [ ] Enable and monitor audit logs
297
- - [ ] Implement integrity controls (checksums, digital signatures)
298
- - [ ] Implement entity authentication mechanisms
299
- - [ ] Test transmission security controls
1
+ # HIPAA Security Rule Reference
2
+ ## 45 CFR Part 164, Subparts A and C
3
+
4
+ ---
5
+
6
+ ## Table of Contents
7
+ 1. [Scope & Applicability](#1-scope--applicability)
8
+ 2. [General Rules](#2-general-rules)
9
+ 3. [Administrative Safeguards](#3-administrative-safeguards)
10
+ 4. [Physical Safeguards](#4-physical-safeguards)
11
+ 5. [Technical Safeguards](#5-technical-safeguards)
12
+ 6. [Organizational Requirements](#6-organizational-requirements)
13
+ 7. [Policies, Procedures & Documentation](#7-policies-procedures--documentation)
14
+ 8. [Risk Analysis Deep Dive](#8-risk-analysis-deep-dive)
15
+ 9. [Cloud & Modern Architecture Guidance](#9-cloud--modern-architecture-guidance)
16
+ 10. [Implementation Checklist](#10-implementation-checklist)
17
+
18
+ ---
19
+
20
+ ## 1. Scope & Applicability
21
+
22
+ The Security Rule applies to **ePHI** (electronic Protected Health Information) — PHI that is:
23
+ - Created, received, maintained, or transmitted in electronic form
24
+ - Stored on any electronic media (servers, workstations, laptops, mobile devices, removable media, cloud)
25
+
26
+ **Applies to:**
27
+ - Covered Entities (CEs)
28
+ - Business Associates (BAs) — directly under HITECH (2009)
29
+
30
+ **Does NOT cover:**
31
+ - PHI in paper form (Privacy Rule covers this)
32
+ - Verbal communications
33
+
34
+ ---
35
+
36
+ ## 2. General Rules
37
+
38
+ ### Three Safeguard Categories
39
+ All CEs and BAs must implement:
40
+ 1. **Administrative Safeguards** — Policies, procedures, workforce management
41
+ 2. **Physical Safeguards** — Facility access, workstation, device controls
42
+ 3. **Technical Safeguards** — Technology-based protections for ePHI
43
+
44
+ ### Required vs. Addressable
45
+ | Designation | Meaning |
46
+ |------------|---------|
47
+ | **Required** | Must implement — no flexibility |
48
+ | **Addressable** | Must assess whether reasonable and appropriate; if so implement; if not, document why and implement an equivalent alternative |
49
+
50
+ > **Common Misconception**: "Addressable" does NOT mean optional. You must either implement it or formally document why you didn't and what you did instead.
51
+
52
+ ### Flexibility Principle (§164.306(b))
53
+ Implementation may consider:
54
+ - Size, complexity, and capabilities of the CE/BA
55
+ - Technical infrastructure, hardware, and software security capabilities
56
+ - Costs of security measures
57
+ - Probability and criticality of potential risks
58
+
59
+ ---
60
+
61
+ ## 3. Administrative Safeguards
62
+ ### §164.308
63
+
64
+ | Standard | Req/Addr | Description |
65
+ |----------|----------|-------------|
66
+ | **Security Management Process** (§164.308(a)(1)) | Required | Framework for protecting ePHI |
67
+ | → Risk Analysis | Required | Assess threats, vulnerabilities, likelihood, impact |
68
+ | → Risk Management | Required | Implement security measures to reduce risk to reasonable level |
69
+ | → Sanction Policy | Required | Apply sanctions for workforce violations |
70
+ | → Information System Activity Review | Required | Regularly review audit logs, access reports, incident reports |
71
+ | **Assigned Security Responsibility** (§164.308(a)(2)) | Required | Designate a Security Official |
72
+ | **Workforce Security** (§164.308(a)(3)) | Required | Control workforce access to ePHI |
73
+ | → Authorization/Supervision | Addressable | Supervise workforce members working with ePHI |
74
+ | → Workforce Clearance Procedure | Addressable | Determine appropriate access levels |
75
+ | → Termination Procedures | Addressable | Revoke access upon termination |
76
+ | **Information Access Management** (§164.308(a)(4)) | Required | Grant appropriate access to ePHI |
77
+ | → Isolating Healthcare Clearinghouse Function | Required (if applicable) | Separate clearinghouse from rest of org |
78
+ | → Access Authorization | Addressable | Process for authorizing access |
79
+ | → Access Establishment and Modification | Addressable | Process for granting/modifying access |
80
+ | **Security Awareness and Training** (§164.308(a)(5)) | Required | Train all workforce members |
81
+ | → Security Reminders | Addressable | Periodic security updates |
82
+ | → Protection from Malicious Software | Addressable | Anti-malware procedures |
83
+ | → Log-in Monitoring | Addressable | Monitor failed log-in attempts |
84
+ | → Password Management | Addressable | Guidance on creating/changing passwords |
85
+ | **Security Incident Procedures** (§164.308(a)(6)) | Required | Respond to security incidents |
86
+ | → Response and Reporting | Required | Identify, respond to, mitigate, document incidents |
87
+ | **Contingency Plan** (§164.308(a)(7)) | Required | Respond to emergencies affecting ePHI |
88
+ | → Data Backup Plan | Required | Create retrievable exact copies of ePHI |
89
+ | → Disaster Recovery Plan | Required | Restore lost ePHI data |
90
+ | → Emergency Mode Operation Plan | Required | Continue critical business processes during emergency |
91
+ | → Testing and Revision | Addressable | Implement procedures for periodic testing of contingency plans |
92
+ | → Applications and Data Criticality Analysis | Addressable | Assess relative criticality of applications |
93
+ | **Evaluation** (§164.308(a)(8)) | Required | Periodic technical/non-technical evaluation |
94
+ | **Business Associate Contracts** (§164.308(b)(1)) | Required | BAA with all BAs handling ePHI |
95
+
96
+ ---
97
+
98
+ ## 4. Physical Safeguards
99
+ ### §164.310
100
+
101
+ | Standard | Req/Addr | Description |
102
+ |----------|----------|-------------|
103
+ | **Facility Access Controls** (§164.310(a)(1)) | Required | Limit physical access to systems containing ePHI |
104
+ | → Contingency Operations | Addressable | Access during disaster recovery |
105
+ | → Facility Security Plan | Addressable | Safeguard facility and equipment |
106
+ | → Access Control and Validation | Addressable | Control access to facilities based on role |
107
+ | → Maintenance Records | Addressable | Document repairs/modifications to physical security |
108
+ | **Workstation Use** (§164.310(b)) | Required | Specify proper functions and physical surroundings for workstations |
109
+ | **Workstation Security** (§164.310(c)) | Required | Physical safeguards for workstations accessing ePHI |
110
+ | **Device and Media Controls** (§164.310(d)(1)) | Required | Govern receipt and removal of hardware/media |
111
+ | → Disposal | Required | Properly dispose of media containing ePHI (wiping, destruction) |
112
+ | → Media Re-use | Required | Remove ePHI before reuse of electronic media |
113
+ | → Accountability | Addressable | Track movements of hardware/media |
114
+ | → Data Backup and Storage | Addressable | Create retrievable copy before moving equipment |
115
+
116
+ ---
117
+
118
+ ## 5. Technical Safeguards
119
+ ### §164.312
120
+
121
+ | Standard | Req/Addr | Description |
122
+ |----------|----------|-------------|
123
+ | **Access Control** (§164.312(a)(1)) | Required | Allow only authorized persons/software to access ePHI |
124
+ | → Unique User Identification | Required | Assign unique names/numbers to identify and track user identity |
125
+ | → Emergency Access Procedure | Required | Obtain ePHI during emergency |
126
+ | → Automatic Logoff | Addressable | Terminate sessions after inactivity |
127
+ | → Encryption and Decryption | Addressable | Encrypt/decrypt ePHI |
128
+ | **Audit Controls** (§164.312(b)) | Required | Hardware/software/procedural mechanisms to record and examine activity in systems containing ePHI |
129
+ | **Integrity** (§164.312(c)(1)) | Required | Protect ePHI from improper alteration or destruction |
130
+ | → Mechanism to Authenticate ePHI | Addressable | Corroborate that ePHI has not been altered |
131
+ | **Person or Entity Authentication** (§164.312(d)) | Required | Verify identity of person/entity seeking access |
132
+ | **Transmission Security** (§164.312(e)(1)) | Required | Guard against unauthorized access to ePHI transmitted over electronic networks |
133
+ | → Integrity Controls | Addressable | Ensure ePHI is not improperly modified during transmission |
134
+ | → Encryption | Addressable | Encrypt ePHI in transit |
135
+
136
+ ---
137
+
138
+ ## 6. Organizational Requirements
139
+ ### §164.314
140
+
141
+ ### Business Associate Contracts (§164.314(a)):
142
+ BAA must require the BA to:
143
+ - Implement Administrative, Physical, and Technical Safeguards
144
+ - Ensure subcontractors do the same (sign sub-BAAs)
145
+ - Report security incidents (including successful and unsuccessful attempts)
146
+ - Authorize termination of contract if CE determines BA has violated a material term
147
+
148
+ ### Group Health Plans (§164.314(b)):
149
+ Plan documents must require plan sponsors to:
150
+ - Implement reasonable and appropriate security measures
151
+ - Not use/disclose ePHI except as permitted
152
+ - Report security incidents to the plan
153
+
154
+ ---
155
+
156
+ ## 7. Policies, Procedures & Documentation
157
+ ### §164.316
158
+
159
+ ### Policies and Procedures (§164.316(a)):
160
+ - Must implement reasonable and appropriate policies to comply with the Security Rule
161
+ - Must update as necessary
162
+
163
+ ### Documentation Requirements (§164.316(b)):
164
+ - Maintain written (electronic or paper) policies, procedures, and records required by the Security Rule
165
+ - **Retention**: 6 years from creation date OR date last in effect (whichever is later)
166
+ - Make documentation available to those responsible for implementing procedures
167
+ - Review documentation periodically and update as needed
168
+
169
+ ---
170
+
171
+ ## 8. Risk Analysis Deep Dive
172
+
173
+ Risk Analysis (§164.308(a)(1)(ii)(A)) is the **foundation** of HIPAA Security compliance. HHS has emphasized it is the most commonly cited deficiency in enforcement actions.
174
+
175
+ ### Required Components:
176
+ 1. **Scope**: All ePHI created, received, maintained, or transmitted (not just EHR — includes backups, emails, mobile devices)
177
+ 2. **Threat Identification**: Identify potential threats to ePHI (natural, human, environmental)
178
+ 3. **Vulnerability Identification**: Identify security vulnerabilities
179
+ 4. **Likelihood Assessment**: Assess probability that each threat would exploit each vulnerability
180
+ 5. **Impact Assessment**: Assess potential impact of threat occurrence
181
+ 6. **Risk Level Determination**: Combine likelihood + impact = risk level (High/Medium/Low)
182
+ 7. **Current Controls**: Document existing security measures and their effectiveness
183
+
184
+ ### Risk Management (§164.308(a)(1)(ii)(B)):
185
+ - Implement security measures sufficient to reduce risks to a reasonable and appropriate level
186
+ - Prioritize based on risk level
187
+ - Document all decisions
188
+
189
+ ### Common Risk Analysis Mistakes (HHS Enforcement Findings):
190
+ - Only analyzing the EHR system (missing emails, mobile devices, backups, printers)
191
+ - Performing once and never updating
192
+ - Not documenting the analysis
193
+ - Confusing risk analysis with gap analysis
194
+ - Assigning risk levels without methodology
195
+
196
+ ### NIST Framework Alignment:
197
+ HHS recommends NIST SP 800-30 for risk analysis methodology. NIST SP 800-66 is the HIPAA-specific guidance.
198
+
199
+ ---
200
+
201
+ ## 9. Cloud & Modern Architecture Guidance
202
+
203
+ ### Cloud Service Providers (CSPs):
204
+ - CSPs storing ePHI are Business Associates — **BAA is required**
205
+ - AWS, Azure, GCP all offer HIPAA-eligible services under BAA
206
+ - BAA does not transfer compliance responsibility — CE/BA must configure properly
207
+
208
+ ### Key Cloud Considerations:
209
+
210
+ **Encryption:**
211
+ - At rest: AES-256 minimum (addressable but industry standard)
212
+ - In transit: TLS 1.2+ minimum; TLS 1.3 recommended
213
+ - Key management: Use dedicated KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS)
214
+ - Customer-managed keys preferred for higher sensitivity
215
+
216
+ **Access Control:**
217
+ - Implement IAM with least-privilege principle
218
+ - Use MFA for all accounts with ePHI access
219
+ - Separate service accounts from human accounts
220
+ - Regularly audit and rotate credentials
221
+
222
+ **Audit Logging:**
223
+ - Enable CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
224
+ - Log: API calls, data access, authentication events, configuration changes
225
+ - Immutable log storage (S3 with Object Lock, etc.)
226
+ - Retention: Minimum 6 years for HIPAA records
227
+ - Alert on anomalous access patterns
228
+
229
+ **Network Security:**
230
+ - VPC/private network for ePHI systems
231
+ - Security groups / network policies: deny-by-default
232
+ - No direct internet exposure of ePHI datastores
233
+ - WAF for any public-facing applications handling ePHI
234
+
235
+ **Mobile & BYOD:**
236
+ - MDM/EMM solution required if devices access ePHI
237
+ - Remote wipe capability
238
+ - Screen lock enforcement
239
+ - Encrypted storage
240
+ - App-level controls (MAM) if possible
241
+
242
+ ### API & Application Security:
243
+ - Authentication: OAuth 2.0 + OIDC; consider SMART on FHIR for health apps
244
+ - Input validation to prevent injection attacks
245
+ - No ePHI in URLs (appears in logs)
246
+ - No ePHI in error messages
247
+ - Rate limiting on endpoints handling ePHI
248
+ - FHIR APIs: HL7 FHIR R4 with SMART on FHIR is the modern standard
249
+
250
+ ### DevOps / CI-CD:
251
+ - No real PHI in dev/test environments (use synthetic data)
252
+ - Secrets management (never hardcode credentials)
253
+ - SAST/DAST scanning in pipeline
254
+ - Dependency scanning for vulnerabilities
255
+ - Infrastructure as Code security scanning
256
+
257
+ ---
258
+
259
+ ## 10. Implementation Checklist
260
+
261
+ ### Administrative
262
+ - [ ] Designate Security Official
263
+ - [ ] Conduct and document Risk Analysis covering ALL ePHI
264
+ - [ ] Implement Risk Management Plan with prioritized remediation
265
+ - [ ] Implement sanction policy for violations
266
+ - [ ] Review system activity regularly (audit logs)
267
+ - [ ] Establish workforce clearance procedures
268
+ - [ ] Implement access authorization process
269
+ - [ ] Conduct annual Security Awareness Training (document it)
270
+ - [ ] Implement anti-malware protection
271
+ - [ ] Monitor failed login attempts
272
+ - [ ] Document and implement Password/Credential Policy
273
+ - [ ] Implement Security Incident Response Plan
274
+ - [ ] Create Data Backup Plan (test it)
275
+ - [ ] Create Disaster Recovery Plan (test it)
276
+ - [ ] Create Emergency Mode Operation Plan
277
+ - [ ] Execute BAAs with all vendors handling ePHI
278
+ - [ ] Conduct periodic Security Rule evaluations
279
+
280
+ ### Physical
281
+ - [ ] Implement facility access controls (badge, keypad, locks)
282
+ - [ ] Create and implement Facility Security Plan
283
+ - [ ] Document workstation use policies
284
+ - [ ] Implement workstation physical security
285
+ - [ ] Implement media disposal procedures (certificates of destruction)
286
+ - [ ] Implement media re-use procedures (secure wiping)
287
+ - [ ] Track hardware/media movements
288
+
289
+ ### Technical
290
+ - [ ] Assign unique user IDs (no shared accounts)
291
+ - [ ] Implement role-based access control (RBAC)
292
+ - [ ] Implement MFA for all ePHI access
293
+ - [ ] Implement automatic session timeout
294
+ - [ ] Implement encryption at rest (AES-256)
295
+ - [ ] Implement encryption in transit (TLS 1.2+)
296
+ - [ ] Enable and monitor audit logs
297
+ - [ ] Implement integrity controls (checksums, digital signatures)
298
+ - [ ] Implement entity authentication mechanisms
299
+ - [ ] Test transmission security controls