bmad-plus 0.7.5 → 0.9.0

Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,299 +1,299 @@
1
- # HIPAA Security Rule Reference
2
- ## 45 CFR Part 164, Subparts A and C
3
-
4
- ---
5
-
6
- ## Table of Contents
7
- 1. [Scope & Applicability](#1-scope--applicability)
8
- 2. [General Rules](#2-general-rules)
9
- 3. [Administrative Safeguards](#3-administrative-safeguards)
10
- 4. [Physical Safeguards](#4-physical-safeguards)
11
- 5. [Technical Safeguards](#5-technical-safeguards)
12
- 6. [Organizational Requirements](#6-organizational-requirements)
13
- 7. [Policies, Procedures & Documentation](#7-policies-procedures--documentation)
14
- 8. [Risk Analysis Deep Dive](#8-risk-analysis-deep-dive)
15
- 9. [Cloud & Modern Architecture Guidance](#9-cloud--modern-architecture-guidance)
16
- 10. [Implementation Checklist](#10-implementation-checklist)
17
-
18
- ---
19
-
20
- ## 1. Scope & Applicability
21
-
22
- The Security Rule applies to **ePHI** (electronic Protected Health Information) — PHI that is:
23
- - Created, received, maintained, or transmitted in electronic form
24
- - Stored on any electronic media (servers, workstations, laptops, mobile devices, removable media, cloud)
25
-
26
- **Applies to:**
27
- - Covered Entities (CEs)
28
- - Business Associates (BAs) — directly under HITECH (2009)
29
-
30
- **Does NOT cover:**
31
- - PHI in paper form (Privacy Rule covers this)
32
- - Verbal communications
33
-
34
- ---
35
-
36
- ## 2. General Rules
37
-
38
- ### Three Safeguard Categories
39
- All CEs and BAs must implement:
40
- 1. **Administrative Safeguards** — Policies, procedures, workforce management
41
- 2. **Physical Safeguards** — Facility access, workstation, device controls
42
- 3. **Technical Safeguards** — Technology-based protections for ePHI
43
-
44
- ### Required vs. Addressable
45
- | Designation | Meaning |
46
- |------------|---------|
47
- | **Required** | Must implement — no flexibility |
48
- | **Addressable** | Must assess whether reasonable and appropriate; if so implement; if not, document why and implement an equivalent alternative |
49
-
50
- > **Common Misconception**: "Addressable" does NOT mean optional. You must either implement it or formally document why you didn't and what you did instead.
51
-
52
- ### Flexibility Principle (§164.306(b))
53
- Implementation may consider:
54
- - Size, complexity, and capabilities of the CE/BA
55
- - Technical infrastructure, hardware, and software security capabilities
56
- - Costs of security measures
57
- - Probability and criticality of potential risks
58
-
59
- ---
60
-
61
- ## 3. Administrative Safeguards
62
- ### §164.308
63
-
64
- | Standard | Req/Addr | Description |
65
- |----------|----------|-------------|
66
- | **Security Management Process** (§164.308(a)(1)) | Required | Framework for protecting ePHI |
67
- | → Risk Analysis | Required | Assess threats, vulnerabilities, likelihood, impact |
68
- | → Risk Management | Required | Implement security measures to reduce risk to reasonable level |
69
- | → Sanction Policy | Required | Apply sanctions for workforce violations |
70
- | → Information System Activity Review | Required | Regularly review audit logs, access reports, incident reports |
71
- | **Assigned Security Responsibility** (§164.308(a)(2)) | Required | Designate a Security Official |
72
- | **Workforce Security** (§164.308(a)(3)) | Required | Control workforce access to ePHI |
73
- | → Authorization/Supervision | Addressable | Supervise workforce members working with ePHI |
74
- | → Workforce Clearance Procedure | Addressable | Determine appropriate access levels |
75
- | → Termination Procedures | Addressable | Revoke access upon termination |
76
- | **Information Access Management** (§164.308(a)(4)) | Required | Grant appropriate access to ePHI |
77
- | → Isolating Healthcare Clearinghouse Function | Required (if applicable) | Separate clearinghouse from rest of org |
78
- | → Access Authorization | Addressable | Process for authorizing access |
79
- | → Access Establishment and Modification | Addressable | Process for granting/modifying access |
80
- | **Security Awareness and Training** (§164.308(a)(5)) | Required | Train all workforce members |
81
- | → Security Reminders | Addressable | Periodic security updates |
82
- | → Protection from Malicious Software | Addressable | Anti-malware procedures |
83
- | → Log-in Monitoring | Addressable | Monitor failed log-in attempts |
84
- | → Password Management | Addressable | Guidance on creating/changing passwords |
85
- | **Security Incident Procedures** (§164.308(a)(6)) | Required | Respond to security incidents |
86
- | → Response and Reporting | Required | Identify, respond to, mitigate, document incidents |
87
- | **Contingency Plan** (§164.308(a)(7)) | Required | Respond to emergencies affecting ePHI |
88
- | → Data Backup Plan | Required | Create retrievable exact copies of ePHI |
89
- | → Disaster Recovery Plan | Required | Restore lost ePHI data |
90
- | → Emergency Mode Operation Plan | Required | Continue critical business processes during emergency |
91
- | → Testing and Revision | Addressable | Implement procedures for periodic testing of contingency plans |
92
- | → Applications and Data Criticality Analysis | Addressable | Assess relative criticality of applications |
93
- | **Evaluation** (§164.308(a)(8)) | Required | Periodic technical/non-technical evaluation |
94
- | **Business Associate Contracts** (§164.308(b)(1)) | Required | BAA with all BAs handling ePHI |
95
-
96
- ---
97
-
98
- ## 4. Physical Safeguards
99
- ### §164.310
100
-
101
- | Standard | Req/Addr | Description |
102
- |----------|----------|-------------|
103
- | **Facility Access Controls** (§164.310(a)(1)) | Required | Limit physical access to systems containing ePHI |
104
- | → Contingency Operations | Addressable | Access during disaster recovery |
105
- | → Facility Security Plan | Addressable | Safeguard facility and equipment |
106
- | → Access Control and Validation | Addressable | Control access to facilities based on role |
107
- | → Maintenance Records | Addressable | Document repairs/modifications to physical security |
108
- | **Workstation Use** (§164.310(b)) | Required | Specify proper functions and physical surroundings for workstations |
109
- | **Workstation Security** (§164.310(c)) | Required | Physical safeguards for workstations accessing ePHI |
110
- | **Device and Media Controls** (§164.310(d)(1)) | Required | Govern receipt and removal of hardware/media |
111
- | → Disposal | Required | Properly dispose of media containing ePHI (wiping, destruction) |
112
- | → Media Re-use | Required | Remove ePHI before reuse of electronic media |
113
- | → Accountability | Addressable | Track movements of hardware/media |
114
- | → Data Backup and Storage | Addressable | Create retrievable copy before moving equipment |
115
-
116
- ---
117
-
118
- ## 5. Technical Safeguards
119
- ### §164.312
120
-
121
- | Standard | Req/Addr | Description |
122
- |----------|----------|-------------|
123
- | **Access Control** (§164.312(a)(1)) | Required | Allow only authorized persons/software to access ePHI |
124
- | → Unique User Identification | Required | Assign unique names/numbers to identify and track user identity |
125
- | → Emergency Access Procedure | Required | Obtain ePHI during emergency |
126
- | → Automatic Logoff | Addressable | Terminate sessions after inactivity |
127
- | → Encryption and Decryption | Addressable | Encrypt/decrypt ePHI |
128
- | **Audit Controls** (§164.312(b)) | Required | Hardware/software/procedural mechanisms to record and examine activity in systems containing ePHI |
129
- | **Integrity** (§164.312(c)(1)) | Required | Protect ePHI from improper alteration or destruction |
130
- | → Mechanism to Authenticate ePHI | Addressable | Corroborate that ePHI has not been altered |
131
- | **Person or Entity Authentication** (§164.312(d)) | Required | Verify identity of person/entity seeking access |
132
- | **Transmission Security** (§164.312(e)(1)) | Required | Guard against unauthorized access to ePHI transmitted over electronic networks |
133
- | → Integrity Controls | Addressable | Ensure ePHI is not improperly modified during transmission |
134
- | → Encryption | Addressable | Encrypt ePHI in transit |
135
-
136
- ---
137
-
138
- ## 6. Organizational Requirements
139
- ### §164.314
140
-
141
- ### Business Associate Contracts (§164.314(a)):
142
- BAA must require the BA to:
143
- - Implement Administrative, Physical, and Technical Safeguards
144
- - Ensure subcontractors do the same (sign sub-BAAs)
145
- - Report security incidents (including successful and unsuccessful attempts)
146
- - Authorize termination of contract if CE determines BA has violated a material term
147
-
148
- ### Group Health Plans (§164.314(b)):
149
- Plan documents must require plan sponsors to:
150
- - Implement reasonable and appropriate security measures
151
- - Not use/disclose ePHI except as permitted
152
- - Report security incidents to the plan
153
-
154
- ---
155
-
156
- ## 7. Policies, Procedures & Documentation
157
- ### §164.316
158
-
159
- ### Policies and Procedures (§164.316(a)):
160
- - Must implement reasonable and appropriate policies to comply with the Security Rule
161
- - Must update as necessary
162
-
163
- ### Documentation Requirements (§164.316(b)):
164
- - Maintain written (electronic or paper) policies, procedures, and records required by the Security Rule
165
- - **Retention**: 6 years from creation date OR date last in effect (whichever is later)
166
- - Make documentation available to those responsible for implementing procedures
167
- - Review documentation periodically and update as needed
168
-
169
- ---
170
-
171
- ## 8. Risk Analysis Deep Dive
172
-
173
- Risk Analysis (§164.308(a)(1)(ii)(A)) is the **foundation** of HIPAA Security compliance. HHS has emphasized it is the most commonly cited deficiency in enforcement actions.
174
-
175
- ### Required Components:
176
- 1. **Scope**: All ePHI created, received, maintained, or transmitted (not just EHR — includes backups, emails, mobile devices)
177
- 2. **Threat Identification**: Identify potential threats to ePHI (natural, human, environmental)
178
- 3. **Vulnerability Identification**: Identify security vulnerabilities
179
- 4. **Likelihood Assessment**: Assess probability that each threat would exploit each vulnerability
180
- 5. **Impact Assessment**: Assess potential impact of threat occurrence
181
- 6. **Risk Level Determination**: Combine likelihood + impact = risk level (High/Medium/Low)
182
- 7. **Current Controls**: Document existing security measures and their effectiveness
183
-
184
- ### Risk Management (§164.308(a)(1)(ii)(B)):
185
- - Implement security measures sufficient to reduce risks to a reasonable and appropriate level
186
- - Prioritize based on risk level
187
- - Document all decisions
188
-
189
- ### Common Risk Analysis Mistakes (HHS Enforcement Findings):
190
- - Only analyzing the EHR system (missing emails, mobile devices, backups, printers)
191
- - Performing once and never updating
192
- - Not documenting the analysis
193
- - Confusing risk analysis with gap analysis
194
- - Assigning risk levels without methodology
195
-
196
- ### NIST Framework Alignment:
197
- HHS recommends NIST SP 800-30 for risk analysis methodology. NIST SP 800-66 is the HIPAA-specific guidance.
198
-
199
- ---
200
-
201
- ## 9. Cloud & Modern Architecture Guidance
202
-
203
- ### Cloud Service Providers (CSPs):
204
- - CSPs storing ePHI are Business Associates — **BAA is required**
205
- - AWS, Azure, GCP all offer HIPAA-eligible services under BAA
206
- - BAA does not transfer compliance responsibility — CE/BA must configure properly
207
-
208
- ### Key Cloud Considerations:
209
-
210
- **Encryption:**
211
- - At rest: AES-256 minimum (addressable but industry standard)
212
- - In transit: TLS 1.2+ minimum; TLS 1.3 recommended
213
- - Key management: Use dedicated KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS)
214
- - Customer-managed keys preferred for higher sensitivity
215
-
216
- **Access Control:**
217
- - Implement IAM with least-privilege principle
218
- - Use MFA for all accounts with ePHI access
219
- - Separate service accounts from human accounts
220
- - Regularly audit and rotate credentials
221
-
222
- **Audit Logging:**
223
- - Enable CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
224
- - Log: API calls, data access, authentication events, configuration changes
225
- - Immutable log storage (S3 with Object Lock, etc.)
226
- - Retention: Minimum 6 years for HIPAA records
227
- - Alert on anomalous access patterns
228
-
229
- **Network Security:**
230
- - VPC/private network for ePHI systems
231
- - Security groups / network policies: deny-by-default
232
- - No direct internet exposure of ePHI datastores
233
- - WAF for any public-facing applications handling ePHI
234
-
235
- **Mobile & BYOD:**
236
- - MDM/EMM solution required if devices access ePHI
237
- - Remote wipe capability
238
- - Screen lock enforcement
239
- - Encrypted storage
240
- - App-level controls (MAM) if possible
241
-
242
- ### API & Application Security:
243
- - Authentication: OAuth 2.0 + OIDC; consider SMART on FHIR for health apps
244
- - Input validation to prevent injection attacks
245
- - No ePHI in URLs (appears in logs)
246
- - No ePHI in error messages
247
- - Rate limiting on endpoints handling ePHI
248
- - FHIR APIs: HL7 FHIR R4 with SMART on FHIR is the modern standard
249
-
250
- ### DevOps / CI-CD:
251
- - No real PHI in dev/test environments (use synthetic data)
252
- - Secrets management (never hardcode credentials)
253
- - SAST/DAST scanning in pipeline
254
- - Dependency scanning for vulnerabilities
255
- - Infrastructure as Code security scanning
256
-
257
- ---
258
-
259
- ## 10. Implementation Checklist
260
-
261
- ### Administrative
262
- - [ ] Designate Security Official
263
- - [ ] Conduct and document Risk Analysis covering ALL ePHI
264
- - [ ] Implement Risk Management Plan with prioritized remediation
265
- - [ ] Implement sanction policy for violations
266
- - [ ] Review system activity regularly (audit logs)
267
- - [ ] Establish workforce clearance procedures
268
- - [ ] Implement access authorization process
269
- - [ ] Conduct annual Security Awareness Training (document it)
270
- - [ ] Implement anti-malware protection
271
- - [ ] Monitor failed login attempts
272
- - [ ] Document and implement Password/Credential Policy
273
- - [ ] Implement Security Incident Response Plan
274
- - [ ] Create Data Backup Plan (test it)
275
- - [ ] Create Disaster Recovery Plan (test it)
276
- - [ ] Create Emergency Mode Operation Plan
277
- - [ ] Execute BAAs with all vendors handling ePHI
278
- - [ ] Conduct periodic Security Rule evaluations
279
-
280
- ### Physical
281
- - [ ] Implement facility access controls (badge, keypad, locks)
282
- - [ ] Create and implement Facility Security Plan
283
- - [ ] Document workstation use policies
284
- - [ ] Implement workstation physical security
285
- - [ ] Implement media disposal procedures (certificates of destruction)
286
- - [ ] Implement media re-use procedures (secure wiping)
287
- - [ ] Track hardware/media movements
288
-
289
- ### Technical
290
- - [ ] Assign unique user IDs (no shared accounts)
291
- - [ ] Implement role-based access control (RBAC)
292
- - [ ] Implement MFA for all ePHI access
293
- - [ ] Implement automatic session timeout
294
- - [ ] Implement encryption at rest (AES-256)
295
- - [ ] Implement encryption in transit (TLS 1.2+)
296
- - [ ] Enable and monitor audit logs
297
- - [ ] Implement integrity controls (checksums, digital signatures)
298
- - [ ] Implement entity authentication mechanisms
299
- - [ ] Test transmission security controls
1
+ # HIPAA Security Rule Reference
2
+ ## 45 CFR Part 164, Subparts A and C
3
+
4
+ ---
5
+
6
+ ## Table of Contents
7
+ 1. [Scope & Applicability](#1-scope--applicability)
8
+ 2. [General Rules](#2-general-rules)
9
+ 3. [Administrative Safeguards](#3-administrative-safeguards)
10
+ 4. [Physical Safeguards](#4-physical-safeguards)
11
+ 5. [Technical Safeguards](#5-technical-safeguards)
12
+ 6. [Organizational Requirements](#6-organizational-requirements)
13
+ 7. [Policies, Procedures & Documentation](#7-policies-procedures--documentation)
14
+ 8. [Risk Analysis Deep Dive](#8-risk-analysis-deep-dive)
15
+ 9. [Cloud & Modern Architecture Guidance](#9-cloud--modern-architecture-guidance)
16
+ 10. [Implementation Checklist](#10-implementation-checklist)
17
+
18
+ ---
19
+
20
+ ## 1. Scope & Applicability
21
+
22
+ The Security Rule applies to **ePHI** (electronic Protected Health Information) — PHI that is:
23
+ - Created, received, maintained, or transmitted in electronic form
24
+ - Stored on any electronic media (servers, workstations, laptops, mobile devices, removable media, cloud)
25
+
26
+ **Applies to:**
27
+ - Covered Entities (CEs)
28
+ - Business Associates (BAs) — directly under HITECH (2009)
29
+
30
+ **Does NOT cover:**
31
+ - PHI in paper form (Privacy Rule covers this)
32
+ - Verbal communications
33
+
34
+ ---
35
+
36
+ ## 2. General Rules
37
+
38
+ ### Three Safeguard Categories
39
+ All CEs and BAs must implement:
40
+ 1. **Administrative Safeguards** — Policies, procedures, workforce management
41
+ 2. **Physical Safeguards** — Facility access, workstation, device controls
42
+ 3. **Technical Safeguards** — Technology-based protections for ePHI
43
+
44
+ ### Required vs. Addressable
45
+ | Designation | Meaning |
46
+ |------------|---------|
47
+ | **Required** | Must implement — no flexibility |
48
+ | **Addressable** | Must assess whether reasonable and appropriate; if so implement; if not, document why and implement an equivalent alternative |
49
+
50
+ > **Common Misconception**: "Addressable" does NOT mean optional. You must either implement it or formally document why you didn't and what you did instead.
51
+
52
+ ### Flexibility Principle (§164.306(b))
53
+ Implementation may consider:
54
+ - Size, complexity, and capabilities of the CE/BA
55
+ - Technical infrastructure, hardware, and software security capabilities
56
+ - Costs of security measures
57
+ - Probability and criticality of potential risks
58
+
59
+ ---
60
+
61
+ ## 3. Administrative Safeguards
62
+ ### §164.308
63
+
64
+ | Standard | Req/Addr | Description |
65
+ |----------|----------|-------------|
66
+ | **Security Management Process** (§164.308(a)(1)) | Required | Framework for protecting ePHI |
67
+ | → Risk Analysis | Required | Assess threats, vulnerabilities, likelihood, impact |
68
+ | → Risk Management | Required | Implement security measures to reduce risk to reasonable level |
69
+ | → Sanction Policy | Required | Apply sanctions for workforce violations |
70
+ | → Information System Activity Review | Required | Regularly review audit logs, access reports, incident reports |
71
+ | **Assigned Security Responsibility** (§164.308(a)(2)) | Required | Designate a Security Official |
72
+ | **Workforce Security** (§164.308(a)(3)) | Required | Control workforce access to ePHI |
73
+ | → Authorization/Supervision | Addressable | Supervise workforce members working with ePHI |
74
+ | → Workforce Clearance Procedure | Addressable | Determine appropriate access levels |
75
+ | → Termination Procedures | Addressable | Revoke access upon termination |
76
+ | **Information Access Management** (§164.308(a)(4)) | Required | Grant appropriate access to ePHI |
77
+ | → Isolating Healthcare Clearinghouse Function | Required (if applicable) | Separate clearinghouse from rest of org |
78
+ | → Access Authorization | Addressable | Process for authorizing access |
79
+ | → Access Establishment and Modification | Addressable | Process for granting/modifying access |
80
+ | **Security Awareness and Training** (§164.308(a)(5)) | Required | Train all workforce members |
81
+ | → Security Reminders | Addressable | Periodic security updates |
82
+ | → Protection from Malicious Software | Addressable | Anti-malware procedures |
83
+ | → Log-in Monitoring | Addressable | Monitor failed log-in attempts |
84
+ | → Password Management | Addressable | Guidance on creating/changing passwords |
85
+ | **Security Incident Procedures** (§164.308(a)(6)) | Required | Respond to security incidents |
86
+ | → Response and Reporting | Required | Identify, respond to, mitigate, document incidents |
87
+ | **Contingency Plan** (§164.308(a)(7)) | Required | Respond to emergencies affecting ePHI |
88
+ | → Data Backup Plan | Required | Create retrievable exact copies of ePHI |
89
+ | → Disaster Recovery Plan | Required | Restore lost ePHI data |
90
+ | → Emergency Mode Operation Plan | Required | Continue critical business processes during emergency |
91
+ | → Testing and Revision | Addressable | Implement procedures for periodic testing of contingency plans |
92
+ | → Applications and Data Criticality Analysis | Addressable | Assess relative criticality of applications |
93
+ | **Evaluation** (§164.308(a)(8)) | Required | Periodic technical/non-technical evaluation |
94
+ | **Business Associate Contracts** (§164.308(b)(1)) | Required | BAA with all BAs handling ePHI |
95
+
96
+ ---
97
+
98
+ ## 4. Physical Safeguards
99
+ ### §164.310
100
+
101
+ | Standard | Req/Addr | Description |
102
+ |----------|----------|-------------|
103
+ | **Facility Access Controls** (§164.310(a)(1)) | Required | Limit physical access to systems containing ePHI |
104
+ | → Contingency Operations | Addressable | Access during disaster recovery |
105
+ | → Facility Security Plan | Addressable | Safeguard facility and equipment |
106
+ | → Access Control and Validation | Addressable | Control access to facilities based on role |
107
+ | → Maintenance Records | Addressable | Document repairs/modifications to physical security |
108
+ | **Workstation Use** (§164.310(b)) | Required | Specify proper functions and physical surroundings for workstations |
109
+ | **Workstation Security** (§164.310(c)) | Required | Physical safeguards for workstations accessing ePHI |
110
+ | **Device and Media Controls** (§164.310(d)(1)) | Required | Govern receipt and removal of hardware/media |
111
+ | → Disposal | Required | Properly dispose of media containing ePHI (wiping, destruction) |
112
+ | → Media Re-use | Required | Remove ePHI before reuse of electronic media |
113
+ | → Accountability | Addressable | Track movements of hardware/media |
114
+ | → Data Backup and Storage | Addressable | Create retrievable copy before moving equipment |
115
+
116
+ ---
117
+
118
+ ## 5. Technical Safeguards
119
+ ### §164.312
120
+
121
+ | Standard | Req/Addr | Description |
122
+ |----------|----------|-------------|
123
+ | **Access Control** (§164.312(a)(1)) | Required | Allow only authorized persons/software to access ePHI |
124
+ | → Unique User Identification | Required | Assign unique names/numbers to identify and track user identity |
125
+ | → Emergency Access Procedure | Required | Obtain ePHI during emergency |
126
+ | → Automatic Logoff | Addressable | Terminate sessions after inactivity |
127
+ | → Encryption and Decryption | Addressable | Encrypt/decrypt ePHI |
128
+ | **Audit Controls** (§164.312(b)) | Required | Hardware/software/procedural mechanisms to record and examine activity in systems containing ePHI |
129
+ | **Integrity** (§164.312(c)(1)) | Required | Protect ePHI from improper alteration or destruction |
130
+ | → Mechanism to Authenticate ePHI | Addressable | Corroborate that ePHI has not been altered |
131
+ | **Person or Entity Authentication** (§164.312(d)) | Required | Verify identity of person/entity seeking access |
132
+ | **Transmission Security** (§164.312(e)(1)) | Required | Guard against unauthorized access to ePHI transmitted over electronic networks |
133
+ | → Integrity Controls | Addressable | Ensure ePHI is not improperly modified during transmission |
134
+ | → Encryption | Addressable | Encrypt ePHI in transit |
135
+
136
+ ---
137
+
138
+ ## 6. Organizational Requirements
139
+ ### §164.314
140
+
141
+ ### Business Associate Contracts (§164.314(a)):
142
+ BAA must require the BA to:
143
+ - Implement Administrative, Physical, and Technical Safeguards
144
+ - Ensure subcontractors do the same (sign sub-BAAs)
145
+ - Report security incidents (including successful and unsuccessful attempts)
146
+ - Authorize termination of contract if CE determines BA has violated a material term
147
+
148
+ ### Group Health Plans (§164.314(b)):
149
+ Plan documents must require plan sponsors to:
150
+ - Implement reasonable and appropriate security measures
151
+ - Not use/disclose ePHI except as permitted
152
+ - Report security incidents to the plan
153
+
154
+ ---
155
+
156
+ ## 7. Policies, Procedures & Documentation
157
+ ### §164.316
158
+
159
+ ### Policies and Procedures (§164.316(a)):
160
+ - Must implement reasonable and appropriate policies to comply with the Security Rule
161
+ - Must update as necessary
162
+
163
+ ### Documentation Requirements (§164.316(b)):
164
+ - Maintain written (electronic or paper) policies, procedures, and records required by the Security Rule
165
+ - **Retention**: 6 years from creation date OR date last in effect (whichever is later)
166
+ - Make documentation available to those responsible for implementing procedures
167
+ - Review documentation periodically and update as needed
168
+
169
+ ---
170
+
171
+ ## 8. Risk Analysis Deep Dive
172
+
173
+ Risk Analysis (§164.308(a)(1)(ii)(A)) is the **foundation** of HIPAA Security compliance. HHS has emphasized it is the most commonly cited deficiency in enforcement actions.
174
+
175
+ ### Required Components:
176
+ 1. **Scope**: All ePHI created, received, maintained, or transmitted (not just EHR — includes backups, emails, mobile devices)
177
+ 2. **Threat Identification**: Identify potential threats to ePHI (natural, human, environmental)
178
+ 3. **Vulnerability Identification**: Identify security vulnerabilities
179
+ 4. **Likelihood Assessment**: Assess probability that each threat would exploit each vulnerability
180
+ 5. **Impact Assessment**: Assess potential impact of threat occurrence
181
+ 6. **Risk Level Determination**: Combine likelihood + impact = risk level (High/Medium/Low)
182
+ 7. **Current Controls**: Document existing security measures and their effectiveness
183
+
184
+ ### Risk Management (§164.308(a)(1)(ii)(B)):
185
+ - Implement security measures sufficient to reduce risks to a reasonable and appropriate level
186
+ - Prioritize based on risk level
187
+ - Document all decisions
188
+
189
+ ### Common Risk Analysis Mistakes (HHS Enforcement Findings):
190
+ - Only analyzing the EHR system (missing emails, mobile devices, backups, printers)
191
+ - Performing once and never updating
192
+ - Not documenting the analysis
193
+ - Confusing risk analysis with gap analysis
194
+ - Assigning risk levels without methodology
195
+
196
+ ### NIST Framework Alignment:
197
+ HHS recommends NIST SP 800-30 for risk analysis methodology. NIST SP 800-66 is the HIPAA-specific guidance.
198
+
199
+ ---
200
+
201
+ ## 9. Cloud & Modern Architecture Guidance
202
+
203
+ ### Cloud Service Providers (CSPs):
204
+ - CSPs storing ePHI are Business Associates — **BAA is required**
205
+ - AWS, Azure, GCP all offer HIPAA-eligible services under BAA
206
+ - BAA does not transfer compliance responsibility — CE/BA must configure properly
207
+
208
+ ### Key Cloud Considerations:
209
+
210
+ **Encryption:**
211
+ - At rest: AES-256 minimum (addressable but industry standard)
212
+ - In transit: TLS 1.2+ minimum; TLS 1.3 recommended
213
+ - Key management: Use dedicated KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS)
214
+ - Customer-managed keys preferred for higher sensitivity
215
+
216
+ **Access Control:**
217
+ - Implement IAM with least-privilege principle
218
+ - Use MFA for all accounts with ePHI access
219
+ - Separate service accounts from human accounts
220
+ - Regularly audit and rotate credentials
221
+
222
+ **Audit Logging:**
223
+ - Enable CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
224
+ - Log: API calls, data access, authentication events, configuration changes
225
+ - Immutable log storage (S3 with Object Lock, etc.)
226
+ - Retention: Minimum 6 years for HIPAA records
227
+ - Alert on anomalous access patterns
228
+
229
+ **Network Security:**
230
+ - VPC/private network for ePHI systems
231
+ - Security groups / network policies: deny-by-default
232
+ - No direct internet exposure of ePHI datastores
233
+ - WAF for any public-facing applications handling ePHI
234
+
235
+ **Mobile & BYOD:**
236
+ - MDM/EMM solution required if devices access ePHI
237
+ - Remote wipe capability
238
+ - Screen lock enforcement
239
+ - Encrypted storage
240
+ - App-level controls (MAM) if possible
241
+
242
+ ### API & Application Security:
243
+ - Authentication: OAuth 2.0 + OIDC; consider SMART on FHIR for health apps
244
+ - Input validation to prevent injection attacks
245
+ - No ePHI in URLs (appears in logs)
246
+ - No ePHI in error messages
247
+ - Rate limiting on endpoints handling ePHI
248
+ - FHIR APIs: HL7 FHIR R4 with SMART on FHIR is the modern standard
249
+
250
+ ### DevOps / CI-CD:
251
+ - No real PHI in dev/test environments (use synthetic data)
252
+ - Secrets management (never hardcode credentials)
253
+ - SAST/DAST scanning in pipeline
254
+ - Dependency scanning for vulnerabilities
255
+ - Infrastructure as Code security scanning
256
+
257
+ ---
258
+
259
+ ## 10. Implementation Checklist
260
+
261
+ ### Administrative
262
+ - [ ] Designate Security Official
263
+ - [ ] Conduct and document Risk Analysis covering ALL ePHI
264
+ - [ ] Implement Risk Management Plan with prioritized remediation
265
+ - [ ] Implement sanction policy for violations
266
+ - [ ] Review system activity regularly (audit logs)
267
+ - [ ] Establish workforce clearance procedures
268
+ - [ ] Implement access authorization process
269
+ - [ ] Conduct annual Security Awareness Training (document it)
270
+ - [ ] Implement anti-malware protection
271
+ - [ ] Monitor failed login attempts
272
+ - [ ] Document and implement Password/Credential Policy
273
+ - [ ] Implement Security Incident Response Plan
274
+ - [ ] Create Data Backup Plan (test it)
275
+ - [ ] Create Disaster Recovery Plan (test it)
276
+ - [ ] Create Emergency Mode Operation Plan
277
+ - [ ] Execute BAAs with all vendors handling ePHI
278
+ - [ ] Conduct periodic Security Rule evaluations
279
+
280
+ ### Physical
281
+ - [ ] Implement facility access controls (badge, keypad, locks)
282
+ - [ ] Create and implement Facility Security Plan
283
+ - [ ] Document workstation use policies
284
+ - [ ] Implement workstation physical security
285
+ - [ ] Implement media disposal procedures (certificates of destruction)
286
+ - [ ] Implement media re-use procedures (secure wiping)
287
+ - [ ] Track hardware/media movements
288
+
289
+ ### Technical
290
+ - [ ] Assign unique user IDs (no shared accounts)
291
+ - [ ] Implement role-based access control (RBAC)
292
+ - [ ] Implement MFA for all ePHI access
293
+ - [ ] Implement automatic session timeout
294
+ - [ ] Implement encryption at rest (AES-256)
295
+ - [ ] Implement encryption in transit (TLS 1.2+)
296
+ - [ ] Enable and monitor audit logs
297
+ - [ ] Implement integrity controls (checksums, digital signatures)
298
+ - [ ] Implement entity authentication mechanisms
299
+ - [ ] Test transmission security controls