Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information. The HIPAA Security Rule specifically requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). Wazuh helps organizations monitor and maintain HIPAA compliance through security event detection and technical safeguard monitoring.

HIPAA Requirements Coverage

Wazuh maps security events to HIPAA Security Rule requirements through the rule.hipaa field. All monitored requirements are from 45 CFR § 164.312 - Technical Safeguards.
Source: plugins/main/common/compliance-requirements/hipaa-requirements.ts

Technical Safeguards Requirements

Access Control (§ 164.312(a))

164.312.a.1 - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
Technical Measures:
  • User authentication systems
  • Authorization controls
  • Access control lists (ACLs)
  • Role-based access control (RBAC)
  • Least privilege enforcement
Monitored by:
  • Unauthorized access attempts
  • Access control violations
  • Authentication failures
  • Authorization bypasses
  • Privilege escalation attempts
Wazuh Detection: Failed login attempts, unauthorized file access, permission changes, privilege abuse
164.312.a.2.I - Assign a unique name and/or number for identifying and tracking user identity.
Technical Measures:
  • Unique user IDs for all users
  • No shared accounts
  • User identification in all logs
  • Account lifecycle management
Monitored by:
  • User account creation/deletion
  • Shared account usage detection
  • Non-unique identifier alerts
  • Account naming violations
Wazuh Detection: Account creation events, shared credential usage, identity tracking violations
164.312.a.2.II - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Technical Measures:
  • Break-glass access procedures
  • Emergency access accounts
  • Emergency access logging
  • Post-emergency access review
Monitored by:
  • Emergency account usage
  • Break-glass procedure activation
  • Out-of-hours ePHI access
  • Emergency access pattern analysis
Wazuh Detection: Emergency account logins, unusual access times, break-glass activations
164.312.a.2.III - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Technical Measures:
  • Session timeout configuration
  • Idle session termination
  • Automatic logout enforcement
  • Session management controls
Monitored by:
  • Session timeout violations
  • Inactive session detection
  • Session management failures
  • Long-running session alerts
Wazuh Detection: Session timeout events, idle session warnings, session termination logs
164.312.a.2.IV - Implement a mechanism to encrypt and decrypt electronic protected health information.
Technical Measures:
  • ePHI encryption at rest
  • ePHI encryption in transit
  • Cryptographic key management
  • Encryption strength requirements
Monitored by:
  • Unencrypted ePHI access
  • Weak encryption usage
  • Encryption failures
  • Key management violations
Wazuh Detection: Unencrypted data access, weak cipher usage, encryption service failures

Audit Controls (§ 164.312(b))

164.312.b - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Technical Measures:
  • Comprehensive logging systems
  • Audit trail generation
  • Log analysis and review
  • Security Information and Event Management (SIEM)
  • Activity monitoring
Monitored by:
  • All ePHI access events
  • System activity logs
  • User actions on ePHI systems
  • Security event logs
  • Administrative actions
Wazuh Detection: All security events related to ePHI systems, providing comprehensive audit trail
This requirement is the foundation for HIPAA compliance monitoring. Wazuh provides the audit control mechanism required by this section.

Integrity Controls (§ 164.312(c))

164.312.c.1 - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Technical Measures:
  • Data integrity verification
  • Version control systems
  • Change tracking
  • Backup and recovery procedures
  • Write protection mechanisms
Monitored by:
  • Unauthorized data modifications
  • Data deletion events
  • Integrity violation alerts
  • Improper change attempts
Wazuh Detection: File modification alerts, unauthorized changes, data integrity violations
164.312.c.2 - Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Technical Measures:
  • File integrity monitoring (FIM)
  • Digital signatures
  • Checksums and hash verification
  • Audit logs for data changes
  • Integrity validation systems
Monitored by:
  • File integrity violations
  • Checksum mismatches
  • Unauthorized file modifications
  • Digital signature failures
Wazuh Detection: FIM alerts for ePHI file changes, integrity check failures, unauthorized modifications
Enable Wazuh File Integrity Monitoring (FIM) on all directories containing ePHI to meet this requirement.

Person or Entity Authentication (§ 164.312(d))

164.312.d - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Technical Measures:
  • Multi-factor authentication (MFA)
  • Password policies
  • Biometric authentication
  • Certificate-based authentication
  • Single sign-on (SSO) with strong authentication
Monitored by:
  • Authentication attempts
  • Failed authentication events
  • MFA bypass attempts
  • Weak authentication usage
  • Authentication mechanism failures
Wazuh Detection: Failed logins, authentication errors, MFA failures, suspicious authentication patterns

Transmission Security (§ 164.312(e))

164.312.e.1 - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Technical Measures:
  • TLS/SSL for data in transit
  • VPN for remote access
  • Secure protocols (HTTPS, SFTP, etc.)
  • Network encryption
  • Wireless security (WPA3)
Monitored by:
  • Unencrypted transmissions
  • Insecure protocol usage
  • Network security violations
  • Unauthorized network access
  • Man-in-the-middle attempts
Wazuh Detection: Unencrypted connections, insecure protocol usage, network intrusion attempts
164.312.e.2.I - Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Technical Measures:
  • Message integrity checks
  • Data transmission validation
  • Checksum verification
  • Digital signatures for transmitted data
  • Secure messaging protocols
Monitored by:
  • Transmission integrity failures
  • Data corruption detection
  • Message tampering alerts
  • Integrity check failures
Wazuh Detection: Network integrity violations, corrupted transmission alerts, data tampering attempts
164.312.e.2.II - Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Technical Measures:
  • End-to-end encryption
  • Transport layer security
  • Email encryption
  • File transfer encryption
  • Application-level encryption
Monitored by:
  • Unencrypted ePHI transmissions
  • Weak encryption protocols
  • Encryption failures
  • Policy violations
Wazuh Detection: Unencrypted data transfers, weak cipher usage, encryption service failures

Using the HIPAA Dashboard

Accessing HIPAA Compliance View

1. Open HIPAA Module - Navigate to the HIPAA section in the Wazuh Dashboard overview.
2. Review Technical Safeguards - The dashboard displays all 164.312 technical safeguard requirements.
3. Filter by Requirement Type - Click on requirement categories: Access Control (a), Audit Controls (b), Integrity (c), Authentication (d), or Transmission Security (e).
4. Analyze ePHI Security Events - Review security events mapped to each technical safeguard requirement.

Dashboard Components

The HIPAA dashboard includes:
  • Top requirements by alert count - Identifies technical safeguard violations
  • Access control monitoring - Tracks § 164.312(a) compliance
  • Audit trail coverage - Monitors § 164.312(b) implementation
  • Integrity violations - Shows § 164.312(c) events
  • Authentication failures - Displays § 164.312(d) issues
  • Transmission security - Monitors § 164.312(e) compliance
Source: plugins/main/public/components/overview/hipaa/dashboards/dashboard-panels.ts

Data Source Implementation

The HIPAA data source selects only events in which the rule.hipaa field exists:
const KEY_EXIST = 'rule.hipaa';
Reference: plugins/main/public/components/common/data-source/pattern/events/hipaa/hipaa-data-source.ts:5

Event Columns

HIPAA events table displays:
  • Timestamp
  • Rule description
  • HIPAA requirement (rule.hipaa field)
  • Alert level
  • ePHI system identifier
  • Agent information
Source: plugins/main/public/components/overview/hipaa/events/hipaa-columns.tsx:8

Compliance Reporting for HIPAA

HIPAA Requirement Naming Convention

HIPAA requirements follow the pattern 164.312.[section].[subsection].[element]:
  • 164.312.a.1 - Technical safeguards, Access Control, standard
  • 164.312.a.2.I - Access Control, implementation specification I (required)
  • 164.312.c.2 - Integrity Controls, addressable implementation specification

Generating HIPAA Reports

1. Define Audit Period - Select the date range for the HIPAA compliance audit.
2. Filter by ePHI Systems - Focus on agents and systems that process ePHI.
3. Document Technical Safeguards - Export evidence of technical safeguard implementation per § 164.312.
4. Include Audit Controls - Demonstrate audit control implementation (§ 164.312(b)) through log exports.
5. Generate Compliance Evidence - Create reports showing compliance with required and addressable specifications.

Required vs. Addressable Specifications

Required specifications must be implemented by all covered entities:
  • 164.312.a.1 - Access Control (standard)
  • 164.312.a.2.I - Unique User Identification
  • 164.312.a.2.II - Emergency Access Procedure
  • 164.312.b - Audit Controls
  • 164.312.c.1 - Integrity
  • 164.312.d - Person or Entity Authentication
  • 164.312.e.1 - Transmission Security
Wazuh helps monitor all required specifications.
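As an added example (not part of the Wazuh plugin code), the following Python script applies the data source's rule.hipaa exists filter to a constructed sample of alerts.json lines, counts alerts per requirement and per safeguard category as the dashboard does, and lists the required specifications above that have no events in the audit period. The rule ids, descriptions and agent names in the sample are made up.

```python
import json
from collections import Counter

# Constructed sample of alerts.json lines (not real Wazuh output): rule ids,
# descriptions and agent names are made up; only the fields read below are kept.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T08:12:03+0000","rule":{"id":"100010","level":5,"description":"Failed login on ePHI host","hipaa":["164.312.b"]},"agent":{"id":"001","name":"ehr-db-01"}}
{"timestamp":"2024-05-01T08:12:09+0000","rule":{"id":"100011","level":10,"description":"Repeated failed logins on ePHI host","hipaa":["164.312.b"]},"agent":{"id":"001","name":"ehr-db-01"}}
{"timestamp":"2024-05-01T09:30:41+0000","rule":{"id":"100020","level":7,"description":"ePHI file checksum changed","hipaa":["164.312.c.1","164.312.c.2"]},"agent":{"id":"002","name":"records-web"}}
{"timestamp":"2024-05-01T10:02:15+0000","rule":{"id":"100030","level":5,"description":"Web server 400 error"},"agent":{"id":"002","name":"records-web"}}
"""

# Required implementation specifications listed on this page; the others are addressable.
REQUIRED_SPECS = {
    "164.312.a.1", "164.312.a.2.I", "164.312.a.2.II", "164.312.b",
    "164.312.c.1", "164.312.d", "164.312.e.1",
}
# Dashboard category names keyed by the section letter of 164.312.
SECTION_NAMES = {"a": "Access Control", "b": "Audit Controls", "c": "Integrity",
                 "d": "Authentication", "e": "Transmission Security"}

def parse_requirement(req):
    """Split '164.312.[section].[subsection].[element]'; missing parts become None."""
    parts = req.split(".")
    if len(parts) < 3 or parts[:2] != ["164", "312"]:
        raise ValueError(f"not a 164.312 requirement id: {req}")
    return parts[2], parts[3] if len(parts) > 3 else None, parts[4] if len(parts) > 4 else None

def hipaa_alerts(lines):
    """Yield parsed alerts in which rule.hipaa exists, mirroring the data source filter."""
    for line in lines:
        if line.strip():
            alert = json.loads(line)
            if alert.get("rule", {}).get("hipaa"):
                yield alert

def summarize(lines):
    """Count alerts per requirement and per section; list required specs with no events."""
    by_requirement, by_section = Counter(), Counter()
    for alert in hipaa_alerts(lines):
        for req in alert["rule"]["hipaa"]:
            by_requirement[req] += 1
            section = parse_requirement(req)[0]
            by_section[SECTION_NAMES.get(section, section)] += 1
    uncovered = sorted(r for r in REQUIRED_SPECS if r not in by_requirement)
    return by_requirement, by_section, uncovered

if __name__ == "__main__":
    counts, sections, gaps = summarize(SAMPLE_ALERTS.splitlines())
    print(counts.most_common(), dict(sections), gaps, sep="\n")
```

Required specifications that show no events over a whole audit period usually mean the relevant log sources are not yet collected, which is worth explaining in the report rather than reading as a clean result.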

HIPAA-Specific Use Cases

Audit Controls (§ 164.312(b))

Wazuh serves as the audit control mechanism:

Access Logging

Record all ePHI access events with user identification and timestamps.

Activity Monitoring

Monitor and examine all activity on systems containing ePHI.

Security Event Detection

Detect and alert on security events affecting ePHI systems.

Audit Trail Integrity

Protect audit logs from tampering using file integrity monitoring.

File Integrity Monitoring for ePHI

Meets § 164.312(c.2) - Mechanism to Authenticate ePHI:
<!-- Configure FIM for ePHI directories -->
<syscheck>
  <directories check_all="yes" realtime="yes">/path/to/ephi/data</directories>
  <directories check_all="yes" realtime="yes">/var/www/medical-records</directories>
</syscheck>
Wazuh will alert on any unauthorized modifications to ePHI files.

Access Control Monitoring

Track § 164.312(a) compliance:
  • Monitor successful and failed authentication attempts
  • Detect unauthorized access attempts
  • Track privilege escalation
  • Identify shared account usage
  • Monitor emergency access procedures

Transmission Security

Monitor § 164.312(e) compliance:
  • Detect unencrypted ePHI transmissions
  • Identify insecure protocol usage (HTTP, FTP, Telnet)
  • Monitor VPN connections for remote access
  • Track network intrusion attempts
  • Verify encryption usage for data in transit

Integration with Other Modules

HIPAA requirements appear in:
  • MITRE ATT&CK view - Maps ePHI protection to attack techniques
  • File Integrity Monitoring - Implements § 164.312(c.2)
  • Vulnerability Detection - Supports risk analysis requirements
  • NIST 800-53 - Crosswalk between HIPAA and NIST controls
Reference: plugins/main/public/components/overview/mitre/framework/components/techniques/components/rule-details.tsx:120

Requirement Data Structure

The complete HIPAA requirements mapping:
export const hipaaRequirementsFile = {
  '164.312.a.1': 'Implement technical policies and procedures...',
  '164.312.a.2.I': 'Assign a unique name and/or number...',
  '164.312.a.2.II': 'Establish procedures for emergency access...',
  '164.312.a.2.III': 'Implement electronic procedures for session termination...',
  '164.312.a.2.IV': 'Implement a mechanism to encrypt and decrypt...',
  '164.312.b': 'Implement audit controls...',
  '164.312.c.1': 'Implement policies to protect from alteration...',
  '164.312.c.2': 'Implement mechanisms to corroborate integrity...',
  '164.312.d': 'Implement procedures to verify identity...',
  '164.312.e.1': 'Implement technical security measures for transmission...',
  '164.312.e.2.I': 'Implement integrity controls for transmission...',
  '164.312.e.2.II': 'Implement encryption for transmission...',
};
Full definition: plugins/main/common/compliance-requirements/hipaa-requirements.ts:12

Best Practices

Focus on Required Specs

Prioritize monitoring of required implementation specifications.

Enable FIM for ePHI

Use file integrity monitoring on all ePHI storage locations (§ 164.312.c.2).

Monitor Access Controls

Track all access control events to demonstrate § 164.312(a) compliance.

Maintain Audit Trails

Retain audit logs as required by § 164.312(b) and organizational policy.

Regular Security Reviews

Review HIPAA dashboard regularly to identify technical safeguard violations.

Document Addressable Specs

Document implementation or alternatives for addressable specifications.

Risk Analysis Integration

Wazuh data supports HIPAA Security Rule § 164.308(a)(1)(ii)(A) risk analysis:
  • Threat identification - Security events show active threats to ePHI
  • Vulnerability assessment - Integration with vulnerability scanning
  • Impact analysis - Alert severity indicates potential impact
  • Likelihood determination - Alert frequency shows likelihood of threats

Related Pages

  • Compliance Overview
  • [File Integrity Monitoring](/modules/file-integrity-monitoring) - Implements § 164.312(c.2)
  • [Log Analysis](/modules/threat-hunting) - Implements § 164.312(b)
  • [Vulnerability Detection](/modules/vulnerability-detection) - Supports risk analysis
  • [Incident Response](/guides/threat-analysis) - Supports breach notification requirements