HIPAA Security Rule

Pencheff maps findings to the HIPAA Security Rule safeguards that externally observable controls can cover.

| § CFR | Safeguard | Coverage |
| --- | --- | --- |
| 164.308(a)(1) | Security management process | scan_infrastructure, scan_authz |
| 164.308(a)(1)(ii)(D) | Information system activity review | Passive scanner (log leakage) |
| 164.308(a)(4) | Access authorization | scan_authz |
| 164.308(a)(7) | Contingency plan | scan_cloud (backup config, metadata) |
| 164.308(a)(8) | Evaluation (periodic) | Scheduled scans + compliance-full |
| 164.312(a)(1) | Access control (RBAC) | scan_authz |
| 164.312(a)(2)(i) | Unique user identification | scan_auth |
| 164.312(a)(2)(iv) | Encryption / decryption | scan_infrastructure, scan_injection |
| 164.312(b) | Audit controls | Passive scanner + monitoring overlap |
| 164.312(c)(1) | Integrity | scan_injection, scan_advanced (deserialization, prototype pollution) |
| 164.312(d) | Person / entity authentication | scan_auth, scan_mfa_bypass |
| 164.312(e)(1) | Transmission security | scan_infrastructure (TLS) |
| 164.312(e)(2)(ii) | Encryption in transit | scan_infrastructure |

Policy

The compliance-full profile covers the full HIPAA mapping. For PHI-specific scope, add scan_file_handling to ensure uploads are tightly validated.