hipaa | HIPAA Compliance for Meteor apps

Our infrastructure is hosted on Google Cloud and uses postgresql instances via Cloud SQL

I need to configure logging for HIPAA compliance. I have read 2 articles from Google's documentation:

https://cloud.google.com/logging/docs/audit/configure-data-access#config-console https://cloud.google.com/sql/docs/postgres/pg-audit#overview

The first talks about enabling Audit Logs from within IAM, here I can select Cloud SQL and enable r+w logs for data and admins

The second talks about PgAudit and sets the following flag pgaudit.log=all

I have a couple of questions:

1. How do IAM logs and PgAudit differ, should I enable both or is there redundancy by doing so?
2. For HIPAA compliance using PgAudit, should I log all or is there another value that makes sense

I'm designing a mobile application that uses Identity Platform and Firestore to store customer's PHI records. Both Identity Platform and Firestore are mentioned as products covered by Google Cloud BAA. Will that architecture solution also fit HIPAA? I have found a tutorial at Cloud Architecture Center https://cloud.google.com/architecture/authenticating-users-to-firestore-with-identity-platform-and-google-identities and want to be sure that example fits HIPAA requirements.

My company has 2 AWS accounts. On the first (lets call it playground), I have full administrative permissions. On the second (lets call it production) I have limited IAM permissions

I enabled AWS Config (using the terraform file on the appendix) on both accounts.

• On the playground it runs smoothly, everything is fine.
• One the production, it fails. More specifically, it fails to detect the account's resources with the message "Your resources are being discovered" as shown in the screenshot below.

I initially suspected this could be an IAM role permission issue.

e.g running

aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup --profile playground gives me a list of the SecurityGroups discovered by the AWS Config on the playground (pretty much what I see on the console dashboard).

On the other hand:

aws configservice list-discovered-resources --resource-type AWS::EC2::SecurityGroup --profile production returns a null list (there are security groups though. Same results with other types such as AWS::EC2::Instance)

I'm trying to configure my server so that it terminates https connections at the EC2 instances. This is all on Elastic Beanstalk, and my environment is Node.js. The connection from the client to the load-balancer is already https, but I am taking this extra measure to meet HIPAA requirements.

I feel like I followed the instructions on AWS docs to the T, but am getting a "502 Bad Gateway" error. Below are the steps I took. Please let me know if you need more information.

1. Added secure listener on Application Load Balancer using the console. (followed instructions here)

2. Made a self-signed certificate using OpenSSL. For "Common Name," entered the qualified domain registered with Route 53 (looks something like server.example.com). (followed instructions here)

3. Configured nginx to listen on port 443 and terminate SSL connections using the certificate by creating a config file .ebextensions/https-instance.config (followed instructions here)

--- from here on, the contents of the config files can be found here----

1. Configured the secure listener on the load balancer to forward to port 443 of instances using config file .ebextensions/https-reencrypt-alb.config

2. Configured security group of the load balancer using .ebextensions/https-lbsecuritygroup.config

3. Configured security group of the EC2 instances using .ebextensions/https-backendsecurity.config

Thanks in advance for any help.

EDIT 1:

• The server returns a valid response if I make a http request (i.e. http://server.example.com).
• The security group rules are currently set so that both load balancer and instances allow All Traffic from Anywhere on all ports.
• The error.log for nginx shows rows and rows of 2021/03/19 17:33:43 [error] 12568#0: *159 connect() failed (111: Connection refused) while connecting to upstream, client: 172.XX.XX.XX, server: , request: "GET / HTTP/1.1", upstream: "http://127.X.X.X:8081/", host: "172.XX.X.XXX" (X's are my redaction)

AWS ALBs allow one to configure an SSL/TLS certificate for encrypting traffic between the client and the LB. Traffic between the LB and the target can be protected with a certificate, but target certificates are not validated... as outlined here: https://github.com/aws-quickstart/quickstart-compliance-hipaa/issues/9#issuecomment-693746199

Question: Does traffic within a VPC require additional measures to secure and prevent unauthorized access? Does AWS VPC have additional security mechanisms to prevent snooping, or unauthorized access to unencrypted traffic flowing within a VPC? Are their any tangible benefits to applying a certificate to the LB target in the above scenario considering that the certificate will not be validated?

How can I read this json file continuously (let say last 1 min. logs), and select a specific log information out of the json file (where hostname = wazuh) ?

{"timestamp":"2020-07-20T11:35:53.884+0000","rule":{"level":5,"description":"sshd: Attempt to login using a non-existent user","id":"5710","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":477,"mail":false,"groups":["syslog","sshd","invalid_login","authentication_failed"],"pci_dss":["10.2.4","10.2.5","10.6.1"],"gpg13":["7.1"],"gdpr":["IV_35.7.d","IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AU.6"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh.arge.uno"},"manager":{"name":"wazuh.arge.uno"},"id":"1595244953.11291408","full_log":"Jul 20 11:35:52 wazuh sshd[9453]: Disconnected from invalid user versa 129.204.148.56 port 44580 [preauth]","predecoder":{"program_name":"sshd","timestamp":"Jul 20 11:35:52","hostname":"wazuh"},"decoder":{"name":"sshd"},"location":"/var/log/auth.log"} ........

I am working on deciding the technology stack for one of health-related application. We are targetting for HIPAA compliance for the same.

Definitely Native is a good option but I am looking for cost-effective option from development as well as maintenance perspective that's why looking into Flutter Framework. It is satisfying most of the functional as well as technical needs.

I need answers of,

• Is there anything inside Flutter framework itself which is not compliant with Hippa?
• Any challenges that I can't see at this moment but people have faced in compliance?
• Popular third parties not to be used like Firebase, Crashlytics etc? Definitely, at the time of adding new package we will do analysis then we will add it.

I created a post a few days ago - which you can find here Remove last name but keep initial. I got the answer I needed for PHP but now I need to figure out how to do the same exact thing with xslt template.

I cannot show last names on my reviews due to hipaa laws, so I'm trying to keep the first name and only show the initial of the last name.

Here is my xml structure if needed (data.xml):

I cannot show last names on my reviews due to hipaa laws, so I'm trying to keep the first name and only show the initial of the last name.

For example:
Carole Baskin left a 5 Star Review on Google...

I would need it to say:
Carole B left a 5 Star Review on Google.

Here is my xml structure if needed: