Skip to content

Nova Home Care — Infrastructure Docs

Technical

nova-infra/hipaa-compliance-aws-infra

Technical Checklist¶

Last updated: 2026-04-04 — reflects DA-18

Use this checklist to verify technical HIPAA controls are in place. Each item maps to a gap ID in checklists/gap-analysis.yml.

Encryption at Rest¶

Encryption in Transit¶

ENC-003 NHC Django API ALB: HTTPS only (port 443), HTTP → HTTPS redirect (DA-15 Phase 3)
ENC-003 NVS Laravel ALB: HTTPS only, HTTP → HTTPS redirect — pending
ENC-003 TLS 1.2 minimum enforced on all NHC ALB listeners (DA-15)
ENC-003 ElastiCache Redis in-transit encryption (TLS) enabled (DA-18)
ENC-003 S3 access via HTTPS only (bucket policy) (DA-11, DA-15)

Network Segmentation¶

NET-001 NHC EC2 instances in private subnets (no public IPs) (DA-15)
NET-001 NAT Gateway for outbound internet (DA-15)
NET-001 ALB in public subnet, EC2 in private (DA-15)
NET-001 Security groups: EC2 allows inbound only from ALB SG (DA-15)
NET-001 NVS EC2 in private subnet — deferred to DA-13

Audit Logging¶

AUD-001 CloudTrail multi-region trail enabled (NVS) (DA-11)
AUD-001 CloudTrail multi-region trail enabled (NHC) (DA-15)
AUD-001 CloudTrail logs encrypted with KMS CMK (NVS + NHC)
AUD-001 CloudTrail log file validation enabled (NVS + NHC)
AUD-002 VPC Flow Logs enabled (NVS VPC) — deferred to DA-13
AUD-002 VPC Flow Logs enabled (NHC VPC) — pending
AUD-003 WAF logs → CloudWatch (Django ALB: 90-day retention) (DA-15)
AUD-003 WAF logs → CloudWatch (Foursites ALB: 30-day retention) (DA-15)

Monitoring & Detection¶

MON-001 AWS Config enabled in NVS account (DA-11)
MON-001 AWS Config enabled in NHC account (DA-15)
MON-001 HIPAA conformance pack deployed (NVS DA-11; NHC DA-15)
MON-002 GuardDuty enabled (NVS) (DA-11)
MON-002 GuardDuty enabled (NHC) (DA-15)
MON-002 GuardDuty org-delegated admin configured
MON-003 Security Hub enabled (NVS) (DA-11)
MON-003 Security Hub enabled (NHC) (DA-15)
MON-004 EC2 Auto-Recovery alarms on all 4 NHC instances (DA-18)

Access Control¶

ACC-001 MFA enforcement SCP applied at Org OU level
ACC-001 Root account has no active access keys
ACC-001 Root account MFA enabled
ACC-002 IAM roles audited for over-permissive policies
ACC-002 No wildcard * actions on IAM policies for PHI resources
ACC-002 SSM Session Manager enabled on all EC2 (no SSH open) (DA-15)
ACC-002 Cross-account IAM role NVS → NHC scoped correctly

Screenshot PHI Controls¶

DOC-002 Screenshot S3 bucket created with SSE-KMS (DA-11)
DOC-002 Screenshot bucket: block all public access (DA-11)
DOC-002 Screenshot bucket: S3 access logging enabled (DA-11)
DOC-002 Screenshot bucket: versioning enabled (DA-11)
DOC-002 CloudWatch alarm on screenshot bucket GetObject anomalies
DOC-002 Lifecycle policy on screenshot bucket (90-day deletion)

Backup & DR¶

POL-002 AWS Backup plan deployed (NHC) (DA-15)
POL-002 Backup vault encrypted with KMS CMK (DA-15)
POL-002 Cross-region backup copy enabled (NHC → us-west-2) (DA-18)
POL-002 Backup restore tested
POL-003 RDS Multi-AZ enabled — Django MySQL (DA-18)
POL-003 RDS Multi-AZ enabled — WP CMS MariaDB (DA-18)
POL-003 ElastiCache Redis managed cluster (DA-18)
POL-003 EC2 Auto-Recovery alarms (all 4 instances) (DA-18)

Summary¶

Category	Total	Done	Pending
Encryption at Rest	10	9	1
Encryption in Transit	5	4	1
Network	5	4	1
Audit Logging	8	6	2
Monitoring	9	8	1
Access Control	7	1	6
Screenshot PHI	6	4	2
Backup & DR	8	7	1
Total	58	43	15
Compliance			74%