Gap Analysis — Executive Summary
As of: 2026-04-04 — reflects DA-11 (NVS baseline), DA-15 (NHC full deployment), DA-18 (HA/DR + docs)
Risk Summary
| Risk Level | Count |
|---|---|
| Critical | 0 |
| High | 2 |
| Medium | 3 |
| Done/Partial | 23 |
| Total open | 5 |
Remaining Critical Gaps
No Critical gaps remain. All infrastructure-level HIPAA technical controls in the NHC account are in place; the five open items are organizational (MFA SCP, risk-assessment sign-off, BAA audit) or NVS-account-specific (EBS encryption, VPC hardening).
Compliance Score
| Category | Items | Done | % |
|---|---|---|---|
| Encryption | 3 | 2 | 67% |
| Audit & Logging | 2 | 2 | 100% |
| Monitoring | 3 | 3 | 100% |
| Access Control | 2 | 0 | 0% |
| Network | 1 | 1 | 100% |
| Backup & DR | 3 | 3 | 100% |
| Documentation | 2 | 2 | 100% |
| Policies | 4 | 2 | 50% |
| Infrastructure | 2 | 1 | 50% |
| BAA | 2 | 1 | 50% |
| Total | 24 | 17 | 71% |
NHC Account: 23/23 Technical Controls Passing
All infrastructure-level HIPAA technical controls are implemented in the NHC account. Remaining gaps are organizational (MFA SCP, BAA audit) and NVS-account-specific.
Remediation Phases
See Remediation Roadmap for the full prioritized plan.
| Phase | Focus | Items | Status |
|---|---|---|---|
| 1 | Encryption & Network baseline | 8 | ✅ Complete |
| 2 | App infrastructure (EC2 + RDS) | 4 | ✅ Complete (DA-15 Phase 2) |
| 3 | HTTPS + WAF | 3 | ✅ Complete (DA-15 Phase 3) |
| 4 | Screenshot PHI Controls | 3 | Pending (DA-16 / screenshot feature) |
| 5 | HA & Disaster Recovery | 4 | ✅ Complete (DA-18) — Multi-AZ, auto-recovery, ElastiCache, cross-region DR |
| 6 | Access Controls & Hardening | 4 | Pending |
| 7 | Process & Documentation | 7 | Partial — draft policies exist |
What's Left
| # | Gap | Priority | Blocker |
|---|---|---|---|
| 1 | MFA enforcement SCP at Org level | High | Org-level policy needed |
| 2 | NVS EBS encryption (existing volumes) | High | Requires maintenance window |
| 3 | NVS VPC hardening (EC2 off public IP) | Medium | DA-13 — EC2 migration |
| 4 | Formal security risk assessment sign-off | Medium | Administrative |
| 5 | Third-party BAA audit (SaaS inventory) | Medium | Administrative |
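As an added example (not part of this gap analysis or of the NHC/NVS project's own policy set), the Org-level MFA enforcement SCP for item 1 could take the following shape. The statement ID, the list of MFA-setup actions left reachable without MFA, and the role carve-out are assumptions for illustration and should be adjusted to the Org's accounts and automation before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHumanAccessWithoutMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" },
        "ArnNotLike": { "aws:PrincipalArn": "arn:aws:iam::*:role/*" }
      }
    }
  ]
}
```

How the two conditions interact: `aws:MultiFactorAuthPresent` is absent from requests signed with long-term access keys, so `BoolIfExists` with `"false"` denies both key-based and non-MFA console sessions from IAM users, while the `NotAction` list keeps the calls needed to enrol and sync an MFA device reachable. The `ArnNotLike` carve-out exempts IAM role sessions (CI/CD, cross-account and service roles) so automation keeps working; MFA on the paths that assume those roles has to be enforced separately (for example through the identity provider or trust-policy conditions). SCPs never constrain the management account or service-linked roles. Create and attach it with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --name ... --content file://mfa-scp.json` followed by `aws organizations attach-policy --policy-id <id> --target-id <ou-id>`, attaching to a sandbox OU first, and check CloudTrail for `AccessDenied` events from human users before rolling it out to the NHC and NVS accounts.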
Key Assumption
The PHI controls in place in the NHC account will also be applied to the NVS screenshot S3 bucket before the screenshot feature goes live (Phase 4, DA-16). NVS does not currently handle PHI, so the open NVS items (EBS encryption, VPC hardening) are not PHI-exposure gaps today; they should be closed, and the NHC controls verified on the NVS bucket, before that feature is enabled.