generalize presets into mosaic profiles with runtime overlays

2026-02-17 11:46:12 -06:00
parent 4eac2c76e6
commit 33bbf60bad
15 changed files with 1868 additions and 0 deletions
--- a/profiles/domains/healthcare-hipaa.json
+++ b/profiles/domains/healthcare-hipaa.json
@@ -0,0 +1,189 @@
+{
+  "name": "Healthcare HIPAA Compliance",
+  "description": "HIPAA compliance requirements for healthcare applications handling PHI",
+  "domainKeywords": ["health", "medical", "patient", "hipaa", "phi", "healthcare"],
+  "compliance": {
+    "regulation": "HIPAA (Health Insurance Portability and Accountability Act)",
+    "scope": "All applications handling Protected Health Information (PHI)",
+    "requirements": [
+      "Encrypt PHI at rest and in transit",
+      "Implement access controls for PHI",
+      "Audit all access to PHI", 
+      "Ensure data integrity",
+      "Implement proper user authentication",
+      "Maintain data minimization practices"
+    ]
+  },
+  "dataClassification": {
+    "phi": {
+      "definition": "Individually identifiable health information",
+      "examples": [
+        "Names, addresses, birth dates",
+        "Phone numbers, email addresses",
+        "Social Security numbers",
+        "Medical record numbers",
+        "Health plan beneficiary numbers",
+        "Account numbers",
+        "Certificate/license numbers",
+        "Vehicle identifiers and serial numbers",
+        "Device identifiers and serial numbers",
+        "Web Universal Resource Locators (URLs)",
+        "Internet Protocol (IP) address numbers",
+        "Biometric identifiers",
+        "Full face photographic images",
+        "Medical diagnoses and treatment information",
+        "Lab results and vital signs"
+      ],
+      "encryption": "AES-256 encryption required",
+      "storage": "Must be encrypted at rest",
+      "transmission": "Must be encrypted in transit (TLS 1.2+)"
+    }
+  },
+  "securityPatterns": {
+    "encryption": {
+      "algorithm": "AES-256",
+      "keyManagement": "Use AWS KMS, Azure Key Vault, or similar",
+      "implementation": "Field-level encryption for PHI columns",
+      "example": "@Encrypted decorator for entity fields"
+    },
+    "authentication": {
+      "method": "Multi-factor authentication required",
+      "tokenType": "JWT with refresh tokens",
+      "sessionTimeout": "Maximum 15 minutes inactive timeout",
+      "passwordPolicy": "Minimum 8 characters, complexity requirements"
+    },
+    "authorization": {
+      "model": "Role-Based Access Control (RBAC)",
+      "principle": "Minimum necessary access",
+      "implementation": "Care group permissions with data segmentation",
+      "auditTrail": "Log all authorization decisions"
+    },
+    "auditLogging": {
+      "requirement": "All PHI access must be logged",
+      "fields": [
+        "User ID",
+        "Patient ID", 
+        "Action performed",
+        "Timestamp",
+        "IP address",
+        "Success/failure",
+        "Data accessed"
+      ],
+      "retention": "6 years minimum",
+      "integrity": "Logs must be tamper-evident"
+    }
+  },
+  "implementationPatterns": {
+    "backend": {
+      "entities": {
+        "phiFields": "Mark PHI fields with @PHIEncrypted decorator",
+        "auditables": "Extend BaseAuditableEntity for PHI entities",
+        "relationships": "Implement proper access control on relationships"
+      },
+      "controllers": {
+        "authentication": "All PHI endpoints require authentication",
+        "authorization": "Check user permissions before PHI access",
+        "logging": "Log all PHI access attempts",
+        "validation": "Validate all inputs to prevent injection"
+      },
+      "services": {
+        "encryption": "Encrypt PHI before database storage",
+        "decryption": "Decrypt PHI only for authorized access",
+        "minimization": "Return only necessary PHI fields",
+        "auditing": "Create audit log entries for all PHI operations"
+      }
+    },
+    "frontend": {
+      "dataHandling": {
+        "localStorage": "Never store PHI in localStorage",
+        "sessionStorage": "Only encrypted session data allowed",
+        "memory": "Clear PHI from component state on unmount",
+        "logging": "Never log PHI to console or external services"
+      },
+      "ui": {
+        "masking": "Mask sensitive data by default",
+        "permissions": "Hide UI elements based on user roles",
+        "timeout": "Implement session timeout with warnings",
+        "accessibility": "Ensure screen readers don't expose PHI inappropriately"
+      }
+    }
+  },
+  "testingRequirements": {
+    "coverage": {
+      "minimum": "80% for all PHI-handling modules",
+      "focus": "Security and privacy controls"
+    },
+    "security": [
+      "Test for PHI leakage in API responses",
+      "Verify encryption of PHI fields",
+      "Test authorization controls",
+      "Validate audit logging functionality",
+      "Test session timeout behavior"
+    ],
+    "compliance": [
+      "Verify minimum necessary access",
+      "Test audit log completeness",
+      "Validate encryption implementation",
+      "Test user access controls",
+      "Verify data retention policies"
+    ]
+  },
+  "context7Libraries": [
+    "@nestjs/jwt",
+    "bcrypt",
+    "helmet",
+    "crypto",
+    "jsonwebtoken",
+    "express-rate-limit"
+  ],
+  "codeTemplates": {
+    "phiEntity": {
+      "description": "Entity with PHI fields",
+      "template": "@Entity()\nexport class Patient {\n  @PHIEncrypted()\n  @Column()\n  firstName: string;\n\n  @AuditableField()\n  @Column()\n  medicalRecordNumber: string;\n}"
+    },
+    "auditLog": {
+      "description": "Audit log entry",
+      "template": "await this.auditService.log({\n  userId: user.id,\n  action: 'VIEW_PATIENT',\n  resourceType: 'Patient',\n  resourceId: patientId,\n  ipAddress: request.ip,\n  timestamp: new Date()\n});"
+    },
+    "authGuard": {
+      "description": "HIPAA auth guard",
+      "template": "@UseGuards(JwtAuthGuard, RolesGuard)\n@RequirePermission('view_patient_phi')\n@ApiSecurity('bearer')"
+    }
+  },
+  "complianceChecklist": [
+    "All PHI fields are encrypted at rest",
+    "All PHI transmission uses TLS 1.2+",
+    "User authentication is implemented with MFA",
+    "Role-based access control is enforced",
+    "All PHI access is logged and auditable",
+    "Session timeout is configured (max 15 minutes)",
+    "Password policies meet HIPAA requirements",
+    "Data backup and recovery procedures are secure",
+    "Incident response procedures are documented",
+    "Employee access is based on minimum necessary principle"
+  ],
+  "riskAssessment": [
+    "Unauthorized access to PHI",
+    "Data breaches due to weak encryption",
+    "Insider threats and inappropriate access",
+    "Data loss due to inadequate backups",
+    "System vulnerabilities and exploits",
+    "Third-party vendor security risks",
+    "Physical security of systems and data",
+    "Network security and access controls",
+    "Application security vulnerabilities",
+    "Business continuity and disaster recovery"
+  ],
+  "incidentResponse": [
+    "Identify and contain the incident",
+    "Assess the scope and severity",
+    "Notify affected individuals if required",
+    "Report to HHS if breach affects 500+ individuals",
+    "Implement corrective actions",
+    "Document all incident response activities",
+    "Conduct post-incident review and lessons learned",
+    "Update security policies and procedures",
+    "Provide additional training if needed",
+    "Monitor for similar incidents"
+  ]
+}