Wazuh and HIPAA - Electronic Health Information Protection
Wazuh supports HIPAA (Health Insurance Portability and Accountability Act) requirements through file integrity monitoring, log analysis, configuration assessment, malware detection, vulnerability detection, and active response. The default ruleset ships with pre-tagged hipaa_XXX.XXX.X labels covering the Security Rule requirements.
HIPAA Security Rule Overview
The HIPAA Security Rule (Part 164, Subpart C) defines security standards for protecting electronic protected health information (ePHI). The standard establishes three categories of safeguards:
- Administrative safeguards - security management policies and procedures
- Physical safeguards - physical access controls for systems containing ePHI
- Technical safeguards - technology-based mechanisms for protecting ePHI
Wazuh primarily addresses technical and administrative safeguards through its monitoring and analysis modules.
HIPAA Safeguard Mapping to Wazuh Modules
Administrative Safeguards
| HIPAA Requirement | Description | Wazuh Module | Rule Group |
|---|---|---|---|
| 164.308(a)(1)(i) | Security management process | Log analysis, SCA | hipaa_164.308.a.1 |
| 164.308(a)(1)(ii)(A) | Risk analysis | Vulnerability Detector, alert analysis | hipaa_164.308.a.1 |
| 164.308(a)(3)(i) | Workforce security | Access monitoring, log analysis | hipaa_164.308.a.3 |
| 164.308(a)(5)(i) | Security awareness training | User action auditing | hipaa_164.308.a.5 |
| 164.308(a)(6)(i) | Incident response procedures | Active response, alerting | hipaa_164.308.a.6 |
| 164.308(a)(8) | Compliance evaluation | SCA, Vulnerability Detector | hipaa_164.308.a.8 |
Physical Safeguards
| HIPAA Requirement | Description | Wazuh Module | Rule Group |
|---|---|---|---|
| 164.310(a)(1) | Facility access controls | Physical access control system log analysis | hipaa_164.310.a.1 |
| 164.310(b) | Workstation controls | FIM, SCA | hipaa_164.310.b |
| 164.310(d)(1) | Device and media controls | System inventory, FIM | hipaa_164.310.d.1 |
Technical Safeguards
| HIPAA Requirement | Description | Wazuh Module | Rule Group |
|---|---|---|---|
| 164.312(a)(1) | Access control | Authentication log analysis | hipaa_164.312.a.1 |
| 164.312(a)(2)(i) | Unique user identification | Account monitoring | hipaa_164.312.a.2 |
| 164.312(a)(2)(iii) | Automatic session termination | SCA, log analysis | hipaa_164.312.a.2 |
| 164.312(b) | Audit controls | Log analysis | hipaa_164.312.b |
| 164.312(c)(1) | Integrity controls | FIM | hipaa_164.312.c.1 |
| 164.312(c)(2) | Authentication mechanisms | Log analysis, SCA | hipaa_164.312.c.2 |
| 164.312(d) | Person or entity authentication | Authentication monitoring | hipaa_164.312.d |
| 164.312(e)(1) | Transmission security | SCA, log analysis | hipaa_164.312.e.1 |
| 164.312(e)(2)(i) | Integrity controls for transmission | FIM, SCA | hipaa_164.312.e.2 |
Access Control - 164.312(a)
Wazuh tracks authentication and authorization events to enforce access controls on systems containing ePHI.
Authentication Monitoring
```xml
<!-- Linux agents: SSH and PAM events from the system authentication log -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/auth.log</location>
</localfile>
<!-- Windows agents: logon success (4624), logon failure (4625) and logoff (4634) -->
<localfile>
  <log_format>eventchannel</log_format>
  <location>Security</location>
  <query>Event[System[(EventID=4624 or EventID=4625 or EventID=4634)]]</query>
</localfile>
```
Wazuh rules automatically classify authentication events:
- Successful authentication - level 3
- Failed authentication attempt - level 5
- Multiple failed attempts (brute force) - level 10
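The classification above, worked through offline on sample log lines. This is an added example, not Wazuh code: the levels (3, 5, 10, and 8 for a root login as in rule 100200 below) and the hipaa_ group tags follow this page, while the brute-force threshold (5 failures in 120 seconds) and the auth.log lines are constructed for the example rather than taken from the Wazuh ruleset or a real host.

```python
"""Classify SSH authentication events the way the Wazuh rules on this page do.

Added example, not Wazuh code. Levels and group tags follow the page; the
brute-force threshold/window and the sample log lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the format OpenSSH writes to /var/log/auth.log
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:02 ehr-db1 sshd[2101]: Accepted publickey for nurse01 from 10.20.0.15 port 51022 ssh2
Mar  4 10:01:40 ehr-db1 sshd[2130]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  4 10:01:43 ehr-db1 sshd[2131]: Failed password for invalid user admin from 203.0.113.9 port 40124 ssh2
Mar  4 10:01:47 ehr-db1 sshd[2132]: Failed password for root from 203.0.113.9 port 40126 ssh2
Mar  4 10:01:52 ehr-db1 sshd[2133]: Failed password for root from 203.0.113.9 port 40128 ssh2
Mar  4 10:01:58 ehr-db1 sshd[2134]: Failed password for invalid user oracle from 203.0.113.9 port 40130 ssh2
Mar  4 10:02:05 ehr-db1 sshd[2140]: Failed password for nurse02 from 10.20.0.22 port 51028 ssh2
Mar  4 10:02:10 ehr-db1 sshd[2155]: Accepted password for root from 10.20.0.15 port 51030 ssh2
"""

TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
SUCCESS = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
FAILURE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Groups the page attaches to access-control events (164.312(a)(1) and 164.312(d))
ACCESS_GROUPS = ["hipaa_164.312.a.1", "hipaa_164.312.d"]


def classify(lines, threshold=5, window_s=120):
    """Return one alert dict per event. `threshold` failures from one source
    inside `window_s` seconds add a level-10 brute-force alert (assumed values)."""
    alerts = []
    recent_failures = defaultdict(list)   # source IP -> timestamps of recent failures
    for line in lines:
        m_ts = TS.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(" ".join(m_ts.group("ts").split()), "%b %d %H:%M:%S")
        if m := SUCCESS.search(line):
            user, src = m.group("user"), m.group("src")
            level, desc = 3, "sshd: authentication success"
            if user == "root":                # mirrors custom rule 100200 on the page
                level, desc = 8, "Root SSH login to ePHI system"
            alerts.append(dict(level=level, user=user, srcip=src, description=desc,
                               groups=["authentication_success"] + ACCESS_GROUPS))
        elif m := FAILURE.search(line):
            user, src = m.group("user"), m.group("src")
            alerts.append(dict(level=5, user=user, srcip=src, description="sshd: authentication failed",
                               groups=["authentication_failed"] + ACCESS_GROUPS))
            window = [t for t in recent_failures[src] if (ts - t).total_seconds() <= window_s]
            window.append(ts)
            if len(window) >= threshold:
                alerts.append(dict(level=10, user=user, srcip=src, description="sshd: brute force attempt",
                                   groups=["authentication_failures"] + ACCESS_GROUPS))
                window = []                   # fire once per burst, then start counting again
            recent_failures[src] = window
    return alerts


def summarize(alerts):
    """Alert count per level, plus the sources that triggered a brute-force alert."""
    by_level = Counter(a["level"] for a in alerts)
    brute_sources = sorted({a["srcip"] for a in alerts if a["level"] == 10})
    return dict(by_level), brute_sources


if __name__ == "__main__":
    result = classify(SAMPLE_AUTH_LOG.splitlines())
    for a in result:
        print(f"level {a['level']:>2}  {a['srcip']:<14} {a['description']}")
    print(summarize(result))
```

The per-event level-5 alerts are kept even when a burst escalates to level 10, which is also how a stateful rule in Wazuh behaves: the frequency rule fires in addition to, not instead of, the individual failures it counts.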
Privileged Access Monitoring
```xml
<!-- 5715 is the stock "sshd: authentication success" rule; this child raises root logins to level 8 -->
<rule id="100200" level="8">
  <if_sid>5715</if_sid>
  <user>root</user>
  <description>Root SSH login to ePHI system</description>
  <group>hipaa_164.312.a.1,hipaa_164.312.d,authentication_success,</group>
</rule>
```
Audit Controls - 164.312(b)
HIPAA requires implementing hardware, software, and procedural mechanisms to record and examine activity in information systems containing ePHI.
Audit Configuration
Wazuh delivers comprehensive auditing through:
- Centralized log collection - the agent collects logs from all systems containing ePHI
- Real-time analysis - detection rules process events immediately
- Archiving - complete storage of all events for retrospective analysis
```xml
<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
```
User Activity Tracking
To monitor user actions on ePHI systems, collect the auditd system call log (auditd must be installed and running on the agent):
```xml
<localfile>
  <log_format>audit</log_format>
  <location>/var/log/audit/audit.log</location>
</localfile>
```
Integrity Controls - 164.312(c)
ePHI File Monitoring
FIM provides integrity controls for electronic protected health information:
```xml
<syscheck>
  <!-- whodata records which user and process changed a file; it relies on auditd on Linux -->
  <directories check_all="yes" whodata="yes" report_changes="yes">/var/data/ephi</directories>
  <directories check_all="yes" whodata="yes">/opt/ehr/database</directories>
  <!-- realtime reports changes immediately but without the acting user -->
  <directories check_all="yes" realtime="yes">/var/data/medical_records</directories>
</syscheck>
```
Custom ePHI Rules
```xml
<!-- 550 is the stock "integrity checksum changed" rule, 553 the stock "file deleted" rule -->
<rule id="100210" level="10">
  <if_sid>550</if_sid>
  <match>/var/data/ephi|/opt/ehr|/var/data/medical_records</match>
  <description>ePHI file integrity violation: unauthorized modification detected</description>
  <group>hipaa_164.312.c.1,ephi_integrity,</group>
</rule>
<rule id="100211" level="12">
  <if_sid>553</if_sid>
  <match>/var/data/ephi|/opt/ehr|/var/data/medical_records</match>
  <description>ePHI file deleted: potential data destruction</description>
  <group>hipaa_164.312.c.1,ephi_integrity,</group>
</rule>
```
Transmission Security - 164.312(e)
Wazuh verifies data transmission encryption configuration through the SCA module. The checks below are a fragment of an SCA policy file; a complete policy also carries the policy: header block that names the policy and the file it lives in.
```yaml
checks:
  - id: 30001
    title: "Ensure TLS 1.2 or higher is enforced"
    compliance:
      - hipaa: ["164.312.e.1"]
    condition: all
    rules:
      - 'f:/etc/ssl/openssl.cnf -> r:^\s*MinProtocol\s*=\s*(TLSv1\.2|TLSv1\.3)'
  - id: 30002
    title: "Ensure SSH uses strong ciphers"
    compliance:
      - hipaa: ["164.312.e.2"]
    condition: all
    rules:
      - 'f:/etc/ssh/sshd_config -> r:^\s*Ciphers\s+.*aes256'
```
Risk Analysis - 164.308(a)(1)(ii)(A)
Wazuh supports the risk analysis process through:
Vulnerability Detection
The Vulnerability Detector identifies vulnerabilities in software installed on systems containing ePHI:
```xml
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>12h</interval>
  <run_on_start>yes</run_on_start>
  <provider name="nvd">
    <enabled>yes</enabled>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
```
Configuration Assessment
SCA checks systems against CIS Benchmark standards, identifying deviations from secure configurations.
Alert Analysis
Alert classification by severity level (0-15) and MITRE ATT&CK mapping provides data for risk assessment.
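To see what an SCA check actually tests, here is an offline evaluator for the two transmission-security checks (30001 and 30002) from the Transmission Security section, run against constructed configuration files. This is an added example, not Wazuh's SCA engine: it implements only the f:<path> -> r:<regex> rule form and the all/any/none conditions using Python's re module (Wazuh uses its own OS_Regex dialect, which agrees with re for these two patterns), and the openssl.cnf and sshd_config contents are made up for the example. It also shows a failure mode a practitioner should know about: the page's cipher check is a presence test, so a host that lists a legacy cipher alongside aes256 still passes.

```python
"""Evaluate SCA-style file checks offline.

Added example, not Wazuh code. Supports only `f:<path> -> r:<regex>` rules
and the all/any/none conditions; other SCA rule types (d:, c:, p:, negation)
are out of scope. All file contents below are constructed.
"""
import re

# The two checks from the page's SCA policy fragment
CHECKS = [
    {"id": 30001, "title": "Ensure TLS 1.2 or higher is enforced",
     "compliance": {"hipaa": ["164.312.e.1"]}, "condition": "all",
     "rules": [r"f:/etc/ssl/openssl.cnf -> r:^\s*MinProtocol\s*=\s*(TLSv1\.2|TLSv1\.3)"]},
    {"id": 30002, "title": "Ensure SSH uses strong ciphers",
     "compliance": {"hipaa": ["164.312.e.2"]}, "condition": "all",
     "rules": [r"f:/etc/ssh/sshd_config -> r:^\s*Ciphers\s+.*aes256"]},
]

# Constructed file contents for three hosts: path -> text
WEAK_HOST = {
    "/etc/ssl/openssl.cnf": "[system_default_sect]\nMinProtocol = TLSv1\n",
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\n",            # no Ciphers line at all
}
HARDENED_HOST = {
    "/etc/ssl/openssl.cnf": "[system_default_sect]\nMinProtocol = TLSv1.2\n",
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin no\nCiphers aes256-gcm@openssh.com,aes256-ctr\n",
}
# Lists a legacy cipher next to aes256: check 30002 still passes, because the
# page's regex only tests that aes256 is present, not that weak ciphers are absent
MIXED_HOST = {
    "/etc/ssl/openssl.cnf": "[system_default_sect]\nMinProtocol = TLSv1.3\n",
    "/etc/ssh/sshd_config": "Ciphers 3des-cbc,aes256-ctr\n",
}

RULE_RE = re.compile(r"^f:(?P<path>\S+)\s*->\s*r:(?P<regex>.*)$")


def eval_rule(rule, files):
    """True if any line of the named file matches the rule's regex."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    content = files.get(m.group("path"))
    if content is None:                 # a missing file cannot satisfy the rule
        return False
    pattern = re.compile(m.group("regex"))
    return any(pattern.search(line) for line in content.splitlines())


def run_checks(files, checks=CHECKS):
    """Map check id -> 'passed' or 'failed' under the check's condition."""
    results = {}
    for check in checks:
        outcomes = [eval_rule(r, files) for r in check["rules"]]
        passed = {"all": all(outcomes),
                  "any": any(outcomes),
                  "none": not any(outcomes)}[check["condition"]]
        results[check["id"]] = "passed" if passed else "failed"
    return results


def failed_requirements(results, checks=CHECKS):
    """HIPAA requirements that have at least one failed check."""
    return sorted({req for c in checks if results[c["id"]] == "failed"
                   for req in c["compliance"]["hipaa"]})


if __name__ == "__main__":
    for name, host in [("weak", WEAK_HOST), ("hardened", HARDENED_HOST), ("mixed", MIXED_HOST)]:
        res = run_checks(host)
        print(name, res, "failing requirements:", failed_requirements(res))
```

The mixed host is the case to design against: if the intent of 30002 is "only strong ciphers", the check needs a stricter pattern (or a negated rule for the weak names) rather than a match on aes256 anywhere in the line.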
Incident Response - 164.308(a)(6)
HIPAA requires documented incident response procedures. Wazuh supports this through active response:
```xml
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_group>hipaa_164.312.a.1</rules_group>
  <timeout>3600</timeout>
</active-response>
```
Note that hipaa_164.312.a.1 also tags successful logins (rule 100200 above is one), so a trigger on the group alone would drop the source address of legitimate sessions as well. Add a <level> element or trigger on a narrower group before enabling a blocking command.
Configure integrations for incident notifications:
```xml
<integration>
  <name>slack</name>
  <level>10</level>
  <group>ephi_integrity</group>
  <hook_url>https://hooks.slack.com/services/XXX/YYY/ZZZ</hook_url>
</integration>
```
HIPAA Rule Groups
Wazuh uses the hipaa_ prefix followed by the requirement number. Retrieve available tags:
```bash
docker exec wazuh-manager grep -r "hipaa_" /var/ossec/ruleset/rules/ | \
  grep -oP 'hipaa_[\d.a-z]+' | sort -u
```
Key groups:
| Group | Requirement |
|---|---|
| hipaa_164.308.a.1 | Security management process |
| hipaa_164.308.a.3 | Workforce security |
| hipaa_164.308.a.5 | Security awareness training |
| hipaa_164.308.a.6 | Incident response |
| hipaa_164.310.a.1 | Facility access controls |
| hipaa_164.310.b | Workstation controls |
| hipaa_164.310.d.1 | Device controls |
| hipaa_164.312.a.1 | Access control |
| hipaa_164.312.b | Audit controls |
| hipaa_164.312.c.1 | Integrity controls |
| hipaa_164.312.d | Authentication |
| hipaa_164.312.e.1 | Transmission security |
HIPAA Dashboard Module
The Wazuh Dashboard includes a HIPAA module under Modules > Regulatory compliance > HIPAA. The module provides:
- Alert overview by HIPAA Security Rule section
- Alert distribution across safeguard categories
- Compliance event timeline
- Per-agent and per-group detail views
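The same views can be computed offline from the alert stream, which is useful when reports must be produced from archived alerts rather than the dashboard. The script below is an added example, not Wazuh or dashboard code: it reads records in the JSON-lines shape of /var/ossec/logs/alerts/alerts.json and reproduces the counts the dashboard module and the indexer query in the next section report (alerts per HIPAA requirement, per safeguard category and per agent over the last 30 days). The alert records are constructed and carry only the fields used here; rule ids 100230 and 100999 are made-up custom rules, and rule.hipaa is derived from the hipaa_-prefixed groups the way Wazuh's analysisd fills it.

```python
"""Aggregate HIPAA-tagged Wazuh alerts offline.

Added example, not Wazuh or dashboard code. Reads alerts.json-style records
and computes the per-requirement, per-safeguard and per-agent counts the
dashboard shows. All alert records are constructed.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Safeguard category by Security Rule section (see the mapping tables above)
SAFEGUARD = {"164.308": "administrative", "164.310": "physical", "164.312": "technical"}
REFERENCE_NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)   # fixed "now" for the sample data


def _alert(ts, agent, rule_id, level, groups):
    """Build one constructed alert record. analysisd fills rule.hipaa from the
    hipaa_-prefixed groups; that derivation is reproduced here."""
    hipaa = [g[len("hipaa_"):] for g in groups if g.startswith("hipaa_")]
    return {"timestamp": ts, "agent": {"id": agent[0], "name": agent[1]},
            "rule": {"id": rule_id, "level": level, "groups": groups, "hipaa": hipaa}}


# Constructed alert stream in JSON-lines form
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    _alert("2024-03-04T10:01:02.000+0000", ("001", "ehr-db1"), "5715", 3,
           ["syslog", "sshd", "authentication_success", "hipaa_164.312.a.1", "hipaa_164.312.d"]),
    _alert("2024-03-04T10:01:58.000+0000", ("001", "ehr-db1"), "5712", 10,
           ["syslog", "sshd", "authentication_failures", "hipaa_164.312.a.1", "hipaa_164.312.d"]),
    _alert("2024-03-04T11:20:00.000+0000", ("001", "ehr-db1"), "100210", 10,
           ["syscheck", "hipaa_164.312.c.1", "ephi_integrity"]),
    _alert("2024-03-04T11:21:00.000+0000", ("002", "ehr-app1"), "100211", 12,
           ["syscheck", "hipaa_164.312.c.1", "ephi_integrity"]),
    _alert("2024-03-03T08:00:00.000+0000", ("002", "ehr-app1"), "100200", 8,
           ["hipaa_164.312.a.1", "hipaa_164.312.d", "authentication_success"]),
    _alert("2024-03-04T12:30:00.000+0000", ("001", "ehr-db1"), "100230", 10,   # made-up rule id
           ["custom", "hipaa_164.308.a.6"]),
    _alert("2024-01-10T08:00:00.000+0000", ("001", "ehr-db1"), "100210", 10,
           ["syscheck", "hipaa_164.312.c.1", "ephi_integrity"]),               # outside the 30-day window
    _alert("2024-03-04T12:00:00.000+0000", ("003", "kiosk1"), "100999", 3,     # made-up rule id, no HIPAA tag
           ["custom"]),
])


def load_alerts(text):
    """Parse JSON-lines alert text into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hipaa_alerts(alerts, now, days=30):
    """Alerts inside the last `days` that carry at least one HIPAA tag
    (the range + exists filters of the indexer query)."""
    cutoff = now - timedelta(days=days)
    kept = []
    for a in alerts:
        ts = datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        if ts >= cutoff and a["rule"].get("hipaa"):
            kept.append(a)
    return kept


def by_requirement(alerts):
    """Same numbers as the terms aggregation on rule.hipaa: one count per tag,
    so an alert tagged with two requirements is counted under both."""
    return dict(Counter(req for a in alerts for req in a["rule"]["hipaa"]))


def by_safeguard(alerts):
    """Counts per administrative / physical / technical safeguard category."""
    return dict(Counter(SAFEGUARD.get(req[:7], "unknown")
                        for a in alerts for req in a["rule"]["hipaa"]))


def by_agent(alerts):
    """HIPAA-tagged alert count per agent name."""
    return dict(Counter(a["agent"]["name"] for a in alerts))


def report(text=SAMPLE_ALERTS, now=REFERENCE_NOW):
    """All three views for the alerts in `text` relative to `now`."""
    alerts = hipaa_alerts(load_alerts(text), now)
    return {"alerts": len(alerts), "by_requirement": by_requirement(alerts),
            "by_safeguard": by_safeguard(alerts), "by_agent": by_agent(alerts)}


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Because one alert can carry several hipaa_ tags, the per-requirement and per-safeguard totals exceed the alert count; that is also true of the indexer's terms aggregation, so per-requirement figures should not be summed to report "number of HIPAA incidents".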
Generating HIPAA Reports
To query HIPAA-related alerts via the Wazuh indexer search API (port 9200, not the manager API):
```bash
curl -sk -u admin:$WAZUH_ADMIN_PASS \
  "https://localhost:9200/wazuh-alerts-*/_search" \
  -H "Content-Type: application/json" \
  -d '{
    "size": 0,
    "query": {
      "bool": {
        "must": [
          { "range": { "timestamp": { "gte": "now-30d" } } },
          { "exists": { "field": "rule.hipaa" } }
        ]
      }
    },
    "aggs": {
      "hipaa_requirements": {
        "terms": { "field": "rule.hipaa", "size": 50 }
      }
    }
  }' | jq '.aggregations.hipaa_requirements.buckets'
```
Troubleshooting
HIPAA alerts not appearing in the dashboard
- Verify that rules contain hipaa_ tags in the <group> field
- Confirm the HIPAA module is enabled in the dashboard settings
- Check the time range filter for correctness
FIM not generating alerts for ePHI files
- Confirm directory paths to ePHI data are correct in the <syscheck> configuration
- Verify agent file read permissions on monitored directories
- Confirm auditd is installed when using whodata mode
Missing audit data for 164.312(b)
- Review the log collection configuration in ossec.conf
- Confirm authentication log sources are specified
- Verify archiving is enabled via the logall_json parameter
Active response not triggering
- Verify the rule group in <active-response> matches the groups defined in rules
- Confirm the response script has execute permissions
- Check active response logs at /var/ossec/logs/active-responses.log