HIPAA Vendor & Third-Party Risk Management

Covered Entity (Hospital)
         ↓
Business Associate (EHR Vendor)
         ↓
Subcontractor BA (Cloud Provider)
         ↓
Subcontractor BA (CDN Provider)

from dataclasses import dataclass, field
from typing import List, Optional
from datetime import datetime, timedelta
from enum import Enum

class BAARequiredProvision(Enum):
    """Required provisions per 45 CFR 164.504(e)"""
    PHI_USE_LIMITS = "Limits on PHI uses and disclosures"
    SAFEGUARDS = "Appropriate safeguards requirement"
    SUBCONTRACTOR_OBLIGATIONS = "Subcontractor must agree to same restrictions"
    INDIVIDUAL_ACCESS = "Provide access to individuals"
    INDIVIDUAL_AMENDMENT = "Provide amendment rights to individuals"
    ACCOUNTING_DISCLOSURE = "Provide accounting of disclosures"
    HHS_ACCESS = "Make info available to HHS"
    RETURN_DESTROY = "Return or destroy PHI on termination"
    BREACH_REPORTING = "Report breaches to covered entity"
    COMPLIANCE_BOOKS = "Make books/records available for compliance"

@dataclass
class BAAProvision:
    """Single provision in a BAA"""
    
    requirement: BAARequiredProvision
    contractual_language: str
    negotiation_notes: str
    compliance_verification_method: str
    is_satisfied: bool = False
    custom_terms: Optional[str] = None
    
    def to_contract_text(self) -> str:
        """Generate contract language for this provision"""
        base = f"""
        {self.requirement.value}:
        {self.contractual_language}
        """
        if self.custom_terms:
            base += f"\n\nAdditional Terms:\n{self.custom_terms}"
        return base

@dataclass
class BusinessAssociateAgreement:
    """Complete BAA structure and management"""
    
    covered_entity_name: str
    business_associate_name: str
    effective_date: datetime
    provisions: List[BAAProvision] = field(default_factory=list)
    term_years: int = 3
    auto_renewal: bool = True
    termination_notice_days: int = 30
    breach_notification_hours: int = 24
    phi_description: str = ""
    permitted_uses: List[str] = field(default_factory=list)
    permitted_disclosures: List[str] = field(default_factory=list)
    subcontractors_allowed: bool = True
    subcontractor_approval_required: bool = True
    
    @property
    def expiration_date(self) -> datetime:
        return self.effective_date + timedelta(days=365 * self.term_years)
    
    def validate_completeness(self) -> dict:
        """Check if BAA has all required provisions"""
        missing = []
        weak = []
        
        required_provisions = set(BAARequiredProvision)
        present_provisions = {p.requirement for p in self.provisions}
        
        missing = list(required_provisions - present_provisions)
        
        for provision in self.provisions:
            if not provision.is_satisfied:
                weak.append(provision.requirement)
        
        return {
            "is_valid": len(missing) == 0,
            "missing_provisions": missing,
            "weak_provisions": weak,
            "completeness_score": len(present_provisions) / len(required_provisions)
        }
    
    def generate_contract(self) -> str:
        """Generate full BAA contract text"""
        contract = f"""
BUSINESS ASSOCIATE AGREEMENT

This Business Associate Agreement ("Agreement") is entered into as of 
{self.effective_date.strftime('%B %d, %Y')} by and between:

COVERED ENTITY: {self.covered_entity_name}
BUSINESS ASSOCIATE: {self.business_associate_name}

ARTICLE I - DEFINITIONS

1.1 "Protected Health Information" or "PHI" means individually identifiable 
health information as defined by 45 CFR § 160.103.

1.2 "Security Incident" means the attempted or successful unauthorized access, 
use, disclosure, modification, or destruction of information.

1.3 "Breach" means the acquisition, access, use, or disclosure of PHI in a 
manner not permitted which compromises the security or privacy of the PHI.

ARTICLE II - DESCRIPTION OF PHI

{self.phi_description}

ARTICLE III - PERMITTED USES AND DISCLOSURES

3.1 Business Associate may use and disclose PHI only for the following purposes:
"""
        for i, use in enumerate(self.permitted_uses, 1):
            contract += f"\n   {i}. {use}"
        
        contract += "\n\n3.2 Business Associate may disclose PHI for the following:\n"
        for i, disclosure in enumerate(self.permitted_disclosures, 1):
            contract += f"\n   {i}. {disclosure}"
        
        contract += "\n\nARTICLE IV - OBLIGATIONS OF BUSINESS ASSOCIATE\n"
        
        for provision in self.provisions:
            contract += f"\n{provision.to_contract_text()}"
        
        contract += f"""

ARTICLE V - TERM AND TERMINATION

5.1 This Agreement shall be effective for a period of {self.term_years} years 
from the Effective Date.

5.2 {"This Agreement shall automatically renew for successive one-year periods." 
     if self.auto_renewal 
     else "This Agreement shall not automatically renew."}

5.3 Either party may terminate this Agreement with {self.termination_notice_days} 
days written notice.

ARTICLE VI - BREACH NOTIFICATION

6.1 Business Associate shall report any Breach or Security Incident to Covered 
Entity within {self.breach_notification_hours} hours of discovery.

ARTICLE VII - SUBCONTRACTORS

7.1 Business Associate {"may" if self.subcontractors_allowed else "may not"} 
use subcontractors to create, receive, maintain, or transmit PHI.

{"7.2 Business Associate must obtain prior written approval from Covered Entity before engaging any subcontractor with PHI access." if self.subcontractor_approval_required else ""}

IN WITNESS WHEREOF, the parties have executed this Agreement as of the date 
first written above.

COVERED ENTITY: ___________________________  Date: ____________

BUSINESS ASSOCIATE: ________________________  Date: ____________
"""
        return contract

# Example: Create a comprehensive BAA
def create_comprehensive_baa() -> BusinessAssociateAgreement:
    """Create a BAA with all required and recommended provisions"""
    
    baa = BusinessAssociateAgreement(
        covered_entity_name="Acme Health System",
        business_associate_name="SecureCloud Healthcare Solutions",
        effective_date=datetime.now(),
        term_years=3,
        phi_description="""
        Electronic Protected Health Information including but not limited to:
        - Patient demographic information
        - Medical records and clinical notes
        - Billing and payment information
        - Health plan eligibility information
        - Treatment and diagnosis information
        """,
        permitted_uses=[
            "Hosting and maintaining the Covered Entity's EHR system",
            "Providing data backup and disaster recovery services",
            "Performing system maintenance and updates",
            "Providing technical support to Covered Entity's workforce"
        ],
        permitted_disclosures=[
            "To Covered Entity as required for treatment, payment, or healthcare operations",
            "To individuals as directed by Covered Entity",
            "As required by law",
            "To subcontractors with prior approval and valid BAA"
        ],
        breach_notification_hours=24,
        subcontractors_allowed=True,
        subcontractor_approval_required=True
    )
    
    # Add required provisions
    provisions = [
        BAAProvision(
            requirement=BAARequiredProvision.PHI_USE_LIMITS,
            contractual_language="""
            Business Associate agrees to use or disclose PHI only as permitted 
            or required by this Agreement or as required by law. Business Associate 
            shall not use or disclose PHI in any manner that would violate the 
            Privacy Rule if done by Covered Entity.
            """,
            negotiation_notes="Standard language, typically non-negotiable",
            compliance_verification_method="Annual audit of data access logs",
            is_satisfied=True
        ),
        BAAProvision(
            requirement=BAARequiredProvision.SAFEGUARDS,
            contractual_language="""
            Business Associate shall implement administrative, physical, and 
            technical safeguards that reasonably and appropriately protect the 
            confidentiality, integrity, and availability of ePHI. Business 
            Associate shall:
            
            a) Maintain SOC 2 Type II certification
            b) Conduct annual penetration testing
            c) Encrypt all PHI in transit and at rest using AES-256
            d) Implement role-based access controls
            e) Maintain detailed audit logs for minimum 6 years
            """,
            negotiation_notes="Negotiate specific certifications required",
            compliance_verification_method="Annual SOC 2 report review, penetration test results",
            is_satisfied=True,
            custom_terms="Business Associate shall provide Covered Entity with current SOC 2 Type II report within 30 days of request."
        ),
        BAAProvision(
            requirement=BAARequiredProvision.BREACH_REPORTING,
            contractual_language="""
            Business Associate shall report to Covered Entity any Security 
            Incident or Breach of which it becomes aware within 24 hours of 
            discovery. Reports shall include:
            
            a) Date and time of discovery
            b) Description of the incident
            c) Types of PHI potentially involved
            d) Number of individuals potentially affected
            e) Immediate steps taken to contain the incident
            f) Planned remediation actions
            """,
            negotiation_notes="24 hours is more stringent than HIPAA's 'without unreasonable delay'",
            compliance_verification_method="Incident response plan review, tabletop exercises",
            is_satisfied=True
        ),
        BAAProvision(
            requirement=BAARequiredProvision.SUBCONTRACTOR_OBLIGATIONS,
            contractual_language="""
            Business Associate shall ensure that any subcontractor that creates, 
            receives, maintains, or transmits PHI on behalf of Business Associate 
            agrees to the same restrictions and conditions that apply to Business 
            Associate. Business Associate shall:
            
            a) Obtain prior written approval from Covered Entity before engaging 
               any subcontractor with PHI access
            b) Maintain written agreements with all subcontractors
            c) Provide copies of subcontractor agreements upon request
            d) Be responsible for the acts and omissions of its subcontractors
            """,
            negotiation_notes="Consider requiring prior approval vs. notification only",
            compliance_verification_method="Subcontractor register review, BAA chain verification",
            is_satisfied=True
        ),
        BAAProvision(
            requirement=BAARequiredProvision.INDIVIDUAL_ACCESS,
            contractual_language="""
            Business Associate shall make PHI available to individuals in 
            accordance with 45 CFR § 164.524 within 15 business days of request. 
            Business Associate shall:
            
            a) Maintain the capability to provide PHI in electronic format
            b) Respond to access requests forwarded by Covered Entity
            c) Not charge fees exceeding the cost of labor for copying
            """,
            negotiation_notes="15 days is more stringent than HIPAA's 30 days",
            compliance_verification_method="Test access requests, review response times",
            is_satisfied=True
        ),
        BAAProvision(
            requirement=BAARequiredProvision.RETURN_DESTROY,
            contractual_language="""
            Upon termination of this Agreement, Business Associate shall:
            
            a) Return or destroy all PHI within 30 days
            b) Provide written certification of destruction
            c) Not retain any copies of PHI
            
            If return or destruction is not feasible, Business Associate shall:
            a) Extend protections of this Agreement indefinitely
            b) Limit further uses and disclosures to those purposes that make 
               return or destruction infeasible
            c) Provide written explanation of infeasibility
            """,
            negotiation_notes="Define 'infeasible' scenarios in advance",
            compliance_verification_method="Termination checklist, destruction certificates",
            is_satisfied=True
        )
    ]
    
    baa.provisions = provisions
    return baa

from dataclasses import dataclass, field
from typing import List, Dict, Optional
from enum import Enum
from datetime import datetime, date

class RiskLevel(Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"

class VendorCategory(Enum):
    CLOUD_INFRASTRUCTURE = "Cloud Infrastructure"
    EHR_EMR = "EHR/EMR System"
    BILLING_REVENUE = "Billing/Revenue Cycle"
    DATA_ANALYTICS = "Data Analytics"
    COMMUNICATION = "Communication Platform"
    MEDICAL_DEVICE = "Medical Device/IoMT"
    PROFESSIONAL_SERVICE = "Professional Services"
    IT_MANAGED_SERVICES = "IT Managed Services"

@dataclass
class SecurityQuestionnaire:
    """Comprehensive vendor security assessment"""
    
    vendor_name: str
    category: VendorCategory
    assessment_date: date = field(default_factory=date.today)
    
    # Organization & Governance
    has_security_team: bool = False
    has_ciso: bool = False
    employee_count: int = 0
    years_in_business: int = 0
    
    # Certifications & Compliance
    soc2_type2: bool = False
    soc2_report_date: Optional[date] = None
    hitrust_certified: bool = False
    iso27001_certified: bool = False
    hipaa_attestation: bool = False
    
    # Technical Controls
    encryption_at_rest: bool = False
    encryption_in_transit: bool = False
    encryption_algorithm: str = ""
    mfa_required: bool = False
    sso_supported: bool = False
    
    # Access Management
    rbac_implemented: bool = False
    least_privilege_enforced: bool = False
    access_reviews_frequency: str = ""
    privileged_access_management: bool = False
    
    # Network Security
    firewall_implemented: bool = False
    ids_ips_deployed: bool = False
    network_segmentation: bool = False
    ddos_protection: bool = False
    
    # Vulnerability Management
    vulnerability_scanning_frequency: str = ""
    penetration_testing_frequency: str = ""
    last_pentest_date: Optional[date] = None
    pentest_findings_remediated: bool = False
    
    # Incident Response
    incident_response_plan: bool = False
    ir_plan_tested: bool = False
    breach_notification_hours: int = 72
    cyber_insurance_coverage: float = 0.0
    
    # Data Handling
    data_retention_policy: bool = False
    data_destruction_process: bool = False
    backup_frequency: str = ""
    backup_encryption: bool = False
    backup_testing_frequency: str = ""
    
    # Subcontractors
    uses_subcontractors: bool = False
    subcontractor_security_requirements: bool = False
    subcontractor_list_available: bool = False
    
    # Physical Security
    data_center_locations: List[str] = field(default_factory=list)
    physical_access_controls: bool = False
    environmental_controls: bool = False
    
    def calculate_risk_score(self) -> tuple[float, RiskLevel]:
        """Calculate overall vendor risk score"""
        score = 100  # Start with perfect score
        deductions = []
        
        # Critical controls (major deductions)
        if not self.encryption_at_rest:
            score -= 15
            deductions.append("No encryption at rest (-15)")
        if not self.encryption_in_transit:
            score -= 15
            deductions.append("No encryption in transit (-15)")
        if not self.mfa_required:
            score -= 10
            deductions.append("MFA not required (-10)")
        if not self.incident_response_plan:
            score -= 10
            deductions.append("No incident response plan (-10)")
        
        # Important controls (moderate deductions)
        if not self.soc2_type2:
            score -= 8
            deductions.append("No SOC 2 Type II (-8)")
        if not self.penetration_testing_frequency:
            score -= 8
            deductions.append("No penetration testing (-8)")
        if not self.rbac_implemented:
            score -= 5
            deductions.append("No RBAC (-5)")
        if not self.backup_encryption:
            score -= 5
            deductions.append("Backups not encrypted (-5)")
        
        # Nice-to-have controls (minor deductions)
        if not self.hitrust_certified:
            score -= 3
            deductions.append("No HITRUST (-3)")
        if not self.has_ciso:
            score -= 3
            deductions.append("No CISO (-3)")
        
        # Determine risk level
        if score >= 85:
            risk_level = RiskLevel.LOW
        elif score >= 70:
            risk_level = RiskLevel.MEDIUM
        elif score >= 50:
            risk_level = RiskLevel.HIGH
        else:
            risk_level = RiskLevel.CRITICAL
        
        return max(0, score), risk_level
    
    def generate_assessment_report(self) -> str:
        """Generate a detailed assessment report"""
        score, risk_level = self.calculate_risk_score()
        
        report = f"""
VENDOR SECURITY ASSESSMENT REPORT
==================================

Vendor: {self.vendor_name}
Category: {self.category.value}
Assessment Date: {self.assessment_date}

OVERALL RISK SCORE: {score}/100 ({risk_level.value.upper()})

EXECUTIVE SUMMARY
-----------------
"""
        if risk_level == RiskLevel.LOW:
            report += "Vendor demonstrates strong security posture suitable for PHI handling."
        elif risk_level == RiskLevel.MEDIUM:
            report += "Vendor has acceptable security with some areas requiring improvement."
        elif risk_level == RiskLevel.HIGH:
            report += "Vendor has significant security gaps that must be addressed before engagement."
        else:
            report += "CRITICAL: Vendor security is inadequate for PHI handling. Do not engage."
        
        report += f"""

COMPLIANCE STATUS
-----------------
SOC 2 Type II: {'✅ Yes' if self.soc2_type2 else '❌ No'}
HITRUST: {'✅ Yes' if self.hitrust_certified else '❌ No'}  
ISO 27001: {'✅ Yes' if self.iso27001_certified else '❌ No'}
HIPAA Attestation: {'✅ Yes' if self.hipaa_attestation else '❌ No'}

ENCRYPTION STATUS
-----------------
Data at Rest: {'✅ ' + self.encryption_algorithm if self.encryption_at_rest else '❌ Not encrypted'}
Data in Transit: {'✅ TLS/HTTPS' if self.encryption_in_transit else '❌ Not encrypted'}
Backups: {'✅ Encrypted' if self.backup_encryption else '❌ Not encrypted'}

ACCESS CONTROLS
---------------
MFA Required: {'✅ Yes' if self.mfa_required else '❌ No'}
RBAC Implemented: {'✅ Yes' if self.rbac_implemented else '❌ No'}
SSO Supported: {'✅ Yes' if self.sso_supported else '❌ No'}

INCIDENT RESPONSE
-----------------
IR Plan Exists: {'✅ Yes' if self.incident_response_plan else '❌ No'}
IR Plan Tested: {'✅ Yes' if self.ir_plan_tested else '❌ No'}
Breach Notification: Within {self.breach_notification_hours} hours
Cyber Insurance: ${self.cyber_insurance_coverage:,.0f}

DATA LOCATIONS
--------------
{', '.join(self.data_center_locations) if self.data_center_locations else 'Not specified'}
"""
        return report

@dataclass
class VendorDueDiligenceProcess:
    """Full vendor due diligence workflow"""
    
    vendor_name: str
    category: VendorCategory
    
    # Process stages
    initial_screening_complete: bool = False
    questionnaire_received: bool = False
    questionnaire_reviewed: bool = False
    documentation_reviewed: bool = False
    reference_checks_complete: bool = False
    technical_assessment_complete: bool = False
    legal_review_complete: bool = False
    risk_acceptance_signed: bool = False
    
    # Collected materials
    questionnaire: Optional[SecurityQuestionnaire] = None
    soc2_report_reviewed: bool = False
    pentest_report_reviewed: bool = False
    baa_negotiated: bool = False
    
    # Decisions
    approved: bool = False
    approval_date: Optional[date] = None
    conditions: List[str] = field(default_factory=list)
    review_date: Optional[date] = None
    
    def get_completion_percentage(self) -> float:
        """Calculate how complete the due diligence is"""
        stages = [
            self.initial_screening_complete,
            self.questionnaire_received,
            self.questionnaire_reviewed,
            self.documentation_reviewed,
            self.reference_checks_complete,
            self.technical_assessment_complete,
            self.legal_review_complete,
            self.risk_acceptance_signed
        ]
        return sum(stages) / len(stages) * 100
    
    def get_next_steps(self) -> List[str]:
        """Return list of next steps needed"""
        steps = []
        
        if not self.initial_screening_complete:
            steps.append("Complete initial vendor screening")
        if not self.questionnaire_received:
            steps.append("Send and collect security questionnaire")
        if not self.questionnaire_reviewed:
            steps.append("Review completed questionnaire")
        if not self.documentation_reviewed:
            steps.append("Request and review SOC 2, pentest reports")
        if not self.reference_checks_complete:
            steps.append("Contact references (especially healthcare clients)")
        if not self.technical_assessment_complete:
            steps.append("Conduct technical security assessment")
        if not self.legal_review_complete:
            steps.append("Legal review of BAA and contract")
        if not self.risk_acceptance_signed:
            steps.append("Obtain risk acceptance from appropriate authority")
        
        return steps

from dataclasses import dataclass, field
from typing import List, Dict, Set
from enum import Enum

class AWSHIPAAService(Enum):
    """AWS services eligible for HIPAA workloads"""
    # Compute
    EC2 = ("Amazon EC2", True)
    LAMBDA = ("AWS Lambda", True)
    ECS = ("Amazon ECS", True)
    EKS = ("Amazon EKS", True)
    FARGATE = ("AWS Fargate", True)
    
    # Storage
    S3 = ("Amazon S3", True)
    EBS = ("Amazon EBS", True)
    EFS = ("Amazon EFS", True)
    GLACIER = ("Amazon S3 Glacier", True)
    
    # Database
    RDS = ("Amazon RDS", True)
    DYNAMODB = ("Amazon DynamoDB", True)
    AURORA = ("Amazon Aurora", True)
    DOCUMENTDB = ("Amazon DocumentDB", True)
    ELASTICACHE = ("Amazon ElastiCache", True)
    
    # Networking
    VPC = ("Amazon VPC", True)
    CLOUDFRONT = ("Amazon CloudFront", True)
    API_GATEWAY = ("Amazon API Gateway", True)
    ROUTE53 = ("Amazon Route 53", True)
    
    # Security
    KMS = ("AWS KMS", True)
    SECRETS_MANAGER = ("AWS Secrets Manager", True)
    WAF = ("AWS WAF", True)
    SHIELD = ("AWS Shield", True)
    
    # Management
    CLOUDWATCH = ("Amazon CloudWatch", True)
    CLOUDTRAIL = ("AWS CloudTrail", True)
    CONFIG = ("AWS Config", True)
    
    def __init__(self, display_name: str, hipaa_eligible: bool):
        self.display_name = display_name
        self.hipaa_eligible = hipaa_eligible

@dataclass
class AWSHIPAAConfiguration:
    """AWS HIPAA compliance configuration checker"""
    
    account_id: str
    region: str
    services_in_use: Set[AWSHIPAAService] = field(default_factory=set)
    
    # Required configurations
    baa_signed: bool = False
    cloudtrail_enabled: bool = False
    cloudtrail_log_validation: bool = False
    cloudtrail_encrypted: bool = False
    config_enabled: bool = False
    guardduty_enabled: bool = False
    
    # Encryption settings
    default_ebs_encryption: bool = False
    s3_default_encryption: bool = False
    rds_encryption_enabled: bool = False
    
    # Network settings
    vpc_flow_logs_enabled: bool = False
    public_access_blocked: bool = False
    
    # IAM settings
    mfa_on_root: bool = False
    mfa_on_iam_users: bool = False
    password_policy_strong: bool = False
    
    def check_compliance(self) -> Dict[str, any]:
        """Check HIPAA compliance status"""
        issues = []
        warnings = []
        
        # Critical checks
        if not self.baa_signed:
            issues.append("CRITICAL: BAA not signed with AWS")
        
        if not self.cloudtrail_enabled:
            issues.append("CRITICAL: CloudTrail not enabled")
        elif not self.cloudtrail_encrypted:
            issues.append("CloudTrail logs not encrypted")
        
        if not self.default_ebs_encryption:
            issues.append("Default EBS encryption not enabled")
        
        if not self.s3_default_encryption:
            issues.append("S3 default encryption not enabled")
        
        if not self.mfa_on_root:
            issues.append("CRITICAL: MFA not enabled on root account")
        
        if not self.vpc_flow_logs_enabled:
            warnings.append("VPC Flow Logs not enabled")
        
        if not self.guardduty_enabled:
            warnings.append("GuardDuty not enabled")
        
        # Check service eligibility
        ineligible_services = [
            s for s in self.services_in_use 
            if not s.hipaa_eligible
        ]
        
        if ineligible_services:
            issues.append(
                f"Non-HIPAA eligible services in use: "
                f"{[s.display_name for s in ineligible_services]}"
            )
        
        is_compliant = len(issues) == 0
        
        return {
            "compliant": is_compliant,
            "issues": issues,
            "warnings": warnings,
            "services_checked": len(self.services_in_use),
            "eligible_services": [
                s.display_name for s in self.services_in_use 
                if s.hipaa_eligible
            ]
        }
    
    def generate_terraform_baseline(self) -> str:
        """Generate Terraform for HIPAA baseline"""
        return '''
# HIPAA Baseline Configuration for AWS

# Enable CloudTrail with encryption
resource "aws_cloudtrail" "hipaa_trail" {
  name                          = "hipaa-audit-trail"
  s3_bucket_name               = aws_s3_bucket.cloudtrail_logs.id
  include_global_service_events = true
  is_multi_region_trail        = true
  enable_log_file_validation   = true
  kms_key_id                   = aws_kms_key.cloudtrail.arn
  
  event_selector {
    read_write_type           = "All"
    include_management_events = true
    
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }
  }
}

# Enable AWS Config
resource "aws_config_configuration_recorder" "hipaa" {
  name     = "hipaa-config-recorder"
  role_arn = aws_iam_role.config.arn
  
  recording_group {
    all_supported = true
    include_global_resource_types = true
  }
}

# Enable GuardDuty
resource "aws_guardduty_detector" "hipaa" {
  enable = true
  
  datasources {
    s3_logs {
      enable = true
    }
  }
}

# VPC Flow Logs
resource "aws_flow_log" "hipaa" {
  iam_role_arn    = aws_iam_role.flow_logs.arn
  log_destination = aws_cloudwatch_log_group.flow_logs.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.main.id
}

# Default EBS Encryption
resource "aws_ebs_encryption_by_default" "hipaa" {
  enabled = true
}

# S3 Public Access Block (Account Level)
resource "aws_s3_account_public_access_block" "hipaa" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Strong Password Policy
resource "aws_iam_account_password_policy" "hipaa" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_numbers               = true
  require_uppercase_characters   = true
  require_symbols               = true
  allow_users_to_change_password = true
  max_password_age              = 90
  password_reuse_prevention     = 24
}
'''

┌─────────────────────────────────────────────────────────────────┐
│                    HIPAA COMPLIANCE                              │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  YOUR RESPONSIBILITY (Customer)                                  │
│  ═══════════════════════════════                                │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │ • Customer Data (PHI) classification and encryption       │  │
│  │ • Application-level security and access controls          │  │
│  │ • Identity and access management configuration            │  │
│  │ • Network configuration (Security Groups, NACLs)          │  │
│  │ • Operating system patches and updates                    │  │
│  │ • Data encryption configuration (KMS, SSL/TLS)            │  │
│  │ • Audit logging and monitoring configuration              │  │
│  │ • Incident response procedures                            │  │
│  │ • Business Associate Agreements with cloud provider       │  │
│  │ • Workforce training and policies                         │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                  │
│  SHARED RESPONSIBILITY                                           │
│  ═════════════════════                                          │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │ • Patch management (OS vs Infrastructure)                 │  │
│  │ • Configuration management                                 │  │
│  │ • Awareness and training                                   │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                  │
│  CLOUD PROVIDER RESPONSIBILITY                                   │
│  ═════════════════════════════                                  │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │ • Physical security of data centers                       │  │
│  │ • Hardware infrastructure                                  │  │
│  │ • Network infrastructure                                   │  │
│  │ • Hypervisor security                                      │  │
│  │ • Storage infrastructure                                   │  │
│  │ • Compliance certifications (SOC 2, HITRUST)              │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

from dataclasses import dataclass, field
from typing import List, Dict, Optional
from datetime import datetime, date, timedelta
from enum import Enum
import json

class MonitoringFrequency(Enum):
    CONTINUOUS = "continuous"
    WEEKLY = "weekly"
    MONTHLY = "monthly"
    QUARTERLY = "quarterly"
    ANNUAL = "annual"

class AlertSeverity(Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"
    INFO = "info"

@dataclass
class VendorAlert:
    """Alert for vendor risk issues"""
    
    vendor_id: str
    vendor_name: str
    severity: AlertSeverity
    title: str
    description: str
    created_at: datetime = field(default_factory=datetime.utcnow)
    acknowledged: bool = False
    resolved: bool = False
    resolution_notes: str = ""

@dataclass
class VendorMonitoringDashboard:
    """Continuous vendor monitoring system"""
    
    organization_name: str
    vendors: Dict[str, dict] = field(default_factory=dict)
    alerts: List[VendorAlert] = field(default_factory=list)
    
    def add_vendor(
        self,
        vendor_id: str,
        name: str,
        category: VendorCategory,
        risk_level: RiskLevel,
        baa_expiration: date,
        review_frequency: MonitoringFrequency
    ):
        """Add vendor to monitoring"""
        self.vendors[vendor_id] = {
            "name": name,
            "category": category,
            "risk_level": risk_level,
            "baa_expiration": baa_expiration,
            "review_frequency": review_frequency,
            "last_review": None,
            "next_review": date.today(),
            "soc2_expiration": None,
            "active": True,
            "incidents": []
        }
    
    def check_baa_expirations(self) -> List[VendorAlert]:
        """Check for BAAs expiring soon"""
        alerts = []
        today = date.today()
        
        for vendor_id, vendor in self.vendors.items():
            if not vendor["active"]:
                continue
                
            baa_exp = vendor["baa_expiration"]
            days_until = (baa_exp - today).days
            
            if days_until < 0:
                alerts.append(VendorAlert(
                    vendor_id=vendor_id,
                    vendor_name=vendor["name"],
                    severity=AlertSeverity.CRITICAL,
                    title="BAA EXPIRED",
                    description=f"BAA expired {abs(days_until)} days ago. "
                               f"PHI handling may not be authorized."
                ))
            elif days_until <= 30:
                alerts.append(VendorAlert(
                    vendor_id=vendor_id,
                    vendor_name=vendor["name"],
                    severity=AlertSeverity.HIGH,
                    title="BAA Expiring Soon",
                    description=f"BAA expires in {days_until} days. "
                               f"Initiate renewal process."
                ))
            elif days_until <= 90:
                alerts.append(VendorAlert(
                    vendor_id=vendor_id,
                    vendor_name=vendor["name"],
                    severity=AlertSeverity.MEDIUM,
                    title="BAA Renewal Needed",
                    description=f"BAA expires in {days_until} days. "
                               f"Schedule renewal discussions."
                ))
        
        return alerts
    
    def check_review_schedule(self) -> List[VendorAlert]:
        """Check for overdue vendor reviews"""
        alerts = []
        today = date.today()
        
        for vendor_id, vendor in self.vendors.items():
            if not vendor["active"]:
                continue
            
            next_review = vendor["next_review"]
            if next_review and next_review < today:
                days_overdue = (today - next_review).days
                
                severity = AlertSeverity.LOW
                if days_overdue > 30:
                    severity = AlertSeverity.MEDIUM
                if days_overdue > 90:
                    severity = AlertSeverity.HIGH
                if vendor["risk_level"] == RiskLevel.CRITICAL:
                    severity = AlertSeverity.CRITICAL
                
                alerts.append(VendorAlert(
                    vendor_id=vendor_id,
                    vendor_name=vendor["name"],
                    severity=severity,
                    title="Vendor Review Overdue",
                    description=f"Vendor review is {days_overdue} days overdue. "
                               f"Risk level: {vendor['risk_level'].value}"
                ))
        
        return alerts
    
    def record_incident(
        self,
        vendor_id: str,
        incident_date: date,
        description: str,
        severity: AlertSeverity,
        phi_involved: bool
    ):
        """Record a security incident involving a vendor"""
        if vendor_id not in self.vendors:
            raise ValueError(f"Unknown vendor: {vendor_id}")
        
        incident = {
            "date": incident_date,
            "description": description,
            "severity": severity,
            "phi_involved": phi_involved,
            "resolution": None,
            "root_cause": None
        }
        
        self.vendors[vendor_id]["incidents"].append(incident)
        
        # Escalate risk level if PHI involved
        if phi_involved:
            current_risk = self.vendors[vendor_id]["risk_level"]
            if current_risk == RiskLevel.LOW:
                self.vendors[vendor_id]["risk_level"] = RiskLevel.MEDIUM
            elif current_risk == RiskLevel.MEDIUM:
                self.vendors[vendor_id]["risk_level"] = RiskLevel.HIGH
        
        # Create alert
        self.alerts.append(VendorAlert(
            vendor_id=vendor_id,
            vendor_name=self.vendors[vendor_id]["name"],
            severity=AlertSeverity.CRITICAL if phi_involved else severity,
            title="Vendor Security Incident",
            description=description
        ))
    
    def generate_dashboard_report(self) -> str:
        """Generate vendor monitoring dashboard report"""
        all_alerts = self.check_baa_expirations() + self.check_review_schedule()
        self.alerts.extend(all_alerts)
        
        # Categorize vendors by risk
        risk_counts = {level: 0 for level in RiskLevel}
        for vendor in self.vendors.values():
            if vendor["active"]:
                risk_counts[vendor["risk_level"]] += 1
        
        # Count alerts by severity
        alert_counts = {sev: 0 for sev in AlertSeverity}
        for alert in self.alerts:
            if not alert.resolved:
                alert_counts[alert.severity] += 1
        
        report = f"""
VENDOR RISK MANAGEMENT DASHBOARD
=================================
Organization: {self.organization_name}
Report Date: {date.today()}

VENDOR PORTFOLIO SUMMARY
------------------------
Total Active Vendors: {sum(1 for v in self.vendors.values() if v['active'])}

By Risk Level:
  Critical: {risk_counts[RiskLevel.CRITICAL]}
  High:     {risk_counts[RiskLevel.HIGH]}
  Medium:   {risk_counts[RiskLevel.MEDIUM]}
  Low:      {risk_counts[RiskLevel.LOW]}

OPEN ALERTS
-----------
  Critical: {alert_counts[AlertSeverity.CRITICAL]}
  High:     {alert_counts[AlertSeverity.HIGH]}
  Medium:   {alert_counts[AlertSeverity.MEDIUM]}
  Low:      {alert_counts[AlertSeverity.LOW]}

CRITICAL ALERTS DETAIL
----------------------
"""
        for alert in self.alerts:
            if alert.severity == AlertSeverity.CRITICAL and not alert.resolved:
                report += f"""
[{alert.created_at.strftime('%Y-%m-%d')}] {alert.vendor_name}
  {alert.title}: {alert.description}
"""
        
        report += """
ACTION ITEMS
------------
"""
        # BAA renewals needed
        for vendor_id, vendor in self.vendors.items():
            days_until_baa = (vendor["baa_expiration"] - date.today()).days
            if 0 < days_until_baa <= 90:
                report += f"  • Renew BAA with {vendor['name']} ({days_until_baa} days)\n"
        
        # Reviews needed
        for vendor_id, vendor in self.vendors.items():
            if vendor["next_review"] and vendor["next_review"] <= date.today():
                report += f"  • Complete review of {vendor['name']}\n"
        
        return report

# Example usage
def demonstrate_vendor_monitoring():
    """Show vendor monitoring in action"""
    
    dashboard = VendorMonitoringDashboard(
        organization_name="Example Health System"
    )
    
    # Add some vendors
    dashboard.add_vendor(
        vendor_id="V001",
        name="CloudEHR Solutions",
        category=VendorCategory.EHR_EMR,
        risk_level=RiskLevel.HIGH,
        baa_expiration=date.today() + timedelta(days=45),
        review_frequency=MonitoringFrequency.QUARTERLY
    )
    
    dashboard.add_vendor(
        vendor_id="V002",
        name="SecureBilling Inc",
        category=VendorCategory.BILLING_REVENUE,
        risk_level=RiskLevel.MEDIUM,
        baa_expiration=date.today() + timedelta(days=200),
        review_frequency=MonitoringFrequency.ANNUAL
    )
    
    dashboard.add_vendor(
        vendor_id="V003",
        name="AnalyticsPlus",
        category=VendorCategory.DATA_ANALYTICS,
        risk_level=RiskLevel.LOW,
        baa_expiration=date.today() - timedelta(days=5),  # Expired!
        review_frequency=MonitoringFrequency.ANNUAL
    )
    
    # Record an incident
    dashboard.record_incident(
        vendor_id="V001",
        incident_date=date.today() - timedelta(days=3),
        description="Unauthorized employee accessed patient records",
        severity=AlertSeverity.HIGH,
        phi_involved=True
    )
    
    print(dashboard.generate_dashboard_report())

if __name__ == "__main__":
    demonstrate_vendor_monitoring()