Fmbravoglobal/upcare-mediconnect

# 🏥 UpCare MediConnect — 多云医疗保健安全平台 ## 📌 项目概述 UpCare MediConnect 是一个参考架构和实现项目，旨在为支持以下功能的多云医疗平台提供安全保障： - **远程医疗服务** — 安全的医患视频和数据交换 - **预测分析** — 处理加密 PHI 数据的机器学习管道 - **电子健康记录 (EHR)** — 符合 HIPAA 标准的存储、访问控制和审计日志记录 本仓库包含部署和运营安全的医疗云环境所需的所有基础设施即代码 (IaC)、CI/CD 管道配置、IAM 策略、合规自动化脚本和事件响应手册。 ## 🏗️ 架构概览 ``` ┌─────────────────────────────────────────────────────────────────┐ │ UpCare MediConnect Platform │ ├──────────────┬──────────────────┬───────────────────────────────┤ │ AWS │ Azure │ GCP │ │ (Primary) │ (Identity & │ (Analytics & ML) │ │ │ Governance) │ │ ├──────────────┼──────────────────┼───────────────────────────────┤ │ EHR Storage │ Azure AD / PIM │ BigQuery PHI Analytics │ │ GuardDuty │ Sentinel SIEM │ Security Command Center │ │ Macie (PHI) │ Defender for │ VPC Service Controls │ │ Security Hub │ Cloud │ Cloud Armor WAF │ │ KMS (BYOK) │ Key Vault │ Cloud KMS + HSM │ │ Config Rules │ Policy │ Org Policy Constraints │ │ CloudTrail │ Activity Logs │ Cloud Audit Logs │ └──────────────┴──────────────────┴───────────────────────────────┘ │ ┌──────────▼──────────┐ │ Zero Trust Layer │ │ NIST SP 800-207 │ │ - Never trust, │ │ always verify │ │ - Least privilege │ │ - Micro-segment │ └─────────────────────┘ ``` ## 📁 仓库结构 ``` upcare-mediconnect/ ├── .github/ │ └── workflows/ │ ├── devsecops-pipeline.yml # Main CI/CD security pipeline │ ├── compliance-scan.yml # Scheduled compliance checks │ └── incident-response.yml # Automated IR triggers ├── terraform/ │ ├── aws/ │ │ ├── modules/ │ │ │ ├── iam/ # AWS IAM Zero Trust policies │ │ │ ├── network/ # VPC, Security Groups, NACLs │ │ │ ├── logging/ # CloudTrail, Config, Security Hub │ │ │ └── encryption/ # KMS, Macie, Secrets Manager │ │ └── main.tf │ ├── azure/ │ │ ├── modules/ │ │ │ ├── iam/ # Azure AD, PIM, RBAC │ │ │ ├── network/ # VNet, NSG, Private Endpoints │ │ │ ├── logging/ # Sentinel, Log Analytics │ │ │ └── encryption/ # Key Vault, Disk Encryption │ │ └── main.tf │ └── gcp/ │ ├── modules/ │ │ ├── iam/ # GCP IAM, Org Policies │ │ ├── network/ # VPC SC, Cloud Armor │ │ ├── logging/ # Cloud Audit, SIEM export │ │ └── encryption/ # Cloud KMS, CMEK │ └── main.tf ├── cloudformation/ │ ├── ehr/ │ │ └── hipaa-ehr-stack.yaml # HIPAA-compliant EHR infrastructure │ ├── network/ │ │ └── zero-trust-network.yaml # Zero Trust network stack │ └── logging/ │ └── audit-logging-stack.yaml # Centralized audit logging ├── iam/ │ ├── aws/ │ │ ├── ehr-read-only-policy.json # EHR read-only role │ │ ├── ehr-admin-policy.json # EHR admin role │ │ └── zero-trust-scp.json # Service Control Policies │ ├── azure/ │ │ ├── custom-ehr-reader-role.json # Azure custom RBAC role │ │ └── pim-config.json # Privileged Identity Management │ └── gcp/ │ └── org-policy-constraints.yaml # GCP Org Policy definitions ├── compliance/ │ ├── hipaa/ │ │ └── hipaa-audit.py # HIPAA control audit script │ ├── nist/ │ │ └── nist-800-207-validator.py # Zero Trust posture validator │ ├── soc2/ │ │ └── soc2-evidence-collector.py # SOC 2 evidence automation │ └── fedramp/ │ └── fedramp-ato-checklist.py # FedRAMP ATO readiness script ├── incident-response/ │ ├── playbooks/ │ │ ├── phi-breach-playbook.md # PHI data breach response │ │ ├── ransomware-playbook.md # Ransomware response │ │ └── unauthorized-access.md # Unauthorized EHR access │ └── lambda/ │ ├── auto-isolate-ec2.py # Auto-isolate compromised instance │ ├── revoke-iam-keys.py # Auto-revoke leaked IAM credentials │ └── notify-hipaa-officer.py # HIPAA breach notification trigger ├── scripts/ │ ├── bootstrap.sh # Environment bootstrap script │ ├── scan-all.sh # Run all security scans locally │ └── generate-compliance-report.sh # Generate full compliance report └── docs/ ├── architecture.md # Detailed architecture decisions ├── threat-model.md # STRIDE threat model └── compliance-matrix.md # Control mapping matrix ``` ## 🔒 涵盖的合规框架 | 框架 | 覆盖范围 | 已实施控制措施 | |-----------|----------|---------------------| | **HIPAA** | 完整 | PHI 加密、访问控制、审计日志、BAA 强制执行 | | **NIST SP 800-207** | 完整 | 零信任支柱、身份验证、微分段 | | **SOC 2 Type II** | 完整 | 可用性、机密性、安全性、处理完整性 | | **FedRAMP Moderate** | 完整 | 325+ 控制措施、持续监控、ATO 就绪状态 | ## 🚀 快速开始 ### 前置条件 ``` # 安装所需工具 brew install terraform awscli azure-cli google-cloud-sdk checkov tfsec cfn-lint # 安装 cfn-nag gem install cfn-nag # 克隆仓库 git clone https://github.com/fmbravoglobal/upcare-mediconnect.git cd upcare-mediconnect # 引导环境 chmod +x scripts/bootstrap.sh ./scripts/bootstrap.sh ``` ### 部署基础设施 ``` # AWS cd terraform/aws terraform init && terraform plan && terraform apply # Azure cd terraform/azure terraform init && terraform plan && terraform apply # GCP cd terraform/gcp terraform init && terraform plan && terraform apply ``` ### 运行安全扫描 ``` # 在本地运行所有扫描 ./scripts/scan-all.sh # 单独工具 checkov -d terraform/ # IaC security scan tfsec terraform/ # Terraform-specific checks cfn-lint cloudformation/ # CloudFormation linting cfn_nag_scan --input-path cloudformation/ # CFN security rules ``` ### 运行合规审计 ``` # 生成完整合规报告 ./scripts/generate-compliance-report.sh # 单独框架审计 python compliance/hipaa/hipaa-audit.py python compliance/nist/nist-800-207-validator.py python compliance/soc2/soc2-evidence-collector.py python compliance/fedramp/fedramp-ato-checklist.py ``` ## 🔧 CI/CD 安全管道 每个拉取请求都会触发： 1. **静态分析** — cfn-lint、cfn-nag、Checkov、tfsec 2. **密钥检测** — GitLeaks、TruffleHog 3. **SAST** — Semgrep 安全规则 4. **合规性验证** — HIPAA/NIST 控制检查 5. **容器扫描** — Trivy 镜像扫描 6. **SBOM 生成** — 软件物料清单 7. **偏差检测** — Terraform plan diff ## 👤 作者 **Oluwafemi Alabi Okunlola** 云安全工程师 | DevSecOps 专家 | 零信任架构师 [GitHub：fmbravoglobal](https://github.com/fmbravoglobal) ## 📄 许可证 MIT 许可证 — 详情请参见 [许可证](LICENSE)。

标签：AWS, Azure, CI/CD管道, DPI, GCP, HIPAA合规, IAM, Infrastructure-as-Code, PHI数据安全, SOC2合规, Streamlit, WAF, 医疗云安全, 医疗安全, 合规自动化, 多云架构, 审计日志, 数据加密, 漏洞分析, 漏洞利用检测, 电子健康记录, 访问控制, 路径探测, 远程医疗, 逆向工具, 预测分析