Breadcrumbs

HIPAA CWE Coverage

Overview

Health Insurance Portability and Accountability Act (HIPAA), is United States legislation enacted in 1996 that provides data privacy and security provisions for safeguarding medical information.

This article organizes Common Weakness Enumerations (CWEs) relevant to HIPAA.

Each row in the table below outlines a specific compliance standard, categorized by the following columns:

  1. Compliance Standard: The specific category of the standard to which the CWE is mapped.

  2. Languages: Supported programming languages.

  3. CWE-ID: The relevant CWE for this standard, along with a short description.

HIPAA CWE Coverage

Compliance Standard

CWE-ID

164.312 (a)(1): Standard: Access control

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-73: External Control of File Name or Path

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-502: Deserialization of Untrusted Data

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-918: Server-Side Request Forgery (SSRF)

  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

  • CWE-352: Cross-Site Request Forgery (CSRF)

164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-346: Origin Validation Error

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-798: Use of Hard-coded Credentials

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-1204: Generation of Weak Initialization Vector (IV)

  • CWE-256: Plaintext Storage of a Password

164.312 (e)(2)(ii): Transmission Security: Encryption

  • CWE-295: Improper Certificate Validation

  • CWE-319: Cleartext Transmission of Sensitive Information

  • CWE-322: Key Exchange without Entity Authentication