Office for Civil Rights Issues Notice to Healthcare Providers on Use of HTTPS Inspection Tools

Several healthcare organizations use HTTPS inspection tools to scan HTTPS connections for malware. HTTPS inspection tools decrypt encrypted HTTPS network traffic and examine its content before re-encrypting the traffic.

HTTPS inspection tools are deployed to improve security, but a recent notice from the Department of Health and Human Services' Office for Civil Rights (OCR) highlights recent research indicating that HTTPS inspection tools may introduce weaknesses that leave healthcare organizations vulnerable to man-in-the-middle attacks.

Man-in-the-middle (MITM) attacks involve a third party intercepting communications between two parties. During a MITM attack, the attacker can eavesdrop on conversations, steal data, run malicious code or manipulate communications.

Although end-to-end connection security using HTTPS should protect against man-in-the-middle attacks, some HTTPS inspection tools can actually weaken security and potentially lead to the exposure of ePHI.

OCR has drawn attention to a recent alert issued by the United States Computer Emergency Readiness Team (US-CERT) urging organizations to verify that their HTTPS inspection tools correctly validate certificate chains and pass warnings and error messages on to clients. Some HTTPS inspection tools have been found to improperly validate web servers' certificates and/or fail to forward warnings.

A healthcare organization that uses these tools can only verify the connection between itself and the interception product, and importantly not the connection between the server and itself. OCR warns that poor implementation of these products can also introduce weaknesses.

Healthcare organizations have been advised to check their HTTPS inspection tools to determine whether they are vulnerable, and whether they correctly validate certificate chains and pass on error messages and warnings.

OCR says in the notice that HTTPS inspection should be included in organizations' risk analyses and that the advantages and disadvantages of using these tools should be carefully considered. Healthcare organizations are referred to the US-CERT alert and have been advised to read US-CERT's statement on the risks of SSL inspection.

Mitigations that can reduce the likelihood of man-in-the-middle attacks include:

  • Updating Secure Sockets Layer / Transport Layer Security (SSL/TLS) to version 1.1 or higher, and disabling TLS 1.0 and SSL 1, 2 and 3.x
  • Using certificate pinning
  • Implementing DNS-based Authentication of Named Entities (DANE)
  • Utilizing network proxy servers
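As an added example (not code from the OCR notice or the US-CERT alert), the following Python script combines the check advised above with two of the listed mitigations: it builds a client context that refuses old protocol versions, verifies certificate chains and hostnames, supports certificate pinning, and classifies how a handshake ended. Run from behind an HTTPS inspection product against a host that is known to serve an invalid certificate, an "accepted" result shows that validation errors are not being passed on to the client. The host name is a placeholder assumption, and the minimum version is set to TLS 1.2, stricter than the 1.1 floor the notice lists.

```python
import hashlib
import socket
import ssl

# Placeholder (assumption): a host you control, or a public test endpoint,
# that deliberately serves an invalid certificate. Replace before use.
KNOWN_BAD_HOST = "invalid-cert.example.invalid"
VERIFY_FAILURE = ssl.SSLCertVerificationError  # exposed for tests and callers

def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that refuses SSLv2/3 and TLS 1.0/1.1 and verifies chains and hostnames."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = min_version
    return ctx

def context_is_hardened(ctx) -> bool:
    """True when the context enforces certificate, hostname and protocol-version checks."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded leaf certificate, used here as the pin value."""
    return hashlib.sha256(cert_der).hexdigest()

def pin_matches(cert_der: bytes, expected_pins) -> bool:
    """Certificate pinning: the presented leaf must match a pin recorded out of band."""
    return cert_fingerprint(cert_der) in set(expected_pins)

def classify(exc) -> str:
    """Map the outcome of a probe to what it says about the path to the server."""
    if exc is None:
        return "accepted"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "rejected-cert"  # the validation failure reached the client: expected
    if isinstance(exc, ssl.SSLError):
        return "rejected-tls"   # protocol or cipher negotiation failed
    return "error"              # DNS, network or other failure: not a verdict

def probe(host, port=443, expected_pins=None, ctx=None, timeout=5.0):
    """Connect with full verification and report how the handshake ended."""
    ctx = ctx or make_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                leaf = tls.getpeercert(binary_form=True)
                if expected_pins and not pin_matches(leaf, expected_pins):
                    return "pin-mismatch"  # unexpected leaf: interception or key rotation
                return classify(None)
    except Exception as exc:  # every failure is classified; none is swallowed
        return classify(exc)

if __name__ == "__main__":
    # "accepted" for a host that serves a bad certificate means something on the
    # path (such as an inspection product) is not passing the validation error on.
    print(KNOWN_BAD_HOST, probe(KNOWN_BAD_HOST))
```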

Business associates (BAs) and covered entities should also refer to the recommendations of the National Institute of Standards and Technology (NIST) on securing end-to-end communications, and ensure that appropriate encryption procedures are used to prevent the exposure of ePHI.