Many healthcare organizations use HTTPS inspection tools to monitor HTTPS connections for malware. HTTPS inspection tools decrypt secure HTTPS network traffic and review its content before re-encrypting the traffic.
HTTPS inspection tools are used to enhance security, although a recent warning from the Department of Health and Human Services’ Office for Civil Rights highlights recent research indicating HTTPS inspection tools could potentially introduce vulnerabilities which would leave healthcare organizations susceptible to man-in-the-middle attacks.
Man-in-the-middle attacks involve third parties intercepting communications between two parties. During a MITM attack, the attacker could potentially eavesdrop on conversations, steal data, manipulate communications or run malicious code.
While the use of end-to-end connection security using HTTPS should protect against man-in-the-middle attacks, some HTTPS inspection tools could actually weaken security and potentially result in the exposure of ePHI.
OCR has drawn attention to a recent alert issued by the United States Computer Emergency Readiness Team (US-CERT) warning organizations to check their HTTPS inspection tools to find out if they are properly validating certificate chains and are passing warnings and error messages to clients. Some HTTPS inspection tools have been discovered to improperly validate web servers’ certificates and/or do not send warnings.
Any healthcare organization that uses these tools should understand that its clients can only validate the connection between themselves and the interception product, and crucially not the connection between the product and the remote server. OCR warns that poor implementation of the products could also result in vulnerabilities being introduced.
Healthcare organizations have been advised to check their HTTPS inspection tools to determine whether they are vulnerable and if they are properly validating certificate chains and are passing on warnings and error messages.
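One way to run that check from a client behind the inspection device, as an added example that is not part of the OCR or US-CERT alert: connect to hosts that deliberately serve broken certificates and record whether the client is warned. It assumes the badssl.com test hosts are reachable and that the inspection device's signing CA is already in the client's trust store (otherwise every probe fails because of the device's own certificate, not the upstream one).

```python
import socket
import ssl

# Deliberately broken test hosts (assumption: badssl.com serves these) and the
# verdict a correctly validating path must produce for each of them.
BAD_ENDPOINTS = {
    "expired.badssl.com": "rejected",
    "self-signed.badssl.com": "rejected",
    "wrong.host.badssl.com": "rejected",
    "untrusted-root.badssl.com": "rejected",
}
GOOD_ENDPOINTS = {"badssl.com": "accepted"}  # control: a valid chain must pass


def strict_context():
    """Client context that checks chain and hostname, as a browser would."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 fallback
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return 'accepted', 'rejected' or 'unreachable' for one TLS handshake."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host):
                return "accepted"
    except ssl.SSLCertVerificationError:  # subclass of SSLError: catch it first
        return "rejected"
    except (ssl.SSLError, OSError):
        return "unreachable"


def assess(results, expected):
    """Each mismatch is a finding. Behind an inspection device whose CA the
    client trusts, 'accepted' for a bad host means the device accepted the
    invalid server certificate and re-signed it, so no warning reached us."""
    findings = []
    for host, want in expected.items():
        got = results.get(host, "unreachable")
        if got == "unreachable":
            findings.append(f"{host}: no verdict (failed before certificate validation)")
        elif got != want:
            findings.append(f"{host}: expected {want}, got {got}")
    return findings


if __name__ == "__main__":
    targets = {**BAD_ENDPOINTS, **GOOD_ENDPOINTS}
    observed = {host: probe(host) for host in targets}
    print("\n".join(assess(observed, targets) or ["all endpoints behaved as expected"]))
```

A clean result on the control host together with "rejected" on every bad host means warnings are reaching the client; any "accepted" on a bad host is the failure mode the alert describes.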
OCR says in the alert that HTTPS inspection should be included in organizations’ risk analyses and the benefits and disadvantages of using the tools should be carefully considered. Healthcare organizations are referred to the alert issued by US-CERT and have been advised to read US-CERT’s report on the risks of SSL inspection.
Mitigations that can reduce the potential for man-in-the-middle attacks include:
- Updating Transport Layer Security and Secure Socket Layer (TLS/SSL) to 1.1 or higher and ensuring that TLS 1.0 and SSL 1, 2 and 3.x are disabled.
- Utilizing Certificate Pinning
- Implementing DNS-based Authentication of Named Entities (DANE)
- Using Network Notary Servers
Covered entities and business associates should also consult the recommendations of National Institute of Standards and Technology (NIST) for securing end-to-end communications and ensure that appropriate encryption processes are used to prevent the exposure of ePHI.