Implementing end-to-end connection security on internet transactions using Secure Hypertext Transport Protocol (HTTPS) can help healthcare organizations better protect PHI and even detect malware, according to OCR’s latest cybersecurity newsletter.
However, using HTTPS interception products, or “HTTPS inspection,” can also leave entities vulnerable because they can no longer verify web servers’ certificates, OCR added.
These security measures are typically deployed to counter man-in-the-middle (MITM) attacks, which are commonly used to inject malicious code, intercept or expose sensitive information, and modify trusted information.
“HTTPS interception products…work by intercepting the HTTPS network traffic and decrypting it, reviewing it, then re-encrypting it,” OCR explained. “To do so, HTTPS interception products must install trusted certificates on client devices to perform the HTTPS inspection without presenting warnings.”
Furthermore, utilizing HTTPS interception products can prevent organizations from viewing the protocols and ciphers that an HTTPS interception product negotiates with web servers. OCR also said that this process could keep entities from validating the security of the end-to-end connection.
“Organizations that use these interception products are able to validate only the connection between themselves and the interception product, not between themselves and the server,” the newsletter read. “This is problematic, because many HTTPS interception products do not properly verify the certificate chain before re-encrypting and forwarding information to the organizations, which leaves the connection vulnerable to a malicious MITM attack.”
Citing recommendations from the United States Computer Emergency Readiness Team (US-CERT), OCR stated that entities should “verify that their HTTPS interception product properly validates certificate chains and passes any warnings or errors to the client.”
End-to-end communication security is essential to maintaining HTTPS traffic privacy and to preventing certain MITM attacks, OCR said.
US-CERT recommends the following approaches to help reduce MITM attack vulnerability:
- Update Transport Layer Security and Secure Socket Layer (TLS/SSL)
- Utilize Certificate Pinning
- Implement DNS-based Authentication of Named Entities (DANE)
- Use Network Notary Servers
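The following probe is an added example written for this article; it is not code from the OCR newsletter or from US-CERT. It exercises the two checks the text describes: whether an interception product in the path passes certificate validation errors through to the client, and what protocol, cipher and certificate issuer the client can actually verify on its own leg of the connection. It also includes a certificate pinning comparison. It assumes the public badssl.com test hosts (which deliberately serve expired, self-signed and mismatched certificates) are reachable from the network being checked; the host list, the `TlsObservation` record and all function names are constructed for this example, and the pinned fingerprint in the usage note is a placeholder.

```python
"""Added example, not code from the OCR newsletter or US-CERT: show what a
client can and cannot verify from behind an HTTPS interception product."""
import hashlib
import hmac
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed test set (assumption: badssl.com is reachable). Hosts marked
# False serve deliberately invalid certificates and MUST fail validation at the
# client; if they succeed, something in the path accepted the bad certificate
# and re-signed it with a locally trusted one.
EXPECTED: Dict[str, bool] = {
    "expired.badssl.com": False,
    "self-signed.badssl.com": False,
    "wrong.host.badssl.com": False,
    "badssl.com": True,
}


@dataclass
class TlsObservation:
    host: str
    ok: bool                           # handshake completed with full validation
    error: Optional[str] = None        # validation error text seen by the client
    protocol: Optional[str] = None     # e.g. "TLSv1.3" on the client's leg only
    cipher: Optional[str] = None
    issuer_org: Optional[str] = None   # organizationName of the leaf's issuer
    fingerprint: Optional[str] = None  # sha256 over the leaf certificate (DER)
    reachable: bool = True


def issuer_org(cert: dict) -> Optional[str]:
    """Extract organizationName from the issuer field of ssl.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def observe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Connect with hostname checking and chain validation enabled and record
    what the client itself can verify. Behind an interception product the
    protocol, cipher and issuer describe the client-to-proxy leg only; the
    proxy's own negotiation with the real server is invisible here."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy TLS/SSL versions
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return TlsObservation(
                    host=host, ok=True, protocol=tls.version(),
                    cipher=tls.cipher()[0], issuer_org=issuer_org(tls.getpeercert()),
                    fingerprint=hashlib.sha256(der).hexdigest())
    except ssl.SSLError as exc:          # validation or handshake failure
        return TlsObservation(host=host, ok=False, error=str(exc))
    except OSError as exc:               # DNS, routing, timeout: no verdict possible
        return TlsObservation(host=host, ok=False, error=str(exc), reachable=False)


def assess(expected: Dict[str, bool], observed: Dict[str, TlsObservation]) -> Dict[str, str]:
    """Compare expected validation outcomes with what the client observed."""
    verdicts = {}
    for host, should_succeed in expected.items():
        obs = observed.get(host)
        if obs is None or not obs.reachable:
            verdicts[host] = "unreachable"
        elif should_succeed and obs.ok:
            verdicts[host] = "ok"
        elif should_succeed:
            verdicts[host] = f"validation failed unexpectedly: {obs.error}"
        elif not obs.ok:
            verdicts[host] = "invalid certificate rejected; error passed to client"
        else:
            verdicts[host] = "ERROR SUPPRESSED: invalid certificate accepted"
    return verdicts


def pin_matches(observed_fingerprint: Optional[str], pinned: str) -> bool:
    """Certificate pinning: constant-time compare of the observed leaf
    fingerprint against a value recorded out of band."""
    if observed_fingerprint is None:
        return False
    return hmac.compare_digest(observed_fingerprint.lower(), pinned.lower())


if __name__ == "__main__":
    results = {host: observe(host) for host in EXPECTED}
    for host, verdict in assess(EXPECTED, results).items():
        obs = results[host]
        print(f"{host:24} {verdict}")
        if obs.ok:
            print(f"{'':24} {obs.protocol} {obs.cipher} issuer={obs.issuer_org!r}")
```

Run from a client inside the inspected network: any host listed as `False` that comes back `ERROR SUPPRESSED` means the interception product accepted an invalid certificate and presented its own, trusted, re-signed one, which is the failure US-CERT's recommendation is aimed at. The `issuer_org` printed for `badssl.com` will name the interception product's CA rather than a public CA when interception is in place, and `pin_matches(results["badssl.com"].fingerprint, PINNED_PLACEHOLDER)` will be `False` for the same reason, which is how pinning exposes an interposed certificate.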
OCR warned, though, that poorly implemented HTTPS interception products could in fact have the opposite effect, reducing end-to-end security and even introducing new vulnerabilities.
“Covered entities and business associates using HTTPS interception products or considering their use should consider the risks presented to their electronic PHI transmitted over HTTPS, and intercepted with an HTTPS interception product, as part of their risk analysis, particularly considering the pros and cons discussed by the US-CERT alerts, and the increased vulnerability to malicious third-party MITM attacks,” the agency explained.
Overall, OCR stated that covered entities should also review NIST recommendations in protecting PHI through end-to-end communication security options. Additionally, OCR’s own guide titled Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals discusses how NIST policies can assist in encryption processes.
US-CERT has several publications on how organizations, covered entities included, can ensure that necessary security measures are put in place for malware and other types of cybersecurity attacks.
For example, denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks could be particularly devastating for healthcare. Covered entities and business associates should continuously monitor and scan for vulnerable and compromised IoT devices on their networks, according to US-CERT.
Entities should also create and implement password management policies and procedures for devices and their users, as well as install and maintain anti-virus software and security patches.
“Unfortunately, there are no effective ways to prevent being the victim of a DoS or DDoS attack, but there are steps you can take to reduce the likelihood that an attacker will use your computer to attack other computers,” US-CERT states on its website.
“Even if you do correctly identify a DoS or DDoS attack, it is unlikely that you will be able to determine the actual target or source of the attack. Contact the appropriate technical professionals for assistance.”