Healthcare Organizations Warned of Risk of Man-In-The-Middle Attacks
In its April cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights advised covered entities and their business associates to use the Secure Hypertext Transport Protocol (HTTPS) to ensure protected health information is not left unsecured.
While HTTPS has been adopted by many covered entities to protect communications from man-in-the-middle attacks, OCR has relayed a recent warning from the United States Computer Emergency Readiness Team (US-CERT) about vulnerabilities that may be introduced by the use of products that inspect HTTPS traffic.
The use of HTTPS inspection products increases security as it allows healthcare providers to detect malware and unsafe connections. Unsafe connections could potentially result in communications being intercepted, data being accessed or manipulated, or malicious code being run. However, OCR warns that certain HTTPS inspection products fail to correctly verify web servers’ certificates or do not pass on error messages and warnings to clients.
In order for HTTPS inspection to occur, network traffic must be decrypted, inspected, and then re-encrypted. To do that without triggering browser warnings, the HTTPS inspection product must install its own root certificate as trusted on clients’ devices, so that the certificates it issues in place of the real web servers’ certificates are accepted. The consequence is that the client can no longer verify the web server’s certificate itself: it can verify the connection between the healthcare organization and its inspection tool, but not the connection between the inspection tool and the web server. Whether that second leg is verified correctly depends entirely on the inspection product, and some HTTPS inspection products do not validate the entire certificate chain.
If the full certificate chain is not properly verified, an organization could be exposed to man-in-the-middle attacks. OCR advises covered entities to follow the advice of US-CERT and verify that their HTTPS inspection product properly validates certificate chains and passes any warnings on to clients. They should also ensure that any HTTPS inspection product is properly installed, since a misconfigured product may decrease security and introduce new vulnerabilities.
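One practical way to carry out the check OCR and US-CERT describe is to connect from a client behind the inspection product to test sites that deliberately present broken certificates and confirm that every such handshake still fails at the client. The script below is an added example, not part of the OCR newsletter or the US-CERT alert; it assumes the publicly available badssl.com test hostnames and Python’s standard library, and reports the issuer of the certificate the client actually receives, which reveals whether the inspection product is in the path.

```python
"""Audit whether an HTTPS inspection product hides certificate errors from clients."""
import socket
import ssl

# Public test hosts (assumed from badssl.com) that present deliberately bad
# certificates. With or without an inspection proxy in the path, a correctly
# validating client must FAIL every one of these handshakes.
NEGATIVE_TESTS = {
    "expired.badssl.com": "expired leaf certificate",
    "wrong.host.badssl.com": "hostname does not match certificate",
    "self-signed.badssl.com": "self-signed certificate",
    "untrusted-root.badssl.com": "chain ends in an untrusted root",
}
POSITIVE_TEST = "badssl.com"  # valid certificate; this one must succeed


def handshake(host, port=443, timeout=5.0):
    """Return (ok, detail). ok is True when the TLS handshake completed with full
    default validation (chain and hostname); detail is the issuer organisation of
    the certificate the client saw, or the validation error text on failure."""
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # If an inspection product is re-signing traffic, this issuer
                # is the product's internal CA rather than a public CA.
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as err:
        return False, err.verify_message
    except (ssl.SSLError, OSError) as err:
        return False, str(err)


def verdict(host, ok):
    """Classify a handshake outcome against what the host is supposed to do."""
    if host == POSITIVE_TEST:
        return "PASS" if ok else "FAIL (valid site rejected; is the proxy root trusted?)"
    if ok:
        return "FAIL (inspection product accepted %s and hid the error)" % NEGATIVE_TESTS[host]
    return "PASS (error reached the client)"


def run_audit():
    """Run every test host and return {host: verdict}."""
    results = {}
    for host in list(NEGATIVE_TESTS) + [POSITIVE_TEST]:
        ok, detail = handshake(host)
        results[host] = verdict(host, ok)
        print(f"{host:28} {results[host]}  [{detail}]")
    return results


if __name__ == "__main__":
    run_audit()
```

Any FAIL on a negative test means the inspection product completed a handshake the client should have refused, which is exactly the condition US-CERT warns about.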
The HIPAA Security Rule requires covered entities to conduct regular risk analyses. OCR points out that HTTPS inspection tools should be included in those risk analyses and covered entities should weigh up the advantages and disadvantages of using those products.
Covered entities are advised to refer to NIST publications on securing end-to-end communications, in particular with regard to the configuration and use of TLS/SSL implementations and encryption processes to secure electronically transmitted PHI.
US-CERT offers advice to healthcare organizations on how they can reduce the risk of man-in-the-middle attacks and suggests organizations should:
- Update Transport Layer Security and Secure Sockets Layer (TLS/SSL) to TLS 1.1 or higher and ensure SSL 1, 2 and 3.x are disabled.
- Utilize Certificate Pinning
- Implement DNS-based Authentication of Named Entities (DANE)
- Use Network Notary Servers