HHS has issued guidance to advise covered entities and business associates about certain risks attendant to using HTTPS inspection products to prevent third parties from intercepting and altering electronic protected health information (“ePHI”) transmitted over the internet. In particular, HHS’s guidance discusses “man-in-the-middle” attacks (“MITM attacks”) that can result from using HTTPS inspection products and advises covered entities and business associates to take certain action steps to avoid such attacks.
Background. A MITM attack involves a third party intercepting and accessing information contained in a communication between two parties. In addition to accessing the communication, the third party may insert harmful code or alter the original information.
Many covered entities use HTTPS inspection products to monitor the security of confidential, sensitive internet communications. The use of HTTPS inspection products increases security by allowing covered entities to detect malware and unsafe connections.
HTTPS inspection products operate by intercepting HTTPS communications, decrypting and reviewing them for attacks, and then re-encrypting the communications before passing them on. To avoid triggering browser warnings, the HTTPS inspection product must install its own trusted certificate on clients’ devices. Doing so, however, means the client can no longer verify the web server’s certificate itself; if the inspection product does not verify the full certificate chain on the client’s behalf, the covered entity could be exposed to MITM attacks. Therefore, HTTPS inspection products may actually make communications more vulnerable to MITM attacks.
Guidance. To avoid the risk of MITM attacks associated with using HTTPS inspection products, HHS advises covered entities to follow the advice of the United States Computer Emergency Readiness Team (US-CERT) and confirm that their HTTPS inspection product accurately validates certificate chains and passes any warnings on to clients.
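The gap described above, and the check HHS and US-CERT ask for, can be reproduced locally. The following script is an added illustration and is not code from HHS, US-CERT or any inspection product; it assumes Python 3.7+ and an `openssl` command on the PATH. It starts a local TLS server with a constructed self-signed certificate (standing in for a forged or untrusted web server), then opens the upstream connection twice: once with the permissive settings a misconfigured inspection product effectively uses, and once with the strict settings that validate the full chain and hostname.

```python
"""
Upstream-validation check for an HTTPS inspection proxy (illustrative, not
vendor code). The 'permissive' client accepts any server certificate, which
is the failure mode HHS warns about; the 'strict' client verifies the full
chain and hostname and refuses the untrusted server.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(tmpdir):
    """Generate a throwaway self-signed cert for 127.0.0.1/localhost.
    Assumption: the openssl CLI is installed. Nothing is embedded in the file."""
    cert = os.path.join(tmpdir, "cert.pem")
    key = os.path.join(tmpdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-subj", "/CN=localhost", "-days", "1"],
        check=True, capture_output=True)
    return cert, key


def start_server(cert, key, n_conns):
    """Local TLS server presenting the untrusted cert; serves n_conns handshakes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(n_conns)
    port = lsock.getsockname()[1]

    def run():
        for _ in range(n_conns):
            conn, _ = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello")
            except (ssl.SSLError, OSError):
                conn.close()  # client rejected us; expected for the strict probe
        lsock.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def permissive_context():
    """What a broken inspection product does: no chain or hostname validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(cafile=None):
    """What the guidance requires: full chain validation against a trust store
    plus hostname checking. cafile=None uses the system trust store."""
    return ssl.create_default_context(cafile=cafile)


def upstream_probe(port, ctx):
    """Connect like the proxy's upstream leg would. Returns ('ok', payload) or
    ('verify_failed', reason). A proxy must surface the latter to the client
    rather than silently present its own valid certificate."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return "ok", tls.recv(16)
    except ssl.SSLCertVerificationError as e:
        return "verify_failed", e.reason


def demo():
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d)
        port = start_server(cert, key, 2)
        lax = upstream_probe(port, permissive_context())
        strict = upstream_probe(port, strict_context())
    return {"permissive": lax, "strict": strict}


if __name__ == "__main__":
    for name, (status, detail) in demo().items():
        print(f"{name:10s} -> {status} ({detail!r})")
```

The permissive client completes the handshake and reads the server's data even though no trust anchor vouches for the certificate, which is exactly the position an inspection product is in when it skips chain validation on the upstream leg. The strict client stops at the handshake with `CERTIFICATE_VERIFY_FAILED`; a correctly configured product should behave like the strict client and relay that failure to the end user's browser as a warning.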
HHS also recommends that covered entities confirm that the HTTPS inspection product has been installed correctly, as improper installation of the product may decrease security and present new vulnerabilities.
Finally, HHS explains that covered entities should weigh the benefits and detriments of using HTTPS inspection products when performing the regular risk analyses required by the HIPAA Security Rule.
The HHS guidance is available at: https://www.hhs.gov/sites/default/files/april-2017-ocr-cyber-awareness-newsletter.pdf