Last week, the Office of Civil Rights (OCR) issued guidance on securing end-to-end communications for sensitive information transmitted between parties over the internet. The OCR warns against “man-in-the-middle” (MITM) attacks that can occur during the transmission of information. In a MITM attack, a third party intercepts communications between two parties and, in addition to accessing the information, may alter the communication by injecting malicious code or modifying trusted information.
If the intercepted information is sensitive in nature, it is likely that the information is protected under one or more state or federal laws that require certain security protocols. OCR states that when electronic protected health information (ePHI) that is protected under the Health Insurance Portability and Accountability Act (HIPAA) is transmitted over the internet, covered entities and business associates should include factors for securing end-to-end communication in their security risk analysis required by the HIPAA Security Rule.
According to OCR, many organizations use HTTPS inspection products in an effort to monitor the security of confidential communications. These products intercept HTTPS communications, decrypt and review them for attacks, and then re-encrypt the communications. OCR cautions that the inspection process can actually make communications more vulnerable to MITM attacks. For example, some interception products do not verify the certificate trust chain between the organization and the server before re-encrypting the communications. Once an HTTPS interception product is in use, an organization is no longer able to validate the certificates in the connection itself, because the client sees only the certificate presented by the inspection product. OCR recommends verifying that an HTTPS inspection product properly validates certificate chains and informs the user of any errors prior to using the product. Further, an organization’s poor implementation of inspection products can impair security and introduce new vulnerabilities. OCR states that covered entities and business associates who use an HTTPS inspection product for transmissions of ePHI should consider these risks as part of their HIPAA security risk analysis.
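One practical way to perform the verification OCR recommends is to probe, from a workstation whose traffic passes through the inspection product, a set of test hosts that deliberately present invalid certificates and observe whether the client is still allowed to connect. The script below is an added example and is not part of the OCR guidance or of this post; it assumes the badssl.com test endpoints (expired, self-signed, untrusted-root and wrong-host) are reachable and still serve their broken certificates, and it uses only the Python standard library. If a probe against one of those hosts succeeds, the inspection product has accepted a bad chain and re-signed it with its own CA; the issuer name reported for the control host shows whether the client is seeing the origin server's certificate or the product's.

```python
"""Probe TLS connections from behind an HTTPS inspection product.

Added example, not code from the OCR guidance or the post it describes.
Assumptions: the probe runs on a workstation whose traffic traverses the
inspection product, and the badssl.com hosts below still present their
deliberately invalid certificates.
"""
import socket
import ssl

# Hosts that deliberately present invalid certificates (assumed badssl.com
# test endpoints). A correctly behaving inspection product must either
# refuse these connections or let the failure reach the client intact.
EXPECTED_FAILURES = (
    "expired.badssl.com",
    "self-signed.badssl.com",
    "untrusted-root.badssl.com",
    "wrong.host.badssl.com",
)

# A host with a valid certificate, used to learn which CA the client
# actually sees when a connection succeeds.
CONTROL_HOST = "badssl.com"


def issuer_cn(cert):
    """Return the issuer commonName from an ssl.getpeercert() dictionary."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no issuer CN>"


def probe(host, port=443, timeout=5.0):
    """Open a fully verified TLS connection and report what the client sees.

    Returns ("ok", issuer_cn) when the chain and hostname validate, or
    ("error", message) when validation fails or the host is unreachable.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLError as exc:
        # SSLCertVerificationError carries the OpenSSL verify message.
        return ("error", getattr(exc, "verify_message", str(exc)))
    except OSError as exc:
        return ("error", f"connection failed: {exc}")
    return ("ok", issuer_cn(cert))


def assess(results):
    """Turn probe results into findings.

    `results` maps host -> (status, detail) as returned by probe().
    Returns a list of human-readable findings; an empty list means every
    invalid certificate was rejected.
    """
    findings = []
    for host in EXPECTED_FAILURES:
        status, detail = results.get(host, ("error", "not probed"))
        if status == "ok":
            findings.append(
                f"{host}: invalid certificate was accepted (chain re-signed by "
                f"'{detail}'); the inspection product is not validating chains"
            )
    control = results.get(CONTROL_HOST)
    if control and control[0] == "ok":
        findings.append(
            f"{CONTROL_HOST}: issuer seen by the client is '{control[1]}'; if "
            "that is the inspection product's CA rather than a public CA, the "
            "client can no longer validate the origin server's certificate"
        )
    return findings


def run_probes(hosts=EXPECTED_FAILURES + (CONTROL_HOST,)):
    """Probe every host and collect the results for assess()."""
    return {host: probe(host) for host in hosts}


if __name__ == "__main__":
    for finding in assess(run_probes()):
        print(finding)
```

Run the script from behind the inspection product and again from a network path that bypasses it; the two sets of findings should differ only in the issuer reported for the control host. Any finding for one of the expected-failure hosts is the defect OCR describes and belongs in the organization's risk analysis.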
OCR emphasizes its long-standing guidance for covered entities and business associates to encrypt ePHI to ensure that the ePHI is not unsecured. OCR has issued specific guidance on securing ePHI, including encryption. OCR also encourages covered entities and business associates to review recommendations from the National Institute of Standards and Technology for securing end-to-end communications, as well as recommendations from the United States Computer Emergency Readiness Team on protecting internet communications and preventing MITM attacks. All of these resources provide valuable tools for organizations, including covered entities and business associates under HIPAA, to ensure the security of end-to-end communications and reduce the risk of associated liability.