New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications, and warns of a vulnerability that can be introduced by products that inspect HTTPS traffic. These products are deployed to detect malware or unsafe connections, but because they sit between the user and the destination server, a product that does not properly validate the connection can allow the communication to be intercepted. Such interceptions are called man-in-the-middle attacks.
OCR advises that covered entities and business associates follow US-CERT guidelines: verify that their HTTPS inspection product validates certificate chains, passes certificate warnings through to the entity, and is properly installed. According to OCR, evaluation of an entity's HTTPS inspection tool should be included in the entity's risk assessment and analysis to determine whether the product should be used.
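To make the "validates certificate chains" check concrete, the following is an added example that is not part of the OCR guidance, the US-CERT alert, or this post. It builds a constructed private CA, an unrelated CA, and three server certificates for a hypothetical host (ehr.example.test) entirely in memory, then shows the four outcomes an HTTPS inspection product must distinguish and surface rather than silently pass through: a valid chain, a certificate from an untrusted issuer, a hostname mismatch, and an expired certificate. The classification uses Go's standard crypto/x509 error types; the scenario names and the Verdict labels are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert signs a certificate built from tmpl. If parent is nil the
// certificate is self-signed (a CA root); otherwise it is issued by parent.
// All keys and certificates here are constructed test fixtures.
func keyAndCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a CA certificate valid for one day either side of now.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-24 * time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes a server certificate for host with the given expiry.
func leafTemplate(host string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-48 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Verdict validates leaf against roots for host and classifies the result into
// the outcome an inspection product must report to the user. Only a result of
// "ok" should let the connection proceed without a warning.
func Verdict(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "untrusted issuer"
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	default:
		return "other: " + err.Error()
	}
}

// RunScenarios builds a trusted CA, an unrelated CA, and three leaf certs for
// the hypothetical host ehr.example.test, and returns each scenario's verdict.
func RunScenarios() map[string]string {
	trustedCA, trustedKey := keyAndCert(caTemplate("Constructed Trusted CA"), nil, nil)
	otherCA, otherKey := keyAndCert(caTemplate("Constructed Unknown CA"), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the only issuer this client trusts

	const host = "ehr.example.test"
	good, _ := keyAndCert(leafTemplate(host, time.Now().Add(24*time.Hour)), trustedCA, trustedKey)
	untrusted, _ := keyAndCert(leafTemplate(host, time.Now().Add(24*time.Hour)), otherCA, otherKey)
	expired, _ := keyAndCert(leafTemplate(host, time.Now().Add(-time.Hour)), trustedCA, trustedKey)

	return map[string]string{
		"valid chain":    Verdict(good, roots, host),
		"unknown issuer": Verdict(untrusted, roots, host),
		"wrong host":     Verdict(good, roots, "other.example.test"),
		"expired leaf":   Verdict(expired, roots, host),
	}
}

func main() {
	for name, v := range RunScenarios() {
		fmt.Printf("%-15s -> %s\n", name, v)
	}
}
```

A product that terminates TLS on the user's behalf has to perform exactly this validation against the upstream server's chain; if it reports "ok" for any of the three failing scenarios, it is hiding a warning the browser would otherwise have shown, which is the gap the US-CERT guidance asks entities to test for.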
OCR further directs covered entities to NIST publications on end-to-end communications and on the encryption processes to use when transmitting ePHI.
This post is also being shared on our Data Privacy + Security Insider blog. If you're interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.