Numerous healthcare organizations employ HTTPS inspection tools in order to monitor HTTPS connections for any malware which may be present. HTTPS inspection tools decrypt HTTPS network traffic, inspect its content, and re-encrypt it before forwarding it on.
The purpose of HTTPS inspection tools is to enhance security; however, the Department of Health and Human Services’ Office for Civil Rights has recently issued a warning which highlights research indicating that HTTPS inspection tools in fact have the potential to introduce vulnerabilities that could leave organizations open to “man-in-the-middle” attacks.
Man-in-the-middle (MITM) attacks are those in which third parties intercept the communications of another two organizations or individuals. In a MITM attack, the attacker can potentially spy on conversations, steal private or classified data, manipulate or modify communications, or even run malicious code.
Although using end-to-end connection security via HTTPS should theoretically serve to protect against man-in-the-middle attacks, some HTTPS inspection tools might actually damage security and ultimately result in the exposure of ePHI.
OCR drew attention to a recent warning from the United States Computer Emergency Readiness Team (US-CERT) which warned organizations to verify their HTTPS inspection tools to discover if they are correctly validating certificate chains and are communicating alerts and error messages to clients. A number of HTTPS inspection tools have been revealed to incorrectly validate web servers’ certificates and fail to send warnings.
A client in a healthcare organization using these tools can verify the connection between itself and the interception product, but, significantly, not the connection between the interception product and the destination server. OCR has warned that incorrect implementation of the products might also result in the introduction of vulnerabilities.
Healthcare organizations are urged to check HTTPS inspection tools so as to determine whether they have any weaknesses and if they are correctly validating certificate chains and are passing on alerts and error notifications.
In its alert, OCR states that HTTPS inspection should be a standard part of any organization’s risk analysis and that the pros and cons of using the tools should be considered at length. Healthcare organizations are specifically referred to in the US-CERT alert and are further advised to consult US-CERT’s report regarding the risks of SSL inspection.
Actions which can serve to mitigate the risk for man-in-the-middle attacks include:
Updating Transport Layer Security (TLS) to version 1.1 or higher, disabling TLS 1.0, and ensuring SSL 1, 2 and 3.x (Secure Sockets Layer) are disabled.
The use of Certificate Pinning
The implementation of DNS-based Authentication of Named Entities (DANE)
The use of Network Notary Servers
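The two checks above that a client can actually perform on its own (does my TLS client refuse weak protocol versions and unvalidated chains, and is the leaf key I see the one I pinned) are illustrated below in an added example, using only the Python standard library. It is not code from OCR, US-CERT or any inspection product. It computes an RFC 7469-style SPKI pin (base64 of SHA-256 over the DER SubjectPublicKeyInfo) with a small hand-written DER walker, compares it to a list of expected pins, and contrasts a hardened client context with the permissive one that never surfaces chain or hostname errors. The TLS 1.2 floor is stricter than the 1.1 floor named in the article; the certificate-shaped DER at the bottom is constructed for offline use and is not a valid certificate.

```python
import base64
import hashlib
import socket
import ssl

# --- minimal DER helpers: enough to walk the outer X.509 structure ---------

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos] (single-byte tags only).
    Returns (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """(tag, elem_start, elem_end) for every element in buf[start:end], header included."""
    out, pos = [], start
    while pos < end:
        tag, _, ve = _read_tlv(buf, pos)
        out.append((tag, pos, ve))
        pos = ve
    return out

def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, vs, _ = _read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_vs, tbs_ve = _read_tlv(cert_der, vs)  # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = _children(cert_der, tbs_vs, tbs_ve)
    if fields and fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, s, e = fields[5]
    return cert_der[s:e]

def spki_pin(cert_der):
    """Pin as used by HPKP / RFC 7469: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, expected_pins):
    """True when the leaf's SPKI pin is one of the pins the client trusts."""
    return spki_pin(cert_der) in set(expected_pins)

# --- client TLS configuration ---------------------------------------------

def hardened_context():
    """Validates the chain and the hostname and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def permissive_context():
    """The failure mode US-CERT describes: chain and hostname errors are never surfaced."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_is_hardened(ctx):
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def check_pin_live(host, port, expected_pins, timeout=5):
    """Connect with full verification and compare the leaf certificate's pin.
    A mismatch on a host you pinned means a re-signing middlebox or a key rotation;
    either way the client must not proceed silently. (Needs network; not run in tests.)"""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
    return pin_matches(leaf, expected_pins)

# --- constructed, certificate-shaped DER for offline demonstration --------
# NOT a valid certificate: every field except the SPKI skeleton is an empty placeholder.

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

SAMPLE_SPKI = _der(0x30,
    _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption, NULL
    + _der(0x03, b"\x00" + b"\x42" * 16))                                           # fake key BIT STRING
SAMPLE_CERT = _der(0x30,
    _der(0x30,
        _der(0xA0, _der(0x02, b"\x02"))   # [0] version v3
        + _der(0x02, b"\x01")             # serialNumber
        + _der(0x30, b"")                 # signature (placeholder)
        + _der(0x30, b"")                 # issuer (placeholder)
        + _der(0x30, b"")                 # validity (placeholder)
        + _der(0x30, b"")                 # subject (placeholder)
        + SAMPLE_SPKI)                    # subjectPublicKeyInfo
    + _der(0x30, b"")                     # signatureAlgorithm (placeholder)
    + _der(0x03, b"\x00"))                # signatureValue (placeholder)

if __name__ == "__main__":
    print("pin of constructed sample:", spki_pin(SAMPLE_CERT))
    print("hardened ok:", context_is_hardened(hardened_context()),
          "permissive ok:", context_is_hardened(permissive_context()))
```

Pinning cuts both ways for the trade-off OCR asks organizations to weigh: a client that pins the destination's key will refuse a sanctioned inspection proxy just as firmly as a hostile one, so pins must be managed together with the inspection deployment, and `check_pin_live` raising on a mismatch is the intended behaviour rather than a bug to suppress.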
Covered entities and business associates are also advised to refer to the advice of the National Institute of Standards and Technology (NIST) regarding the security of end-to-end communications and make sure that suitable encryption processes are being used to avoid the exposure of ePHI.