The trusted source for
healthcare information and
Protected health information can be compromised by attacks on the data while it is in transit from one point to another. This is a security threat that can be underestimated by healthcare providers.
The Department of Health and Human Services Office for Civil Rights (OCR) is warning healthcare providers about the risks from “man-in-the-middle” (MITM) hacking, in which someone hijacks communications between two parties and alters or copies the data without either party knowing. In addition to theft of data, MITM attacks can be used to insert malicious code or alter sensitive information like patient records.
Unfortunately, MITM attacks sometimes are made possible by a strategy intended to improve data security, OCR says. Healthcare providers, like many other organizations, implemented end-to-end connection security on their internet transactions using Secure Hypertext Transport Protocol, known as HTTPS, including software designed to detect malware over an HTTPS connection. This “HTTPS inspection” process intercepts the HTTPS network traffic and decrypts it, reviews it, then re-encrypts it before delivering the data.
This requires the installation of trusted certificates on client devices so the HTTPS inspection can be performed without presenting warnings.
“However, this process may leave organizations using HTTPS interception products vulnerable because the organizations can no longer verify web servers’ certificates, view the protocols and ciphers that an HTTPS interception product negotiates with web servers, and, most importantly, independently validate the security of the end-to-end connection,” OCR explains.
Organizations using this process can validate only the connection between themselves and the interception product, not between themselves and the server.
“This is problematic, because many HTTPS interception products do not properly verify the certificate chain before re-encrypting and forwarding information to the organizations, which leaves the connection vulnerable to a malicious MITM attack,” the OCR report says. (The full OCR report, including resources for addressing the problem, is available online at: http://bit.ly/2pd2yjJ.)
OCR advises healthcare providers verify their HTTPS interception product properly validates certificate chains and passes any warnings or errors to the client.
MITM attacks differ from other types of hacking because the threat occurs in the middle of an otherwise secure connection between two parties, says Lauren M. Ramos, JD, an attorney with McGuire Woods in Richmond, VA. The hacker effectively takes over the communication process and can intercept data, either copying it or altering it, before it is sent along to the recipient, she says.
“This can affect different industries, but in the healthcare community this is a threat to protected health information under HIPAA,” Ramos says. “Once hackers intercept the information in this way and unencrypt it, they can either use it to harm the subject of the information or they might not be interested in the communication itself. Their real interest may be in using this communication as a vehicle for sending malicious code, getting it into the healthcare provider’s system through this message that will pass through the security settings without a problem.”
MITM attacks pose a substantial risk of HIPAA breaches, Ramos says. The OCR warning is the latest indication that the office is focusing more on the security of data in motion rather than just protecting stored data from theft or loss, she notes.
“We get focused a lot on administrative and physical safeguards because they are more intuitive and easier to grasp, particularly when it is something concrete like a laptop with PHI or a server that has to be protected,” she says. “OCR is emphasizing that, while that kind of protection is essential, there is a growing threat of cyberattacks that require more technical safeguards for protecting PHI in transit. It is clear that OCR has its eye on this, and an organization’s risk analysis will be under the microscope.”
Risk managers may want to confirm that the organization’s data security adequately addresses this type of risk, Ramos suggests. Healthcare leaders have become more adept with understanding the security necessary to prevent data theft, but may still find it difficult to understand the technical aspects of MITM attacks and how to prevent them, she says.
“When it comes to cybersecurity threats of this type, knowledge can be lacking just because it is so complex and not something that is easily grasped by someone outside of the IT department,” she says. “Whether you do it with someone in-house who is very knowledgeable and can keep up with these developments, or you use an outside vendor, this is something that should be addressed before you realize it’s too late. This is not something that providers are thinking about on a day-to-day basis, so it’s important to make a point of assessing your vulnerability and acting proactively.”
Financial Disclosure: Author Greg Freeman, Editor Jill Drachenberg, Editor Jonathan Springston, and Nurse Planner Maureen Archambault report no consultant, stockholder, speaker’s bureau, research, or other financial relationships with companies having ties to this field of study. Physician Editor Arnold Mackles, MD, MBA, LHRM, discloses that he is an author and advisory board member for The Sullivan Group and that he is owner, stockholder, presenter, author, and consultant for Innovative Healthcare Compliance Group.