Imagine this: Dr. Primary is treating Patty Patient for substance abuse and emails Patty Patient’s protected health information (PHI) to a treatment clinic. Before the email arrives at the clinic, it is intercepted by a third party, Evan Eavesdropper, who publishes the PHI on the internet.  Evan Eavesdropper also decides to alter the PHI in the email before sending the email on to the clinic.  When the clinic receives the email with the altered PHI, the clinic thinks that Patty Patient is not a good candidate for its treatment program and emails its conclusions back to Dr. Primary.  Evan Eavesdropper gleefully changes this email and accepts Patty Patient into the clinic’s treatment program.  Patty Patient arrives at the clinic and finds there is no place for her in the treatment program.

Dr. Primary, Patty Patient, and the clinic are victims of a “Man-in-the-Middle Attack,” also known as an “MITM Attack.”  An MITM Attack is a cyberattack where a bad actor or “eavesdropper” inserts himself into a conversation between two or more people and, unbeknownst to them, steals, alters, interferes with, or exposes their sensitive information.  The attacker intercepts the information before it reaches the server (and after it goes through the server in a responsive email).

The types of interactions that may be vulnerable to MITM Attacks are those that require logins and/or authentications to protect sensitive information, e.g., any site that is protected by Secure Hypertext Transport Protocol or HTTPS.  The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on MITM attacks in its April cybersecurity newsletter which warns that entities using HTTPS interception products can weaken the security of information sent over the internet because the entities “can validate only the connection between themselves and the interception product, not between themselves and the server.” Hence, an MITM Attack can occur and sensitive data can be transmitted to a third (bad) party because many interception products do not verify the certificate chain before re-encrypting and forwarding information.

OCR recommends that covered entities and business associates using interception products, or considering their use, determine the risks of transmitting PHI using such products as part of their risk analysis. OCR directs these entities to consider the pros and cons discussed by the United States Computer Emergency Readiness Team (US-CERT) as part of that analysis.  OCR also urges review of the National Institute of Standards and Technology (NIST) recommendations “for securing end-to-end communications.”  OCR cites to NIST SP-800 in its “Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” when describing encryption that secures PHI.

In addition, OCR lists the following US-CERT recommendations to entities to protect against MITM Attacks:

  1. Verify that your interception product properly validates certificate chains and passes any warnings or errors to the client.
  2. Use sites such as badssl.com to test whether your interception product is properly verifying the certificate chains of the servers and prevents connections to sites using weak cryptography.
  3. Consider using the following mitigations:
    1. Update Transport Layer Security (TLS) and Secure Socket Layer (SSL): entities should upgrade TLS to 1.1 or higher and disable TLS 1.0 and SSL 1, 2, and 3.x.
    2. Utilize HTTP Public Key Pinning (HPKP), often referred to as certificate pinning. This allows HTTPS websites to resist MITM Attacks using fraudulent certificates.
    3. Implement DNS (Domain Name Security)-based Authentication of Named Entities (DANE).
    4. Use Network Notary Servers.

To read OCR’s April cybersecurity newsletter, click here.

To read OCR’s “Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” click here.

To learn more about emerging cybersecurity threats, continue to follow the Health Law Gurus.