There are numerous causes of breaches of protected health information (PHI), ranging from human oversights to “high-tech” errors. In April, the Office for Civil Rights (OCR) within the Department of Health and Human Services focused on the high-tech aspect of the equation, and warned against “man-in-the-middle” (MITM) attacks.[1] MITM attacks involve interception and infiltration of an online transmission by a third party, who may then infect, manipulate, or steal the transmitted data.
Secure Hypertext Transport Protocol (HTTPS) is a common security tool to protect communications sent via the internet. For example, you frequently may see the “https” designation when accessing websites that allow you to make financial transactions. The security of HTTPS can be evaluated using an “interception product,” which reviews and assesses internet traffic after decrypting it, and then re-encrypting it before sending it to its intended destination. Although these products are designed to root out malware, OCR identifies several key issues resulting from weaknesses in the products themselves or with their implementation. Such issues include failures to properly validate security certificates and failures to issue correct security warnings, which could negatively affect security of data transmission and lead to MITM attacks.