
The Wagner Law Group

The Wagner Law Group is a nationally recognized practice in the areas of ERISA and employee benefits, estate planning, employment, labor and human resources, investment management and real estate. 

 

Established in 1996, The Wagner Law Group has 27 attorneys engaged exclusively in employee benefits, estate planning and employment law. Seven of our attorneys are AV rated by Martindale-Hubbell as having very high to preeminent legal abilities and ethical standards. The firm is among the largest ERISA boutiques in the country. Our practice is national in scope, with clients in more than 40 states and several foreign countries.

 

 

 

 


April 13, 2017

 

 Health and Welfare Law Alert

 

 

 

HHS Releases HIPAA Guidance on "Man-in-the-Middle" Attacks

 

 

 

 

 

HHS has issued guidance advising covered entities and business associates of certain risks that come with using HTTPS inspection products to prevent third parties from intercepting and altering electronic protected health information ("ePHI") transmitted over the internet. In particular, the guidance discusses "man-in-the-middle" attacks ("MITM attacks") that can result from using HTTPS inspection products and advises covered entities and business associates to take certain steps to avoid such attacks.


Background. A MITM attack involves a third party intercepting and accessing information contained in a communication between two parties. In addition to accessing the communication, the third party may insert harmful code or distort the original information.


Many covered entities use HTTPS inspection products to monitor the security of confidential, sensitive internet communications. The use of HTTPS inspection products increases security by allowing covered entities to detect malware and unsafe connections.


HTTPS inspection products operate by intercepting HTTPS communications, decrypting and reviewing them for attacks, and then re-encrypting the communications. To avoid triggering warnings, the HTTPS inspection product must install trusted certificates on clients' devices. Doing so, however, may leave the covered entity unable to verify web servers' certificates itself, because the client then sees the certificate presented by the inspection product rather than the one presented by the web server. If the inspection product does not verify the full certificate chain, the covered entity could be exposed to MITM attacks. HTTPS inspection products may therefore actually make communications more vulnerable to MITM attacks.


Guidance. To avoid the risk of MITM attacks associated with using HTTPS inspection products, HHS advises covered entities to follow the advice of the United States Computer Emergency Readiness Team and confirm that their HTTPS inspection product accurately validates certificate chains and passes any warnings to clients.
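
One way to run that confirmation from a client behind the inspection product, as an added example that is not part of the HHS guidance or of this alert: attempt fully verified TLS handshakes to hosts that deliberately serve invalid certificates, and flag any that the client accepts. Assumptions: the public badssl.com test hosts are reachable, traffic is intercepted transparently, and the inspection CA is in the trust store Python uses; `probe` and `evaluate` are names chosen here.

```python
import socket
import ssl

# Public test hosts that deliberately present invalid certificates
# (assumption: badssl.com is reachable from the client being tested).
BAD_CERT_HOSTS = {
    "expired.badssl.com": "expired certificate",
    "self-signed.badssl.com": "self-signed certificate",
    "untrusted-root.badssl.com": "untrusted root",
    "wrong.host.badssl.com": "hostname mismatch",
}


def probe(host, port=443, timeout=10):
    """Handshake with full verification; return (accepted, detail)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, issuer.get("organizationName", "unknown issuer")
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message  # warning reached the client
    except OSError as exc:
        return False, f"connection blocked or failed: {exc}"


def evaluate(results):
    """List bad-certificate hosts the client accepted (host -> probe() result)."""
    findings = []
    for host, (accepted, detail) in sorted(results.items()):
        if accepted and host in BAD_CERT_HOSTS:
            findings.append(
                f"{host}: {BAD_CERT_HOSTS[host]} was masked; "
                f"client saw a valid certificate issued by {detail}"
            )
    return findings


if __name__ == "__main__":
    findings = evaluate({h: probe(h) for h in BAD_CERT_HOSTS})
    for line in findings:
        print("FAIL", line)
    print("inspection path passed" if not findings else f"{len(findings)} failure(s)")
```

A finding means the inspection product re-signed a connection whose upstream certificate was invalid, so the client never received the warning.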

  
HHS also recommends that covered entities confirm that the HTTPS inspection product has been installed correctly, as improper installation of the product may decrease security and present new vulnerabilities.


Finally, HHS explains that covered entities should weigh the benefits and detriments of using HTTPS inspection products when performing the regular risk analyses required by the HIPAA Security Rule.

 

 

 

This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.

 

This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice.  This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.