Man-in-the-Middle Attacks

In their April Cybersecurity Newsletter, Office for Civil Rights (OCR) addressed an emerging threat known as “Man-in-the-Middle” (MITM) attacks. A MITM attack occurs when a third party secretly intercepts and relays the message between two parties who believe they are communicating directly with each other.

There are several forms of MITM:

Man in the Browser: Malware installed on a computer that modifies online transactions and can bypass encryption and antivirus programs.

Man in the Mobile: The attacker inserts a self-signed certificate that allows them to intercept data from a free mobile app.

Man in the Cloud: The attacker gains access by intercepting a synchronization token, then spies on file sharing and storage.

Man in the Internet of Things (IoT): Bluetooth- or internet-connected devices (security cameras or biomedical devices) that still use their default usernames or passwords.

WiFi Eavesdropping: Hijacking a WiFi connection to spy on a user, most likely to occur while using public WiFi.

A MITM attack can be used to achieve various outcomes, including injecting malicious code, intercepting sensitive information such as Protected Health Information (PHI), exposing sensitive information, or modifying trusted information.

Protection from MITM Attacks

As with all malware and cyber-attacks, being aware of the threats and implementing appropriate safeguards are critical to creating a strong cyber security program and protecting PHI.

Below is a list of safety measures to protect against an MITM attack:

  • Implement firewalls that can provide HTTPS filtering / deep packet inspection (SSL and TLS)
  • Utilize web content filtering and anti-spam protection devices or applications
  • Avoid using unencrypted free WiFi hot spots to transmit sensitive data
  • Verify that sensitive data is only entered on websites using HTTPS
  • Discontinue use of websites that display a warning about issues with their certificate
  • Maintain your operating system software and verify your hardware is patched and up to date
  • Utilize a two-factor authentication system whenever possible
  • Configure web filters to deny any “zero-reputation” websites/URLs to reduce the chance of compromised banner ads
  • Training: it is vital to constantly train and remind users. At the end of the day WE are the front end, the top layer of any security device, and without training we will not know what to watch for

HTTPS Inspection Products

To offset the threat of a MITM attack, many organizations have implemented end-to-end connection security for internet transactions using Hypertext Transfer Protocol Secure, or “HTTPS.” Additionally, some organizations use “HTTPS interception products” to detect malware inside HTTPS connections. These products, known as “HTTPS / SSL inspection” or “deep packet inspection” products, intercept the HTTPS network traffic, decrypt it, review it, and finally re-encrypt it.

One issue organizations using HTTPS interception products need to be aware of is the potential for vulnerabilities caused by an inability to verify web servers’ certificates and to validate the security of the end-to-end connection. These products require users’ systems to trust a certificate created by the device vendor so that clients can communicate with the device that decrypts and re-encrypts the inspected data. Because the client only ever sees the certificate issued by the inspection device, it can no longer judge the real web server’s certificate itself; every verification decision now rests with the product.

PHI and HIPAA Security

The HIPAA Security Rule specifies that PHI must be encrypted, defining encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304, definition of encryption). PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if the confidential passwords or keys that enable decryption have not been breached. Additionally, encryption processes must meet the standards set by the National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS).

US-CERT Recommendations

In a previous blog post we introduced the United States Computer Emergency Readiness Team (US-CERT), a team designed to respond to cyber security incidents and analyze data from partners about emerging cyber threats. US-CERT has weighed in on MITM attacks and recommends that organizations verify that their HTTPS interception product properly validates certificate chains and passes any warnings to the client.
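One practical way to carry out the US-CERT check above is to connect, from a workstation behind the inspection product, to public test hosts that deliberately present defective certificates and confirm the handshake still fails. The script below is an added example, not code from the original post or from US-CERT; it assumes the badssl.com test endpoints (a public service, not mentioned on the page) are reachable, and the `probe` and `evaluate` function names are this example's own.

```python
"""Check that an HTTPS inspection proxy still rejects bad certificates.

Run from a client behind the inspection product. Each host below is an
assumed public test endpoint that presents the defect its name states.
A correctly behaving proxy must fail the handshake for every one of them,
exactly as a direct connection would; if the client instead sees a valid
certificate signed by the corporate inspection CA, the warning was lost.
"""
import socket
import ssl

# Assumed test endpoints (badssl.com); not taken from the original post.
BAD_CERT_HOSTS = ["expired.badssl.com", "self-signed.badssl.com",
                  "wrong.host.badssl.com", "untrusted-root.badssl.com"]


def probe(host, port=443, timeout=5):
    """Handshake with full chain and hostname validation.

    Returns ("rejected", reason) when the client's own verification fails,
    ("accepted", issuer_cn) when a certificate was trusted, or
    ("error", message) when the host could not be reached at all."""
    ctx = ssl.create_default_context()  # system roots incl. the proxy CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(x[0] for x in tls.getpeercert()["issuer"])
                return ("accepted", issuer.get("commonName", "?"))
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", exc.verify_message or str(exc))
    except OSError as exc:
        return ("error", str(exc))


def evaluate(results):
    """results: {host: outcome tuple from probe()}. Returns (ok, findings).

    Any bad-cert host that was *accepted* means the inspection product
    replaced a defective server certificate with one the client trusts
    and swallowed the warning: the failure US-CERT cautions against."""
    findings = [f"{host}: accepted, re-signed by '{detail}'"
                for host, (status, detail) in results.items()
                if status == "accepted"]
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = evaluate({h: probe(h) for h in BAD_CERT_HOSTS})
    print("PASS: proxy forwards certificate failures" if ok
          else "FAIL:\n" + "\n".join(findings))
```

Hosts that return ("error", ...) are unreachable rather than misvalidated, so they are not counted as findings; retry them before drawing a conclusion.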

For the latest recommendations from the US-CERT, visit:
