HHS and HIPAA – Caveats on HHS web site content!

On the HHS web site, HHS links to the NIST SP 800 -52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations

But https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html?language=es

is linking to an OUTDATED (local copy) version of NIST 800-52 from back in 2005. The effective version (from 2014) is at https://csrc.nist.gov/publications/detail/sp/800-52/rev-1/final

Changes are a little bit explained here: https://www.nist.gov/news-events/news/2014/04/nist-revises-guide-use-transport-layer-security-tls-networks

However, there is also a new draft version – with IMPORTANT COMMENTS at 

https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft

HHS (HIPAA): Man-in-the-Middle Attacks and “HTTPS Inspection Products” (April 2017)

https://www.hhs.gov/sites/default/files/april-2017-ocr-cyber-awareness-newsletter.pdf

” Covered entities and business associates using HTTPS interception products or considering their use should consider the risks presented to their electronic PHI transmitted over HTTPS, and intercepted with an HTTPS interception products, as part of their risk analysis, particularly considering the pros and cons discussed by the US-CERT alerts, and the increased vulnerability to malicious third-party MITM attacks.

In addition to reviewing recommendations from US-CERT, covered entities and business associates should also review recommendations from the National Institute of Standards and Technology (NIST) for securing end-to-end communications, especially regarding the configuration, use and updating of TLS/SSL implementations. OCR’s Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals references NIST SP-800 series publications to describe the valid encryption processes to use to ensure that electronically transmitted PHI is not unsecured. “