
By Nadia ElKaissi, CHTM

The growth of networked medical technology has made it more necessary than ever for healthcare technology management (HTM) professionals to protect sensitive information. Because patient information now crosses the network, there are several ways to secure sensitive data. One option is Transport Layer Security (TLS). TLS is a protocol that provides privacy between communicating applications and users on the Internet. TLS can be thought of as a layer of protection that builds a tunnel around the communication between two endpoints. The tunnel encrypts the data in transit and protects it against tampering, so that the confidentiality and integrity of the communication are maintained. This becomes extremely useful for data containing PII/PHI. Although TLS in general is beneficial for protecting data, it is imperative that systems are always upgraded to the latest TLS version approved by the OEM to minimize vulnerabilities.
TLS is considered a fundamental element in ensuring secure communication over a network. It focuses on three key areas: confidentiality, authentication and integrity. Over the years, TLS has improved significantly since its original form, the Secure Sockets Layer (SSL), one of the first protocols to establish an encrypted session between two endpoints through a handshake. From SSL, it transitioned to TLS 1.0 to protect communications from known SSL vulnerabilities. Since then, TLS has progressed from version 1.0 to 1.3, each time improving features and performance and reducing the potential for vulnerabilities.
TLS 1.3 contains some key improvements over TLS 1.2, including upgraded cryptographic algorithms, mandatory forward secrecy and faster connection setup. TLS 1.2 was subject to known attacks such as FREAK and Logjam, which exploited weaknesses in the cryptography it still permitted. Therefore, one of the changes made in TLS 1.3 was a small, simplified set of cipher suites in place of the large and complex set that TLS 1.2 supported. With this change, several legacy algorithms with known vulnerabilities were eliminated. Forward secrecy was made mandatory, which ensures that a unique key is generated for each session. Because every session has its own key, the compromise of one key does not expose the traffic of other sessions. Lastly, TLS 1.3 reduced the time required to establish a secure connection, which improved performance. Multiple additional changes were made in TLS 1.3, but those mentioned above are some of the more noticeable ones to keep an eye out for.
While planning a transition to TLS 1.3, some may ask whether it is wise to upgrade every TLS-capable system to TLS 1.3. While ideally the answer would be “YES! Upgrade them all!”, we must understand the critical implications of upgrading a system that has not been verified to support TLS 1.3. Although it would be prudent to upgrade a system to 1.3 to enhance security, doing so may disrupt critical health care devices if the system is not ready for the upgrade. Before any upgrade takes place, it is always recommended to perform a few proactive steps to reduce the potential for downtime. These steps can be as simple as communicating with the device manufacturer about the device's compatibility with the upgrade and/or testing on a sample device. Communication with the manufacturer is always a key step before upgrading, because it allows one to understand the specific requirements for upgrading to TLS 1.3. For example, the OEM can review the algorithms that the system requires and confirm that there is no dependency on older cryptographic modules. Once the manufacturer has confirmed that the device is compatible with the upgrade, it is a good idea to test the new protocol on an individual device before rolling it out across the entire system. Although sometimes tedious, following a more proactive approach will ensure a successful upgrade to TLS 1.3.
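As an added example (not from the article), a small Python 3 probe that implements the "test on a sample device" step above: it pins a client to one TLS version at a time, records what the device endpoint negotiates, and turns the results into a readiness verdict. The host and port are supplied by the operator and the verdict labels are our own; certificate verification is disabled deliberately because this is an inventory check of a lab device you manage, not a trust decision.

```python
import socket
import ssl
import sys

# Versions to probe, oldest first. Anything below TLS 1.2 is the kind of
# legacy dependency the article says to confirm with the OEM.
PROBE_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def make_probe_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Inventory probe only: we want to learn what the device negotiates, not
    # whether its certificate chains to a CA we trust. check_hostname must be
    # cleared before verify_mode may be set to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Return (negotiated version, cipher suite) or None if the handshake fails."""
    try:
        ctx = make_probe_context(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ValueError, ssl.SSLError, OSError):
        # ValueError: this client's own OpenSSL cannot offer that version.
        return None


def assess(results):
    """Map {version: probe result or None} to a readiness verdict (our labels)."""
    offered = [v for v, r in results.items() if r is not None]
    if ssl.TLSVersion.TLSv1_3 not in offered:
        return "NOT_READY"             # raise with the OEM before any cutover
    if any(v < ssl.TLSVersion.TLSv1_2 for v in offered):
        return "READY_LEGACY_ENABLED"  # 1.3 works, but old versions still answer
    return "READY"


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = {v: probe_version(host, port, v) for v in PROBE_VERSIONS}
    for v, r in results.items():
        print(f"{v.name:8s} {'accepted ' + r[1] if r else 'rejected'}")
    print("Verdict:", assess(results))
```

Run it as `python tls_probe.py <device-host> [port]` against a lab unit; a NOT_READY or READY_LEGACY_ENABLED result is the input to the OEM conversation, not a reason to change the device on your own.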
TLS has made great progress since its inception, and each enhancement has improved security by removing vulnerable features and upgrading the algorithms. Despite a few challenges, TLS 1.3 is a significant step toward a more secure Internet. By upgrading systems in a health care environment to TLS 1.3, you are building a safer, faster and more reliable system that fosters a better health care environment for providers and patients.
Nadia ElKaissi, CHTM, is a biomedical engineer in the Healthcare Technology Management VA Central Office (19HTM).
