Having an SSL Certificate is only the first step, you should also check the SSL Cipher Strength

Having an SSL certificate installed on your server is a must if you are going to send data between a web browser and your application server, and it is one of the easiest first steps in ensuring HIPAA compliance. But adding an SSL certificate doesn't simply mean uploading and installing a valid SSL certificate on the server; it is also about choosing the best block cipher mode of operation so that you get the highest possible security strength.

To quickly and easily check the overall quality of your SSL configuration (including the cipher strength), we recommend using SSL Labs' free SSL Server Test utility, located here: https://www.ssllabs.com/ssltest/analyze.html?d=genb.com

It analyzes your configuration and displays a summary, complete with potential SSL security problems you may need to address.

In the context of HIPAA compliance, you must have a certificate signed with SHA256withRSA using a 2048-bit key, on a server that supports TLS 1.2. We recommend the following cipher order to obtain a minimum security grade of A (which will further strengthen your HIPAA bona fides):

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA
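To see what the cipher order above actually does on a server, here is an added example (not from the original post) that loads it into a Python ssl.SSLContext with TLS 1.2 as the floor, lists the suites OpenSSL really enables, and checks that the weak families are excluded and that a forward-secret suite comes first. RECOMMENDED_CIPHERS is the string above verbatim; the family and marker lists are our own assumptions about what counts as weak.

```python
import ssl

# The cipher order recommended above, copied verbatim.
RECOMMENDED_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA"

# Assumed policy: families any production cipher string should disable with '!'.
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "RC4", "MD5", "DES")
# Assumed policy: substrings that must never appear in an enabled suite name.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def parse_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into (preferred, excluded) token lists."""
    preferred, excluded = [], []
    for token in cipher_string.split(":"):
        (excluded if token.startswith("!") else preferred).append(token.lstrip("!"))
    return preferred, excluded


def missing_exclusions(cipher_string):
    """Return the weak families the string does not explicitly disable."""
    _, excluded = parse_cipher_string(cipher_string)
    return [family for family in REQUIRED_EXCLUSIONS if family not in excluded]


def enabled_suites(cipher_string):
    """Names of the suites OpenSSL enables for a TLS 1.2+ server context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1
    ctx.set_ciphers(cipher_string)                 # raises SSLError if nothing matches
    return [suite["name"] for suite in ctx.get_ciphers()]


def weak_suites(names):
    """Enabled suite names that still carry a known-weak primitive."""
    return [name for name in names if any(marker in name for marker in WEAK_MARKERS)]


def has_forward_secrecy_first(names):
    """True when the top-priority suite uses an ephemeral key exchange
    (TLS 1.3 suites, listed as TLS_*, are always ephemeral)."""
    return bool(names) and names[0].startswith(("ECDHE-", "DHE-", "TLS_"))


if __name__ == "__main__":
    names = enabled_suites(RECOMMENDED_CIPHERS)
    print("missing exclusions:", missing_exclusions(RECOMMENDED_CIPHERS))
    print("weak suites enabled:", weak_suites(names))
    print("forward secrecy first:", has_forward_secrecy_first(names))
    print("\n".join(names))
```

Suites that are explicitly named but not built into your OpenSSL (3DES on most modern builds, for instance) are silently dropped, which is exactly why listing `enabled_suites` is more informative than reading the string.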

If you have any questions about SSL certificate configuration or other aspects of technological HIPAA compliance, get in touch with us at us_office@genb.com or +1 (202) 657-4362; we are happy to help you ;)