...
| Tip |
|---|
This change only affects customers whom are connecting to our Hl7 API over the Public Internet, which is the minority. Majority of connections are made over HSCN. |
New endpoints
We plan to introduce three new endpoints:
Deprecations
my.patientsknowbest.com:7443 is getting deprected.
Motivations/Goals
We want to tighten our security. Efforts we make on this front include:
...
All new endpoints have WAF protection. Two out of the three new only accepts ciphers that are deemded as
| Status | ||||
|---|---|---|---|---|
|
| Status | ||||
|---|---|---|---|---|
|
Better support clients in the clould
We offer mtls.hl7.uk.patientsknowbest.com to those customers who moved to the cloud and can’t use static IPs when accessing our services. It is also our prefered setup for new customers.
Identity is still derived from client credentials and not the client certificate. mTLS in this scenario is only used to replace IP allow listing.
Improve security
Customers, who have
up-to-date client software toosl that support to state of the art cipher suits,
have static IPs that we can allow-list and
can’t allocate budget to implement mTLS in short term
can move to no-mtls.hl7.uk.patientsknowbest.com.
Backward compatibilty
deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com is intended for customers whom are on ore out of date software systems hence still using ciphers that are considered to be weak and cannot update their system in short term.
| Note |
|---|
We urge all our customers to get their systems up to date as it is a common best interest to exchange data as safely as possible. |
Standard ports
Using standard ports will allow us to consolidate our server certificate management and fully automate the renewall process for all our endpoints.
Supported ciphers
my.patientsknowbest.com:7443 supports all ciphers in below table. The new endpoints are compared with this - now deprecated - endpoint.
...