This only affects a handful of clients, as the majority connect to us over HSCN.
Changes
We plan to add three new endpoints and deprecate one.
New endpoints
Introduction of three new endpoints:
- mtls.hl7.uk.patientsknowbest.com
- no-mtls.hl7.uk.patientsknowbest.com
- deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com
Deprecations
my.patientsknowbest.com:7443 is being deprecated.
Motivations/Goals
We want to tighten our security. Efforts we are making on this front include:
- deprecating/removing support for WEAK ciphers, and
- implementing a WAF.
We also want to use the standard port 443 instead of the custom port 7443 we are currently using. This will allow us to automate server certificate rotation in a more standard way.
All new endpoints have WAF protection. Two of the three new endpoints only accept ciphers that the industry deems RECOMMENDED and SECURE, while the third provides backward compatibility.
Better support for clients in the cloud
We offer mtls.hl7.uk.patientsknowbest.com to customers who have moved to the cloud and cannot use static IPs when accessing our services. It is also our preferred setup for new customers.
Identity is still derived from the client credentials, not from the client certificate. In this setup mTLS only replaces IP allow-listing; it does not replace authentication.
Improve security
Customers who
- have up-to-date client software that supports state-of-the-art cipher suites,
- have static IPs that we can allow-list, and
- cannot allocate budget to implement mTLS in the short term
can move to no-mtls.hl7.uk.patientsknowbest.com.
Backward compatibility
deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com is intended for customers who are on older, out-of-date software systems, hence still use ciphers that are considered weak, and cannot update their systems in the short term.
We urge all our customers to get their systems up to date as it is a common best interest to exchange data as safely as possible.
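Because the three endpoints differ only in whether a client certificate is required and in which cipher suites are accepted, a client should pick its TLS settings per endpoint rather than reuse one permissive configuration. The following is an added example and not code from Patients Know Best: it builds an `ssl.SSLContext` for each of the three endpoint names above and lets you inspect what it would offer. The cipher strings, the `WEAK_MARKERS` list, the client certificate paths and the HTTP Basic credential header are all assumptions of this example; the page does not state which cipher list or credential scheme the service actually uses.

```python
import base64
import ssl

# Endpoint names as announced on the page.
MTLS_HOST = "mtls.hl7.uk.patientsknowbest.com"
NO_MTLS_HOST = "no-mtls.hl7.uk.patientsknowbest.com"
LEGACY_HOST = "deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com"

# Assumed cipher policies (OpenSSL cipher-string syntax), not the service's own list.
# STRONG: forward-secret AEAD suites only; LEGACY additionally allows ECDHE CBC suites.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
LEGACY_CIPHERS = STRONG_CIPHERS + ":ECDHE+AES"

# Substrings that identify cipher suites nobody should still be offering.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def build_client_context(host, client_cert=None, client_key=None):
    """Return an SSLContext configured for one of the three endpoints.

    client_cert/client_key are PEM file paths (hypothetical) and are only
    loaded for the mTLS endpoint, where they are mandatory.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 everywhere
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED         # always verify the server certificate

    if host == MTLS_HOST:
        if not (client_cert and client_key):
            raise ValueError("the mTLS endpoint requires a client certificate and key")
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
        ctx.set_ciphers(STRONG_CIPHERS)
    elif host == NO_MTLS_HOST:
        ctx.set_ciphers(STRONG_CIPHERS)
    elif host == LEGACY_HOST:
        ctx.set_ciphers(LEGACY_CIPHERS)
    else:
        raise ValueError(f"unknown endpoint: {host}")
    return ctx


def offered_ciphers(ctx):
    """Names of the suites this context would offer in a ClientHello
    (TLS 1.3 suites are always included by OpenSSL regardless of set_ciphers)."""
    return [c["name"] for c in ctx.get_ciphers()]


def has_weak_cipher(names):
    """True if any suite name matches a known-weak marker."""
    return any(marker in name for name in names for marker in WEAK_MARKERS)


def describe(ctx):
    """Plain-data summary of the context, handy for logging and tests."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "ciphers": offered_ciphers(ctx),
    }


def credential_header(username, password):
    """Identity still comes from client credentials, not the client cert:
    assumed here to be HTTP Basic; the real scheme is not given on the page."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    for host in (NO_MTLS_HOST, LEGACY_HOST):
        summary = describe(build_client_context(host))
        print(host, summary["min_version"], summary["verify_mode"])
        print("  weak suites offered:", has_weak_cipher(summary["ciphers"]))
        print("  suites:", ", ".join(summary["ciphers"]))
```

Running it prints the suites each context would offer; neither list should contain a `WEAK_MARKERS` match, and the legacy context's list is a superset of the strong one. To actually connect, wrap a socket with `ctx.wrap_socket(sock, server_hostname=host)` and send the request with the `credential_header` value; for the mTLS endpoint pass the certificate and key paths you were issued.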
Supported ciphers
my.patientsknowbest.com:7443 supports all ciphers in the table below. The new endpoints are compared against this now-deprecated endpoint.
Legend
supported,
not supported,
might be supported, but our stats indicate that nobody is using it in production,
‼️ some customers are using it, but we cannot support these ciphers on the new endpoints.
Name (OpenSSL) | mtls | no-mtls | deprecated-ciphers.no-mtls |
---|---|---|---|
| |||
‼️ | |||
‼️ | |||