HL7 Public Internet endpoint and port changes

We plan to add three new endpoints and deprecate the current one for Hl7.

New endpoints

We plan to introduce three new endpoints on Port 443:

• mtls.hl7.uk.patientsknowbest.com,

• no-mtls.hl7.uk.patientsknowbest.com and

• deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com.

Deprecations

• my.patientsknowbest.com:7443 is getting deprected.

Motivations/Goals

We want to tighten our security. Efforts we make on this front include:

• deprecate/remove support for weak ciphers,

• get a WAF in place and

• use standard ports.

All new endpoints have WAF protection. Two out of the three new only accepts ciphers that are deemded as recommeded and secure by the industry, while the third provides backward compatilibity.

Better support clients in the clould

We offer mtls.hl7.uk.patientsknowbest.com to those customers who moved to the cloud and can’t use static IPs when accessing our services. It is also our prefered setup for new customers.

Improve security

Customers, who have

• up-to-date client software tools that support the state of the art cipher suites,

• have static IPs that we can allow-list and

• can’t allocate budget to implement mTLS in short term

can move to no-mtls.hl7.uk.patientsknowbest.com.

Backward compatibilty

deprecated-ciphers.no-mtls.hl7.uk.patientsknowbest.com is intended as a short term solution for customers who are not as yet up to date with their software systems and still require support for using ciphers that are considered to be weak.

Standard ports

Using standard ports (443) will allow us to consolidate our server certificate management and fully automate the renewall process for all our endpoints.

Supported ciphers

my.patientsknowbest.com:7443 supports all ciphers in below table. The new endpoints are compared with this - now deprecated - endpoint.

Legend

• supported,

• not-supported,

• *: not supported (for technical reasons)