TLS 1.0/1.1 Deprecation
In accordance with the online security standards and industry best practices, NRC Health Transparency will no longer support connections using TLSv1.0 or 1.1 as of June 27, 2018.
This change will affect:
What is affected?
- Outdated browsers accessing Transparency site
- All server-side API Calls utilizing TLS 1.0 or 1.1 using the Transparency/DocScores API, including calls displaying star ratings & comments and the "/widget/api/export/live-profiles/" endpoint (full Transparency API file)
What is not affected?
- Server-side API Calls utilizing TLS 1.2 using the Transparency/DocScores API
Who should I notify?
- Website administrator
- Content Management System Administrator
- IT Department
What will happen if I do nothing?
On June 27th websites making out of compliance API calls will not properly function and API requests will result in an error. If code for your website does not properly handle errors, effected webpages may not load properly.
Am I affected?
NRC Health Transparency is currently monitoring all incoming API calls to help identify organizations who are making API calls that will be out of compliance at the end of June.
Please reach out to your Transparency Implementation Manager or reply to this email if you want to inquire about the status of your website.
What should I do if my site is affected?
If your site is effected, your Content Management System or Website Administrator needs to update the existing software to utilize TLS 1.2.
If you cannot access the Transparency website after the change, please switch to a modern browser. (Chrome 30, Firefox, IE 11, Microsoft Edge, Safari 7)
Why is NRC Health making this change?
Sensitive data – patient health information – needs protection when transmitted across an insecure network. As such, administrators employ protocols that reduce the risk of that data being intercepted and used maliciously. TLS, a standard specified by the Internet Engineering Task Force, defines the method by which client and server computers establish a secure connection with one another to protect data that is passed back and forth. TLS is used by a wide variety of everyday applications, including email, secure web browsing, instant messaging, and voice-over-IP (VOIP).
The Internet Engineering Task Force found vulnerabilities in TLS 1.0, one of the most widely used protocols, and updated it to TLS 1.1 and then TLS 1.2 to resolve many of these security issues. In order to mitigate these vulnerabilities and conform to our own recommendations, NRC Health will disable the use of TLS 1.0 and 1.1 for connections to our public websites.