How are DDOS protection mechanisms setup when confidential data is involved?

Scenario:

A hospital has the records of all patients. There is an online portal where patients can log in to see their personal medical data.

Since a hospital is an obvious target for any type of hack, the hospital decides to implement DDoS protection. Using providers like Cloudflare would have this personal data flow unencrypted over at least part of the path between the hospital and the patient. This is undesirable considering the nature of the data being transported.

Question: How would a hospital (or a similar institute which is likely a target and holds personal data at scale) implement DDoS protection which would make sure the data is encrypted from the hospital to the patient and back?

Without going into details, Cloudflare only decrypts the packet during a minimal lapse of time. Even then, some parts are inaccessible (such as the form data/body) to prevent unwanted analysis/storage of sensitive data.

Besides that, if your setup is adequate, both ends of the connection will be encrypted.

(I am not a lawyer)

Most of Cloudflare's services rely on inspecting the payload of the HTTPS traffic. As a result, they must decrypt the data on their server. In a proper setup, the hospital would configure their Cloudflare account to use Full (Strict), which means that all traffic from Cloudflare to the hospital's origin server is encrypted. They would also ensure that data from the client to Cloudflare is appropriately secured by setting "Always Use HTTPS" and setting the minimum SSL version to TLS v1.2.

I would argue that there is nothing in law or best practice that says you cannot use a service to inspect HTTPS traffic, provided appropriate contractual or other controls are in place. Best practice would say that all data should be encrypted in transit and that all data should be encrypted at rest. In the case of Cloudflare, all data is encrypted at rest by default, and it is trivial to encrypt all data in transit.

Cloudflare offer a range of additional solutions such as Keyless SSL which may be appropriate depending on your legal obligations. This blog post gives a good overview:
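The three settings named in the answer above (SSL mode Full (Strict), Always Use HTTPS, minimum TLS 1.2) are the ones that decide whether any hop between patient and origin is plaintext: with the "flexible" SSL mode, for instance, Cloudflare talks plain HTTP to the origin, and "full" encrypts that hop but does not validate the origin certificate. The script below is an added example, not code from the thread or from Cloudflare: it audits a zone's settings against that policy and lists the API changes that would bring a weak zone into line. It assumes the settings list has the shape returned by `GET /zones/{zone_id}/settings` (`{"result": [{"id": ..., "value": ...}]}`) and that each setting is changed with `PATCH /zones/{zone_id}/settings/{setting_id}` and body `{"value": ...}`; the sample zone documents are constructed, and nothing is sent over the network.

```python
# Added example (not from the thread): audit a Cloudflare zone's TLS-related
# settings against the policy the answer above describes, and compute the
# API calls that would bring a non-compliant zone into line.
import json

# Policy from the answer: Full (Strict) origin TLS, forced HTTPS, TLS >= 1.2.
REQUIRED_EXACT = {
    "ssl": "strict",            # "flexible" = plaintext HTTP from Cloudflare to origin
    "always_use_https": "on",   # redirects plain-HTTP visitors to HTTPS
}
MIN_TLS_VERSION = "1.2"

# Assumption: settings are read via GET /zones/{zone_id}/settings, which
# returns {"result": [{"id": "...", "value": "..."}, ...]}, and changed via
# PATCH /zones/{zone_id}/settings/{setting_id} with body {"value": "..."}.


def _tls_tuple(version):
    """'1.2' -> (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def settings_by_id(settings_doc):
    """Flatten the API's list-of-settings shape into {setting_id: value}."""
    return {item["id"]: item["value"] for item in settings_doc.get("result", [])}


def audit_zone_settings(settings_doc):
    """Return {setting_id: desired_value} for every non-compliant setting.

    An empty dict means the zone matches the policy.  A missing
    min_tls_version is treated as non-compliant rather than ignored."""
    values = settings_by_id(settings_doc)
    findings = {}
    for key, wanted in REQUIRED_EXACT.items():
        if values.get(key) != wanted:
            findings[key] = wanted
    current_tls = values.get("min_tls_version")
    if current_tls is None or _tls_tuple(current_tls) < _tls_tuple(MIN_TLS_VERSION):
        findings["min_tls_version"] = MIN_TLS_VERSION
    return findings


def planned_patches(zone_id, settings_doc):
    """List of (method, path, json_body) tuples that would fix each finding.

    Nothing is sent; a caller would hand these to an HTTP client that adds
    the API token.  Sorted so the plan is deterministic."""
    return [
        ("PATCH", f"/client/v4/zones/{zone_id}/settings/{key}", json.dumps({"value": value}))
        for key, value in sorted(audit_zone_settings(settings_doc).items())
    ]


# Constructed sample: a zone whose settings leave the Cloudflare-to-origin hop
# in plaintext and allow old TLS from the patient's browser.
WEAK_ZONE = {"result": [
    {"id": "ssl", "value": "flexible"},
    {"id": "always_use_https", "value": "off"},
    {"id": "min_tls_version", "value": "1.0"},
]}

# Constructed sample: the configuration the answer recommends (TLS 1.3 minimum
# is stricter than required and therefore still passes).
HARDENED_ZONE = {"result": [
    {"id": "ssl", "value": "strict"},
    {"id": "always_use_https", "value": "on"},
    {"id": "min_tls_version", "value": "1.3"},
]}

if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(name, audit_zone_settings(zone) or "compliant")
    for call in planned_patches("ZONE_ID_PLACEHOLDER", WEAK_ZONE):
        print(*call)
```

Run periodically against the live settings endpoint, the audit doubles as a drift check: a zone silently switched back to "flexible" or "full" shows up as a finding before it shows up as an unencrypted origin hop. Full (Strict) also requires the origin to present a certificate Cloudflare will validate, so the origin side (a certificate trusted by Cloudflare, and a firewall that only accepts origin traffic from Cloudflare) has to be in place before the setting is flipped.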

