By Gil Vidals, , HIPAA Blog, Resources


Beginning in July of 2018, Chrome will mark all HTTP sites as “Not Secure” as announced via the Google Security Blog.

Chrome Security Product Manager Emily Schechter cited the desire for increasing consumer understanding of the risks of unencrypted sites as a primary driver for the change. This shouldn’t come as a huge surprise, as Google has been moving in this direction for a few years now.

Most Chrome users are familiar with the green lock and “Secure” icon that pops up in the address bar for secure sites. You might have also seen Chrome’s “Certificate Expired” warning for the past couple of years.

Now, all sites without HTTPS will have a red “Not Secure” logo in the address bar and users will be warned of the status of the site.

The major difference between HTTPS and HTTP is connection security between your computer and the website you’re viewing. HTTPS utilizes an SSL Certificate to verify and begin a secure, encrypted session. HTTP on the other hand uses unsecured connections. While this is probably the easiest HIPAA violation to spot, it’s usually one of the easiest to correct.

In the past few years, there have been a number of sites offering free SSL Certificates, like LetEncrypt. Managed Service Providers often include SSL certificate management as part of their services; however, this varies between different organizations.

Making this seemingly insignificant move from HTTP to HTTPS can shut down perhaps one of the largest vulnerabilities in your environment – and help you avoid some painful HIPAA fines ($50k per violation up to $1.5M per year.) The potential costs of not utilizing HTTPS and the ease of transition make the answer clear.