I keep going back to this resource, as it has a good set of examples for privacy risks.
But it also has a long catalog of technical and organizational measures (TOM).
is a public, free, research servcie that is analyzing user tracking in the context of newsletters.
On the HHS web site, HHS links to the NIST SP 800 -52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
is linking to an OUTDATED (local copy) version of NIST 800-52 from back in 2005. The effective version (from 2014) is at https://csrc.nist.gov/publications/detail/sp/800-52/rev-1/final
Changes are a little bit explained here: https://www.nist.gov/news-events/news/2014/04/nist-revises-guide-use-transport-layer-security-tls-networks
However, there is also a new draft version – with IMPORTANT COMMENTS at
” Covered entities and business associates using HTTPS interception products or considering their use should consider the risks presented to their electronic PHI transmitted over HTTPS, and intercepted with an HTTPS interception products, as part of their risk analysis, particularly considering the pros and cons discussed by the US-CERT alerts, and the increased vulnerability to malicious third-party MITM attacks.
In addition to reviewing recommendations from US-CERT, covered entities and business associates should also review recommendations from the National Institute of Standards and Technology (NIST) for securing end-to-end communications, especially regarding the configuration, use and updating of TLS/SSL implementations. OCR’s Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals references NIST SP-800 series publications to describe the valid encryption processes to use to ensure that electronically transmitted PHI is not unsecured. “
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy