NIST Transitioning Away from SHA-1 for All Applications

NIST is introducing a plan to transition away from the current limited use of the Secure Hash Algorithm 1 (SHA-1) hash function. Other approved hash functions are already available. The transition will be completed by December 31, 2030.

NIST responded in 2006 with an announcement encouraging a rapid transition to the use of the SHA-2 family of hash functions for digital signature applications, which were initially specified in FIPS 180-2. NIST began a competitive process to develop an additional hash function, which resulted in the SHA-3 family of hash functions published in 2015 as FIPS 202. In 2011, NIST released SP 800-131A, which announced the deprecation of SHA-1 when generating new digital signatures and restricted further use of SHA-1 to only where allowed in NIST protocol-specific guidance.

Cryptanalytic attacks on the SHA-1 hash function as used in other applications have become increasingly severe in recent years (“SHA-1 is a Shambles” by Leurent and Peyrin, 2020 As a result, NIST will transition away from the use of SHA-1 for applying cryptographic protection to all applications by December 31, 2030.

Updated FTC-HHS online tool helps developers understand which federal laws apply

The Federal Trade Commission (FTC) in conjunction with the HHS Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA) have updated the Mobile Health App Interactive Tool. This tool is designed to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.

HHS Bulletin: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

– mentions Google Analytics and Meta Pixel by name..

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

This Bulletin provides a general overview of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. This Bulletin addresses:

  • What is a tracking technology?
  • How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
    • Tracking on user-authenticated webpages
    • Tracking on unauthenticated webpages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies