Encrypting PHI query params

Çağlar Arlı

In a bunch of APIs, there are several possible query parameters. Some of these may be PHI. So even if we are using HTTPS, they could go to a logfile or somewhere else and hence violate PHI.

Was thinking of an approach where the parameters would be encrypted in the client and then decrypted by the server. On login, the server would give the client an encryption key and then the client has to use this for query param values. The server then decrypts the query params using the same encryption key.

I am reluctant to solve a security risk in a way that is not commonly known.

So, I am wondering is the approach I am suggesting used at all? The only other approach would be to use POST and instead of query params, the params come up in the BODY?
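
An added sketch of the scheme described in the post above (not the poster's code and not part of the original page): each query-parameter value is encrypted with AES-256-GCM under the per-session key, so the URL that reaches a log carries only ciphertext. It assumes Node.js and its built-in crypto module; the key, path and parameter names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a 256-bit key the server hands to the client at login (constructed here).
const sessionKey = crypto.randomBytes(32);

// Encrypt one query-parameter value. The parameter name is bound as associated
// data, so a ciphertext moved to a different parameter fails authentication.
function encryptParam(key, name, value) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString('base64url');
}

// Decrypt one value; throws if the key, the name or any byte of the token is wrong.
function decryptParam(key, name, token) {
  const raw = Buffer.from(token, 'base64url');
  if (raw.length < 28) throw new Error('token too short'); // 12-byte nonce + 16-byte tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(raw.subarray(raw.length - 16));
  const ct = raw.subarray(12, raw.length - 16);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Client side: build the URL exactly as it would be written to an access log.
function buildUrl(key, path, params) {
  const qs = new URLSearchParams();
  for (const [name, value] of Object.entries(params)) {
    qs.set(name, encryptParam(key, name, value));
  }
  return `${path}?${qs}`;
}

// Server side: recover the plaintext values from the request URL.
function readParams(key, url) {
  const out = {};
  for (const [name, token] of new URL(url, 'http://localhost').searchParams) {
    out[name] = decryptParam(key, name, token);
  }
  return out;
}

// Constructed sample values; the path and parameter names are hypothetical.
const sample = { patient_name: 'Jane Doe', dob: '1980-01-01' };
console.log(buildUrl(sessionKey, '/api/appointments', sample));
```

Parameter names and the length of each value are still visible in the logged URL; only the values themselves are hidden.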