April 17, 2014

By Jeff Mongelli

Did you lock your house when you left this morning? How about your car when you came into the building? What if I told you two-thirds or more of the locks in the world can now be opened by a single key, and that key is available to anyone that wants it? As of last week, that is the situation the World Wide Web finds itself in thanks to the Heartbleed Bug.

Why you need to care

This IT security threat, known as the Heartbleed Bug, is estimated to impact two-thirds of all websites. Essentially, if any of your practice work flow involves working with web-based applications, there’s a high probability that website is, or has used, OpenSSL for its security. What’s ominous about the threat is how widespread OpenSSL is. For example, hospitals, labs, clearinghouses, web-enabled medical devices, mobile apps, web-based EHRs, billing and scheduling programs, and patient portals could all be on the list. Additionally, Cisco and Juniper (common in the most secure data centers), have announced many of their devices are vulnerable. To put it bluntly, this is a serious concern and it could have already caused an immense amount of HIPAA breaches going back several years. Here’s is what you need to know and here is what you can do about it.

What is the Heartbleed Bug

Briefly, Secure Socket Layer (SSL) is the code behind a web site URL that starts with HTTPS — where the “S” signifies it’s secure by use of encryption. OpenSSL is the open source version of SSL, and because it is a less expensive alternative, most websites use it. HTTPS is far from perfect, but it’s better than HTTP, which uses no encryption and all traffic is “in the open,” Recently, a vulnerability in OpenSSL was discovered, and it happened to be in the part of the code that is referred to as the heartbeat, or the process by which the website checks to see if the connection is still active. The main threat involves a flaw that allows someone to capture small snippets of data in transit. Small snippets means at one time, but programs can be written to repeat endlessly, ultimately yielding vast amounts of sensitive data.

What you can do

The reality is you will likely never discover if your information or your patient’s information has been exposed through this bug. Simply having the vulnerability does not mean it’s been exploited. What you can do is focus on protecting yourself. Here’s what we’re telling our clients to do. First, create a list of potentially impacted websites and devices you use where sensitive data is communicated, including your networking gear. Second, immediately change your passwords since your credentials are included in the data that could have been exposed. Third, contact those vendors and confirm if they were impacted, and if so, if they patched their systems. If they tell you they’re working on it, and thousands of companies still are, be sure they notify you when they have completed the task so you can then change your password again.

Revelations are still coming out about the potential depth of this vulnerability. New fears are that the Internet itself could be brought to a crawl as companies struggle to remediate the threat. As for the data that’s been exposed, if you become aware that you were not only impacted by the Heartbleed Bug but that your protected health information was exploited, you need to follow the new breach notification laws, contact your HIPAA vendor, or your attorney to determine what steps need to be taken.