The Heartbleed computer bug has gained substantial media coverage recently, and for good reason. Organizations, especially those in healthcare, should pay special attention to the risks it poses. Heartbleed is not a computer virus; it is a software defect. The defect went unnoticed for a long period of time, and the defective code was unfortunately deployed on many websites.
Discovered by Neel Mehta of Google Security, the Heartbleed bug stems from a flaw (a missing bounds check in the TLS heartbeat extension) in the widely used OpenSSL library. This library is used in security vendors’ products and to secure web browsing and even mobile banking applications. For example, if you go to a site like Amazon, you may notice a little lock in the browser’s address bar next to the letters “https”; that is a sign that the connection is encrypted with SSL/TLS, which many websites implement using the OpenSSL library. When the Heartbleed bug is exploited, the attacker can retrieve up to 64KB of the remote system’s memory per request. That memory may contain usernames, passwords, keys or other useful information that enables bigger attacks.
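As an added illustration (not code from the original post or from OpenSSL itself), here is a small C model of the defect: a heartbeat handler that trusts the peer-supplied payload length beside one that checks it against the bytes actually received. The memory arena, the record-building helper and the secret string are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for process memory: heartbeat record first, then unrelated data. */
#define ARENA_SIZE 96
static unsigned char arena[ARENA_SIZE];
enum { HB_REQUEST = 1, HB_HEADER = 3, HB_PADDING = 16 };
static const char SECRET[] = "SESSION_KEY=hunter2";   /* constructed sample value */

/* record = type(1) | payload_length(2) | payload | padding(16); the secret follows it.
 * Returns the record length the TLS layer really received. */
static size_t build_arena(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, plen);
    size_t record_len = HB_HEADER + plen + HB_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Vulnerable shape: trusts the peer's payload_length and never checks record_len. The copy
 * is clamped to the arena so the demo stays memory-safe, but bytes past the record leak. */
static int heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t cap) {
    (void)record_len;
    size_t n = (size_t)((arena[1] << 8) | arena[2]);
    if (n > cap) n = cap;
    if (n > (size_t)(ARENA_SIZE - HB_HEADER)) n = ARENA_SIZE - HB_HEADER;
    memcpy(out, arena + HB_HEADER, n);
    return (int)n;
}

/* Patched shape: silently discard any record whose claimed payload does not fit in it. */
static int heartbeat_fixed(size_t record_len, unsigned char *out, size_t cap) {
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    size_t n = (size_t)((arena[1] << 8) | arena[2]);
    if (HB_HEADER + n + HB_PADDING > record_len || n > cap) return -1;
    memcpy(out, arena + HB_HEADER, n);
    return (int)n;
}

/* 1 if a request carrying "ping" but claiming `claimed_len` bytes gets the secret echoed back. */
static int leaks_secret(int (*handler)(size_t, unsigned char *, size_t), uint16_t claimed_len) {
    unsigned char out[128];
    int n = handler(build_arena(claimed_len, "ping"), out, sizeof out);
    for (int i = 0; i + (int)sizeof SECRET <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}
```

With an honest length of 4 both handlers echo only "ping"; with a claimed length of 64 the vulnerable handler returns the adjacent secret while the patched one drops the record.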
If you have not already investigated your exposure to the effects of Heartbleed, you may wish to start by viewing this list of sites and services that have updated their servers, and those that have not. Those who registered at Healthcare.gov are also being asked to change their passwords as part of a government review of security risks.
If a vulnerability is found, patch the affected servers. Because the leaked memory can include a server’s private key, the keys and certificates of affected servers should also be replaced after patching; otherwise the fix is incomplete. Organizations will then have to determine whether to notify individuals (both customers and employees) to reset their passwords. Under HIPAA, if a covered entity discovers evidence that the Heartbleed bug was exploited in a manner leading to unauthorized access to or acquisition of protected health information, then notification may be required.
Even if the security risk assessment reveals that an organization’s systems were not affected by the Heartbleed bug, it should consider taking steps to address the residual risk. For example, an employee’s credentials for a third party’s system that had the Heartbleed vulnerability may have been compromised. Those credentials can then be used to access that third-party service and obtain the organization’s sensitive information. Moreover, if the employee reuses the same credentials to log into the organization’s own systems, those systems and their information could be at risk as well.
The implicit message of Heartbleed is that nothing is 100 percent secure. This fact should lead us to the conclusion that we must rely on multiple lines of defense to safeguard ePHI, among them: (1) a comprehensive and periodic security risk assessment, (2) employee training, and (3) continual technology updates and patches.
To learn more about Heartbleed, watch this brief video description.
The Heartbleed bug and the security and legal risks associated with the vulnerability are manageable so long as expeditious steps are taken to identify and mitigate those risks. If you need assistance with a security risk assessment or if you think your organization was the victim of an attack as a result of the Heartbleed vulnerability, we can provide guidance and support.
Be aware, be safe!