Hospitals’ and providers’ online networks — including email accounts, electronic health records and remote monitoring devices — could be vulnerable to an encryption bug called “Heartbleed,” according to security experts, Modern Healthcare reports (Conn, Modern Healthcare, 4/11).
About the Bug
Last week, a Google engineer and another security team discovered the bug and found that it infiltrates systems through a Web encryption program known as OpenSSL, which is used by hundreds of thousands of websites including Amazon and Google (Finkle, Reuters, 4/10). Experts say that hackers could potentially use the program to get sensitive information from:
- Email servers;
- Laptops;
- Mobile phones; and
- Security firewalls.
Potential Implications
At this point, it is unclear if the nation’s health care providers are especially vulnerable. For example, CynergisTek CEO Mac McMillan said Web networks that rely on two- or three-factor password authentication should be safe (Wicklund, mHealthNews, 4/11).
However, David Harlow, principal of health care law Harlow Group, warned that health groups that do not rely on OpenSSL should be worried about ramifications of the massive breach. He said, “Heartbleed can set back trust in health IT that has been building as it proliferates, and as the protections under HIPAA/HITECH are baked into the policies and procedures of more and more vendors” (Bowman, FierceHealthIT, 4/11).
Further, security vendor Trend Micro in a blog post on Thursday raised concerns about threats to mobile phone applications, such as health care applications that use individuals’ personal and financial data (Vijayan, ComputerWorld, 4/11).
No Threat to Federal Websites, Officials Say
Meanwhile, officials from the Department of Homeland Security noted that the government’s main public websites were not affected by the bug.
Specifically, CMS on Thursday said the vulnerability did not affect consumer accounts on the federal health insurance exchange or the Medicare website, MyMedicare.gov (Sternstein, NextGov, 4/11).
Comments
McMillan said the issue “is huge … it’s servers, it’s appliances, it’s devices,” adding that the bug has been around for about two years and that experts do not know how many breaches may have already happened.
Although government agencies and private companies are rushing to fix vulnerabilities, breaches may not be detected for a long time, if at all.
“It’s going to be a long, long time before they truly understand the scope of this,” McMillan said.
CloudFlare CEO Matthew Prince called Heartbleed “the worst bug the Internet has ever seen,” adding, “If a week from now we hear criminals spoofed a massive number of accounts of financial institutions, it won’t surprise me” (mHealthNews, 4/11). Source
