Healthcare CIOs: Check for vulnerability of OpenSSL servers to Heartbleed

Updated April 13, 2014 at 6:30 pm

CYBER RISK ALERT!  Just when we thought we were safe online while using websites that display the key security “https” in the URL, we learn that nothing could be further from reality.  On April 7, 2014, security researchers at Codenomicon announced the discovery of a flaw in OpenSSL (an implementation of the Secure Sockets Layer protocol) that is used in an estimated two-thirds of the servers behind websites displaying the “https” letters we have come to trust.  Because the flaw lies in OpenSSL’s “heartbeat” extension and causes data to leak from the server, this new cyber liability threat has been dubbed Heartbleed.

Vulnerability of HIT and Compliance with HIPAA.  Although the OpenSSL flaw’s name has no direct connection to health information technology (HIT), it ironically could be a pain for health care providers.  OpenSSL encryption software is at the heart (excuse the pun) of many virtual private networks (VPNs) and patient website portals such as those used by hospitals and physicians to provide access to information stored in electronic health record (EHR) systems.  As a result, HIT may be vulnerable to attack by hackers to the extent that it relies on vulnerable OpenSSL programming.  The push to implement “interoperable” electronic health records has increased the ease of access to protected health information stored in an EHR, in a medical device, and to claims and payment information via web-based portals.  The security risk presented by Heartbleed must be addressed immediately to ensure compliance with the HIPAA Security Rule.

Check Websites and Network Products for Vulnerability.  LastPass created a Heartbleed checker tool for websites that require passwords.  Enter the website’s URL in the checker tool and, to the extent the information is available, LastPass will report whether the website uses an OpenSSL server that may be vulnerable to Heartbleed.  The LastPass report also gives the date the website’s SSL certificate was last updated.  Certificates updated before Heartbleed’s discovery was published will need to be regenerated. On April 10, 2014, The Wall Street Journal reported that some products supplied by Cisco Systems and Juniper Networks contain the Heartbleed flaw. Cisco issued an online customer bulletin to keep its customers apprised of the products under investigation, the products it has confirmed are vulnerable to Heartbleed, and how to obtain updated software to fix the problem. Home wireless routers could be affected as well.  Juniper’s customer bulletins are here and here.

Bring Your Own Device (BYOD) and Mobile Apps.  Healthcare organizations with BYOD policies or practices that allow employees, physicians and others to connect to the organization’s network or EHR through a personal mobile device, take note! According to a Forbes report by Bob Egan, Android devices are built on OpenSSL.  Although a mobile device user can manually download a Heartbleed checker app to scan the device for a vulnerable version of OpenSSL, these tools are not perfect and are still evolving.  Moreover, it will be up to the device manufacturer to supply a patch to fix the OpenSSL issue on the device.  Mobile apps that are supported by a server running OpenSSL are also vulnerable if the server supporting the app is vulnerable.  Trend Micro, an Internet content security and threat management solutions company, scanned about 400,000 mobile apps and, as of April 11, 2014, found 7,000 connected to vulnerable servers, including bank-related, online payment, shopping, instant messaging and even mobile payment apps.

Detecting a Data Breach.  According to Codenomicon, Heartbleed is not a virus but a programming flaw in the OpenSSL library that provides cryptographic services to applications and services.  It had existed for over two years before its recent discovery.  The flaw allows hackers to grab passwords and other sensitive information entered into a website supported by the vulnerable OpenSSL server software, without leaving any trail.  As a result, attackers can secretly steal the keys that protect communications, user passwords, and anything else stored in the memory of a vulnerable OpenSSL web server.  Whether personal sensitive information has been breached would be difficult, if not nearly impossible, to discover.  An unauthorized use of one’s Social Security Number (SSN), credit card information, health insurance benefit plan number, or other identifying information that cannot be tied to a discoverable incident, such as a stolen or lost laptop, smart phone or other mobile device, leaves one wondering whether Heartbleed could have been the culprit.
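The paragraph above says the flaw leaks server memory through the heartbeat extension without leaving a trail. The following is an added toy model, written for this page and not OpenSSL’s code or anything from the post, of why that happens: a heartbeat request carries a 2-byte payload length that the server is asked to echo back, the defective code trusted that field, and the fix discards any record too short to contain the payload it claims. The “memory” buffer, the record contents and the adjacent secret are all constructed here.

```python
"""Toy model of the length check behind Heartbleed (added illustration,
not OpenSSL code). A heartbeat record is: type (1 byte), payload length
(2 bytes, big-endian), payload, then at least 16 bytes of padding."""
import struct
from typing import Optional, Tuple

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_len lets a caller build a record
    whose length field disagrees with the payload actually present."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(memory: bytes) -> bytes:
    """The defective behaviour: echo as many bytes as the length field claims,
    reading past the end of the record if it claims more than it carries.
    (Python slicing stops at the end of the buffer; C kept reading.)"""
    if memory[0] != HB_REQUEST:
        raise ValueError("not a heartbeat request")
    (payload_len,) = struct.unpack("!H", memory[1:3])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[3:3 + payload_len]


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """The fixed behaviour: answer only if the record is long enough to hold
    the header, the claimed payload and the padding; otherwise discard it."""
    if record_len < 1 + 2 + PADDING_LEN or memory[0] != HB_REQUEST:
        return None
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # length field overruns the record: discard silently
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[3:3 + payload_len]


# Constructed stand-in for whatever happened to sit next to the record in
# process memory (a session cookie, a password, a private key fragment).
ADJACENT_SECRET = b"<<constructed secret: session cookie>>"


def demo(claimed_len: int) -> Tuple[bytes, Optional[bytes]]:
    """Process one heartbeat whose length field says claimed_len, both ways."""
    record = build_heartbeat(b"ping", claimed_len=claimed_len)
    memory = record + ADJACENT_SECRET
    return respond_unchecked(memory), respond_checked(memory, len(record))


if __name__ == "__main__":
    for claimed in (4, 40):
        unchecked, checked = demo(claimed)
        print("claimed", claimed, "unchecked echoes", unchecked[3:])
        print("claimed", claimed, "checked", "discarded" if checked is None else checked[3:])
```

With an honest length of 4 both versions echo `ping`; with a claimed length of 40 the unchecked version echoes the padding plus the first bytes of the adjacent secret, while the checked version returns nothing. Because the response is an ordinary, valid heartbeat reply, nothing in the server’s logs distinguishes the two cases, which is the point the paragraph makes about the absence of a trail.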

What must be done to address Heartbleed. Health care providers and suppliers who store sensitive or confidential business, consumer, or patient health information in databases that rely on OpenSSL encryption should take prompt action to investigate whether their websites or networks are vulnerable.  Website owners need to immediately assess their exposure to Heartbleed, install the available update for websites supported by vulnerable OpenSSL, revoke existing SSL certificates and obtain new ones, and review the SSL configuration for webmail and email. The researchers who discovered Heartbleed established a detailed webpage at http://heartbleed.com with technical information about how the defect causes content from the server to leak, how to stop the leak, a list of OpenSSL versions containing the problem, a list of the known operating systems that were distributed with a potentially vulnerable OpenSSL version, and much more. The OpenSSL update is available at https://www.openssl.org/.  The information at heartbleed.com is a must read for anyone responsible for the security of OpenSSL-supported systems used to create, access, maintain or transmit financial information.
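Two of the steps above, the certificate-age check the LastPass tool performs and the revoke-and-reissue step, can be scripted for an inventory of an organization’s own hosts. The following is an added example written for this page; it is not the LastPass tool and not from the post or heartbleed.com. It flags any server certificate whose validity began before the April 7, 2014 disclosure, since that key was in service while it could have been exposed. The sample certificate dictionaries are constructed in the shape `ssl.getpeercert()` returns, and the `.test` hostnames are reserved names, not real sites.

```python
"""Flag server certificates that predate the Heartbleed disclosure.
Added example for this page; not the LastPass checker."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List

# Public disclosure date given in the post; pass a later date to
# assess_certificate() if you know when a host was actually patched.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)
CERT_TIME_FORMAT = "%b %d %H:%M:%S %Y %Z"  # e.g. 'Apr  1 00:00:00 2014 GMT'


def parse_cert_time(value: str) -> datetime:
    """Parse the notBefore/notAfter strings ssl.getpeercert() produces."""
    return datetime.strptime(value, CERT_TIME_FORMAT).replace(tzinfo=timezone.utc)


def common_name(cert: Dict) -> str:
    """Pull the subject CN out of getpeercert()'s nested tuple structure."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def assess_certificate(cert: Dict, disclosed: datetime = HEARTBLEED_DISCLOSED) -> Dict:
    """Report whether one certificate was issued before the disclosure date."""
    issued = parse_cert_time(cert["notBefore"])
    expires = parse_cert_time(cert["notAfter"])
    return {
        "subject": common_name(cert),
        "issued": issued.date().isoformat(),
        "expires": expires.date().isoformat(),
        "needs_regeneration": issued < disclosed,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Fetch a live host's leaf certificate (network access required; the
    default context also verifies the chain and the hostname)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(certs: List[Dict]) -> List[Dict]:
    """Assess a batch of certificates and return only those needing action."""
    return [r for r in (assess_certificate(c) for c in certs) if r["needs_regeneration"]]


# Constructed samples in the shape ssl.getpeercert() returns; not real certs.
SAMPLE_OLD_CERT = {
    "subject": ((("commonName", "portal.example-hospital.test"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2016 GMT",
}
SAMPLE_NEW_CERT = {
    "subject": ((("commonName", "vpn.example-hospital.test"),),),
    "notBefore": "Apr 12 00:00:00 2014 GMT",
    "notAfter": "Apr 12 23:59:59 2016 GMT",
}

if __name__ == "__main__":
    for report in audit([SAMPLE_OLD_CERT, SAMPLE_NEW_CERT]):
        print(f"{report['subject']}: issued {report['issued']}, revoke and reissue")
```

To audit live hosts, replace the sample list with `[fetch_peer_cert(h) for h in hosts]`. The issuance date is only a proxy: a certificate reissued after the disclosure but before the server was actually patched was exposed just the same, so compare against the patch date where it is known, and a passing result says nothing about whether the host ever ran a vulnerable OpenSSL build; the software update and the SSL configuration review listed above still have to be done.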

Changing log-in and password information. In addition, website owners should consider how to address and communicate any identified potential vulnerability of their OpenSSL website to patients, healthcare professionals and others who use the website so they can protect themselves by changing log-in and password information. According to heartbleed.com, a person should not change his or her log-in password for a webpage supported by a vulnerable OpenSSL server until after receiving notification from the website owner that steps have been taken to address the vulnerability.  Changing the log-in and password information while a vulnerable OpenSSL website is still vulnerable may increase the risk of such information being stolen by hackers who have decided to capitalize on the discovery of Heartbleed.

The bright side?  I don’t know that we can state it any better than the researchers have at heartbleed.com: “For those service providers who are affected, this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.”  While considering how to make lemonade out of lemons, consider recommendations by security experts to employ a two-step authentication process that goes beyond merely a log-in ID and password, as well as an encryption method called “perfect forward secrecy”.

In addition to heartbleed.com and sources to which links are provided above, information for this post was collected from the following:

“What health orgs need to know about Heartbleed”, by Lauren Still, Health IT Developer, Government HealthIT (April 10, 2014).

“Heartbleed Bug Endangers Medical Data, Internet as a Whole”, by Chris Wiltz, Medical Device & Diagnostics Industry (MDDI) (April 8, 2014).

“Heartbleed Bug: What You Need to Know”, by Jeffrey Roman, Gov Info Security (April 9, 2014).

“Experts Find a Door Ajar in an Internet Security Method Thought Safe”, by Nicole Perlroth, The New York Times (April 8, 2014).
