The Heartbleed bug is a vulnerability in the OpenSSL software library that allows for the stealing of information that would otherwise be protected by SSL/TLS. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging, and some virtual private networks (VPNs). This flaw in the computer software has affected operations for many businesses and consumers. The healthcare industry is no exception. Medical practices need to be aware of how to handle Heartbleed. If providers aren’t careful, this bug could corrupt EHR systems, patient portals, and networked computers.
What exactly is Heartbleed? Heartbleed isn’t a virus, but rather a flaw in the existing software. As a result of this vulnerability, Internet communications and transmissions that should be encrypted might not actually be secure. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users. However, not every Internet site is affected: only those that use certain versions of OpenSSL. According to US-CERT (United States Computer Emergency Readiness Team), many vendors have already issued patches to stop this vulnerability from being exploited.
Should practice owners be worried that this may affect their web-based EHRs? Practice owners should contact their vendors in order to determine if their web-based EHR is susceptible to Heartbleed. If so, they need to determine if the vulnerability has been patched. If it hasn’t been patched, it’s up to the practice to decide how to address the Heartbleed vulnerability.
Are other office computers at risk from Heartbleed? If an office computer exchanges encrypted information over a network, then its information and security keys might be at risk of being exploited by an unauthorized third party. A vulnerability scan can help determine whether an office computer is at risk for the Heartbleed vulnerability.
What can practices do to prevent Heartbleed and other threats from harming their business? Practices need to be proactive in protecting their business. Conducting regular risk assessments and addressing these risks can help protect them from future threats. As part of this risk assessment, a vulnerability scan should be done and patches should be applied for the vulnerabilities it finds.
Do patients need to change their passwords for online patient portals? Due to the nature of Heartbleed, it’s possible that passwords may have been compromised. However, it’s always a good idea for patients to regularly change their passwords for online patient portals, regardless of whether or not the software has been affected.
Author: Lauren Daniels