Heartbleed Bug may present a new vulnerability for medical practices
April 16th, 2014
The “Heartbleed Bug,” a new and particularly widespread online security vulnerability, could put the most sensitive information on your home or work computers at risk, including emails, usernames, passwords, and credit or debit card information.
Heartbleed targets an open-source library called OpenSSL, the encryption code used by many secure (“HTTPS”) sites. It is estimated that almost two-thirds of Web servers use OpenSSL to securely transmit payments or personal information online. Sites that encrypt traffic this way are typically indicated by a padlock icon in the browser, which tells users that the information they submit on that page is protected from cyber crime or theft.
Market Watch reports that the Heartbleed Bug exploits a flaw in the OpenSSL code that “could allow an attacker to gain access to system memory, which potentially could contain sensitive information or communications. To protect themselves, consumers should determine which sites that they use are affected and then change those account passwords when the affected sites are patched.” [1]
According to Modern Healthcare, “Possibly vulnerable healthcare sites include provider websites, physician and patient portals, secure e-mail services, medical monitoring devices, remote-access PACS/RIS systems.” [2]
The HIPAA Security Rule requires that covered entities, and now their business associates, implement sufficient security measures to reduce risks and vulnerabilities to a reasonable and appropriate level. The National Institute of Standards and Technology defines a vulnerability as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (either accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. Vulnerabilities can lead to the inappropriate use or disclosure of electronic protected health information (ePHI) and result in a medical practice having to report a breach to the patient and to the federal Department of Health and Human Services.
Practices should assess any possible vulnerabilities due to the Heartbleed Bug as soon as possible.
Step 1 – How to Determine if You Have Been Affected by the Heartbleed Bug
McAfee has released a free tool to help consumers easily gauge their exposure to the potentially dangerous effects of the Heartbleed Bug. By entering website domain names into the Heartbleed Checker tool, consumers can immediately determine whether the websites they frequent have been affected by Heartbleed, by checking whether or not the sites have been upgraded to a version of OpenSSL that is not susceptible to the bug. [1]
To access McAfee’s free Heartbleed Checker visit: http://www.mcafee.com/heartbleed
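The checker above asks one question of each site: is its OpenSSL release one that carries the fix? The following Python script, added here as an example and not code from the article or from McAfee's tool, applies the same test to the `openssl version` banners a practice collects from its own servers or receives from a vendor. The affected release ranges are OpenSSL facts not stated in the article, and the host names and banners are constructed; because Linux distributions often backport the fix without changing the version letter, a pre-1.0.1g banner is flagged for vendor confirmation rather than declared vulnerable outright.

```python
import re
from typing import Dict, List

# Release facts not stated in the article: Heartbleed affects OpenSSL 1.0.1
# through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix; the
# 1.0.0 and 0.9.8 branches never contained the TLS heartbeat code.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

UNAFFECTED = "unaffected"
PATCHED = "patched upstream"
SUSPECT = "vulnerable unless the vendor backported the fix"


def classify_banner(banner: str) -> str:
    """Classify an `openssl version` banner such as 'OpenSSL 1.0.1e-fips 11 Feb 2013'."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        # Plain 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        # A distro build may still print "1.0.1e" after the fix, hence SUSPECT, not "vulnerable".
        return PATCHED if letter >= "g" else SUSPECT
    if release == (1, 0, 2):
        return SUSPECT if beta == "1" else PATCHED
    return UNAFFECTED


def hosts_needing_follow_up(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose banner does not prove they are safe: confirm the patch level
    with the vendor or hosting service (Step 2) and keep the reply as evidence (Step 3)."""
    return sorted(h for h, b in inventory.items() if classify_banner(b) == SUSPECT)


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "portal.example": "OpenSSL 1.0.1e-fips 11 Feb 2013",  # RHEL-style banner, may be backport-patched
    "ehr.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "sched.example": "OpenSSL 1.0.0k 5 Feb 2013",
    "pay.example": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:16} {classify_banner(banner)}")
    print("follow up with vendor:", hosts_needing_follow_up(SAMPLE_INVENTORY))
```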
Step 2 – Determine if Your Hosted Systems Have Been Affected
This vulnerability affects a practice’s hosted systems (websites, EHR, payment, and scheduling sites). Practices should verify with their vendor or hosting service that those systems have been updated or are not affected.
Step 3 – Document Your Assessment for the Heartbleed Bug
Document what you have done to assess your exposure to the Heartbleed Bug (e.g., screenshots, emails, or documents from your IT specialist). Document any additional actions you need to take.
Step 4 – Assess Your Antivirus and Anti-malware Software
Make sure your antivirus and anti-malware software is up to date and that the latest security patches are deployed in a timely manner.
Step 5 – Assess Your Computers for Up-to-date Web Browsers
On end-user desktops, make sure web browsers are up to date.
Step 6 – Best Practices for Passwords
Dashlane has advised that the most important thing to do is to make sure each person uses a different password on each and every website: if a password is stolen from one site, a reused password puts accounts on other sites at risk, while unique passwords contain the damage to the one site that was compromised. Using different passwords was a good practice before Heartbleed and is even more important today.
You might consider downloading the Dashlane password security app to your mobile phone and PC.
Step 7 – Get Additional Help from TMLT with Risk Assessments or Medical Privacy and Security Resources
If you have further questions or concerns, please contact TMLT. Our Product Development and Consulting Team is available to assist you. Call or email Stephanie Downing at firstname.lastname@example.org or 512-485-4884.