The Heartbleed security bug poses a very serious threat for the healthcare industry and those responsible for managing the security of IT systems.
That is the view of Greg Michaels, associate managing director for corporate investigations and risk consulting firm Kroll.
He said that the Heartbleed vulnerability can be found in any type of system or device that uses OpenSSL for encrypted connections.
For healthcare organizations, this may include servers, network devices, phones, email, electronic health record (EHR) systems, health information exchange (HIE) portals, insurance portals and medical devices.
In addition to this, he noted that healthcare organizations are typically managing numerous systems and devices internally as well as external systems hosted by business associates or other third parties.
“Lastly, it is often challenging to be able to patch all systems and devices within recommended timeframes due to the fact that these systems are used for 24x7 patient care and not all updates are supported by vendors,” he said.
The Heartbleed vulnerability is a weakness in the way the OpenSSL code (versions 1.0.1 through 1.0.1f) performs bounds checking on variables. An attacker can exploit this weakness to reveal confidential information, passwords and encryption keys. The vulnerability has existed for more than two years, but exploit code for it has recently been made public, increasing the number of people who can use the bug.
“That’s what has caused the ripple in the water,” said Michaels. “Now that it’s public, this vulnerability needs to be addressed immediately since even an inexperienced attacker can fairly easily run this code to initiate an attack.”
He said the most important step in protecting healthcare systems from this vulnerability is to work with the various stakeholders (i.e. IT, clinical departments, business associates, third parties, etc.) to determine what systems and devices may be vulnerable.
“This will require a great deal of collaboration to ensure that all potentially affected systems and devices are accounted for and assessed to determine if they are running OpenSSL and if they are running the vulnerable versions,” he said. “Once the scope has been determined, it is necessary to incorporate updates for these systems and devices into the organization’s change and patch management programs.”
He said that systems and devices with the highest risk of being attacked (for example, externally facing systems and third-party-hosted systems) need to be updated immediately. Lower-priority systems (for example, internally facing systems protected by the organization’s firewall) will need a plan in place to apply patches as soon as possible.
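As an added illustration of the scoping and prioritization steps described above (example code, not from the article or from Kroll): a small Python triage script that parses OpenSSL version banners from a constructed system inventory, flags the versions the article names as affected (1.0.1 through 1.0.1f), and orders findings with externally facing systems first. The host names, banners and the `vendor_patched` field are assumptions.

```python
import re

# Versions named in the article as affected: OpenSSL 1.0.1 through 1.0.1f.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a banner such as
    'OpenSSL 1.0.1e 11 Feb 2013', or None if no OpenSSL version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter.lower()


def is_heartbleed_version(banner):
    """True if the banner reports 1.0.1 (no letter) or 1.0.1a through 1.0.1f."""
    v = parse_openssl_version(banner)
    if v is None:
        return False
    major, minor, patch, letter = v
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter == "" or "a" <= letter <= "f"


def triage(inventory):
    """Return [(priority, name)] for systems still needing the fix: externally
    facing systems first (priority 1), internal systems second (priority 2).
    Caveat: some vendors backport the fix without changing the version string,
    so a 'vendor_patched' confirmation (assumed field) overrides the version check."""
    findings = []
    for item in inventory:
        if item.get("vendor_patched"):
            continue
        if not is_heartbleed_version(item["banner"]):
            continue
        priority = 1 if item["exposure"] == "external" else 2
        findings.append((priority, item["name"]))
    return sorted(findings)


# Constructed inventory: hypothetical hosts and banners, not from the article.
INVENTORY = [
    {"name": "patient-portal", "exposure": "external", "banner": "OpenSSL 1.0.1e 11 Feb 2013"},
    {"name": "hie-gateway", "exposure": "external", "banner": "OpenSSL 1.0.1g 7 Apr 2014"},
    {"name": "ehr-app-server", "exposure": "internal", "banner": "OpenSSL 1.0.1c 10 May 2012"},
    {"name": "device-console", "exposure": "internal", "banner": "OpenSSL 0.9.8y 5 Feb 2013"},
    {"name": "mail-relay", "exposure": "internal", "banner": "OpenSSL 1.0.1e 11 Feb 2013", "vendor_patched": True},
]

if __name__ == "__main__":
    for priority, name in triage(INVENTORY):
        print(f"P{priority} {name}")  # prints P1 patient-portal, P2 ehr-app-server
```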
“For healthcare IT leaders, it will be vital to communicate the critical nature of this vulnerability to ensure these risks and solutions are documented accordingly and that system downtime can be planned,” he added.