By Alex Ruoff
April 18 -- The software encryption bug known as Heartbleed could be especially damaging for hospitals and health-care organizations, which use a number of networks and public-facing web applications, security consultants told Bloomberg BNA.
The Heartbleed bug is a vulnerability in the open source OpenSSL cryptographic software library, which is commonly used by software programmers to provide communication security and privacy for Internet-based applications that include web services, e-mail and some private networks, Mark Hickman, chief operating officer for WinMagic Inc., a data security company in Ontario, Canada, told Bloomberg BNA.
OpenSSL is commonly used in health software for public-facing web applications, including patient portals and payment gateways for health payers as well as in some medical devices, Greg Foss, a senior security research engineer for LogRhythm Inc., a security intelligence company in Boulder, Colo., told Bloomberg BNA.
The likelihood that the Heartbleed bug has been used to gain access to a health-care organization's health or financial records is high, Foss said. Health-care organizations should examine their information technology systems and medical devices for possible vulnerabilities and install patches immediately, he said.
“If a hospital doesn't fix this, they have a network that is essentially open and could be exploited,” Foss said. “Especially with how widely known it is, this is something they should be looking out for.”
Hackers can use the Heartbleed bug to obtain usernames, passwords and other sensitive information from a network, Mac McMillan, current chairman of the Healthcare Information and Management Systems Society (HIMSS) privacy and security taskforce and chief executive officer of the security group CynergisTek Inc., told Bloomberg BNA April 18.
Health-care organizations need to examine their servers to discover where they may have OpenSSL deployed and carefully examine any IT tools that have direct access to patient information, McMillan said. Hospitals and health-care organizations should contact the vendors of their health IT products to ask if their products use OpenSSL and, if so, how to repair the vulnerability, he said.
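As an added illustration of the inventory step McMillan describes (example code, not from the article or any of the consultants quoted), the helper below triages `openssl version` banners collected from servers and devices against the Heartbleed-affected release range; the hostnames and banners are constructed sample data.

```python
import re

# OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f (fixed in 1.0.1g)
# and the 1.0.2-beta1 pre-release (fixed in 1.0.2-beta2). The 0.9.8 and 1.0.0
# branches never contained the TLS heartbeat code in which the bug lived.
FIXED_101_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_status(version_banner: str) -> str:
    """Classify an `openssl version` banner as 'affected', 'not-affected' or 'unknown'.

    This is a triage signal only: Debian, Ubuntu, RHEL and others backported the
    fix without bumping the upstream letter, so 'affected' means "verify this host
    against the vendor's patched package list", not "this host is exploitable".
    """
    m = _VERSION_RE.search(version_banner)
    if not m:
        return "unknown"
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return "affected" if letter < FIXED_101_LETTER else "not-affected"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return "affected" if beta == "1" else "not-affected"
    return "not-affected"


# Constructed sample inventory: hostnames and banners are made up for illustration.
SAMPLE_INVENTORY = {
    "patient-portal-web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "payment-gateway-01": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-lab-interface": "OpenSSL 0.9.8y 5 Feb 2013",
    "imaging-device-fw": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "unknown-appliance": "no banner returned",
}


def hosts_to_verify(inventory):
    """Return hosts whose banner is affected or could not be parsed, sorted by name."""
    return sorted(h for h, b in inventory.items()
                  if heartbleed_status(b) in ("affected", "unknown"))


if __name__ == "__main__":
    for host in hosts_to_verify(SAMPLE_INVENTORY):
        print(f"{host}: {heartbleed_status(SAMPLE_INVENTORY[host])}")
```

Unparseable banners are deliberately surfaced alongside affected ones, since an appliance or medical device that will not report its library version still needs the vendor check the article recommends.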
Because the Heartbleed vulnerability can be exploited to allow hackers to make administrative changes in a network, such as changing access requirements, the bug opens the possibility that a network has been compromised unbeknownst to the organization, McMillan said.
“This is an open door to run wild in a network,” he said. “When you have a health system that is not monitoring its network closely and not paying attention to what its firewall logs are telling it, then you may not even know someone is there.”
To contact the reporter on this story: Alex Ruoff in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com