Heartbleed Bug Vulnerabilities Pervasive In Health-Care Industry, Security Experts Say


By Alex Ruoff  

April 18 -- The software encryption bug known as Heartbleed could be especially damaging for hospitals and health-care organizations, which use a number of networks and public-facing web applications, security consultants told Bloomberg BNA.

The Heartbleed bug is a vulnerability in the open source OpenSSL cryptographic software library, which is commonly used by software programmers to provide communication security and privacy for Internet-based applications that include web services, e-mail and some private networks, Mark Hickman, chief operating officer for WinMagic Inc., a data security company in Ontario, Canada, told Bloomberg BNA.

OpenSSL is commonly used in health software for public-facing web applications, including patient portals and payment gateways for health payers as well as in some medical devices, Greg Foss, a senior security research engineer for LogRhythm Inc., a security intelligence company in Boulder, Colo., told Bloomberg BNA.


The likelihood that the Heartbleed bug has been used to gain access to a health-care organization's health or financial records is high, Foss said. Health-care organizations should examine their information technology systems and medical devices for possible vulnerabilities and install patches immediately, he said.

“If a hospital doesn't fix this, they have a network that is essentially open and could be exploited,” Foss said. “Especially with how widely known it is, this is something they should be looking out for.”

Open Networks

Hackers can use the Heartbleed bug to obtain usernames, passwords and other sensitive information from a network, Mac McMillan, current chairman of the Healthcare Information and Management Systems Society (HIMSS) privacy and security taskforce and chief executive officer of the security group CynergisTek Inc., told Bloomberg BNA April 18.

Health-care organizations need to examine their servers to discover where they may have OpenSSL deployed and carefully examine any IT tools that have direct access to patient information, McMillan said. Hospitals and health-care organizations should contact the vendors of their health IT products to ask if their products use OpenSSL and, if so, how to repair the vulnerability, he said.
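The inventory step McMillan describes (find every server where OpenSSL is deployed, then decide which ones need the patch or a vendor answer) can be scripted. The example below is added here and is not code from the article or from any of the companies quoted in it; the hostnames and version banners are constructed, the tab-separated inventory format is an assumption, and the affected range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g, as published in the public OpenSSL advisory) is taken as a parameter that should be confirmed against each vendor's own advisory. It classifies each host as affected, not affected, or unknown, and treats "unknown" as something to raise with the vendor rather than ignore.

```python
"""Triage an OpenSSL inventory for the Heartbleed-affected version range.

Added example (not from the article). Input format is an assumption:
one line per host, "hostname<TAB>output of `openssl version`".
"""
import re

# Constructed sample inventory; hostnames and banners are made up for this example.
SAMPLE_INVENTORY = """\
patient-portal\tOpenSSL 1.0.1e 11 Feb 2013
payment-gw\tOpenSSL 1.0.1g 7 Apr 2014
legacy-imaging\tOpenSSL 0.9.8y 5 Feb 2013
hl7-interface\tOpenSSL 1.0.1f 6 Jan 2014
mail-relay\topenssl: command not found
"""

# Affected range as published in the public OpenSSL advisory (assumption of this
# example; confirm against your vendor's advisory). Note that distributions often
# backport the fix without changing the version letter, so "affected" here means
# "needs confirmation and probably a patch", not proof of exposure. Beta tags such
# as 1.0.2-beta1 are not modelled by this simple comparison.
AFFECTED_MIN = "1.0.1"
AFFECTED_MAX = "1.0.1f"

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into a comparable tuple (1, 0, 1, 'e').

    Returns None when the banner does not look like an OpenSSL version string.
    The patch letter compares as a plain string, so '' < 'a' < ... < 'f' < 'g'.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def classify(banner):
    """Return 'affected', 'not-affected' or 'unknown' for one version banner."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    lo = parse_version("OpenSSL " + AFFECTED_MIN)
    hi = parse_version("OpenSSL " + AFFECTED_MAX)
    return "affected" if lo <= v <= hi else "not-affected"


def triage_inventory(text):
    """Map each hostname in the inventory text to its classification."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        result[host.strip()] = classify(banner)
    return result


def hosts_needing_action(text):
    """Hosts to patch (affected) or to ask the vendor about (unknown), sorted."""
    return sorted(h for h, c in triage_inventory(text).items() if c != "not-affected")


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
    print("action list:", hosts_needing_action(SAMPLE_INVENTORY))
```

Two practical notes on using this: a host reporting a version outside the range is not automatically safe (the `openssl` binary on the PATH may not be the library a web server or appliance actually links against), and a device that cannot report a version at all, which is common for embedded medical equipment, belongs on the vendor question list that McMillan recommends. Once a host is patched and its certificate replaced, the credentials McMillan mentions as exposed should be treated as compromised and rotated.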

Because the Heartbleed vulnerability can be exploited to allow hackers to make administrative changes in a network, such as changing access requirements, the bug opens the possibility that a network has been compromised unbeknownst to the organization, McMillan said.

“This is an open door to run wild in a network,” he said. “When you have a health system that is not monitoring its network closely and not paying attention to what its firewall logs are telling it, then you may not even know someone is there.”


To contact the reporter on this story: Alex Ruoff in Washington at aruoff@bna.com

To contact the editor responsible for this story: Kendra Casey Plank at kcasey@bna.com
