Breaking News

Details about the Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic software library, were published earlier this week. This vulnerability has the potential to affect web users worldwide. The bug, caused by a programming error, allows the theft of information that is normally protected by the SSL/TLS encryption used to secure the Internet. Hospitals, physician practices and other HIPAA covered entities should take immediate steps to address this vulnerability.

A widely used implementation of SSL – the core technology used to secure Internet communications – is flawed in approximately 2/3 of the Internet’s servers worldwide. This technology is used in web servers, operating systems, email and instant messaging systems. More specifically, this flaw is included in most versions of Linux operating systems, which is the most commonly used operating system for web servers. The Heartbleed Bug is a vulnerability that allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. Visit heartbleed.com for a technical description of the Heartbleed bug and a list of affected Linux systems.

Eagle Consulting Partners considers this threat to be serious for several reasons. First, the bug was introduced to OpenSSL back in December 2011 and is in all versions of OpenSSL since the first release (OpenSSL 1.0.1 on March 14, 2012). A new version released on April 7, 2014 fixes the bug. Until vulnerable systems that contain your PHI are patched, they remain vulnerable to any nefarious individual with an internet connection. Our experience is that the security posture of many health organizations is immature and that patching cycles are frequently longer than desirable. Second, the long exposure prior to this publication, combined with the ease of the exploitation and the untraceable nature of the exploits, means that systems worldwide may have been previously compromised. Finally, SSL is a core technology used across the internet, so the impact will be pervasive and widespread.

This is a serious vulnerability and it is our recommendation that hospitals, physician practices and other HIPAA-covered entities take the following steps to ensure the vulnerability is eliminated:

For Hospitals/Larger Covered Entities and Business Associates:

Internal Systems:

  1. Patch any vulnerable Linux servers immediately. (This site allows a quick test to check your server’s vulnerability. If this test identifies any other vulnerabilities, implement remediation for those vulnerabilities as well.) As an alternative, you could update to the latest OpenSSL version (which contains the fix).
  2. If you use SSL Certificate(s), consider revoking them and installing new ones on affected systems, as the old ones may have leaked. Also, create new private keys, as the old keys may have also leaked.
  3. While making changes to your server configuration and creating new SSL certificates, this post suggests that you review your certificate settings and implement further technical options to ensure full protection from other common implementation problems.
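The three internal-systems steps above can be carried out from the server's own shell. The script below is an added example, not code from the original post or from Eagle Consulting Partners: it classifies the installed OpenSSL version string against the affected range (it assumes, per the Heartbleed advisory, that 1.0.1 through 1.0.1f are affected and that 1.0.1g, the April 7, 2014 release, is the fixed version) and then generates a fresh private key and certificate signing request for step 2, so the old key, which may have leaked, is never reused. The hostname and output directory are placeholders.

```shell
#!/bin/sh
# Heartbleed exposure check and key rotation helper.
# Added example (not from the original post). Assumptions:
#   - `openssl version` prints "OpenSSL <major.minor.patch><letter> <date>"
#   - affected releases are 1.0.1 through 1.0.1f; 1.0.1g (7 Apr 2014) is fixed

# heartbleed_status "VERSION STRING" -> prints vulnerable | fixed | not-affected
heartbleed_status() {
    # extract "1.0.1e" style token from the version banner
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1)        echo vulnerable ;;   # first 1.0.1 release, no suffix letter
        1.0.1[a-f])   echo vulnerable ;;   # 1.0.1a .. 1.0.1f
        1.0.1[g-z]*)  echo fixed ;;        # 1.0.1g and later point releases
        *)            echo not-affected ;; # 1.0.0, 0.9.8 and other branches
    esac
}

# rotate_tls_key HOSTNAME OUTDIR -> writes a new 2048-bit RSA key and CSR,
# prints the CSR path. The CSR goes to your certificate authority; the old
# certificate should be revoked once the replacement is installed (step 2).
rotate_tls_key() {
    host=$1
    dir=$2
    mkdir -p "$dir"
    # subshell so the restrictive umask (owner-only files) is scoped here
    (
        umask 077
        openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host"
    )
    echo "$dir/$host.csr"
}

# Stand-alone use: report the locally installed version (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    echo "installed: $banner -> $(heartbleed_status "$banner")"
    # Example rotation for a placeholder host; replace with your real hostname:
    #   rotate_tls_key portal.example.invalid /root/tls-rotation
fi
```

One caveat when reading the result: some Linux distributions ship a patched build under the old version string (for example a 1.0.1e package that includes the fix), so a "vulnerable" verdict from the banner alone should be confirmed against your distribution's package changelog or the online test the post refers to before deciding a server still needs work. A "fixed" verdict is only meaningful after the services that load the library have been restarted.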

External Systems:

  1. Communicate with each vendor that provides a hosted system containing Protected Health Information to determine whether or not your system is vulnerable and, if so, inquire when the vulnerability will be patched. Follow up as necessary to ensure the vulnerability is addressed by the vendor.
  2. For important systems that do NOT use PHI (e.g. banking, payroll services, and other vendors), also contact the vendor and follow the above step.
  3. After the dust settles and affected internal and external systems have been patched, consider changing your passwords (especially for systems containing ePHI, bank account numbers or other sensitive information). If you use a patient portal which was affected, consider forcing a password change or advising patients to change their passwords after the portal’s server is secured.

For Physician Practices/Smaller Covered entities and Business Associates:

Internal Systems:

  1. If you maintain any internal systems using PHI that run the Linux operating system, contact your vendor and request that the system be patched (or request that they upgrade to the latest OpenSSL version, which contains the fix). You may be vulnerable if there is external access to your system. (This site allows a quick test to check your server’s vulnerability. If this test identifies any other vulnerabilities, notify your vendor about those as well.)

External Systems:

  1. Communicate with each vendor that provides a hosted system containing Protected Health Information to determine whether or not your system is vulnerable and, if so, inquire when the vulnerability will be patched. Follow up as necessary to ensure the vulnerability is addressed by the vendor.
  2. For other important systems that do NOT use PHI (e.g. banking, payroll services, and other vendors), contact the vendor and follow the above step.
  3. After the dust settles and affected internal and external systems have been patched, consider changing your passwords (especially for systems containing ePHI, bank account numbers or other sensitive information). If you use a patient portal which was affected, consider forcing a password change or advising patients to change their passwords.

Healthcare organizations may be wondering whether or not this constitutes a data breach. The Heartbleed bug does create a serious vulnerability for affected systems. However, unless you have specific knowledge that this bug was exploited and resulted in the loss of protected ePHI, our advice is that this does not meet the HHS test to constitute a data breach. For healthcare organizations that promptly (within a few days) mitigate this vulnerability, our estimate regarding the risk of breach is very low (under 1% chance). We say this because during this short window, we judge that those likely to perpetrate attacks will focus on targets that provide the highest return on investment – and these will likely be in banking, government, military, retail and other sectors of the economy.

Some key takeaways healthcare organizations of any size should learn from this situation:

  1. Create and maintain an up-to-date inventory of all systems used at your organization (including those containing ePHI and those not containing ePHI). An inventory has multiple purposes, and one of them is to ensure a fast and complete response to incidents such as this. Having comprehensive information regarding which systems are in use will increase your speed in contacting vendors and subsequently monitoring their performance.
  2. Vendor management, especially of Software-as-a-Service vendors, is an essential component of an effective security management process. Small organizations such as physician practices should not assume that their Software-as-a-Service vendor will handle everything.
  3. In your security management process, identify a reliable source for up-to-date threat intelligence and create an ongoing process for identifying and fixing data security vulnerabilities.

Eagle Consulting Partners is available to answer questions for any clients or other interested parties regarding best practices for responding to this problem or other matters in HIPAA compliance.