Many healthcare organizations remain unaware that the Heartbleed bug can affect more than just websites and web servers. The bug, discovered separately by Neel Mehta and his team at Google Security in late March and by the Finnish security firm Codenomicon in early April, is a vulnerability caused by a coding error in OpenSSL, the widely used encryption library, that allows attackers to read up to 64K of a vulnerable computer’s RAM. We blogged about it here.
Half a million websites were known to have the vulnerability, including Facebook, Google and Amazon, among others. Thirty-nine percent of the world’s web users protected themselves by either disabling accounts or changing passwords.
Today, many organizations think they are fine. But Heartbleed’s effect goes well beyond websites and web servers.
According to Mike Ahmadi, global director of medical security at Codenomicon, “Anything that has the affected versions of OpenSSL/TLS installed on it – that means any medical device, and medical system, MRI, server, any handheld devices that are on a healthcare network – is affected (by Heartbleed).” The bug therefore remains an ongoing concern for healthcare organizations. A further concern is that once the vulnerability is found to still be present on a medical device, installing a patch isn’t easy, because these devices are relied upon to monitor and care for patients 24/7.
So what can your organization do to make sure that you are mitigating any lingering risks of Heartbleed accordingly?
Ahmadi, in a recent interview with Information Security Media Group (transcript here), suggests the following steps be taken:
- Identify any medical devices that may be at risk from Heartbleed. Anything that is running any sort of communications stack should be checked. These devices communicate over Wi-Fi networks using OpenSSL and need to be tested for the vulnerability. Codenomicon has provided a free tool here, AppCheck, where you can upload a binary or firmware image, if you have one available, and it will tell you whether or not it is vulnerable.
- If the vulnerability is detected, ask the device manufacturer for a fix. If no fix is available, do your best to mitigate the situation. Possible mitigation steps include segmenting your network to limit the spread of an attack, adding firewall rules to block attack traffic, or contacting vendors to make changes or provide workarounds so an attack can no longer affect you.
- Update your computer security risk analysis (required for Meaningful Use) on an annual basis. Make sure it includes a thorough inventory of all networked devices and adequate. Eagle Consulting Partners can assist with the risk analysis process and would be happy to discuss our methodology with any healthcare organizations.
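The first of these steps, identifying devices that may be at risk, usually starts from an inventory before anything is uploaded to a binary-testing tool such as AppCheck. The following script is an added example, not code from the original post, from Codenomicon or from Eagle Consulting Partners: it triages an inventory export by the OpenSSL version each device reports, flagging the releases the OpenSSL project listed as affected (1.0.1 through 1.0.1f, and 1.0.2-beta1) and clearing those that were never affected (the 0.9.8 and 1.0.0 branches, 1.0.1g and later, 1.0.2-beta2 and later). The `device,openssl_version` column layout, the device names and the version strings are all constructed for the example. A version match is only a triage signal: a vendor that backported the fix without changing the version letter, or built OpenSSL without heartbeat support, would still be flagged here and needs an actual test to confirm either way.

```python
"""Triage a device inventory by reported OpenSSL version for Heartbleed exposure.

Added example (not from the original post, Codenomicon or Eagle Consulting).
Assumes a constructed inventory export with 'device,openssl_version' columns.
"""
import csv
import io
import re

# Affected releases per the OpenSSL project's advisory: 1.0.1 through 1.0.1f,
# and 1.0.2-beta1. Fixed in 1.0.1g and 1.0.2-beta2; the 0.9.8 and 1.0.0
# branches never shipped the heartbeat extension bug.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?")


def classify(version: str) -> str:
    """Return 'vulnerable', 'not_affected' or 'unknown' for an OpenSSL version string.

    Accepts bare versions ('1.0.1f') and banner forms ('OpenSSL/1.0.1e').
    Version-based triage only: a distro or vendor that backported the fix
    without bumping the letter, or a build compiled without heartbeats, still
    shows as 'vulnerable' here and must be confirmed with a real test.
    """
    m = _VERSION_RE.search(version)
    if not m:
        return "unknown"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, pre = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g fixed it.
        return "vulnerable" if letter <= "f" else "not_affected"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return "vulnerable" if pre == "beta1" else "not_affected"
    return "not_affected"


def triage_inventory(inventory_csv: str) -> dict:
    """Group device names by classification from CSV text with
    'device' and 'openssl_version' columns (assumed export format)."""
    groups = {"vulnerable": [], "not_affected": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["openssl_version"].strip())
        groups[status].append(row["device"].strip())
    return groups


# Constructed sample inventory; device names and versions are made up.
SAMPLE_INVENTORY = """device,openssl_version
infusion-pump-07,OpenSSL/1.0.1e
mri-console-02,1.0.1g
patient-monitor-gw,1.0.2-beta1
lab-analyzer-11,0.9.8y
legacy-hl7-bridge,unknown firmware
"""

if __name__ == "__main__":
    # Devices in 'vulnerable' go to the manufacturer or a binary test first;
    # 'unknown' devices need their firmware identified before they can be cleared.
    for status, devices in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Run it against a real export by replacing `SAMPLE_INVENTORY` with the file contents; devices that land in `unknown` (no parseable version) deserve as much attention as those flagged vulnerable, since an unidentified communications stack cannot be cleared by version alone.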
Eagle Consulting Partners concurs with Ahmadi’s recommendations and encourages covered entities to be diligent with this significant security exposure.