For years, cyber security experts have urged us to use encryption to protect sensitive information that we send over the Internet. We assumed that as long as we used a modern secure sockets layer, or SSL, our data were safe. That was before we learned about “Heartbleed,” a computer security bug in one specific SSL implementation, OpenSSL, that interferes with the encryption process and weakens cyber security. Security breaches have occurred, and the situation is likely to affect the entire health industry. This is what Health IT professionals need to know about Heartbleed and web security.
1. Encryption Is Not Always Safe
Before Heartbleed, we thought that the little lock symbol to the left of the address bar in the browser indicated a secure site; that is, the data we entered were safely encrypted so that they could not be intercepted. That is no longer the case. Heartbleed enables hackers to steal online information that senders believe is safely encrypted. More than one hundred thousand websites are considered vulnerable, with hackers able to read 64KB of a server's memory. Heartbleed affects a specific version of OpenSSL, but the discovery of this bug implies the possible existence of similar bugs that affect other OpenSSL versions.
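Why the amount of memory exposed is bounded at about 64KB, and what the corrected code checks, is easiest to see in a small model. The following C program is an added example written for this page; it is not code from OpenSSL or from the article's author. It models the TLS heartbeat record layout from RFC 6520 (a type byte, a 16-bit payload length, the payload, then padding) and places it in a 128-byte arena that stands in for a slice of server memory. The arena size, the "ping" payload, the 'S' filler bytes and every function name are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520), for illustration:
 *   byte 0     : message type (1 = request)
 *   bytes 1-2  : payload_length, big-endian 16-bit (so at most 65535 bytes, about 64KB)
 *   bytes 3..  : payload, followed by at least 16 bytes of padding
 */
enum { HB_HEADER = 3, HB_PADDING = 16 };
#define ARENA_LEN 128  /* constructed stand-in for a slice of process memory */

static size_t hb_declared_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Unchecked handling (the defect): the reply length is taken from the peer's
 * payload_length field alone, so the copy runs past the bytes actually received
 * and into whatever follows them in memory. Clamped to the arena only so this
 * simulation stays well defined. Returns the number of bytes echoed. */
size_t hb_reply_unchecked(const uint8_t *arena, size_t arena_len, uint8_t *out)
{
    size_t n = hb_declared_len(arena);
    if (HB_HEADER + n > arena_len)
        n = arena_len - HB_HEADER;
    memcpy(out, arena + HB_HEADER, n);
    return n;
}

/* Hardened handling (the shape of the fix): the declared payload plus header and
 * minimum padding must fit inside the record length actually received, otherwise
 * the record is dropped. Returns 0 and the echoed length on success, -1 if rejected. */
int hb_reply_checked(const uint8_t *rec, size_t record_len, uint8_t *out, size_t *out_len)
{
    if (record_len < HB_HEADER + HB_PADDING)
        return -1;
    size_t n = hb_declared_len(rec);
    if (HB_HEADER + n + HB_PADDING > record_len)
        return -1;  /* declared length does not match the bytes on the wire */
    memcpy(out, rec + HB_HEADER, n);
    *out_len = n;
    return 0;
}

/* Constructed test data: a 4-byte payload "ping" plus 16 bytes of padding (23 bytes
 * received in total); every byte after that stands in for unrelated memory and is
 * filled with 'S'. declared_len is what the record claims the payload length is. */
static size_t build_arena(uint8_t *arena, uint16_t declared_len)
{
    memset(arena, 'S', ARENA_LEN);
    arena[0] = 1;
    arena[1] = (uint8_t)(declared_len >> 8);
    arena[2] = (uint8_t)(declared_len & 0xff);
    memcpy(arena + HB_HEADER, "ping", 4);
    memset(arena + HB_HEADER + 4, 0, HB_PADDING);
    return HB_HEADER + 4 + HB_PADDING;
}

/* Bytes of 'S' (unrelated memory) that the unchecked handler echoes back when the
 * record claims a 64-byte payload but actually carries only 4. */
size_t demo_leaked_bytes(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena, 64);
    size_t n = hb_reply_unchecked(arena, ARENA_LEN, out), leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == 'S') leaked++;
    return leaked;
}

/* 1 if the hardened handler rejects that same record, 0 otherwise. */
int demo_checked_rejects(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t out_len = 0, record_len = build_arena(arena, 64);
    return hb_reply_checked(arena, record_len, out, &out_len) == -1;
}

/* Length echoed by the hardened handler for an honest record (payload really is 4). */
size_t demo_checked_honest(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t out_len = 0, record_len = build_arena(arena, 4);
    if (hb_reply_checked(arena, record_len, out, &out_len) != 0)
        return 0;
    return out_len;
}

int main(void)
{
    printf("unchecked handler leaked %zu bytes of unrelated memory\n", demo_leaked_bytes());
    printf("checked handler rejects the lying record: %d\n", demo_checked_rejects());
    printf("checked handler echoes %zu bytes for an honest record\n", demo_checked_honest());
    return 0;
}
```

The 16-bit length field is why each exposure is capped near 64KB, and the single comparison in hb_reply_checked is the whole difference between the two handlers: the server must trust what it measured (the record length) rather than what the peer declared. Operationally that means the only durable remedy is running a build that contains the check, which is why patching OpenSSL and reissuing keys and certificates took priority over any interim measure.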
2. Electronic Health Systems Are Vulnerable
Credit card data, tax and other personal information, and government communications may come to mind first when we think of sensitive data, but they are not the only categories of data that can be affected. Web-based electronic health record (EHR) systems, such as those used by many hospitals and other medical networks, are at risk, as are some state health insurance exchange platforms.
3. Hearts Are Breaking over Lost Trust
Handling sensitive patient data is among the most significant concerns within health IT, and the healthcare industry has fought hard to gain patient trust as records have increasingly become electronic. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act within the American Recovery and Reinvestment Act of 2009 establish guidelines for protecting patient data. In recent years, patients have gradually gained trust that electronic records can be as secure as these pieces of legislation intend. However, Heartbleed can potentially lead to violations of HIPAA and HITECH through security breaches in the Health IT websites responsible for managing and protecting patient data.
4. Be Proactive and Stay Vigilant
Health IT teams can implement temporary fixes to reduce the impact of security breaches attributed to Heartbleed. We can also inform patients of the possible breaches and what we are doing to prevent future ones. However, the story continues to develop. We now know that the threat affects more sites than originally assumed, with Cisco and Juniper Networks warning of possible breaches and increased investigations.
Last Updated on April 23, 2014