5 things physicians need to know about ‘Heartbleed’

April 25, 2014

Lee Kim, JD, FHIMSS, director of privacy and security at HIMSS, answers five questions for physicians facing possible issues now or in the future arising from Heartbleed.

Heartbleed may sound like a medical term, but it is actually a flaw in computer software that has affected web operations for many businesses and consumers. Medical practices are no exception, and should be aware of how to handle this and other Heartbleeds, that could corrupt electronic health record (EHR) systems, patient portals, or networked computers in your practice.

Lee Kim, JD, FHIMSS, director of privacy and security at the Healthcare Information and Management Systems Society, answers five questions for physicians facing possible issues now or in the future arising from Heartbleed.  

Q: Could you explain in laymen's terms what Heartbleed is?

Kim: “Heartbleed” is not a virus but rather a vulnerability in the software. This vulnerability was caused by a software bug. As a result of this vulnerability, Internet communications and transmissions which were intended to be encrypted might actually not be encrypted. A hacker may exploit this vulnerability and steal secret keys and information as a result of the unsecure channel.

 However, not every Internet site is affected-only those that use certain versions of OpenSSL. According to US-CERT (the United States Computer Emergency Readiness Team), many vendors have already issued patches to address this OpenSSL vulnerability – essentially, to plug this vulnerability so that it can no longer be exploited.

Q: Should practice owners with web-based EHRs worry that this could affect their equipment?

Kim: Practice owners need to contact their vendors to determine if the web-based EHR is vulnerable to Heartbleed and, if so, whether that vulnerability has been patched. If it has not been patched, the practice owners may wish to inquire about the plan of action to address the Heartbleed vulnerability.

Q: Are other office computers at risk for the virus?

Kim: If an office computer exchanges encrypted information over a network, then its information and secret keys might be exploitable by an unauthorized third party. A vulnerability scan will help determine whether an office computer is indeed vulnerable to the “Heartbleed” vulnerability.

Q: What can practices do to prevent this or any other virus from affecting their business?

Kim: The best approach is to be proactive by conducting regular risk assessments and remediate and mitigate those risks, which need to be addressed. As part of the risk assessment, a vulnerability scan should be done and vulnerabilities should be addressed by applying patches to address these vulnerabilities. Some resources which can be used to track vulnerabilities include the NIST Vulnerability Database (https://nvd.nist.gov/) and the MITRE CVE® list (http://cve.mitre.org/cve/index.html).

Q: Do practices need to have patients change passwords used for online patient portals?

Kim: It is a good idea, in any event, for patients to regularly change passwords with online patient portals. However, due to the nature of the “Heartbleed” vulnerability, it is possible that passwords may be compromised if the website uses a vulnerable version of OpenSSL. Accordingly, it would behoove the practice to make patients change their passwords, especially if they had been using an affected version of OpenSSL. More information on affected versions and what can be done to proactively address the reported vulnerability can be found here: http://www.kb.cert.org/vuls/id/720951.