A bug has been discovered by security solutions provider Codenomicon Defensics and Google Security that would allow hackers to access a variety of personal information without being detected. It's been dubbed “Heartbleed” and its medical-sounding name isn't the only reason that device makers and healthcare IT should be concerned.
The vulnerability lies in the OpenSSL encryption software at the heart of many of the Internet's most popular Web sites in addition to email, instant messaging, and virtual private networks (VPNs) such as those used by hospitals. Basically, a hacker can exploit the bug to intercept and decrypt data being sent to and from network and Web site users. Imagine finding out that every house in your neighborhood had a key left under the welcome mat that no one knew about.
The bug was discovered via testing and there haven't been any reported breaches or thefts that have exploited the bug thus far. But it is worth noting that the exploit leaves no trace of any abnormal activity on server logs. Reports are also saying the Heartbleed bug may have been active for as long as two years, meaning that many sites that have since fixed the issue may have been compromised in the past.
If sites fail to fix the bug, all manner of patient data, from electronic medical records and health biometrics to billing information, could be vulnerable to theft. Mike Ahmadi, global director of medical security at Codenomicon, is calling Heartbleed “probably the most significant bug to affect the Internet in five years.”
“Someone could very easily mount this attack using essentially any implementation of OpenSSL that's vulnerable,” Ahmadi says. “OpenSSL is used for Apache servers and Apache is very, very common in many industries including healthcare. It's very common for back-end applications on an EHR [electronic health record] system, for example, to use OpenSSL.”
Codenomicon estimates that about 66% of all devices connected to the Internet could be attacked using Heartbleed. Other systems such as home healthcare systems used to communicate with insulin pumps and back-end systems, home healthcare networks, and even medical devices such as MRI machines could all be attacked through this bug.
Given reports of the already shoddy state of healthcare cybersecurity, events like this should further highlight the importance of having healthcare IT maintain the highest possible standards. A list of potentially vulnerable sites published by GitHub includes some big names like Yahoo, Flickr, Eventbrite, and WeTransfer. Even if a major healthcare or insurance site isn't listed directly, information sent to these sites through another vulnerable entity could still have been targeted. There is also an online tool available where you can test to see if certain sites are vulnerable to Heartbleed.
For patients and consumers, the nature of the Heartbleed bug also means that simply going in and changing your password isn't enough. Users will have to wait for sites to plug the hole before they can take any action on their own part. Security experts are recommending that users change their passwords after receiving an all-okay from a site. It is also worth changing your password if the site doesn't send confirmation but may have been vulnerable in the past.
When Codenomicon first discovered the bug it chose to discreetly alert CERT and OpenSSL. However, after Google also discovered the bug, OpenSSL decided to go public with the information, a move that may not have been the best idea, since it leaves a lot of sites vulnerable now that the information is widely available.
With news of the exploit breaking wide, most Web sites are expected to hastily begin to fix the bug. OpenSSL.org says that those affected should upgrade to OpenSSL version 1.0.1g. However regulations and requirements mean that healthcare may be particularly slow in implementing fixes.
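As an added illustration (not code from the article, OpenSSL or Codenomicon), the following Python check classifies an `openssl version` banner against that fix release. It assumes, as the OpenSSL advisory stated, that upstream 1.0.1 through 1.0.1f are affected and 1.0.1g is fixed; `local_openssl_status` is a hypothetical helper that wraps the `openssl version` command on the machine where it runs.

```python
import re
import subprocess

# Constructed assumption (matches the OpenSSL advisory): the 1.0.1 series up to
# and including 1.0.1f carries the heartbeat bug; 1.0.1g is the fix. The 1.0.0
# and 0.9.8 branches never contained the heartbeat code and are reported clean.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e'); None if not OpenSSL."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_range(banner):
    """True when the banner's upstream version is 1.0.1 .. 1.0.1f."""
    parsed = parse_version(banner)
    if parsed is None:
        return False
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        # 1.0.0 and 0.9.8 lack heartbeat; 1.0.2 betas are out of scope here.
        return False
    # '' (plain 1.0.1) and 'a'..'f' are affected; 'g' and later are fixed.
    return letter < "g"


def local_openssl_status():
    """Classify the locally installed OpenSSL. Returns (banner, in_range).

    Caveat for patch validation: distributions such as Debian and Red Hat
    backported the fix without bumping the upstream letter, so an in-range
    verdict from the banner alone should be confirmed against the package
    changelog before a system is declared vulnerable.
    """
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout.strip()
    except FileNotFoundError:
        return "", False
    return out, is_heartbleed_range(out)


if __name__ == "__main__":
    print(local_openssl_status())
```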
“The device industry doesn't quickly issue patches,” Ahmadi says. “The problem with the healthcare space is there are a lot of systems that are connected that rely on real-time information, but you'll also have to validate it to make sure there are no regressive issues when you apply the patch. The problem is [applying the patch] could create additional risk.”
Codenomicon is currently working with a company where, Ahmadi says, another security professional gave him the best summation of how many industries currently tackle cybersecurity: “We're not even going after low hanging fruit, we're going after fruit that has fallen on the ground.”
For more information Codenomicon Defensics has set up a FAQ about Heartbleed at www.heartbleed.com