by: Adam Kehler, PA REACH Privacy & Security Specialist
What is Heartbleed?
You may have read about a new vulnerability that has been released called Heartbleed. You may have already changed all of your personal banking passwords, your social networking passwords, and your email password. There is a wealth of information out there that describes what Heartbleed is and so this article does not intend to reiterate what has already been written. You can find information from the source at www.heartbleed.com.
For the purposes of this article, I will simply explain that Heartbleed is not a virus. Rather it is a vulnerability that can be exploited to gain access or "hack" into or retrieve sensitive information such as passwords from systems that use a program called OpenSSL which, for most people, means "https". It is extremely difficult to detect if this vulnerability has been exploited, so the best we can do is patch our servers, change our passwords, and review our audit logs a little more closely.
How does it affect my practice?
The consequences to a medical practice of an attacker taking advantage of Heartbleed in your vulnerable systems can be enormous. First, you must understand that your patients' Protected Health Information (PHI) is a target. It is worth money on the black market and there are people attempting to steal it every day, even from small practices.
In light of the fact that you are a target, consider this scenario: an attacker retrieves your password to your web-based EHR by using the Heartbleed vulnerability. With this password, the attacker downloads records of every patient in your database. You now have a breach of thousands of patient records and have to go through breach notification as required by most States and the HITECH Act. In addition to administrative and legal costs of breach notification, OCR has the right to levy large fines as a result of the breach. The total cost can easily be in the hundreds of thousands of dollars.
The HIPAA Security Rule requires that you take steps to identify and address vulnerabilities to your system. Therefore, an absence of due diligence in regards to this issue could actually be determined to violate the HIPAA Security Rule and, especially if it leads to a breach, could be assessed as willful neglect and result in large fines.
5 Steps to Addressing Heartbleed
While it can be extremely difficult to determine if your systems have been compromised through this vulnerability, there are things you can do to mitigate the risk.
1. Identify all sites you use, both internal and external. Consider Web sites such as EHR, patient portal, billing, insurance, payroll, accounting, collections, transcription, hospital systems, HIE, state agencies, Web-based e-mail, and banking. For internal systems, having a vulnerability test performed can identify other areas where you may be vulnerable such as management consoles for network appliances, Web-based VPN systems, application servers, or Web-based e-mail systems.
2. For each of those sites, determine if they were and/or are vulnerable to Heartbleed. This may involve visiting their Web site or contacting them directly. You may also need to contact your IT vendor. If they don't know or you can't find information, you can actually check yourself. By using the tool at https://lastpass.com/heartbleed, you can enter the Web site address and it may be able to tell you not only if the site is vulnerable, but also if it was in the past.
3. Change ALL passwords after the site has been patched. For any site you do find that was or is vulnerable, confirm that the site has been patched. Again, this can be done by confirming with the vendor or using third party tools such as LastPass. After you confirm the site has been patched and your vendor has implemented new security certificates, change all passwords using best practices for strong passwords. This is important because it is impossible to know if an attacker was able to compromise your password by using this vulnerability.
4. Check your audit logs. Because it is impossible to know if your system was compromised, check your audit logs. For EHR systems, you should be doing this anyway (it's required by HIPAA), but you should especially focus on login events that have taken place since this vulnerability was announced, which was April 3, 2014. The vulnerability has actually been in place since the end of 2012; however, it is believed/hoped that it was not known about until April 3, 2014.
Look for anomalous events such as an abnormally high number of logins, logins from unknown or new locations, off-hour logins, etc. If you detect any anomalies, conduct your due diligence to determine if a breach has, in fact, occurred.
5. Consider two-factor authentication. Two-factor authentication is a term used to describe a system that requires two of the following three items in order to gain access to a system: something you know, something you have, and something you are. For Web-based systems, it's generally the first two. Many popular Web-based companies such as Google and Yahoo are implementing a system that requires a password and entering a code that is texted to your phone. So there you have something you know (your password) and something you have (your phone). To make it more seamless and convenient, many of these systems only require the second factor when logging in from a new or “untrusted” location. Systems with this type of authentication are much less vulnerable when something like Heartbleed comes along.
Security experts have long recommended two-factor authentication as a means to strengthen the security of systems because it is well-known that passwords alone are weak. In fact, way back in 2006, the Office for Civil Rights (OCR) issued a guidance document for remote access to PHI in which it recommended, among other things, the use of two-factor authentication.
The health care industry has been reluctant to adopt this security control because:
- It costs money
- It can be inconvenient for users
- It's not mandated
However, incidents such as Heartbleed underscore that passwords alone are not strong enough, and two-factor authentication should be considered as part of an organization's Security Risk Management strategy.
So while you have your EHR or IT vendor on the phone to determine if you are vulnerable, ask them about two-factor authentication. Better yet, demand it!
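As an added example (not part of the original article or any EHR product), the following Python script applies the step 4 audit-log checks to a few constructed login records: it baselines each user's known locations from before the April 3, 2014 disclosure, then flags later logins from new locations, outside business hours, or in unusual daily volume. The log format, the 07:00-18:59 business-hours window and the per-day threshold are assumptions; substitute your own system's export format and norms.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit lines in a hypothetical "LOGIN user= src= result=" format.
SAMPLE_LOG = """\
2014-03-30 09:12:03 LOGIN user=jsmith src=203.0.113.10 result=success
2014-04-01 08:30:41 LOGIN user=mdoe src=203.0.113.10 result=success
2014-04-04 02:47:19 LOGIN user=jsmith src=198.51.100.77 result=success
2014-04-04 02:48:02 LOGIN user=jsmith src=198.51.100.77 result=failure
2014-04-05 09:00:00 LOGIN user=mdoe src=203.0.113.10 result=success
2014-04-05 09:20:00 LOGIN user=mdoe src=203.0.113.10 result=success
2014-04-05 09:40:00 LOGIN user=mdoe src=203.0.113.10 result=success
"""

DISCLOSURE = datetime(2014, 4, 3)   # announcement date as given in the article
BUSINESS_HOURS = range(7, 19)       # assumed 07:00-18:59 local time
LINE_RE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+) src=(\S+) result=(\S+)$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the assumed format are skipped
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append({"ts": ts, "user": m.group(2), "src": m.group(3), "result": m.group(4)})
    return events

def review(events, max_logins_per_day=2):
    # Baseline: where each user logged in from successfully before the disclosure date
    known = {}
    for e in events:
        if e["ts"] < DISCLOSURE and e["result"] == "success":
            known.setdefault(e["user"], set()).add(e["src"])
    findings, per_day = [], Counter()
    for e in events:
        if e["ts"] < DISCLOSURE:
            continue
        per_day[(e["user"], e["ts"].date())] += 1   # count attempts, successful or not
        if e["result"] != "success":
            continue
        if e["src"] not in known.get(e["user"], set()):
            findings.append((e["user"], "new-location", e["src"]))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append((e["user"], "off-hours", e["ts"].isoformat()))
    for (user, day), n in per_day.items():
        if n > max_logins_per_day:
            findings.append((user, "high-volume", f"{n} logins on {day}"))
    return findings
```

Each finding is a lead for the due-diligence step the article describes, not proof of a breach: a clinician travelling or covering a night shift will trip the same rules, so confirm with the user before treating it as an incident.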
Conclusion
It is important that your practice take proactive steps to address this vulnerability; the consequences of not doing so can be enormous. This is not the only vulnerability out there, and organizations should be continuously taking steps to identify and address vulnerabilities; however, this is one of those that comes along only once every few years and should be addressed immediately.
If you have further questions or need help, feel free to contact us at PA REACH.