Software Vulnerability Endangers EHR, Devices; HHS Websites Unaffected

The “Heartbleed” bug, discovered last week by two information technology (IT) security teams, is a vulnerability in popular encryption software used by many medical professionals to protect patient data. Electronic health record (EHR) systems often use OpenSSL’s encryption software to secure protected health information (PHI). Heartbleed can reveal the contents of a server’s memory to attackers, including private data such as usernames, passwords, and credit card numbers. Attackers can also obtain copies of a server’s digital keys and use those keys to impersonate servers or to decrypt communications. Security experts estimate that 66 percent of all devices connected to the internet, including internet-capable medical devices, could be attacked using Heartbleed.

Heartbleed Danger

According to members of the security team that discovered Heartbleed, the bug allows anyone on the internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. Affected information includes the secret keys used to identify service providers and to encrypt data, as well as usernames, passwords, and actual saved content, allowing attackers to steal data directly from the services and users and to impersonate services and users. A fixed version of OpenSSL has been released, but the vendors of operating systems, appliances, and independent software all must adopt the fix for each program that uses OpenSSL. Further, users and administrators should change their passwords to prevent use of their accounts by anyone who has already accessed their private account information. Passwords changed before the fixed version is installed are not secure, because the new password can be exposed in the same way.

The security team that discovered Heartbleed said, “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

Impact on Health Industry

OpenSSL is an open source implementation of the SSL/TLS encryption protocols. Open source means users are universally granted a free license to the product. As a result, many health IT-related programs and devices use OpenSSL, including those that run on Apache servers. A “cursory review” conducted by health IT developer Lauren Still found that many web-based EHR platforms were vulnerable to the bug. Additionally, some Health Insurance Exchanges operated by states under the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) were exposed. Medical Device and Diagnostic Industry says that the bug could be used to attack systems used to communicate with insulin pumps, home health care networks, and medical devices such as MRI machines.

Safety of HealthCare.gov, MyMedicare.gov

When the discovery of Heartbleed was announced, the Department of Homeland Security’s (DHS) U.S. Computer Emergency Readiness Team (US-CERT) issued an immediate alert. Other DHS teams have reached out to vendors and asset owners to notify them and to assist them in determining vulnerabilities and protecting their data. DHS announced that “the Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat.” Building on DHS’s announcement, a CMS spokesperson stated, “Due to CMS’s security protections, HealthCare.gov consumer accounts are not affected by this vulnerability. Additionally, other CMS consumer accounts, including MyMedicare.gov, were not affected by this vulnerability. Per standard practice, CMS continues to work with the states to monitor this issue and ensure that appropriate security measures continue to be in place.”

Developer and cryptography consultant Filippo Valsorda published a tool that allows users to check websites for the Heartbleed vulnerability. For websites that require passwords, LastPass created a similar checker tool. Wolters Kluwer tested a number of HHS websites and confirmed that, in addition to HealthCare.gov, Medicare.gov and the FDA’s online Drug Registration and Listing system were not vulnerable to Heartbleed; tests indicated that MyMedicare.gov and CMS’s EHR Incentive Program Registration & Attestation system may be affected.