The tech world is still reeling from the April 7th revelation of a security vulnerability affecting hundreds of thousands of secure servers. The source of the vulnerability, known as Heartbleed, is a bug in OpenSSL, an open-source encryption software. The bug makes it possible for information to be stolen from secure servers and creates the potential for decryption of encrypted data. For the healthcare industry, the potential for catastrophic compromise of private information is alarming.
Heartbleed allows an attacker to extract random packets of up to 64 kilobytes of information from websites. The attack can be repeated to access large quantities of data. Codenomicon, the company that named the bug and announced it to the public, describes testing the bug: “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.” If keys were stolen by malicious hackers they could be used to read vast amounts of information from secure servers at much higher rates and with greater precision than can be attained by using Heartbleed directly.
The bug is located within the code for Heartbeat, an optional feature of OpenSSL that keeps a connection open when no data is being transmitted by sending “heartbeats.” An error in the code allows a nonstandard heartbeat to elicit a response including more data than should be sent, best illustrated by the webcomic XKCD.
OpenSSL is incorporated into web servers including Apache and nginx, which collectively have a market share of over 66% of all websites. However, not all of these sites used OpenSSL or had Heartbeat enabled, bringing down the total to roughly 500,000 websites, or 17% of all secure servers, according the analysis by Netcraft. Affected sites include Yahoo, Amazon, Wikipedia, Tumblr, and countless other household names.
No electronic health record (EHR) or telehealth companies have publicly announced privacy breaches, but it is improbable that none of these companies were vulnerable. There is currently no consensus on whether exploitation of Heartbleed leaves a trace, meaning that for now there is no way to know if vulnerable systems were attacked. Most servers have already fixed the faulty code with a patch, but the code containing Heartbleed has been widely used since March 14, 2012.
Even if a server does not use OpenSSL for front-end security, it could still be vulnerable if OpenSSL is used elsewhere in its structure or by an external system that delivers its data. As illustrated by consulting firm Vonlay, though Epic (an EHR software giant) does not use OpenSSL, Epic’s data may still be vulnerable if OpenSSL is used anywhere between Epic’s servers and the user—a patient or a health care professional.
As more information comes to light about the fallout and potential past exploitation of the bug, health information companies will be forced to reevaluate the security of their entire systems. On the positive side, the Heartbleed bug and the public attention it has received will most likely make health information systems more secure in the long run.