When it comes to maintaining the safety of health information technology and patient data, encryption is almost always one of the first recommendations made by security experts. That's why news this week about the "Heartbleed" computer bug--which compromised Web encryption program OpenSSL, opening "hundreds of thousands of websites to data theft," according to Reuters--is so disturbing for the industry.
Even health entities that don't rely on the version of OpenSSL compromised by the bug should be worried about the ramifications, according to Boston-based health attorney and FierceHealthIT Editorial Advisory Board member David Harlow.
"Heartbleed can set back trust in health IT that has been building as it proliferates, and as the protections under HIPAA/HITECH are baked into the policies and procedures of more and more vendors," Harlow, principal of The Harlow Group LLC healthcare law and consulting firm, told FierceHealthIT. "Some of my clients have already informed their customers about the steps they are taking, and explaining why they are taking them--even if they are not directly affected by this exploit."
Heartbleed, according to health IT developer Lauren Still, posting on Government Health IT, enables an attacker to read as much as 64KB of memory.
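The 64KB figure comes from the 16-bit payload length field in a TLS heartbeat message: the flaw was that the declared length was trusted without being compared against how many bytes actually arrived. The following is an added illustration, not code from the article or from OpenSSL, showing the bounds check a correct heartbeat handler performs; the message layout follows RFC 6520 and the sample messages are constructed here.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3        # 1-byte message type + 2-byte big-endian payload_length
MIN_PADDING = 16      # RFC 6520 requires at least 16 bytes of random padding


def parse_heartbeat(record: bytes):
    """Return (msg_type, payload) for a well-formed heartbeat message, or None
    if the message must be discarded.

    The comparison of the declared payload_length against the bytes actually
    received is the check whose absence allowed a peer to be handed up to
    64 KiB (the maximum a 16-bit field can express) of process memory.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The declared payload plus mandatory padding must fit inside what arrived.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    return msg_type, record[HEADER_LEN:HEADER_LEN + payload_length]


def build_response(request: bytes):
    """Echo a validated request's payload back as a heartbeat response.

    Because the payload slice above is bounded by the real record length, the
    response can only ever contain bytes the peer itself sent.
    """
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
            + payload + b"\x00" * MIN_PADDING)


# Constructed sample messages (hypothetical, for illustration only).
GOOD_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 5) + b"hello" + b"\x00" * MIN_PADDING
# Claims a 65535-byte payload but carries only 5 bytes: must be rejected.
OVERSIZED_REQUEST = struct.pack("!BH", HEARTBEAT_REQUEST, 0xFFFF) + b"hello" + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    print("good request  ->", parse_heartbeat(GOOD_REQUEST))
    print("oversized     ->", parse_heartbeat(OVERSIZED_REQUEST))
```

The mitigation is entirely on the receiving side: a handler that refuses to copy more bytes than it received never leaks memory, regardless of what the length field claims.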
"Even a cursory review in the health IT sector showed a number of Web-based [electronic health record] platforms vulnerable, as are some state health insurance exchange platforms and other possible health information exchange platforms," Still said.
While all responsible companies are now reviewing their use of OpenSSL and implementing fixes, Harlow said he has heard some concern about delaying such fixes until they are fully tested.
"Frankly, given the enormity of the OpenSSL exploit, it seems that full testing could be deferred until after the fixes are put in place, as they are almost certainly going to represent an improvement over the current state of affairs," Harlow said. "I know some folks will cringe at the thought, but I think there is value to speeding up the fix."
The bug, according to Time, is much more widespread than initially thought. Cisco, on Thursday, confirmed to Time that it's looking into its routers, video teleconferencing devices and software for vulnerabilities, while Juniper Networks said that it has warned some of its clients that some equipment has been compromised.
To learn more:
- here's the Reuters article
- read the Government Health IT piece
- check out the Time story