Heartbleed bug may be a healthcare disaster

From the mHealthNews archive
By Eric Wicklund , Editor, mHealthNews

The Heartbleed bug is poised to cause a lot of heartache in healthcare.

The two-year-old software glitch in the OpenSSL web encryption program that was recently made public has the potential to affect every single healthcare provider in the nation, according to Mac McMillan, CEO of CynergisTek.

"Absolutely – this is huge," McMillan told mHealth News. "It's servers, it's appliances, it's devices … nobody is going to miss this one."

"It's probably the worst bug the Internet has ever seen," Matthew Prince, CEO of CloudFlare, told CNNMoney in a story published on April 9.

When news of the bug broke this week, companies like Amazon, Google and Yahoo rushed to patch the problem. But the vulnerable OpenSSL code is built into many other products, ranging from computers and phones to e-mail servers, firewalls and medical devices. Basically, anything that relies on OpenSSL to encrypt or authenticate its connections could be affected.

Through the flaw, hackers can gain access to credentials and log onto sites with those stolen identities. And because they're using legitimate credentials, those hackers won't be detected except through an exhaustive audit process – if at all.

Furthermore, McMillan said, since the bug has been around for roughly two years, no one knows how many breaches have already happened.

"It's going to be a long, long time before they truly understand the scope of this," he said.

A Reuters news story published on April 10 reported that companies and government agencies are rushing to understand which products are vulnerable, while vendors are hurrying to create patches for those products found to be affected. At Cisco, for instance, a bulletin on the company's website said it has identified about a dozen vulnerable products, including the TelePresence video conferencing server used in telemedicine platforms.

Whether Heartbleed has caused any breaches has yet to be determined. But McMillan pointed out that the government is now dealing with higher-than-normal reports of fraudulent tax claims being filed for healthcare providers – and he wonders if the two are linked.

"If a week from now we hear criminals spoofed a massive number of accounts of financial institutions, it won't surprise me," Prince told CNNMoney.

McMillan – who's been busy this week talking to CynergisTek's many clients about the Heartbleed bug – cautioned that healthcare providers must first identify any and all servers and products that may be affected, then change passwords ("you don't want to change the passwords until after you've fixed it," he pointed out). Likewise, providers will have to wait for product vendors to create their own patches.
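The remediation order McMillan describes (identify affected systems, patch or wait for the vendor fix, and only then change passwords) as an added Python example; it is not code from the article or from CynergisTek. The host inventory and the `Host` and `next_action` names are constructed for illustration, and the affected version range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) comes from the OpenSSL advisory rather than from this page.

```python
"""Heartbleed remediation triage: patch before rotating credentials.

Added example, not from the article. Vulnerable range per the OpenSSL
advisory: 1.0.1 through 1.0.1f (fixed in 1.0.1g); 1.0.0 and 0.9.8 were
never affected. Host inventory below is constructed sample data.
"""
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """'OpenSSL 1.0.1f 6 Jan 2014' -> (1, 0, 1, 'f'); bare release has ''."""
    m = VERSION_RE.search(banner.replace("OpenSSL", "").strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {banner!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def version_in_heartbleed_range(banner: str) -> bool:
    """True for 1.0.1 .. 1.0.1f. Caveat: some distributions backported the
    fix without changing the version string, so this is a first-pass screen,
    not proof; confirm with the vendor's bulletin or package changelog."""
    major, minor, fix, letter = parse_openssl_version(banner)
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"


@dataclass
class Host:  # constructed inventory record
    name: str
    openssl: str          # version banner reported by the host
    vendor_patched: bool  # vendor fix applied or backport confirmed


def next_action(h: Host) -> str:
    """One recommended step per host, enforcing patch-before-rotate."""
    if not version_in_heartbleed_range(h.openssl):
        return "not affected"
    if not h.vendor_patched:
        return "patch or await vendor fix; do not rotate passwords yet"
    # Once fixed, rotation is safe; private keys may also have leaked,
    # so reissuing the host's TLS certificate belongs in the same step.
    return "patched: rotate passwords and reissue TLS certificates"


def triage(hosts):
    return {h.name: next_action(h) for h in hosts}


SAMPLE_INVENTORY = [  # constructed
    Host("mail-gw", "OpenSSL 1.0.1e 11 Feb 2013", vendor_patched=False),
    Host("patient-portal", "OpenSSL 1.0.1f 6 Jan 2014", vendor_patched=True),
    Host("legacy-ehr", "OpenSSL 0.9.8y 5 Feb 2013", vendor_patched=False),
    Host("video-conf", "OpenSSL 1.0.1g 7 Apr 2014", vendor_patched=True),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name:16} {action}")
```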

McMillan said the Heartbleed bug is so widespread because OpenSSL is free software, so it is used by countless e-mail, banking, shopping, communications and healthcare networks.

"If you're relying solely on a password for authentication, it's game over," he said.

On the other hand, he pointed out, if someone is using two- or three-factor authentication, they're safe.

Whether that applies to a majority of the nation's healthcare providers or a minority remains to be seen.
