HIT expert: Payers and providers should be worried about Heartbleed security bug

Even if you’ve already changed your Facebook and bank account passwords, don’t think you’re done with Heartbleed. ModernHealthcare spoke with the CEO of an HIT security firm who said insurers, hospitals, and physician practices should all be addressing the security hole:

Possibly vulnerable healthcare sites include provider websites, physician and patient portals, secure e-mail services, medical monitoring devices, remote-access PACS/RIS systems. Basically, “anything that has built-in encryption capability across the Internet,” said Michael Mathews, president, chief operating officer and chief technical officer of CynergisTek, an Austin, Texas-based systems security firm that specializes in healthcare IT.

Heartbleed is a security flaw in technology used to secure data transmitted over the Internet. Bruce Schneier, a security expert and the Chief Technology Officer of Co3 Systems, explained the bug:

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

This has been a problem for two years, and Bloomberg is reporting that the National Security Agency has been exploiting it for at least that long. Anything critical is already in hacker hands; as Schneier put it, “The probability is close to one that every target has had its private keys extracted by multiple intelligence agencies.” So much for HIPAA protections:

“Anything you logged into and assumed was confidential could possibly have been eavesdropped on for the past two years,” Mathews said. “If it was exploited by the right people for nefarious reasons, it could be haunting us for years to come.”

The one saving grace, Mathews said, is that while a hacker outside an organization could have used Heartbleed to access encrypted data, “You have to know where you want to go and you have to wait for the data to come to you.”

“Let’s say you wanted to exploit Amazon,” he said. “First, you have to know if Amazon is vulnerable. Then, you have to exploit the vulnerability. Then, you have to sit there and wait for the data to move. Someone has to have enough umph and motivation to target your site.”

Use this web tool to test your own site to see if it was affected.

Best part of all this? The programmer who has claimed responsibility for the flaw said it was a mistake, not intentional sabotage.