Heartbleed’s biggest healthcare threats
The longer I work in healthcare communications and technology, the more parallels I see between medicine and computers. When news broke about the Heartbleed bug on the Internet, it was clearly deja vu all over again.
Dealing with online security threats is much like treating rapidly mutating bacteria and viruses – new ones will always appear to defy conventional safeguards, leaving no one 100-percent protected. Whether in hospitals or on servers, risks are ever-present; the most we can hope for is to reduce them to small odds.
In the face of both deadly diseases and pernicious computer bugs, small odds of disaster can look pretty attractive. In the spirit of giving bad news first, let’s look at some hard realities and then quickly move to signs of hope, as well as some safeguarding methods.
- We can’t work and live without computers. In the 21st century, these machines are as essential to healthcare as syringes and latex gloves. It’s not just electronic health records that could be affected by Heartbleed and other bugs but also life-saving healthcare devices, appliances and remote monitoring systems. Even phones and security cameras in hospitals might be compromised.
- The Heartbleed vulnerability is everywhere. Approximately two-thirds of websites on the Internet use the OpenSSL software targeted by Heartbleed, presenting unlimited opportunity to sabotage almost every conceivable sort of information system.
- Although discovered and widely reported only this month, Heartbleed’s been around for two years. That means that any website that the average Internet user has logged into for the past 24 months and believed was confidential could be at risk.
- Public trust in health IT systems, which has never been particularly strong, could fall to new lows. For many healthcare providers, patients’ discomfort over electronically stored health data has been the biggest challenge in meeting meaningful-use standards under the Affordable Care Act. Massive news coverage of Heartbleed hardly overcomes such fears.
Hopeful signs of progress
- Now onto the optimistic point of view. As soon as the Heartbleed news hit, software developers moved at lightning speed to devise a fix, commonly known as a “patch.” Within days, some of the world’s largest tech companies scrambled to install the patch and subsequently thwart hackers.
- Heartbleed affects only websites that use encryption code. Internet security firm Sucuri estimates that as of mid-April, only about 2 percent of the 1 million most popular websites are still vulnerable. While that’s 20,000 websites, it’s a comparatively small portion of all sites on the Internet.
- We at Vanguard Communications have seen no evidence that any of the data we oversee in management of our clients’ websites has been affected. Moreover, we received assurances from the developers of software generally used on and by clients’ websites that the newest anti-Heartbleed patches were in place.
- Frequent and reliable data backups have become the absolute standards of modern IT management. Notwithstanding the patch, our clients’ websites are backed up several times a week. In the unlikely event of a website crash for ANY reason, we have a backup copy of each no more than a few days old.
- Successfully deploying Heartbleed to snag valuable data isn’t necessarily a slam dunk. “You have to know where you want to go, and you have to wait for the data to come to you,” said Michael Mathews, president, chief operating officer and chief technical officer of CynergisTek, an Austin, Texas-based systems security firm specializing in healthcare IT. That takes time, patience and determination.
Five tips for guarding against Heartbleed
- Take the highest precautions. An ounce of cyber prevention can spare heartbreak. Heartbleed’s risks go well beyond a hospital or medical practice website into the realm of its entire IT structure, which is likely at greater risk, given the vast amount of sensitive data stored in practice management and EHR systems.
- Don’t assume the worst. Most or all of your online assets could actually be safe. You can check a website’s vulnerability to Heartbleed by entering its address on this webpage: http://safeweb.norton.com/heartbleed
- A change of passwords is probably not essential in most cases but a good idea nonetheless out of an abundance of caution. We recommend updating business and personal passwords immediately. The only cost is the time to make the changes, and the only risk is temporary confusion over passwords – small prices to pay for peace of mind.
- Beware of phishers and other scam artists trying to take advantage of uncertainty. Avoid responding to any emails containing links for you to reset your password. Instead, visit the website directly where you have always been able to change your settings.
- Practice the gentle art of acceptance. Nothing is constant except for change. Advancements in healthcare come in larger steps every year. With the gains always come tradeoffs. The same is true in healthcare information. Millions of Americans have unprecedented online access to the body of medical knowledge and, more saliently, to information about their individual health. In five years or three or maybe even in one, Heartbleed will likely be a distant memory.
Vanguard considers our clients’ security our #1 priority
Protect your website and protect your patients’ information with Vanguard’s suite of security features for websites and online forms. Our PHI Security Suite offers the highest meaningful level of Internet security, satisfying and surpassing HIPAA standards.