Heartbleed Bug Threatens to Leak Sensitive Personal Health Information

The recently discovered Heartbleed security bug may give hackers unfettered access to sensitive personal health data stored in servers and websites unless measures are undertaken to address the issue, experts warn.

Like many industries who are dependent on supposedly secure Internet infrastructure, the healthcare sector is concerned with the discovery of the Heartbleed bug which can affect Web-based health applications such as:

• Patient portals
• Physician websites
• Insurance exchanges
• Remote patient monitoring systems
• Medical devices
• Health and wellness apps
• Telemedicine applications
• Cloud-based electronic health records

Health IT experts are worried that the bug may leak sensitive personal health information to cybercriminals that could hack into computer systems used by health organizations.

Patients and health consumers meanwhile may have little choice to trust the experts maintaining the servers in hospitals and physician offices that contain their health data to eventually fix the issue. 

However, they may have second thoughts about using an Internet-based health app, for example, that they installed which allows them to share information online using a server made vulnerable by Heartbleed.

The bug allows anyone to get up to 64KB of memory and information like usernames, passwords, credit card numbers and other personal data contained in email, instant messaging, virtual private networks and web applications. Hackers can then steal and use the information for nefarious purposes.

Security experts are not sure if and how many attacks exploiting Heartbleed have taken place in the two years it had been hidden since a potential hacking job exploiting the glitch can leave no trace.

Publicly disclosed on April 7, Heartbleed is a vulnerability in the OpenSSL cryptographic software library according to the security company which first uncovered it.

OpenSSL is an open-source computer security standard and encryption system used by half a million to a billion websites as well as operating systems and mobile applications.

A programmer working for the team that developed the standard has come forward to admit that he inadvertently inserted the flaw. Somehow it passed the scrutiny of other programmers working on the project and the bug has remained undetected for two years.

Government agencies, companies and vendors are scrambling to determine the extent to which Heartbleed has affected computers but a patch has been released to fix the bug.

The main U.S. insurance exchange marketplace HealthCare.gov as well as MyMedicare.gov are not one of those affected according to the Centers for Medicare and Medicaid Services.

“We are continuing to coordinate across agencies to ensure that all federal government websites are protected from this threat,”

Larry Zelvin, director of the Department of Homeland Security National Cybersecurity and Communications Integration Center, wrote in a blog post.

“We are continuing to coordinate across agencies to ensure that all federal government websites are protected from this threat.”

This comes after a report saying that there has been a sharp increase in recent months of malicious emails posing as legitimate messages from health insurance companies. Cybercriminals try to trick consumers into giving personal health data or make dubious payments online. In the same manner, scammers can also use Heartbleed to eavesdrop on private communication or commit identity theft.

In an industry where data security and privacy are paramount, health organizations are now reviewing their health IT security measures with the announcement of the Heartbleed vulnerability, which could stifle any gains the industry has accrued over the last few years in building trust from health consumers.

"Heartbleed can set back trust in health IT that has been building as it proliferates, and as the protections under HIPAA/HITECH are baked into the policies and procedures of more and more vendors,"

Said FierceHealthIT Editorial Advisory Board member David Harlow.

"Some of my clients have already informed their customers about the steps they are taking, and explaining why they are taking them--even if they are not directly affected by this exploit."

Hospitals and clinics who maintain health IT systems will not only be the ones worried about potential security attacks because of Heartbleed.

Health consumers and patients, who are only beginning to be open about sharing personal data using wearables, smartphones and health apps, likewise may want to step back and be cautious about using any application that connects to the Web at least until security patches are deployed.

Computer security experts are encouraging users to change passwords and to provide personal health information carefully. So far, IT industry observers have not determined any widespread leaks in consumer health data due specifically to Heartbleed.