Are electronic health records safe from the next heartbleed?
by Alisha Wyman, California Health Report
A widely-used version of an Internet encryption program has a vulnerability that may have exposed volumes of online patient medical records to cyber-criminals.
Heartbleed is a bug in Open SSL, an open-source programming protocol used to add layers of security to websites as they communicate with servers and computers.
The bug allows hackers to gain access to servers and expose data such as usernames and passwords, encryption keys or information a consumer enters on a web form.
It has been called one of the Internet’s biggest security threats, and poses security risks across industries.
As more and more health-related services use the web to interact with patients, consumers are increasingly vulnerable to health care fraud, identity theft and financial loss.
The discovery of the bug in early April coincided with the end of the sign-up period for the Affordable Care Act, which has relied heavily on web interaction with millions of consumers.
Users of healthcare.gov have been instructed to change their passwords on their accounts.
“That’s really the perfect storm in terms of a target that someone would want to go after,” said Rob Sadowski, director of technology solutions for RSA, which offers security and fraud detection services for businesses and organizations seeking to protect online information. RSA is the security division of EMC, a Massachusetts based IT company.
Health care organizations are both desirable targets for cyber-criminals and less prepared than other sectors to protect against an attack, Internet security experts agree.
On April 8, the FBI released a private industry notification to medical organizations that health care systems and medical devices are at risk.
The mandated deadline to transfer medical records from paper to electronic records is January 2015, which opens up these records to the risk of being exploited, the FBI notification says.
“The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI writes.
It cites a Ponemon Institute report from March 2013 that found 63 percent of health care organizations surveyed reported a data breach within the past two years. Those breaches cost an average of $2.4 million each.
About 45 percent of health care organizations admitted they have not implemented security measures to protect patient information.
The notice urges organizations to report suspicious activity to the local FBI office.
Heartbleed’s danger comes because Open SSL is so widely used, said David Harlow, principal of The Harlow Group, a health care law and consulting firm in Boston, Mass., and author of HealthBlawg.
In recent history, breaches in health care information came after isolated incidents such as the theft of a laptop containing millions of health care records out of a rental car, Harlow said.
But Heartbleed opened up breaches across the web to the degree at which Open SSL is used, he said. Experts can’t yet evaluate the extent of the vulnerability of the web to Heartbleed.
As more health-related services migrate online, including insurance sign ups, information submitted for insurance claims and interaction with doctors on web-based systems, the risk grows, Sadowski said.
The bug has been in existence for about two years, however, it was discovered in early April. Attempts to exploit the bug began only recently, Sadowski said.
“Medical information is one of the most valuable commodities in the criminal underground,” he said.
Cyber-criminals are interested in the biggest players and ways they can cash out on information collected. Large-scale systems housing huge numbers of medical records are cash cows to criminals if they can access them, Sadowski said.
Sensitive information such as social security numbers, personal IDs and mother’s maiden names are often stored in medical records.
Thieves can use insurance information to impersonate a victim and acquire thousands of dollars of medical services, which is then billed to the victim. They can use the information collected for identity theft. Or they can hijack prescriptions for certain drugs.
A 2013 RSA White Paper found that even partial electronic health records are sold for $50 each on the black market, compared to $1 for a stolen social security number or credit card number.
Electronic health record theft takes twice as long to detect as normal identity theft and is more difficult to clean up, the white paper said. While a credit card can be cancelled, data found in medical records doesn’t change, according to the document.
“There’s all kind of fraud that goes on, and the more information that’s in the cloud, the more information that is available to bad actors,” Harlow said.
Organizations must report breaches affecting 500 individuals or more within 60 days, he said. If the breach is less than 500, the business must report it by 60 days from the end of the year.
Given that time frame, the public may not hear of breaches due to Heartbleed until June, he said.
The best way to protect against the bug is to change passwords for user accounts and make sure that passwords are different for each online portal, Sadowski said.
However, if a user changes a password before the patch is implemented, the new password could also be compromised, Harlow said.
Covered California is not requiring users to change their passwords, spokeswoman Ann Gonzales said. She wouldn’t say whether the California exchange for the Affordable Care Act is using Open SSL.
“We monitor 24/7 for any system irregularities and take all necessary precautions to protect consumer privacy,” she said.
Anthem Blue Cross, one of the state’s largest health insurance providers, has conducted an internal review of its systems and is currently putting solutions in place to further defend against threats, California Spokesman Darrel Ng said.
“Anthem Blue Cross is committed to safeguarding its data, the personal health information of its members and the information of its customers,” he said.
Most companies using Open SSL have already implemented security patches, Sadowski said. The notoriety and threat of Heartbleed prompted organizations to act fast.
But the danger isn’t over, he said. RSA has a product that can detect when cyber criminals are trying to enter a system, he said.
“We are still seeing many attempts by attackers to exploit that,” he said.
Even after security risks from Heartbleed die down, other threats will crop up, Harlow said.
Internet security is something everyone should be diligent about on an ongoing basis, he said.
“I think the main point in all of this is that it maybe should be a wakeup call to folks that this is the kind of thing that can happen, and it almost definitely is going to happen again,” he said.