Mitigating HeartBleed Risk for Healthcare Data Security

Last updated Jun 15, 2023 | Published on Nov 25, 2014 | Healthcare News

The HeartBleed bug, an encryption flaw discovered by Codenomicon Defensics and Google Security in April, is regarded as the biggest security threat the internet has ever seen. According to security experts, this bug affected several popular websites such as Gmail and Facebook and could have exposed sensitive information over the past two years. They also believe it could be a threat to the healthcare industry, because many networks and web applications are used every day and there is a greater chance of confidential health information being exposed. We have recently seen administration officials asking people who have accounts on the Obamacare enrollment website to change their passwords.

Let’s take a detailed look at how HeartBleed affects healthcare data and what can be done to overcome this risk.

How Does HeartBleed Affect Practice Data?

Technically speaking, HeartBleed is a vulnerability in the open source cryptographic software library OpenSSL, which is typically used to provide communication security and privacy for Internet-based applications including web services, e-mail and private networks. OpenSSL is very common in the healthcare industry. It is used in health software for public-facing web applications such as patient portals and payment gateways for payers, and in certain medical devices. OpenSSL is also quite common in back-end applications on an EHR system. So, if healthcare organizations do not fix this vulnerability, they will have an open network and give hackers the opportunity to make administrative changes in the network (for example, changing access requirements). This means all patient data, from electronic medical records to medical billing information, is at risk of theft, which does not bode well for healthcare organizations from the point of view of quality patient care as well as reimbursement.

What Physician Practices Can Do

  • Investigate your exposure to HeartBleed and list all potentially impacted websites and medical devices that you use and that communicate sensitive information. There are several online tools available to check for the vulnerability. Once you have made the list, patch the affected servers.
  • Immediately change your passwords and notify both consumers and employees to change theirs. According to the HIPAA rule, if a covered entity finds evidence that the HeartBleed bug has led to unauthorized access to or acquisition of protected health information, a notification is required.
  • Contact your vendors, ask whether they are affected by the bug and make sure that they have patched their systems. If they are still fixing the bug, ensure that they notify you once the task is over so that you can then reset your password.
  • Even if the vulnerability was not found, organizations should take the necessary steps to address the security risk and safeguard protected healthcare information. They should conduct a comprehensive and periodic security risk assessment, train their employees properly and perform technology updates and patches.

Physicians should not only care about the security of tasks performed in-house, but also make sure that outsourcing companies take proper security measures if their billing and coding tasks are outsourced. Seeking help from a medical billing and coding company that offers HIPAA compliant medical billing services is the right choice to avoid HeartBleed risk.
