The HeartBleed bug, an encryption flaw discovered by Codenomicon Defensics and Google Security in April is regarded as the biggest security threat the internet has ever seen. As per the security experts, this bug affected several popular websites such as Gmail and Facebook and could have exposed sensitive information the past two years. They also opine this could be threatening for the healthcare industry as a number of networks and web applications are used every day and there is greater chance for the exposure of confidential health information. We have recently seen administration officials asking people having accounts on Obamacare enrollment website to change their passwords.
Let’s take a detailed look at how HeartBleed affects healthcare data and what can be done to overcome this risk.
How Does HeartBleed Affect Practice Data?
Technically speaking, HeartBleed is vulnerability in the open source cryptographic software library (OpenSSL), which is typically used to provide communication security and privacy for Internet-based applications including web services, e-mail and private networks. OpenSSL is very common in the healthcare industry. It is used in health software for public-facing web applications such as patient portals, payment gateways for payers and in certain medical devices. OpenSSL is quite common for back-end applications on an EHR system. So, if healthcare organizations do not fix this vulnerability, they will have an open network and provide opportunity for hackers to make administrative changes in the network (for example, changing access requirements). This means all patient data from electronic medical records to medical billing information are at the risk of theft, which does not portend good for healthcare organizations from the point of view of quality patient care as well as reimbursement.
What Physician Practices Can Do
- Investigate your exposure to HeartBleed and list out all potentially impacted websites and medical devices that you use and communicate sensitive information. There are several online tools available to check for vulnerability. Once you make out the list, patch the affected servers.
- Immediately change your passwords and notify both consumers and employees to change theirs. According to the HIPAA rule, if a covered entity finds evidence that HeartBleed bug has led to unauthorized access or acquisition of protected health information, a notification is required.
- Contact the vendors and enquire whether they are affected by the bug and make sure that they have patched their systems. If they are fixing the bug, ensure that they notify you once the task is over so that you can then reset your password.
- Even if the vulnerability was not found, organizations should take necessary steps to address the security risk and safeguard protected healthcare information. They should conduct a comprehensive and periodic security risk assessment, train their employees properly and perform technology updates and patches.
Physicians should not care about the security of tasks performed in-house, but make sure that the outsourcing companies take proper security measures if their billing and coding tasks are outsourced. Seeking help from a medical billing and coding company that offers HIPAA compliant medical billing services is the right choice to avoid HeartBleed risk.