Healthcare News & Insights

Hospitals not safe from Heartbleed virus, other cyber threats

Securing health information technology is a top priority in the healthcare industry — but are we still leagues away from being fully protected from cyberthreats? 

That seems to be the takeaway from FierceHealthIT’s report on the recent panic over Heartbleed.

Catching the cyber bug

Heartbleed is the name of a computer virus that’s compromised the data security of hundreds of thousands of websites across a variety of industries. For two years, the virus went unnoticed and exposed websites and services using OpenSSL encryption to data theft.

According to Government Health IT, Heartbleed’s implications for the healthcare industry are especially serious. Many web-based electronic health record (EHR) systems are vulnerable to unauthorized access through Heartbleed. Not only can the virus allow a hacker to read 64KB of data, it can also provide pathways for hackers to access private emails, as well as steal passwords, decryption keys, usernames, financial info and other protected health data.

To test the Heartbleed threat, Cloudflare, an IT security firm in California, challenged hackers to use Heartbleed to try stealing fake encryption keys that would unlock secured data, Modern Healthcare reported. In a matter of hours, four different hackers had stolen the encryption key from the test servers.

Heartbleed’s damage goes beyond just data vulnerabilities. The virus hurts the trust the healthcare industry has built.

In short, the worst effect of Heartbleed is that it shows just how unprepared many hospitals are when it comes to facing new and ongoing cyber threats.

Not safe enough

However, the Department of Health & Human Services (HHS) has shown that Heartbleed isn’t the only IT threat hospitals may not be ready for, says a Healthcare Info Security article.

HHS recently conducted cybersecurity drills involving 13 healthcare sector companies including hospitals, health insurers and a nationwide retail pharmacy chain. It addressed possible threats, like a compromised medical device and other hacker-related attacks.

Getting back to basics on security is one recommendation from Kevin Charest, HHS’ chief information security officer.

Though full results from the drills will be released later this month, early findings have already shown problems with some facilities’ basic security precautions and procedures, such as knowing who to call when a breach or incident occurs.

Another suggestion from Charest encourages healthcare facilities to actually share information about possible data threats and security measures despite apprehension about liability issues.

“It is clear that one of the conundrums is ‘what do I share, and how can I share’ so it doesn’t cause me liability,” Charest says. “If you’ve got a breach or other problem, and you share that [information], what liability have you introduced into your environment? Not liability from a cybersecurity standpoint, but liability from a company standpoint.”

An ounce of protection

As facilities hopefully begin resolving that conundrum and sharing security info, there’s still the issue of what hospitals and administrators can do to keep their health information protected from ongoing threats like Heartbleed.

Hospitals can still benefit from making sure they’ve met all of HIPAA’s regulations for data security through risk assessments.

Additionally, both Charest and Government Health IT recommend using two-factor authentication to add extra security to existing systems. Government Health IT also recommends that facilities back up important web data files and delete any outdated or unused financial or credit card info.

Now may also be a good time for healthcare facilities to contact their EHR and IT vendors to better understand what damage Heartbleed can do to their systems, as well as see what steps they’ve taken to prevent further data exposure.
