Thousands of security breaches may be undetectable, experts say
Hospitals and providers’ online networks—including email accounts, electronic health records (EHRs), and remote monitoring devices—may be vulnerable to a destructive “Heartbleed” computer bug, according to security experts.
A Google engineer and another security team last week discovered the bug and found that it infiltrates systems through a widely used Web encryption program known as OpenSSL; websites such as Amazon and Google use the program. After a breach, hackers may be able to get sensitive information from email servers, laptops, mobile phones, and security firewalls, experts say.
“[T]his is huge…it’s servers, it’s appliances, it’s devices,” says CynergisTek CEO Mac McMillan, adding that the bug has been around for about two years and experts do not know how many breaches may have already happened. Government agencies and private companies are rushing to fix any vulnerabilities, but breaches may not be detected for a long time, if at all.
“It’s going to be a long, long time before they truly understand the scope of this,” says McMillan.
CEO of CloudFlare Matthew Prince called Heartbleed “the worst bug the Internet has ever seen,” adding “[i]f a week from now we hear criminals spoofed a massive number of accounts of financial institutions, it won’t surprise me.”
At this point, it is also unclear if the nation’s health care providers are especially vulnerable. For example, Web networks that rely on two- or three-factor password authentication should be safe, McMillan says.
But even health groups that do not rely on OpenSSL should be worried about ramifications of the massive breach, according to David Harlow, principal of health care law Harlow Group.