What Health Orgs Need To Know About Heartbleed

Lauren Still | Government HealthIT | April 10, 2014

As the greater health IT collective was preparing for the Windows XP end-of-life date and the accompanying zero-day attacks, another major security exploit hit the market without warning. CVE-2014-0160, nicknamed Heartbleed by the security firm that first publicly disclosed it (because it exploits a feature called heartbeat), is a serious vulnerability in the OpenSSL cryptographic software library.

Even a cursory review of the health IT sector showed a number of Web-based EHR platforms to be vulnerable, along with some state health insurance exchange platforms and other possible health information exchange platforms. SSL/TLS provides communication security and privacy over the Internet for Web applications and some virtual private networks. The vulnerability can be exploited to intercept private keys, usernames, passwords and other sensitive information such as financial and health information...