Heartbleed Update

Everyone who follows the news is aware of the now-notorious Heartbleed bug, which is thought to have affected up to two-thirds of all websites. Users received notices from websites like Gmail and Pinterest advising them to change their passwords, and an estimated 39% of us actually took the step of updating our login credentials. But why was it an issue in the first place? Was EpiCenter affected?

Typically, when a user logs into a website, their username and password are submitted securely to the site via the Secure Sockets Layer (SSL) protocol. SSL uses unique certificates to confirm a party’s identity to a user’s web browser (i.e., it confirms that the site the user is attempting to access is who it says it is). One of the most commonly used SSL products is OpenSSL, an open-source SSL program. The Heartbleed bug existed in OpenSSL for nearly two years before being discovered in April of 2014. This bug could allow passwords or other sensitive information to be exposed to individuals who were aware of and inclined to exploit the bug.

The cause of the Heartbleed bug is a missing bounds check in the “heartbeat” portion of an SSL connection, which has the potential to allow an individual to obtain more data than should be allowed. When computers are “talking” to each other, heartbeats are used to confirm that the other computer is still “alive.” If one of the computers does not respond to the other’s heartbeat, the sender knows that the connection is broken. They do this by exchanging a piece of data, and in OpenSSL the sender has to specify the amount of data that is to be exchanged. Individuals intending to exploit the bug could read supposedly encrypted data from a web server by falsifying the size of the payload that they were requesting during the heartbeat process. Websites were able to fix the issue by installing a fix from OpenSSL, and many asked users to change their passwords in case they had been compromised.
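The missing bounds check described above, as an added example: a simplified model written for this page, not OpenSSL's own code. The buffer contents and the names `build_sample`, `echo_unchecked` and `echo_checked` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define HB_REQUEST 1
#define HB_PADDING 16u                     /* minimum padding, RFC 6520 */
#define REC_LEN (1 + 2 + 3 + HB_PADDING)   /* bytes actually received */

/* Simplified message: type (1) | claimed payload length (2, big-endian) |
 * payload | padding. Constructed sample: the record sits in a larger buffer
 * next to unrelated data, standing in for server memory. */
static unsigned char mem[64];

void build_sample(unsigned claimed)
{
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(mem + 3, "hey", 3);                     /* the real payload */
    memcpy(mem + REC_LEN, "SESSION-SECRET", 14);   /* not in the record */
}

/* Trusts the claimed length; rec_len is never consulted. */
long echo_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;
    memcpy(out, rec + 3, claimed);         /* can run past the record */
    return (long)claimed;
}

/* With the bounds check: returns -1 (message discarded) on a mismatch. */
long echo_checked(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                         /* too short or wrong type */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len)
        return -1;                         /* claims more than was sent */
    memcpy(out, rec + 3, claimed);
    return (long)claimed;
}

int main(void)
{
    unsigned char out[64];
    build_sample(36);                      /* 3 real bytes, 36 claimed */
    printf("unchecked: %ld\n", echo_unchecked(mem, REC_LEN, out));
    printf("checked:   %ld\n", echo_checked(mem, REC_LEN, out));
}
```

With the check in place, a heartbeat whose claimed length does not fit inside the bytes actually received is dropped instead of answered.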

 
Health Monitoring Systems uses OpenSSL to facilitate a secure connection for logging into EpiCenter. Upon discovery of the Heartbleed bug, we were able to apply the OpenSSL fix and also replace any relevant certificates. We advised users to change their passwords as a precaution, but Protected Health Information (PHI) was not vulnerable to Heartbleed exploitation. EpiCenter stores encrypted raw data on a server that is not connected to the internet and that EpiCenter does not have direct access to, so our master database of millions of health records, from which EpiCenter draws its data, was in no way compromised. As always, HMS will continue to prioritize keeping data safe in the ever-changing world of healthcare information technology.