The Heartbleed bug compromises EHRs: Physicians and patients beware

Technology finds its way into our lives not so much in big flashy ways as little ones. Oh, I can do this a little bit faster now, isn’t that cool? Wow, isn’t this convenient? Oh, isn’t this a huge risk to my privacy?

Oftentimes, when I start talking about Linux or scripting or the command line or any number of tech subjects that seem increasingly esoteric, I get blank stares from my colleagues, medical students and practitioners alike. As a lifelong tinkerer, though, I’ve witnessed an increasing convergence of technology and medicine. Not in the gee-whiz look-what-this-new-device-or-drug-can-do-what-a-breakthrough way, but in the oh-you-have-to-log-in-to-the-VPN-what-a-pain way.

So, Heartbleed is what this latest vulnerability is being called. It’s a newly discovered vulnerability in the OpenSSL software package, CVE-2014-0160 if you want to look up the gory details. About two-thirds of the web uses it, including both of the major web servers, Apache and nginx, and lots and lots of other software projects besides. What it means is that anyone who has captured traffic that used this particular version of SSL (the “s” in https) in the last two years can, potentially, decrypt that traffic. All of it. So, those VPN sessions that started with going to a website? Assume they are compromised. Change your passwords. Does your VPN use the same package to log in to your EHR? Do you know?

I don’t want to sound alarmist here, but this is serious. And it speaks to both the best and worst of free and open-source software (FOSS) projects. Best, because it was found, disclosed, and promptly patched for many projects that depend on it. For closed-source or proprietary projects, who knows how long that will take. And it speaks to the worst of FOSS because since everyone uses it for free, thorough audits of the codebase are not done as often as perhaps they should be for software that two-thirds of the web is based on.

How much money have the big EHR vendors contributed to the OpenSSL foundation that writes and debugs the software, if they use it? And if they have written their own versions of SSL or a X.509 certificate validator, how do you know how secure that is?

Now, what does this have to do with medicine? As we become increasingly dependent on EHRs and other technical means for communicating and distributing information, the projects that make up the web (a large proportion of which are FOSS) become de facto public health projects. Don’t get me wrong, I certainly wouldn’t want people to start moving to proprietary software more so than they already have. This is what people in the security world call “security through obscurity” and it’s a bit like approaching a MRSA outbreak by simply not surveilling it, and then saying we don’t have a problem.

Privacy is something we take seriously in medicine, but also a thing that in practice we allow our vendors to do the absolute minimum to address, mainly so we’re not worried about HIPAA fines. That is a terrible way to think about security, and it ensures that when vulnerabilities like Heartbleed are found, we are left questioning whether we’ve just exposed our patients’ medical records to the world.

Rigel Hope is a medical student.

Comments are moderated before they are published. Please read the comment policy.