Healthcare's Continuing Heartbleed

It has been nearly two weeks since the Heartbleed vulnerability shook the global e-commerce industry with the realization that Web servers around the world were open to a vulnerability in OpenSSL’s heartbeat feature — and they’d been that way for the past two years. Fortunately, a large number of vulnerable systems have been fixed by now, and most healthcare websites across North America and Europe have been patched and use new server certificates and keys.

It’s still unknown at this stage just how many sites and systems were exploited and what data was compromised, but at least a few large organizations appear to have suffered breaches and, as investigations continue, more will likely join the list. It also remains to be seen whether any significant breaches of personal health information have occurred as a result of Heartbleed and whether regulatory agencies will conduct (expensive) onsite investigations of entities unfortunate enough to be hit.

Healthcare providers have reviewed and patched most of their primary systems, portals and websites that rely on OpenSSL. However, most providers have not considered the vulnerabilities that may still exist in secondary and tertiary systems, many of which include embedded versions of OpenSSL.

Secondary systems, such as hospital VPNs that provide remote access to patients, visitors, partners and business associates, use OpenSSL. Most enterprise routers, firewalls, switches and other key networking components contain a Web server for setup and management. Smaller networking devices, such as cable modems, DSL routers, etc., that provide network access from branch clinics and physician offices to their local hospitals, also contain embedded Web servers, and most also leverage OpenSSL.

If a hacker can use Heartbleed to compromise the router in a small clinic, for example, he or she can obtain the encryption keys or certificates used to secure remote access to hospital networks and information systems. Those keys and certificates may not be unique to that particular clinic and could be common to all VPNs of a particular hospital supporting literally hundreds of other clinics and physician offices.

A multimillion-dollar hospital operation is only as secure as its weakest link and, in this case, could be compromised easily by a $30 consumer router left forgotten and unpatched in a remote clinic. Of course, keys and certificates should be unique to each connection, but best security practices are not always followed in healthcare.

Lesser-known industrial control systems (ICS) used to manage hospital infrastructure — HVAC, power, water and a heap of other services vital to the successful delivery of healthcare — are now managed by offsite, third-party service providers. Most of these providers access the systems remotely via the devices’ Web interface, often secured only by an SSL connection.

Most hospital security and IT leaders have little or no understanding of these potentially vulnerable ICS devices scattered around various sites, nor do they have access to or an inventory of most of them. Many have been in place for years and may have been installed by outside electrical or HVAC contractors and never documented. Only the facilities department would have the slightest idea of their whereabouts or functionality.

All of these ancillary systems will need to be discovered, documented, carefully investigated and patched if vulnerable. This gargantuan task will take weeks of investigative work and examination, and require security staff to visit all kinds of locations to verify that their core network is not likely to be compromised.

Any devices or services — and the systems accessed by them — that are found to be vulnerable and accessible will need further investigation for unauthorized data access.
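As an added example (not part of the original article), the Python sketch below triages a device inventory of the kind described above. It flags OpenSSL builds in the publicly documented Heartbleed range (1.0.1 through 1.0.1f and the 1.0.2 betas) and, for each flagged device, lists every device sharing its certificate, since a shared key exposed on one clinic router must be reissued everywhere it is used. The inventory, device names, fingerprint labels and field names are constructed assumptions.

```python
import re
from collections import defaultdict

# Affected range per the public OpenSSL advisory (not stated in the article):
# 1.0.1 through 1.0.1f and 1.0.2-beta/beta1. 1.0.1g, 1.0.0 and 0.9.8 are not.
_AFFECTED = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1?$")


def is_heartbleed_affected(version):
    """Triage by version string only. Vendors sometimes backport the fix
    without changing the version, so a match means 'investigate', not proof."""
    return bool(_AFFECTED.match(version.strip()))


def triage(inventory):
    """Map each affected device to every device that shares its certificate.

    If one affected device leaked a private key, all devices using that same
    key/certificate need new keys and certificates, patched or not.
    """
    by_cert = defaultdict(list)
    for dev in inventory:
        by_cert[dev["cert_fp"]].append(dev["name"])
    report = {}
    for dev in inventory:
        if is_heartbleed_affected(dev["openssl"]):
            report[dev["name"]] = sorted(by_cert[dev["cert_fp"]])
    return report


# Constructed sample inventory; cert_fp values are placeholder labels,
# standing in for real certificate fingerprints.
INVENTORY = [
    {"name": "hq-vpn-gw", "openssl": "1.0.1g", "cert_fp": "FP-SHARED-VPN"},
    {"name": "clinic-a-router", "openssl": "1.0.1e", "cert_fp": "FP-SHARED-VPN"},
    {"name": "clinic-b-router", "openssl": "0.9.8y", "cert_fp": "FP-SHARED-VPN"},
    {"name": "hvac-controller", "openssl": "1.0.1c", "cert_fp": "FP-HVAC-01"},
    {"name": "clinic-c-router", "openssl": "1.0.0k", "cert_fp": "FP-CLINIC-C"},
]

if __name__ == "__main__":
    for name, exposed in triage(INVENTORY).items():
        print(f"{name}: patch, then reissue keys/certs on: {', '.join(exposed)}")
```

In the sample data, the already-patched headquarters gateway still needs a new certificate because it shares one with an affected clinic router.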

Unfortunately, as much as we would like to think that Heartbleed is behind us now, the fact is that for most of us in the healthcare industry, it has only just begun.