Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

The Heartbleed bug compromises EHRs: Physicians and patients beware

Rigel Hope
Tech
April 9, 2014
Share
Tweet
Share

Technology finds its way into our lives not so much in big flashy ways as little ones. Oh, I can do this a little bit faster now, isn’t that cool? Wow, isn’t this convenient? Oh, isn’t this a huge risk to my privacy?

Oftentimes, when I start talking about Linux or scripting or the command line or any number of tech subjects that seem increasingly esoteric, I get blank stares from my colleagues, medical students and practitioners alike. As a lifelong tinkerer, though, I’ve witnessed an increasing convergence of technology and medicine. Not in the gee-whiz look-what-this-new-device-or-drug-can-do-what-a-breakthrough way, but in the oh-you-have-to-log-in-to-the-VPN-what-a-pain way.

So, Heartbleed is what this latest vulnerability is being called. It’s a newly discovered vulnerability in the OpenSSL software package, CVE-2014-0160 if you want to look up the gory details. About two-thirds of the web uses it, including both of the major web servers, Apache and nginx, and lots and lots of other software projects besides. What it means is that anyone who has captured traffic that used this particular version of SSL (the “s” in https) in the last two years can, potentially, decrypt that traffic. All of it. So, those VPN sessions that started with going to a website? Assume they are compromised. Change your passwords. Does your VPN use the same package to log in to your EHR? Do you know?

I don’t want to sound alarmist here, but this is serious. And it speaks to both the best and worst of free and open-source software (FOSS) projects. Best, because it was found, disclosed, and promptly patched for many projects that depend on it. For closed-source or proprietary projects, who knows how long that will take. And it speaks to the worst of FOSS because since everyone uses it for free, thorough audits of the codebase are not done as often as perhaps they should be for software that two-thirds of the web is based on.

How much money have the big EHR vendors contributed to the OpenSSL foundation that writes and debugs the software, if they use it? And if they have written their own versions of SSL or a X.509 certificate validator, how do you know how secure that is?

Now, what does this have to do with medicine? As we become increasingly dependent on EHRs and other technical means for communicating and distributing information, the projects that make up the web (a large proportion of which are FOSS) become de facto public health projects. Don’t get me wrong, I certainly wouldn’t want people to start moving to proprietary software more so than they already have. This is what people in the security world call “security through obscurity” and it’s a bit like approaching a MRSA outbreak by simply not surveilling it, and then saying we don’t have a problem.

Privacy is something we take seriously in medicine, but also a thing that in practice we allow our vendors to do the absolute minimum to address, mainly so we’re not worried about HIPAA fines. That is a terrible way to think about security, and it ensures that when vulnerabilities like Heartbleed are found, we are left questioning whether we’ve just exposed our patients’ medical records to the world.

Rigel Hope is a medical student.

Prev

The alarming decline of internal medicine recertification pass rates

April 9, 2014 Kevin 18
…
Next

What health care can learn from Katz's Delicatessen

April 9, 2014 Kevin 30
…

Tagged as: Health IT

Post navigation

< Previous Post
The alarming decline of internal medicine recertification pass rates
Next Post >
What health care can learn from Katz's Delicatessen

ADVERTISEMENT

More in Tech

  • AI is already replacing doctors—just not how you think

    Bhargav Raman, MD, MBA
  • A mind to guide the machine: Why physicians must help shape artificial intelligence in medicine

    Shanice Spence-Miller, MD
  • How digital tools are reshaping the doctor-patient relationship

    Vineet Vishwanath
  • The promise and perils of AI in health care: Why we need better testing standards

    Max Rollwage, PhD
  • 3 tips for using AI medical scribes to save time charting

    Erica Dorn, FNP
  • Would The Pitts’ Dr. Robby Robinavitch welcome a new colleague? Yes. Especially if their initials were AI.

    Gabe Jones, MBA
  • Most Popular

  • Past Week

    • Forced voicemail and diagnosis codes are endangering patient access to medications

      Arthur Lazarus, MD, MBA | Meds
    • How President Biden’s cognitive health shapes political and legal trust

      Muhamad Aly Rifai, MD | Conditions
    • The One Big Beautiful Bill and the fragile heart of rural health care

      Holland Haynie, MD | Policy
    • America’s ER crisis: Why the system is collapsing from within

      Kristen Cline, BSN, RN | Conditions
    • Why timing, not surgery, determines patient survival

      Michael Karch, MD | Conditions
    • How early meetings and after-hours events penalize physician-mothers

      Samira Jeimy, MD, PhD and Menaka Pai, MD | Physician
  • Past 6 Months

    • Forced voicemail and diagnosis codes are endangering patient access to medications

      Arthur Lazarus, MD, MBA | Meds
    • How President Biden’s cognitive health shapes political and legal trust

      Muhamad Aly Rifai, MD | Conditions
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • The One Big Beautiful Bill and the fragile heart of rural health care

      Holland Haynie, MD | Policy
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • The hidden health risks in the One Big Beautiful Bill Act

      Trevor Lyford, MPH | Policy
  • Recent Posts

    • Beyond burnout: Understanding the triangle of exhaustion [PODCAST]

      The Podcast by KevinMD | Podcast
    • Facing terminal cancer as a doctor and mother

      Kelly Curtin-Hallinan, DO | Conditions
    • Online eye exams spark legal battle over health care access

      Joshua Windham, JD and Daryl James | Policy
    • FDA delays could end vital treatment for rare disease patients

      G. van Londen, MD | Meds
    • Pharmacists are key to expanding Medicaid access to digital therapeutics

      Amanda Matter | Meds
    • Why ADHD in women requires a new approach [PODCAST]

      The Podcast by KevinMD | Podcast

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Forced voicemail and diagnosis codes are endangering patient access to medications

      Arthur Lazarus, MD, MBA | Meds
    • How President Biden’s cognitive health shapes political and legal trust

      Muhamad Aly Rifai, MD | Conditions
    • The One Big Beautiful Bill and the fragile heart of rural health care

      Holland Haynie, MD | Policy
    • America’s ER crisis: Why the system is collapsing from within

      Kristen Cline, BSN, RN | Conditions
    • Why timing, not surgery, determines patient survival

      Michael Karch, MD | Conditions
    • How early meetings and after-hours events penalize physician-mothers

      Samira Jeimy, MD, PhD and Menaka Pai, MD | Physician
  • Past 6 Months

    • Forced voicemail and diagnosis codes are endangering patient access to medications

      Arthur Lazarus, MD, MBA | Meds
    • How President Biden’s cognitive health shapes political and legal trust

      Muhamad Aly Rifai, MD | Conditions
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • The One Big Beautiful Bill and the fragile heart of rural health care

      Holland Haynie, MD | Policy
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • The hidden health risks in the One Big Beautiful Bill Act

      Trevor Lyford, MPH | Policy
  • Recent Posts

    • Beyond burnout: Understanding the triangle of exhaustion [PODCAST]

      The Podcast by KevinMD | Podcast
    • Facing terminal cancer as a doctor and mother

      Kelly Curtin-Hallinan, DO | Conditions
    • Online eye exams spark legal battle over health care access

      Joshua Windham, JD and Daryl James | Policy
    • FDA delays could end vital treatment for rare disease patients

      G. van Londen, MD | Meds
    • Pharmacists are key to expanding Medicaid access to digital therapeutics

      Amanda Matter | Meds
    • Why ADHD in women requires a new approach [PODCAST]

      The Podcast by KevinMD | Podcast

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...