Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

The Heartbleed bug compromises EHRs: Physicians and patients beware

Rigel Hope
Tech
April 9, 2014
Share
Tweet
Share

Technology finds its way into our lives not so much in big flashy ways as little ones. Oh, I can do this a little bit faster now, isn’t that cool? Wow, isn’t this convenient? Oh, isn’t this a huge risk to my privacy?

Oftentimes, when I start talking about Linux or scripting or the command line or any number of tech subjects that seem increasingly esoteric, I get blank stares from my colleagues, medical students and practitioners alike. As a lifelong tinkerer, though, I’ve witnessed an increasing convergence of technology and medicine. Not in the gee-whiz look-what-this-new-device-or-drug-can-do-what-a-breakthrough way, but in the oh-you-have-to-log-in-to-the-VPN-what-a-pain way.

So, Heartbleed is what this latest vulnerability is being called. It’s a newly discovered vulnerability in the OpenSSL software package, CVE-2014-0160 if you want to look up the gory details. About two-thirds of the web uses it, including both of the major web servers, Apache and nginx, and lots and lots of other software projects besides. What it means is that anyone who has captured traffic that used this particular version of SSL (the “s” in https) in the last two years can, potentially, decrypt that traffic. All of it. So, those VPN sessions that started with going to a website? Assume they are compromised. Change your passwords. Does your VPN use the same package to log in to your EHR? Do you know?

I don’t want to sound alarmist here, but this is serious. And it speaks to both the best and worst of free and open-source software (FOSS) projects. Best, because it was found, disclosed, and promptly patched for many projects that depend on it. For closed-source or proprietary projects, who knows how long that will take. And it speaks to the worst of FOSS because since everyone uses it for free, thorough audits of the codebase are not done as often as perhaps they should be for software that two-thirds of the web is based on.

How much money have the big EHR vendors contributed to the OpenSSL foundation that writes and debugs the software, if they use it? And if they have written their own versions of SSL or a X.509 certificate validator, how do you know how secure that is?

Now, what does this have to do with medicine? As we become increasingly dependent on EHRs and other technical means for communicating and distributing information, the projects that make up the web (a large proportion of which are FOSS) become de facto public health projects. Don’t get me wrong, I certainly wouldn’t want people to start moving to proprietary software more so than they already have. This is what people in the security world call “security through obscurity” and it’s a bit like approaching a MRSA outbreak by simply not surveilling it, and then saying we don’t have a problem.

Privacy is something we take seriously in medicine, but also a thing that in practice we allow our vendors to do the absolute minimum to address, mainly so we’re not worried about HIPAA fines. That is a terrible way to think about security, and it ensures that when vulnerabilities like Heartbleed are found, we are left questioning whether we’ve just exposed our patients’ medical records to the world.

Rigel Hope is a medical student.

Prev

The alarming decline of internal medicine recertification pass rates

April 9, 2014 Kevin 18
…
Next

What health care can learn from Katz's Delicatessen

April 9, 2014 Kevin 30
…

Tagged as: Health IT

Post navigation

< Previous Post
The alarming decline of internal medicine recertification pass rates
Next Post >
What health care can learn from Katz's Delicatessen

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

More in Tech

  • 9 domains that will define the future of medical education

    Harvey Castro, MD, MBA
  • Key strategies for smooth EHR transitions in health care

    Sandra Johnson
  • Why flashy AI tools won’t fix health care without real infrastructure

    David Carmouche, MD
  • Why innovation in health care starts with bold thinking

    Miguel Villagra, MD
  • How self-improving AI systems are redefining intelligence and what it means for health care

    Harvey Castro, MD, MBA
  • How blockchain could rescue nursing home patients from deadly miscommunication

    Adwait Chafale
  • Most Popular

  • Past Week

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • Why flashy AI tools won’t fix health care without real infrastructure

      David Carmouche, MD | Tech
    • Why Medicaid cuts should alarm every doctor

      Ilan Shapiro, MD | Policy
    • How medical culture hides burnout in plain sight

      Marco Benítez | Conditions
    • How the 10th Apple Effect is stealing your joy in medicine

      Neil Baum, MD | Physician
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • The broken health care system doesn’t have to break you

      Jessie Mahoney, MD | Physician
    • How dismantling DEI endangers the future of medical care

      Shashank Madhu and Christian Tallo | Education
    • How scales of justice saved a doctor-patient relationship

      Neil Baum, MD | Physician
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • The silent toll of ICE raids on U.S. patient care

      Carlin Lockwood | Policy
  • Recent Posts

    • Essential questions about nurse practitioner liability insurance [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why being a physician mom is harder than anyone admits

      Cynthia Chen-Joea, DO, MPH | Physician
    • 9 domains that will define the future of medical education

      Harvey Castro, MD, MBA | Tech
    • When the diagnosis is personal: What my mother’s Alzheimer’s taught me about healing

      Pearl Jones, MD | Conditions
    • What led me from nurse practitioner to medical school

      Sarah White, APRN | Education
    • Why local cardiac CT scans could save your life

      Benjamin Cohen, MD | Conditions

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

Leave a Comment

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • Why flashy AI tools won’t fix health care without real infrastructure

      David Carmouche, MD | Tech
    • Why Medicaid cuts should alarm every doctor

      Ilan Shapiro, MD | Policy
    • How medical culture hides burnout in plain sight

      Marco Benítez | Conditions
    • How the 10th Apple Effect is stealing your joy in medicine

      Neil Baum, MD | Physician
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • The broken health care system doesn’t have to break you

      Jessie Mahoney, MD | Physician
    • How dismantling DEI endangers the future of medical care

      Shashank Madhu and Christian Tallo | Education
    • How scales of justice saved a doctor-patient relationship

      Neil Baum, MD | Physician
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • The silent toll of ICE raids on U.S. patient care

      Carlin Lockwood | Policy
  • Recent Posts

    • Essential questions about nurse practitioner liability insurance [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why being a physician mom is harder than anyone admits

      Cynthia Chen-Joea, DO, MPH | Physician
    • 9 domains that will define the future of medical education

      Harvey Castro, MD, MBA | Tech
    • When the diagnosis is personal: What my mother’s Alzheimer’s taught me about healing

      Pearl Jones, MD | Conditions
    • What led me from nurse practitioner to medical school

      Sarah White, APRN | Education
    • Why local cardiac CT scans could save your life

      Benjamin Cohen, MD | Conditions

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Leave a Comment

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...