Early in April, researchers announced the discovery of the Heartbleed security bug, a vulnerability in the widely used OpenSSL cryptographic library. Organizations in every industry use this free open source software to secure a wide range of sensitive consumer and corporate information and IT services. The discovery of such a pervasive flaw caused many firms to take immediate action. The Department of Health and Human Services, for example, alerted all users of HealthCare.gov that their passwords had been reset as a security precaution.
Considering the scope and seriousness of Heartbleed, one may assume that organizations that handle sensitive data regularly may be inclined to rethink their use of open source software. Yet as Modern Healthcare contributor Joseph Conn recently highlighted, this does not appear to be the case in the healthcare sector. From IT security experts to software developers, open source solutions continue to enjoy widespread support.
Open source in healthcare
Speaking to the news source, Steve Pate, chief architect for a cloud-based virtual security services provider in the healthcare sector, argued that despite this recent and major cybersecurity lapse, open source solutions remain "a great way of building solid software."
Furthermore, Pate offered his continued support for OpenSSL specifically. "The encryption methods in there are rock solid. It's the whole mechanism we've been basing online commerce on for a long time. It has had a lot more eyes on it than a lot of the commercial security products today."
The news source noted that among open source software developers, many believe that so long as enough people examine a given piece of code, no serious issues will emerge. While the Heartbleed bug demonstrated that this is not always the case—after all, OpenSSL was one of the most popular open source solutions in the world—Pate and others see this as an anomaly, one that is unlikely to repeat.
As the news source highlighted, the full extent of Heartbleed's impact on the healthcare industry remains unknown as of now. Without a doubt, though, its effects are wide-ranging.
"Across the healthcare industry, Heartbleed made vulnerable not only provider web sites, but also browsers, medical devices, patient records, passwords and other information on their computer systems," Conn wrote.
The writer noted that according to industry expert Michael McMillan, no Heartbleed-related security breaches have yet been discovered in the healthcare sector. However, this does not mean that the industry has avoided damage from this flaw. McMillan pointed out that a cyberattacker leveraging Heartbleed could successfully infiltrate an organization's network without drawing any attention to him or herself.
Given that, as The Economist reported, Heartbleed has been present in certain versions of OpenSSL since March 2012, numerous healthcare providers and related firms were exposed for more than two years. Accurately assessing whether any breaches occurred during this period will take time and effort.
A greater commitment to security
As Conn suggested, healthcare providers are unlikely to abandon OpenSSL or other open source software solutions in the near future. Yet as this incident revealed, reliance on such assets may put organizations at significant risk.
To mitigate these threats, healthcare-related organizations should consider increasing their commitment to data security. Increasing the size of software development and cybersecurity teams can deliver greater oversight, enabling firms to catch potential vulnerabilities before they become serious problems.