Back in early April of this year (2014) a new security vulnerability was disclosed, known as the “Heartbleed Bug” (CVE-2014-0160). The bug is not in Secure Socket Layer (SSL) certificates themselves; it is a missing bounds check in the TLS heartbeat extension of the OpenSSL library, versions 1.0.1 through 1.0.1f, which lets any remote client read up to 64 KB of the server's memory per heartbeat request, without authentication and typically without leaving anything in the server logs. Because OpenSSL sits behind a large share of the websites that use SSL certificates to serve the public securely, the bug has had an impact on the overall global internet community.
As a result, this security issue has had a direct effect on HIPAA compliance. When medical information is viewed from a public webpage, the session is encrypted with keys that chain back to the site's SSL certificate, and those keys live in the memory of the very OpenSSL process the bug exposes. The leaked memory can therefore contain the certificate's private key, user session cookies and passwords, and the protected health information (PHI) being displayed.
The first priority in dealing with this bug is to identify whether the vulnerability actually exists and if systems are prone to an attack. In other words:
Question 1 – Does the system run OpenSSL, either directly or embedded in a web server, load balancer, VPN or appliance, and does the website terminate SSL with a certificate on that software?
Question 2 – Is an affected OpenSSL version (1.0.1 through 1.0.1f) running, or is the version not vulnerable (1.0.1g or later, or the older 0.9.8 and 1.0.0 branches, which never had the heartbeat code)? Beware that Linux distributions backported the fix without changing the version string, so a package that still reports 1.0.1e may already be fixed; check the package changelog or build date rather than the version alone.
If these questions can be answered with a “no” for every system, including any that ran an affected version at some point since OpenSSL 1.0.1 was released in March 2012, then this bug poses no data breach or HIPAA non-compliance concern.
However, if the answer is “yes” or “maybe,” then systems should immediately be reviewed for remediation. Once a system has been identified as vulnerable, implement the appropriate vendor patch (OpenSSL 1.0.1g, or the distribution's backported fix for its existing 1.0.1 package) to close the hole. Until the patch is in, assume that the private key and anything else in that server's memory may already have been read.
Based on the application, system, device, or appliance, organizations can quickly distribute vendor patches to resolve this problem. Keep in mind that once the library on disk has been patched, security scanners may still report the system as vulnerable until further steps are taken.
After the system has been patched, the application-level services that use the library need to be restarted. A running process keeps using the copy of OpenSSL it loaded at start-up, so a web server, mail server, VPN daemon or any other service linked against libssl is still vulnerable after the file on disk has been replaced. Until this is done, the Heartbleed tools and utilities used to scan for the issue will continue to identify the system as vulnerable. In some cases there is only one service to restart, but there may be other dependencies that also require a refresh; when in doubt, reboot the host.
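The two questions above and the restart step can be put into a small check script. The following is an added example, not from the original article or any vendor tool: it classifies the output of `openssl version` against the affected range and, on a Linux host, lists the processes that still map a libssl or libcrypto that was replaced on disk (the kernel tags such mappings “(deleted)”), which is exactly the state in which a patched system still scans as vulnerable. The function names, the sample version strings and the fake /proc tree are my own constructions for illustration.

```sh
#!/bin/sh
# Heartbleed (CVE-2014-0160) triage helpers. Added example, not from the
# original article or any vendor tool. Assumes a Linux host with /proc and the
# openssl command line tool; make_fake_proc builds a constructed /proc tree so
# the logic can be exercised without touching real processes.

# Classify the output of `openssl version` (e.g. "OpenSSL 1.0.1e 11 Feb 2013").
# 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the bug; 1.0.1g fixed it; the
# 0.9.8 and 1.0.0 branches never had the heartbeat code. Distributions backport
# the fix without bumping this string, so "affected" means "check the package
# changelog", not "proven vulnerable".
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo affected ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)                       echo fixed ;;
        0.9.*|1.0.0*)                                        echo unaffected ;;
        *)                                                   echo unknown ;;
    esac
}

# Print PIDs whose memory map still references a libssl or libcrypto that has
# been replaced on disk; the kernel marks such mappings "(deleted)". These
# processes are still running the old code and must be restarted before a
# Heartbleed scanner will report the host as clean. $1 overrides /proc.
stale_ssl_pids() {
    procroot=${1:-/proc}
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -qE 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Host-level report: version classification plus processes needing a restart.
heartbleed_report() {
    echo "openssl version: $(heartbleed_version_status "$(openssl version 2>/dev/null)")"
    pids=$(stale_ssl_pids)
    if [ -n "$pids" ]; then
        echo "processes still holding a replaced libssl/libcrypto (restart them):"
        echo "$pids"
    else
        echo "no process is holding a replaced libssl/libcrypto"
    fi
}

# Constructed fake /proc tree: PID 4242 started before the patch and still maps
# the deleted inode, PID 4243 was restarted afterwards. Prints the directory.
make_fake_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/4242" "$d/4243"
    printf '%s\n' '7f3e6c000000-7f3e6c1f0000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.1.0.0 (deleted)' > "$d/4242/maps"
    printf '%s\n' '7f3e6c000000-7f3e6c1f0000 r-xp 00000000 08:01 1235 /usr/lib/libssl.so.1.0.0' > "$d/4243/maps"
    echo "$d"
}

# Demonstration on the constructed tree; on a real host run heartbleed_report.
demo=$(make_fake_proc)
echo "stale PIDs in constructed tree: $(stale_ssl_pids "$demo")"
rm -rf "$demo"
```

Run `heartbleed_report` on each host as root so every process's maps file is readable. Treat an “affected” result as “investigate”: Debian, Ubuntu and Red Hat all shipped the fix as a backport that still reports 1.0.1e, so confirm with the package changelog or the build date from `openssl version -b` before deciding a host needs work, and treat a non-empty PID list as a hard requirement to restart those services.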
Now that the security issue has been resolved and systems are no longer susceptible to Heartbleed, SSL certificates need to be rekeyed, reissued, then reinstalled. Rekeying means generating a brand-new private key and a new certificate signing request from it, then having the certificate authority issue a certificate for that key; a reissue that reuses the old CSR produces a new-looking certificate for the same possibly stolen key and fixes nothing. The order matters too: rekey only after the patch and service restarts are done, or the new key can be leaked the same way as the old one.
After new certificates have been generated and put into place, the old ones should be revoked with the issuing certificate authority and the old private keys removed entirely from the system, never to be used again. Until it expires, the old certificate is still trusted by browsers, so an attacker holding the leaked key could otherwise impersonate the site, or decrypt previously recorded traffic where forward-secret cipher suites were not in use. Revocation is what closes that door, with the caveat that only clients that check CRLs or OCSP will notice it.
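The rekey step is the one most often done wrong: a common mistake in the weeks after the disclosure was installing a “new” certificate that had been issued for the same private key as the old one. The following is an added example (mine, not the article's or any certificate authority's) that generates a fresh key and CSR, compares the public key inside the old and new certificates, and reads what a live server actually presents. It assumes the openssl command line tool; the self-signed certificates it builds for the demonstration stand in for CA-issued ones, and the hostname www.example.org is a placeholder.

```sh
#!/bin/sh
# Rekey verification, added example (not from the original article). Heartbleed
# can leak the server's private key, so the replacement certificate must be
# issued for a NEW key; reissuing from a CSR made with the old key keeps the
# exposed key in service. Assumes the openssl CLI. The self-signed certificates
# from make_demo_certs stand in for CA-issued ones and are constructed here.

# SHA-256 fingerprint of the public key inside a PEM certificate. Serial number,
# dates and signature change on every reissue, so a whole-certificate
# fingerprint proves nothing; only a changed public key shows a real rekey.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key a live server presents (network call; use it
# after reinstalling to confirm clients really receive the new key).
served_pubkey_fp() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Generate a fresh 2048-bit RSA key and a CSR for it under the prefix $2.
# Never reuse the old key file or the old CSR: send $2.csr to the CA.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$1" 2>/dev/null
}

# Succeeds only when the new certificate carries a different public key.
rekey_verified() {
    old_fp=$(cert_pubkey_fp "$1")
    new_fp=$(cert_pubkey_fp "$2")
    [ -n "$old_fp" ] && [ -n "$new_fp" ] && [ "$old_fp" != "$new_fp" ]
}

# Build three self-signed certificates in $1: the one in service before
# Heartbleed, a "reissue" that mistakenly reuses its key, and a proper rekey.
make_demo_certs() {
    dir=$1
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/old.key" \
        -out "$dir/old.crt" -subj "/CN=www.example.org" -days 1 2>/dev/null
    # Wrong: CSR generated from the OLD key, then signed again.
    openssl req -new -key "$dir/old.key" -out "$dir/same-key.csr" \
        -subj "/CN=www.example.org" 2>/dev/null
    openssl x509 -req -in "$dir/same-key.csr" -signkey "$dir/old.key" \
        -out "$dir/same-key.crt" -days 1 2>/dev/null
    # Right: fresh key, fresh CSR, certificate issued for it (self-signed here
    # in place of the CA's signature).
    new_key_and_csr www.example.org "$dir/new"
    openssl x509 -req -in "$dir/new.csr" -signkey "$dir/new.key" \
        -out "$dir/new.crt" -days 1 2>/dev/null
}

# Demonstration on the constructed certificates.
demo=$(mktemp -d)
make_demo_certs "$demo"
if rekey_verified "$demo/old.crt" "$demo/same-key.crt"; then
    echo "same-key.crt: rekey OK"
else
    echo "same-key.crt: REJECT, public key unchanged (old key reused)"
fi
if rekey_verified "$demo/old.crt" "$demo/new.crt"; then
    echo "new.crt: rekey OK"
else
    echo "new.crt: REJECT"
fi
rm -rf "$demo"
```

`served_pubkey_fp` needs network access to the site and is not exercised by the demonstration. After reinstalling, compare its output against `cert_pubkey_fp` of the new certificate file (a mismatch usually means a load balancer or a second virtual host still serves the old certificate), and confirm with the CA that the old certificate's serial number now appears in its CRL or OCSP responses.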
Even though password changes every X days are part of the standard corporate security policy, a password reset is advised for users of affected systems, because passwords submitted to a vulnerable server (and the session cookies issued after login) may have been sitting in the memory the bug exposes. Do the reset after the patch and the new certificate are in place; resetting before that simply hands the new password to the same leak.
As an additional precautionary measure in securing messages, IT professionals can incorporate hash message authentication code (HMAC) signing at the application layer. This process combines a hash function with a secret key to produce a tag that travels with the message; a recipient who holds the same key recomputes the tag and rejects anything that was altered or forged in transit. HMAC does not by itself hide the message contents, so it complements transport encryption rather than replacing it, and it only helps against a Heartbleed-style leak if the HMAC key is kept outside the memory of the process that terminates SSL.