The Heartbleed bug is causing some real heart palpitations in the healthcare community (sorry for the pun), regardless of whether your organization is a health plan, a health provider or both.
That’s according to Phil Lerner, chief information security officer at Beth Israel Deaconess Medical Center, who, on a scale from 1 to 10, ranks the bug a solid “high priority” at 7.5.
“It’s a serious threat for any enterprise, quite frankly, that’s using OpenSSL,” said Lerner. When Lerner and his BIDMC security team first saw Heartbleed, they shifted into gear working closely together to ensure compliance and resolutions. The bug continues to be “top of the food chain” and a chief priority for Lerner. From the looks of it, this appears to be the general consensus across all industries.
(Source: “Insurers, providers try to dodge Heartbleed” by Erin McCann, Healthcare Payer News)
The biggest challenge is that Heartbleed is a silent threat to the security of protected healthcare information (PHI) and, as such, a potential exposure for a HIPAA violation.
Kevin Johnson, chief executive officer of security consulting firm Secure Ideas, called the miscreant Heartbleed a “very serious deal,” because an attack against the bug can go undetected. “If your system is being exploited, the logs and such do not show any maliciousness,” he explained. There are, of course, newly built detection rules that can now help identify vulnerable servers, he pointed out.
As a result, Heartbleed reinforces the need to encrypt healthcare data both in flight, where the OpenSSL exposure lies, and at rest in data storage. Building multiple layers of protection for PHI must bubble up to the top of the healthcare IT priority list, and Heartbleed is just a warning.
In a previous blog post, my suggestion was to use tokenization of PHI as a security strategy to meet HIPAA security requirements. Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information without compromising its security. Tokenization has become popular as a means of bolstering the security of credit card and e-commerce transactions while minimizing the cost and complexity of compliance with industry standards and government regulations. With increasing regulation of protected healthcare information, tokenization is the right technology to address the transfer of sensitive information over public or private networks. The feedback to that post points out the challenges of tokenization and the benefits of encrypting PHI at rest as a more effective best practice.
Heartbleed forces our hand, and the time to implement strong encryption of protected healthcare information is now. Even though encryption supersedes the idea of tokenization, physically segregating the PHI server (redundant, of course) is still another layer of protection. The PHI server would contain the 18 or more key protected data elements and their corresponding keys. A web service would retrieve the protected information temporarily for healthcare applications and updates, but would prevent local storage of the information in order to maintain control. This segregation server process would be implemented in conjunction with an Enterprise Master Patient Index (EMPI) system for a healthcare organization. A centralized server for protected health information would also allow stronger security controls within an organization and support a clear means of auditing access to PHI.
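The following is an added illustration, not code from this post or from any product it mentions, of the two ideas above: tokenization of PHI fields (the previous paragraph) and a segregated PHI store that hands values out only transiently and audits every access (this paragraph). The field names, the `PhiVault` class, the `clinic-app` caller id and the sample patient record are all constructed for the example; the real HIPAA identifier list has 18 entries and only four are used here. Encryption of the vault's storage is assumed to be handled by a proper authenticated cipher outside this snippet.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed subset of the HIPAA identifier list (the real list has 18 entries).
PHI_FIELDS = {"name", "dob", "ssn", "mrn"}


@dataclass
class PhiVault:
    """Stands in for the segregated PHI server.

    Assumption (not from the post): in a real deployment `store` is persisted
    encrypted with an authenticated cipher, the key lives outside this process,
    and `authorized` is fed by the organization's identity system.
    """
    store: dict = field(default_factory=dict)     # token -> real value
    audit: list = field(default_factory=list)     # one entry per access attempt
    authorized: set = field(default_factory=set)  # caller ids allowed to detokenize

    def tokenize(self, value: str) -> str:
        """Replace a sensitive value with a random, unique token; the token has
        no mathematical relationship to the value, so it reveals nothing."""
        token = "tok_" + secrets.token_urlsafe(16)
        self.store[token] = value
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Return the real value for an authorized caller, logging every attempt."""
        allowed = caller in self.authorized and token in self.store
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "caller": caller,
            "token": token,
            "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{caller} may not detokenize {token}")
        return self.store[token]


def tokenize_record(vault: PhiVault, record: dict) -> dict:
    """What the application stores: PHI fields swapped for tokens, other
    fields (for example the EMPI id used to link records) left as they are."""
    return {k: vault.tokenize(v) if k in PHI_FIELDS else v for k, v in record.items()}


def view_record(vault: PhiVault, stored: dict, caller: str) -> dict:
    """Transient, per-request view assembled by the web service; the caller
    renders it and discards it rather than writing it to local storage."""
    return {k: vault.detokenize(v, caller) if k in PHI_FIELDS else v
            for k, v in stored.items()}


def demo():
    """Run the flow on a constructed patient record and report what happened."""
    vault = PhiVault(authorized={"clinic-app"})
    # Constructed sample record; the EMPI id is the only identifier the app keeps.
    raw = {"empi_id": "EMPI-0001", "name": "Jane Example", "dob": "1970-01-01",
           "ssn": "000-00-0000", "mrn": "MRN-12345", "visit_reason": "follow-up"}
    stored = tokenize_record(vault, raw)
    viewed = view_record(vault, stored, "clinic-app")
    try:
        view_record(vault, stored, "unknown-job")   # not on the authorized list
        denied = False
    except PermissionError:
        denied = True
    return raw, stored, viewed, denied, vault


if __name__ == "__main__":
    raw, stored, viewed, denied, vault = demo()
    print("stored by app:", stored)
    print("unauthorized access denied:", denied)
    print("audit entries:", len(vault.audit))
```

The point of the split is that a compromise of the application tier yields only tokens and the EMPI id; the real values live on the vault, every read of them is attributable to a caller, and the denied attempt shows up in the same audit trail as the successful ones.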
The rash of recent security breaches in the retail space demonstrates the perseverance of hackers to penetrate even hardened systems. Building layers of security for protected health information including strong encryption, both in flight and at rest, and separate servers where applicable are only a starting point.
Let’s prioritize this cyber fight and get creative in thwarting the criminals in order to protect our patients and their medical identities.