#Heartbleed is not gone yet

When the Heartbleed vulnerability made headlines last spring, Internet companies went into a frenzy: Creating patches, moving away from OpenSSL, and warning users to reset their passwords.

But while we haven’t heard much about it lately — and many servers have been updated to avoid it — Heartbleed is still very much a problem.

The problem is that OpenSSL is in everything.

“It’s an infrastructure hack, and it’s deep … it puts into question everything that we use on the Internet,” said Sami Nassar, CEO of secure element chip maker NXP.

He calls Heartbleed the death knell for SSL. While some will argue that SSL became obsolete a long time ago, its use is still pervasive. What scares Nassar is that although the news cycle around Heartbleed ended long ago, the damage is still being done.

Read more at VB News

What is your appetite for risk with your patient data?

Is your cloud (online, web-based) application vulnerable to attackers? Do you even know whether the OpenSSL flaw affected your data? Are you paying attention to your investment, or do you even care?

With many practices moving full steam ahead with cloud-based solutions, recent developments have cast a shadow on the security of patient data and on how much risk a medical practitioner is willing to take with personal medical information in the cloud.

When you visit a doctor, nurse practitioner or other health professional, a relationship of trust is formed: your confidentiality is respected and observed. As a patient you assume that every effort is made to uphold that trust and that your personal medical data is secure from the prying eyes of others. But do you really know whether your personal information is safe? Many people in Canada assume that the personal information held in a doctor's office is 100% safe and secure. What happens if they find out that there was a security breach? What happens if a patient arrives to review critically important results that exist only in your EMR or medical software, and your Internet connection is down? What do you tell the patient? Are you certain that your patients' medical information is safe?

Read: Cisco and Heartbleed, A Class Action Lawsuit In The Making (Seeking Alpha)         

Although "online web-based billing software" is the new buzzword, not all solutions have to be cloud-based. Many vendors use phrases like "bill from anywhere" or "use any web browser", yet there are alternatives that still leave you in control of your data. Many companies will never tell you how often their networks are down; fear is used to scare individuals into believing that their data is safer with the vendor. "99% uptime" is the standard line from most online and cloud providers, but note what it allows: 1% of a year is more than three and a half days of downtime. As a medical professional, you carry the risk to your reputation and medical licence. Patients believe that you and your practice hold their personal medical and critical information in trust, and once trust is broken it is often difficult to repair.

Good luck trying to blame your technical problems on others when your cloud application is down (offline), your web-based provider has been hacked (losing personal patient information) or has disappeared with your data (bankruptcy). Some vendor comments and news headlines are shown below.

“Sorry about that folks, someone literally drove over our Internet connection this morning and ripped it from the pole. Everything restored.”

“The six-hour outage of Cerner’s network late last month has raised fresh concerns about cloud hosting of patient records.”

“Target ignored its own alarms—and turned its customers into victims of an epic hack” (Bloomberg Businessweek)

“EBay initially believed user data safe after cyberattack” (Toronto Sun)

If your medical patient records are in the cloud ask yourself the following questions.

  1. Who actually has your data?
  2. Where, on planet Earth literally, is your data located?
  3. Are their cloud servers in Canada? The U.S.? Overseas? Or in an undesirable location in another country?
  4. If your patient data is in a foreign country what laws govern access to that information?
  5. Who is actually looking at your entrusted patient data?
  6. What is the risk and liability to your medical practice?

When choosing a vendor for your medical software, never assume that the data is held within their office. Ask questions first and never assume. Servers could be anywhere.

“If the cloud that hosts your data has servers in a foreign country, the laws of that foreign country may govern your data when stored in that server.”

Think of a more balanced approach to medical file management and health records. There are mobility options that will not compromise your medical data. Just because it looks cheap, bleeding edge and downright "cool", does that make it the best solution for you?

You can survive for a while without your Facebook page, even without Microsoft Word Online, but what about the medical records, lab reports and more that your office or hospital depends on? Under some certifications and requirements today an EMR is considered a medical device, which must operate and function in a specific manner. If medical records and software were like a pacemaker, how much risk would you take?


How the #Heartbleed bug could affect health care (Breaches have compromised at least 21M patients’ records since 2009)

Thousands of security breaches may be undetectable, experts say

Hospitals' and providers' online networks, including email accounts, electronic health records (EHRs) and remote monitoring devices, may be vulnerable to the "Heartbleed" flaw in OpenSSL, which lets an attacker read sensitive data out of an affected system's memory, according to security experts.

Last week a Google engineer and a second security team independently discovered the bug in OpenSSL, a widely used Web encryption library that sites such as Amazon and Google rely on. By exploiting it, attackers may be able to read sensitive information out of the memory of email servers, laptops, mobile phones and security firewalls, experts say.

“[T]his is huge…it’s servers, it’s appliances, it’s devices,” says CynergisTek CEO Mac McMillan, adding that the bug has been around for about two years and experts do not know how many breaches may have already happened. Government agencies and private companies are rushing to fix any vulnerabilities, but breaches may not be detected for a long time, if at all.

“It’s going to be a long, long time before they truly understand the scope of this,” says McMillan.

CEO of CloudFlare Matthew Prince called Heartbleed “the worst bug the Internet has ever seen,” adding “[i]f a week from now we hear criminals spoofed a massive number of accounts of financial institutions, it won’t surprise me.”

At this point, it is also unclear whether the nation's health care providers are especially vulnerable. For example, Web networks that rely on two- or three-factor password authentication should be safe, McMillan says.

But even health groups that do not rely on OpenSSL should be worried about the ramifications of the massive breach, according to David Harlow, principal of the health care law firm Harlow Group.

#Heartbleed bug exposes #OpenSSL project’s meager resources

By Nicole Perlroth

The Heartbleed bug that made news last week drew attention to one of the least understood elements of the Internet: Much of the invisible backbone of websites from Google to Amazon to the FBI was built by volunteer programmers in what is known as the open-source community. Heartbleed originated in this community, in which these volunteers, connected over the Internet, work together to build free software, to maintain.

What makes Heartbleed so dangerous, security experts say, is the so-called OpenSSL code it compromised. That code is just one of many maintained by the open-source community. But it plays a critical role in making our computers and mobile devices safe to use.

“This bug was introduced two years ago, and yet nobody took the time to notice it,” said Steven M. Bellovin, a computer science professor at Columbia University. “Everybody’s job is not anybody’s job.”

Read more at:
http://economictimes.indiatimes.com/articleshow/33958360.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

#Heartbleed #OpenSSL Bug Reveals the True Cost of #OpenSource Software

The vast majority of those taking advantage of free, open-source software such as OpenSSL do nothing to contribute to its development—and that’s part of the problem.

Every day brings new reports of the threats posed by the Heartbleed bug. But the discovery of Heartbleed has also unearthed a scandal that has plagued the open-source community for years: giant enterprises contribute nothing to the development, testing and validation of the free software on which they depend. They are takers, pure and simple. Nothing makes this more obvious than the details revealed about the German developer who introduced the bug, Dr. Robin Seggelmann. Dr. Seggelmann, it appears, was spending his end-of-year holiday working on OpenSSL, the encryption library that had become a de facto standard on the Internet. While he was at it, he implemented the TLS heartbeat extension, a keep-alive that lets an encrypted session stay open rather than time out. The bug itself was a missing bounds check: the code trusted the payload length declared in an incoming heartbeat request and copied that many bytes back to the sender, so a request claiming a large payload while carrying almost none returned up to 64 KB of whatever happened to sit next to it in the server's memory.
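The handful of lines behind the bug, as an added example that is not OpenSSL's code and not from the articles quoted on this page: a cut-down model of TLS heartbeat processing with the vulnerable handler beside the fixed one. The record layout (1-byte type, 2-byte payload length, payload, 16 bytes of padding) follows RFC 6520; the simulated memory region, the session cookie placed next to the record and all function names are constructed for the demo.

```c
/* Added example (not OpenSSL's code): simplified TLS heartbeat handling
 * showing the missing bounds check behind Heartbleed and the shape of
 * the fix. Record layout per RFC 6520: type (1), payload length (2),
 * payload, >= 16 bytes padding. MEM_SIZE, RECV_LEN and the cookie are
 * constructed stand-ins for a real server's heap. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16
#define MEM_SIZE    64   /* constructed heap region that holds the record */
#define RECV_LEN    22   /* bytes really received: type + length + "abc" + 16 padding */

/* Vulnerable: trusts the declared payload length and echoes that many
 * bytes, never checking it against rec_len (the bytes that arrived). */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < 3) return 0;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + (size_t)declared + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared);          /* over-read when declared > rec_len - 3 */
    memset(out + 3 + declared, 0, HB_PADDING);
    return resp_len;
}

/* Fixed: the declared length must fit inside the record actually received;
 * otherwise the record is silently discarded, as RFC 6520 requires. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING) return 0;                     /* no room for any payload */
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)declared + HB_PADDING > rec_len) return 0;  /* the missing check */
    size_t resp_len = 3 + (size_t)declared + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared);
    memset(out + 3 + declared, 0, HB_PADDING);
    return resp_len;
}

/* Constructed server memory: a request carrying 3 payload bytes ("abc")
 * plus zero padding, followed by a session cookie that was never sent. */
static void build_memory(uint8_t *mem, uint16_t claimed)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "abc", 3);
    memcpy(mem + RECV_LEN, "SESSION=deadbeef;", 17);   /* adjacent secret */
}

/* Run one handler over the simulated memory; returns response length. */
size_t run_heartbeat(int fixed, uint16_t claimed, uint8_t *out, size_t out_cap)
{
    uint8_t mem[MEM_SIZE];
    if (3 + (size_t)claimed > MEM_SIZE) return 0;   /* demo guard only: keep the over-read inside mem */
    build_memory(mem, claimed);
    return fixed ? heartbeat_fixed(mem, RECV_LEN, out, out_cap)
                 : heartbeat_vulnerable(mem, RECV_LEN, out, out_cap);
}

size_t response_len(int fixed, uint16_t claimed)
{
    uint8_t out[MEM_SIZE + HB_PADDING + 3];
    return run_heartbeat(fixed, claimed, out, sizeof out);
}

/* Bytes in the response that came from beyond the received record. */
size_t leaked_bytes(int fixed, uint16_t claimed)
{
    if (response_len(fixed, claimed) == 0) return 0;
    size_t copy_end = 3 + (size_t)claimed;           /* memcpy read mem[3 .. copy_end) */
    return copy_end > RECV_LEN ? copy_end - RECV_LEN : 0;
}

/* 1 if the constructed cookie appears verbatim in the response. */
int response_has_cookie(int fixed, uint16_t claimed)
{
    uint8_t out[MEM_SIZE + HB_PADDING + 3];
    size_t n = run_heartbeat(fixed, claimed, out, sizeof out);
    if (n < RECV_LEN + 17) return 0;                 /* out[3+k] mirrors mem[3+k] */
    return memcmp(out + RECV_LEN, "SESSION=deadbeef;", 17) == 0;
}

int main(void)
{
    printf("vulnerable: leaked %zu bytes, cookie exposed: %d\n",
           leaked_bytes(0, 40), response_has_cookie(0, 40));
    printf("fixed:      leaked %zu bytes, cookie exposed: %d\n",
           leaked_bytes(1, 40), response_has_cookie(1, 40));
    return 0;
}
```

A well-formed request (declared length 3) is answered identically by both handlers, so the fix costs nothing for honest clients; the malicious request claiming 40 bytes makes the vulnerable handler copy past the 22 bytes that arrived and return the cookie, while the fixed handler discards it.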

Read more at http://www.eweek.com/security/heartbleed-openssl-bug-reveals-the-true-cost-of-open-source-software.html