Heartbleed 'top of food chain' for healthcare industry, says CISO

A bug the industry will continue to 'stumble on for a little while'
By Erin McCann
11:02 AM
When it comes to security threat severity, the Heartbleed bug doesn't miss a beat. That's according to Phil Lerner, chief information security officer at Beth Israel Deaconess Medical Center, who, on a scale from 1 to 10, ranks the bug a solid "high priority" at 7.5.
 
That's a big deal. "It's a serious threat for any enterprise, quite frankly, that's using OpenSSL," said Lerner in an interview with Healthcare IT News.
 
When Lerner and his BIDMC security team first saw Heartbleed, they shifted into gear working closely together to ensure compliance and resolutions. Even to this day -- the vulnerability has been known among the open source community for about a week now -- the bug continues to be "top of the food chain" and chief priority for Lerner.
 
From the looks of it, this appears to be the general consensus across all industries.
 
Kevin Johnson, chief executive officer of security consulting firm Secure Ideas, called the miscreant Heartbleed a "very serious deal," as the attack against the bug can go undetected. "If your system is being exploited, the logs and such do not show any maliciousness," he explained. There are, of course, newly-built detection rules that can now aid vulnerable servers, he pointed out.

What to do

 
In terms of dealing with a security event of this magnitude, Beth Israel's Lerner said collaboration and communication are king. 
 
"It all starts with communication. The teams get together. We make sure we limit exposure, test and mitigate, and that's a continuous process at most enterprises," added Lerner, who, due to security concerns could not divulge specifically what the hospital had done to mitigate risks. 
 
Referring to the healthcare industry as a whole, though, Lerner said it's no easy patch and not necessarily a short-lived event. 
 
Heartbleed is one of those things the healthcare industry will "stumble on for a little while," he added. 
 
And it's not just healthcare that's stumbling about.
 
Tech industry behemoths Cisco and Juniper have already discovered routers, servers, video cameras and phones affected by the Heartbleed bug, according to an April 11 CNNMoney report. The implications? Considering the vulnerability has existed for nearly two years now, this means a hacker could have tapped these phones calls, computer sessions, emails and voicemails for that time period.
 
"The spread, or sort of the nature of the exploit is what makes it difficult," he said. "If you had OpenStack SSL deployed, and you were able to in a single line disable the SSL heartbeat, where the bounds checking and 64K can be exploited, meaning open up availability to the private key for crypto or other sensitive information that may be transmitted in that SSL communication -- that's the issue," he added. 
 
A lot of folks in the healthcare industry may be using vendor-supplied solutions embedded with OpenStack in off-the-shelf applications, Lerner pointed out.

"And it took the vulnerability assessment, 10 people and scanning developers a while, meaning a little bit longer than I think most folks would have liked to have gotten out ready to test patches." 

 
That brought Lerner to his next point: testing. You can't just go and apply patches without tests, he said, due to potential hooks through the applications and databases under the apps and front ends that can potentially be affected when changes are made to embedded code. "Because of the size of typical enterprise of user community, the test process and the threat vetting process as when can we run it through open scanners or our own scanners," Lerner continued, "made things a little bit more difficult just because its time consuming." 
 
He then cautioned against those websites out there where you enter your code into a scanner, then it gives vulnerability recommendations based on the code entered. Overall, he's not a "huge fan" due to the risk. "Usually, that's done in clear text, not into the tool that folks might think that they could easily mitigate with," he said. "In large enterprises, there's typically lots of homegrown, especially if you look at verticals over all because people tend to be creative in maybe their legacy applications."
 
The app owners, in general, know what's underneath the app, said Lerner, as they're typically writing the code, or at least maintaining it. "Making changes to the application to support a critical vulnerability or exploit may be more difficult in some cases," he said, "because they don't want to break any of the clients' icon activity."
 
Johnson, too, said the client software piece is particularly difficult. "There is currently no easy was to scan for this flaw in the myriad of programs using the OpenSSL libraries," he said. And the patching process for client programs is no walk in the park, "but that is the answer," Johnson added. 
 
Though, for some companies, patches haven't yet been made. 
 
Intel, for example, has not released a patch for Heartbleed, eliciting frustrating responses from industry officials. McAfee, an Intel-owned company posted a statement to their website on the incident. "We understand this is a difficult time for businesses as they scramble to update multiple products from multiple vendors in the coming weeks. The McAfee products that use affected versions of OpenSSL are vulnerable and need to be updated."

Accidental beginnings

 
Earlier this week, it was discovered that a German software developer Robin Seggelmann was responsible for accidentally creating Heartbleed.
 
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he told The Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."
 
Upon submitting the code, a reviewer also failed to notice the mistake, Seggelmann pointed out.  
 
The effects from the Heartbleed bug are percolating virtually every industry nationwide. 
 
Dropbox, Dartmouth College, Facebook, Instagram, Google, Yahoo and Wikipedia are also among the companies who have reported being affected by the bug.
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.