
Is 'Heartbleed' dangerous for healthcare providers?

April 11, 2014
Compliance By LW Consulting Inc.

Healthcare professionals, especially those handling electronic health records, have to tread carefully because of the recently disclosed "Heartbleed" bug, a flaw in the widely used OpenSSL library that secures much of the internet's encrypted traffic. The flaw may expose information held on medical servers, but practitioners also have to be careful about how they go about checking for it and fixing it.

Heartbleed is not a weakness in the encryption itself but a missing bounds check in OpenSSL's TLS "heartbeat" extension: an attacker sends a malformed heartbeat request and receives back up to 64 kilobytes of the server's memory per request, and by repeating the request can gradually harvest whatever that memory holds, which can include private keys, passwords, session cookies and patient records. While consumers have been warned, checking for and solving the problem may pose its own difficulties for healthcare providers, at least in some parts of the world, depending on what the law says.

British news site The Register reported on the position providers in the United Kingdom could find themselves in if they go too far in probing the computer systems used for important digital medical functions.

Although "Heartbleed" carries a significant risk, the source quoted computer security professional David Litchfield, who said that probing systems to see whether they are vulnerable would, without the owner's permission, itself be a violation of British law.

"I would say it would certainly contravene the Computer Misuse Act in the U.K.," he said. "This is no different than say testing to see if a site is vulnerable to SQL injection. It's not legal without permission."

So with that in mind, what can healthcare providers do to find out whether their systems and patients are at risk? Lauren Still of GovHealthIT writes that stronger forms of encryption can be used, and that all patients and partners can be informed of possible problems if OpenSSL affects your processes at all. In practice the remediation for a provider's own servers is well defined: upgrade any OpenSSL installation in the affected range (1.0.1 through 1.0.1f) to a patched release, then reissue the TLS certificates and private keys that were in use on those servers and reset passwords and session tokens that may have been exposed, since patching alone does not recover anything already leaked. Checking the software version on systems you own or administer is testing with permission; scanning a partner's or vendor's systems still requires their explicit authorisation.
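As an added example (not part of the original article or of GovHealthIT's advice), the following Python check classifies the output of `openssl version` on servers you administer, so a provider can take stock of its own estate without probing anyone else's systems. The affected version range comes from the public OpenSSL advisory for CVE-2014-0160; the host names and version strings in the sample inventory are constructed for illustration, and the caveat about distribution packages that backport the fix without changing the version number is stated in the code.

```python
import re
import subprocess

# CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 contain the fix. The 1.0.0 and 0.9.8 branches never
# shipped the TLS heartbeat code, and every branch newer than 1.0.2 post-dates the fix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_status(version_output: str) -> str:
    """Classify an `openssl version` string as 'vulnerable', 'patched' or 'unaffected'.

    Caveat: Debian, Ubuntu, Red Hat and others backported the fix into packages
    that still report e.g. "1.0.1e", so 'vulnerable' here means "check the package
    changelog for the CVE-2014-0160 fix", not "this host is definitely exposed".
    """
    m = VERSION_RE.search(version_output)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {version_output!r}")
    release = tuple(int(g) for g in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)

    if release == (1, 0, 1):
        # "" (plain 1.0.1) and the letters a..f all sort before "g"
        return "vulnerable" if letter < "g" else "patched"
    if release == (1, 0, 2):
        if beta is not None:
            return "vulnerable" if int(beta) < 2 else "patched"
        return "patched"  # every final 1.0.2 release shipped with the fix
    return "unaffected"


def check_local_openssl(binary: str = "openssl") -> str:
    """Run the local OpenSSL binary (a system you administer) and classify its version."""
    out = subprocess.run([binary, "version"], capture_output=True, text=True, check=True)
    return heartbleed_status(out.stdout)


# Constructed sample inventory: host name -> version string, as an asset register might hold it
SAMPLE_INVENTORY = {
    "ehr-web-01":  "OpenSSL 1.0.1e 11 Feb 2013",
    "ehr-web-02":  "OpenSSL 1.0.1g 7 Apr 2014",
    "lab-gateway": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "billing-db":  "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy-fax":  "OpenSSL 0.9.8y 5 Feb 2013",
}


def triage(inventory: dict) -> dict:
    """Return {host: status} for a mapping of host name to `openssl version` output."""
    return {host: heartbleed_status(v) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Run it on each server's own `openssl version` output (or feed it an existing asset register as above); hosts reported as vulnerable need the package changelog checked and, if the fix is absent, the upgrade plus key and certificate reissue described above.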

Proper medical litigation support can also help doctors who are unsure whether they have overstepped their bounds.