Skip to Content

Heartbleed Bodes Ill for Sensitive Health Data

Research suggests that electronic health information is particularly vulnerable to software bugs.
April 22, 2014

Recent discoveries, along with the recent drama over the Heartbleed bug, make me believe that in next few months we could see the largest leak of private patient information ever reported. Attacks against health IT systems are particularly concerning because so much personal data lives in an electronic health record. If hackers compromised such a system, they’d get contact and financial information, as well as lots of even more personal health data. 

Heartbleed, the recently exposed vulnerability in a very common version of OpenSSL, put pressure on many IT security professionals to roll out quick fixes. Unfortunately, backwards thinking in health IT, arguably one of the most important-to-protect arenas, leaves many vendors unprepared to respond quickly to bugs like Heartbleed.

There is already evidence that companies that develop electronic health record software and other health IT products are not prepared to react to security vulnerabilities of any kind. For example, on April 4, Josh Mandel, a health IT expert with the SMART project, an effort to develop a common interface for health IT platforms, discovered a significant vulnerability in a common part of a health-care informatics software adopted by many electronic health record software vendors. Mandel and his team reported the bug, but very few vendors of electronic health record software responded appropriately. Mandel found that less than 10 percent of electronic health record vendors he contacted had the proper procedures in place to handle vulnerabilities.

Hackers generally move at breathtaking speed, and can take over millions of machines in minutes. The only advantage that security professionals have is that they can take certain steps to prepare for attacks. If those preparations are in place, the IT professionals can (barely) keep up. But in the case of health information, most security professional aren’t properly prepared to react.

Has Heartbleed affected any electronic health record systems? It is hard to say. Usually leaks of protected health information must be reported to the HHS Office of Civil Rights under the Health Insurance Portability and Accountability Act. But it is an open secret in health IT circles that health-care providers frequently fail to report “smaller” problems. Even if hospitals and other providers did report back to the Office of Civil Rights, it might be difficult for us to tell, as an industry, how well health IT vendors performed.

It will be interesting to see, over the course of the next few months, what kinds of hacking attempts are reported. Let’s hope I’m wrong about that leak.

Fred Trotter is chief operating officer at Open Source Health, founder of CareSet, and a technical blogger for O’Reilly Radar.

Keep Reading

Most Popular

open sourcing language models concept
open sourcing language models concept

Meta has built a massive new language AI—and it’s giving it away for free

Facebook’s parent company is inviting researchers to pore over and pick apart the flaws in its version of GPT-3

transplant surgery
transplant surgery

The gene-edited pig heart given to a dying patient was infected with a pig virus

The first transplant of a genetically-modified pig heart into a human may have ended prematurely because of a well-known—and avoidable—risk.

Muhammad bin Salman funds anti-aging research
Muhammad bin Salman funds anti-aging research

Saudi Arabia plans to spend $1 billion a year discovering treatments to slow aging

The oil kingdom fears that its population is aging at an accelerated rate and hopes to test drugs to reverse the problem. First up might be the diabetes drug metformin.

Yann LeCun
Yann LeCun

Yann LeCun has a bold new vision for the future of AI

One of the godfathers of deep learning pulls together old ideas to sketch out a fresh path for AI, but raises as many questions as he answers.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.