Add More To Your HIPAA Heartbleed Review List

Just as I mentioned in my earlier post on Heartbleed, there would be more to come.  Just hours after finishing that article I was reading the latest articles on the status of the situation.  This thing seems to get worse every day to many people.  I am not as shocked by the number of devices and sites that have been found affected, I am surprised it isn’t bigger already.

CloudFlare, a company that secures websites, created a test server with the flaw in it on Friday.  They published a Heartbleed Challenge to hackers that could steal the private encryption keys from the server using Heartbleed and send the key to them.  The site was hacked so easily and quickly that many believe it proved the worst case scenario of the bug’s potential damage.

The company actually posted earlier in the day that they believed it was impossible to get the actual keys to the kingdom using the bug.  The hackers had it stolen and back to them in less than a day.  One of the first to get through said it took just 3 hours to break in and get the key.

Add these to your list for certain – they have announced they have issues for certain versions and devices:

  • Android Mobile devices.  Not all devices but certain versions of the popular mobile operating system are vulnerable.  You can use this free app from Google Play to determine if a device needs a patch.
  • Cisco Networks announced they have some devices with the problem.
  • Juniper Networks did also.
  • FortiGuard announced issues with several of it’s products.

This will take time for everything to be identified and fixed.  It is important to monitor this situation closely and work out your plan.

Do not just start changing passwords or making changes without a plan.  You will only waste time and, possibly, make your situation worse.  Review everything and only change things that are verified one way or the other.

Filed under: HIPAA Tagged: Business Associates, Health Insurance Portability and Accountability Act, HIPAA, Security Rule, Small Provider