Heartbleed HIPAA Documentation


If you haven’t considered your HIPAA requirements for Heartbleed yet you should probably get started sooner rather than later.  If you don’t run a site that needed a patch you almost certainly use one or more on a regular basis.  This is a perfect time to create nice clean issue resolution documentation to show that you recognized the risk and took appropriate action.

For those who may need more explanation on Heartbleed, it is a very serious bug found in the software that has been trusted to make millions of transmissions secure on the Internet every second.  The bug has been there for two years and there is no way to know if it has really been used as an attack method for sure.

What is certain is that it is a big hole in security all over the Internet.  It is a major wake up call to the Internet Security Gurus world-wide.  For the rest of us, though, it isn’t something to ignore because it sounds too techie.  It is very serious and every single person that ever connects to the Internet, in any way, should worry about it.  Here is the first flush on what to worry about but there will be more as time goes on, it is almost certain.

As always, you must document everything you are doing with this situation to tell your compliance story.  You should be able to show anyone the process you have taken to check out your network and website risks.  Then, any activity you take to mitigate those risks should be documented and planned.  Sound familiar?  Yes, it is a mini Risk Analysis for this one situation.

  1. Contact your IT provider and have them confirm, in writing, your network equipment, VPN clients, internal servers, etc. were checked and any necessary patches have been loaded.
  2. If you use a tool for password management, as we strongly recommend, the next step will be easier.  You must start changing passwords for any of your important sites that use HTTPS connections.
    • Usually these are your most critical applications such as banking, any other financial sites, email, social networks, etc.
    • Most importantly, though, change sites that involve ePHI in any manner.
    • If you know the details about the bug, there are a few exceptions but most experts suggest you play it safe and change them all, as do we.
    • But… this part is very important…..   You should NOT change a site that has not been fixed or confirmed to be unaffected.  It is a waste of time.
    • Sites should not be used at all until a confirmation is received one way or the other.
    • There are several free tools that will let you check a site such as the Heartbleed Test (notice it was “built in a frenzy”).  You should see a message that says something like this: All good, kardontech.com seems fixed or unaffected!

One note, if you have implemented a two-factor authentication (2FA) method for a site then your exposure is very limited.  Even if a password was stolen the second factor authentication would prevent using it for logging into the site.  Those sites do not require changing.

Every user on your network needs to account for changing their passwords on all sites and it should be documented for your security compliance.  Remember, you can’t just say you did it anymore, you should prove it.

I do have to admit that we have been recommending password management tools for some time now for many reasons but I have never been so very happy to have one in place when we needed to do this exercise.  They rolled out tools to let us test all our sites quickly for suspects and address them.  Between that and the use of 2FA wherever possible we have not had the stress for our own internal processes that others have experienced.  Our clients, however, well, we are working with them……..

Filed under: HIPAA Tagged: Documentation, HIPAA, Security, Small Provider