Electronic Health Records heartbleed
|Open Source Media Framework Icon (Photo credit: Wikipedia)
Finally we presented our ultra small EHR project (TED) on wednesday with the promise of pushing it into GitHub as an open-source project soon. The biggest challenge in small turnkey EHRs is data security and privacy. While we were presenting our project the world was desperately seeking the patch for the Heartbleed bug and CRA Canada shut down its portal to avoid any potential data security breach. We are still not sure about the impact of this bug worldwide. So what exactly is heartbleed and how can it effect the burgeoning open-source revolution in health informatics?
Heartbleed is a bug in a widely used open-source encryption method called openSSL. When two computers are securely connected by this method there is a mechanism for periodic checking of this secure connection. We now know that this process was not secure after all, as there was a flow in this method that made the data in the RAM of the computers potentially visible to intruders. The data in the RAM of the computer at any time is likely to be the most sensitive including information such as passwords. This vulnerability was present for almost 2 years till it was spotted recently. Though the obvious question at this point is, who knew about this vulnerability before, the potential ramifications of heartbleed extends right to the heart of the open-source philosophy in secure software systems such as EHRs.
Though it is unlikely, there is a possibility that heartbleed bug was intentionally introduced into the software by someone in the open-source community. This is an eye-opener to massively open-source EHR products. The people managing such open-source projects must be aware of the possibility of a security breach by malicious code introduced by the contributors. It may not be easy to spot such vulnerabilities.
Many EHR systems employ openSSL encryption making them vulnerable to heartbleed. Though patching may happen fast in active and funded projects, it may be delayed for some projects making them potentially vulnerable to heartbleed for extended time. Since this vulnerability is known, the chances of potential exploitation is quite high. Though healthcare data is probably less interesting to hackers than other data sources (contrary to what most of us in eHealth think), heartbleed could give healthcare CEOs some heartburn if not a bleed for days to come.