Heartbleed HIPAA Documentation

If you haven’t considered your HIPAA requirements for Heartbleed yet, you should probably get started sooner rather than later.  If you don’t run a site that needed a patch, you almost certainly use one or more on a regular basis.  This is a perfect time to create nice, clean issue resolution documentation to show that you recognized the risk and took appropriate action.

For those who may need more explanation on Heartbleed, it is a very serious bug found in the software that has been trusted to make millions of transmissions secure on the Internet every second.  The bug has been there for two years, and there is no way to know for sure whether it has actually been used in an attack.

What is certain is that it is a big hole in security all over the Internet.  It is a major wake-up call to the Internet security gurus worldwide.  For the rest of us, though, it isn’t something to ignore because it sounds too techie.  It is very serious, and every single person who ever connects to the Internet, in any way, should worry about it.  Here is a first pass at what to worry about; it is almost certain that there will be more as time goes on.

As always, you must document everything you are doing with this situation to tell your compliance story.  You should be able to show anyone the process you have taken to check out your network and website risks.  Then, any activity you take to mitigate those risks should be documented and planned.  Sound familiar?  Yes, it is a mini Risk Analysis for this one situation.

  1. Contact your IT provider and have them confirm, in writing, your network equipment, VPN clients, internal servers, etc. were checked and any necessary patches have been loaded.
  2. If you use a tool for password management, as is strongly recommended, the next step will be easier. You must start changing passwords for any of your important sites that use HTTPS connections.
    • Usually these are your most critical applications such as banking, any other financial sites, email, social networks, etc.
    • Most importantly, though, change sites that involve ePHI in any manner.
    • If you know the details about the bug, there are a few exceptions, but most experts suggest you play it safe and change them all.
    • But, and this part is very important, you should NOT change the password for a site that has not been fixed or confirmed to be unaffected. It is a waste of time, because a new password entered on a still-vulnerable site can be exposed just like the old one.
    • Sites should not be used at all until a confirmation is received one way or the other.
    • There are several free tools that will let you check a website, such as the Heartbleed Test at the following URL: https://filippo.io/Heartbleed/ (notice it was “built in a frenzy”). When you enter a URL or hostname to test the server, you should see a message that says something like this: All good, [your URL here] seems fixed or unaffected!

One note: if you have implemented a two-factor authentication (2FA) method for a site, then your exposure is very limited.  Even if a password was stolen, the second-factor authentication would prevent using it to log into the site.  Those sites do not require changing.

Every user on your network needs to account for changing their passwords on all sites, and it should be documented for your security compliance.  Remember, you can’t just say you did it anymore; you have to prove it.
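To make the "prove it" part concrete, here is a small added example (written for this article, not the author's or Kardon Technology's own tooling) that applies the checklist rules above to an inventory of sites and writes one audit row per site. The site names, dates and CSV layout are constructed for illustration; the status of each site is whatever you recorded after checking it with a tool such as the Heartbleed Test linked above or a vendor notice.

```python
import csv
import io
from dataclasses import dataclass


@dataclass
class Site:
    host: str            # hostname of the site (constructed sample values below)
    status: str          # "fixed", "unaffected", "vulnerable" or "unknown"
    handles_ephi: bool   # does this account touch ePHI?
    has_2fa: bool        # is a second factor enforced at login?
    checked_on: str      # date the check was made, kept for the record
    evidence: str        # where the status came from (test tool, vendor notice)


def decide(site: Site) -> str:
    """Apply the article's rules to one site and return the action to log."""
    if site.status not in ("fixed", "unaffected"):
        # Not fixed, or not confirmed either way: a new password entered now
        # could leak the same way, so hold off and stop using the site.
        return "hold: do not use until fixed/unaffected is confirmed"
    if site.has_2fa:
        return "no change needed: second factor limits exposure"
    return "change password now"


def plan(sites):
    """Put ePHI sites first, then build one audit row per site."""
    ordered = sorted(sites, key=lambda s: (not s.handles_ephi, s.host))
    return [(s.host, s.status, "yes" if s.handles_ephi else "no",
             s.checked_on, s.evidence, decide(s)) for s in ordered]


def to_csv(rows) -> str:
    """Render the rows as CSV to file with the compliance documentation."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "status", "ephi", "checked_on", "evidence", "action"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample inventory; replace with your own list of sites.
    inventory = [
        Site("bank.example", "unknown", False, False, "2014-04-10", "no vendor notice yet"),
        Site("ehr-portal.example", "fixed", True, False, "2014-04-10",
             "https://filippo.io/Heartbleed/ reported fixed or unaffected"),
        Site("mail.example", "unaffected", False, True, "2014-04-10", "vendor notice"),
    ]
    print(to_csv(plan(inventory)))
```

Keep the resulting CSV, together with the written confirmation from your IT provider, in the same place as the rest of your risk analysis paperwork.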

ABOUT THE AUTHOR: Donna Grindle, CHPSE has been writing medical practice software as a programmer since 1987. She is currently the owner and president of Karden Technology, which specializes in IT and HIPAA compliance services, working with small healthcare providers and businesses that support them.
