Following recent news about the Heartbleed exploit, CloudFlare, a San Francisco-based security services company, challenged hackers to use Heartbleed to get private encryption keys that would unlock secure data. It reported multiple winners to its challenge. By obtaining the private key for an SSL/TLS certificate, an attacker could set up a fake website that passes the security verification. They could also decrypt traffic passing between a client and a server, known as a man-in-the-middle attack, or possibly unscramble encrypted communications they’ve collected in the past.
Possibly vulnerable health care sites include provider websites, physician and patient portals, secure e-mail services, medical monitoring devices and remote-access PACS/RIS systems. Basically, “anything that has built-in encryption capability across the Internet,”said Michael Mathews, president, chief operating officer and chief technical officer of CynergisTek, an Austin, Texas-based systems security firm that specializes in health care IT. Companies continue to try to patch the exploit, but it is being reported that this will take a significant period of time. In light of the latest discovery, many sites still appear to be vulnerable; an attacker could have used Heartbleed to steal a site’s valid security keys any time before the site patched its systems. The next step, experts say, is for all 500,000 affected sites to revoke their security certificates and issue new ones.