The Heartbleed Bug's Impact on EHR Systems


As widely reported, a serious vulnerability in the popular OpenSSL cryptographic library, known as the Heartbleed bug, was recently disclosed. The flaw is a missing bounds check in OpenSSL's handling of the TLS "heartbeat" extension: a remote, unauthenticated party can send a heartbeat request that claims a larger payload than it actually carries, and the server answers with that many bytes copied from its own memory. Those bytes can contain the server's private key (the secret that proves the service's identity to clients), user names and passwords, session cookies, and the content of traffic that is normally protected by SSL/TLS encryption. Most health care providers are not aware that many web-based electronic health record (EHR) systems rely on OpenSSL to secure protected health information (PHI), so those systems may be exposed to the bug.
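To make the mechanism concrete, the following is an added illustration, not code from OpenSSL or from this advisory. It models the heartbeat message layout (type, two-byte payload length, payload, at least 16 bytes of padding) and places a constructed record in a small array followed by constructed "adjacent memory" holding a fake session string. The vulnerable handler trusts the declared length, as the affected OpenSSL releases did; the fixed handler applies the same bounds check OpenSSL 1.0.1g introduced (reject the message if `1 + 2 + payload + 16` exceeds the number of bytes actually received). All names, buffer sizes and the secret string are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": the received record sits at the start and
 * unrelated secret data (standing in for adjacent heap contents) follows it.
 * The vulnerable handler may read up to 3 + claimed_len bytes from here, so
 * the demo keeps claimed lengths small enough to stay inside this array. */
static unsigned char g_memory[256];
static const char *SECRET = "session=abc123; user=drsmith; password=Winter2014!";  /* constructed */

/* Build a heartbeat request whose bytes are genuinely present for actual_len,
 * but whose declared payload_length may lie. Returns the real record length. */
static size_t build_request(uint16_t claimed_len, const unsigned char *payload, size_t actual_len)
{
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_memory + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;   /* padding bytes stay zero */
    memcpy(g_memory + record_len, SECRET, strlen(SECRET) + 1);  /* "adjacent" memory */
    return record_len;
}

/* Vulnerable handler (behaviour of the affected releases): copies as many
 * bytes as the message *claims*, never consulting how many were received. */
static int vulnerable_heartbeat(const unsigned char *rec, size_t record_len,
                                unsigned char *out, size_t out_cap)
{
    (void)record_len;                                   /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload > out_cap) return -1;       /* only guards the output buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                  /* over-reads past the record */
    return 3 + payload;
}

/* Fixed handler: drop the message unless the declared payload plus the
 * mandatory padding fits inside the record that was actually received. */
static int fixed_heartbeat(const unsigned char *rec, size_t record_len,
                           unsigned char *out, size_t out_cap)
{
    if (record_len < 3) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > record_len) return -1;  /* silently discard */
    if ((size_t)3 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* Returns 1 if the response bytes contain the secret string, i.e. memory leaked. */
static int response_leaks_secret(const unsigned char *resp, int resp_len)
{
    if (resp_len <= 0) return 0;
    size_t n = strlen(SECRET);
    for (size_t i = 3; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* One scenario: a 5-byte payload "hello" with an arbitrary claimed length.
 * Returns 1 if the chosen handler leaked the secret, 0 if it did not. */
static int run_scenario(int use_fixed, uint16_t claimed_len)
{
    unsigned char out[256];
    const unsigned char payload[] = "hello";
    if ((size_t)3 + claimed_len > sizeof g_memory) return -1;  /* keep the demo in bounds */
    size_t record_len = build_request(claimed_len, payload, 5);
    int n = use_fixed ? fixed_heartbeat(g_memory, record_len, out, sizeof out)
                      : vulnerable_heartbeat(g_memory, record_len, out, sizeof out);
    return response_leaks_secret(out, n);
}

int main(void)
{
    printf("honest request, vulnerable handler: leak=%d\n", run_scenario(0, 5));
    printf("lying request,  vulnerable handler: leak=%d\n", run_scenario(0, 200));
    printf("lying request,  fixed handler:      leak=%d\n", run_scenario(1, 200));
    return 0;
}
```

The point for an EHR operator is in the last two lines of output: the same lying request that pulls the session string out of the vulnerable handler is simply discarded by the fixed one, which is why the only meaningful remediation is the vendor deploying the corrected library, not any change on the client side.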

Accordingly, for our provider clients, we have two recommendations. First, providers should contact their vendors to find out (1) whether their system is (or was) subject to the Heartbleed vulnerability, (2) whether the vendor has deployed the fixed version of OpenSSL, and (3) whether the vendor has since replaced the server's TLS private keys and certificates, since a key copied before the fix remains usable by an attacker after it. Second, providers should instruct their users and administrators to change their passwords to prevent unauthorized access. Please note that passwords changed before the vendor has installed the fixed version of OpenSSL are not secure, because they can be captured in the same way, and will need to be changed again once the fix is in place. Providers should also use this opportunity to review their password policies to ensure that passwords are changed on a routine basis and that the policies are actually enforced.

More information about the Heartbleed bug can be found here:

This vulnerability has affected several applications and web-based services.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
