Applied Bimatics - An Informatics & eHealth Blog

I am a clinician with a passion for informatics. This blog is about my eHealth journey exploring interoperability in Electronic Medical Records (EMR/EHR), Patient Safety, Pharmacovigilance, Data Analytics, Clinical Research and Bioinformatics in a clinical context. Comparing Canadian, Indian and Middle Eastern healthcare systems and services. Join our open Facebook group here: https://www.facebook.com/groups/clinical.bioinformaticians/


Electronic Health Records heartbleed

Finally, we presented our ultra-small EHR project (TED) on Wednesday with the promise of pushing it to GitHub as an open-source project soon. The biggest challenge in small turnkey EHRs is data security and privacy. While we were presenting our project, the world was desperately seeking the patch for the Heartbleed bug, and CRA Canada shut down its portal to avoid any potential data security breach. We are still not sure about the impact of this bug worldwide. So what exactly is Heartbleed, and how can it affect the burgeoning open-source revolution in health informatics?

Heartbleed is a bug in a widely used open-source encryption library called OpenSSL. When two computers are securely connected using it, there is a mechanism for periodically checking this secure connection. We now know that this process was not secure after all: a flaw in it made the data in the RAM of the computers potentially visible to intruders. The data in the RAM of a computer at any time is likely to be the most sensitive, including information such as passwords. This vulnerability was present for almost 2 years until it was spotted recently. Though the obvious question at this point is who knew about this vulnerability before, the potential ramifications of Heartbleed extend right to the heart of the open-source philosophy in secure software systems such as EHRs.
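The flaw in the periodic check was a missing length check: the reply echoed as many bytes as the sender claimed to have sent, not as many as actually arrived. The following is an added, simplified model of that mistake and its fix, not OpenSSL's code; the 2-byte header, the function names and the sample secret are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 2  /* toy header: 2-byte big-endian claimed payload length */
static const char SECRET[] = "patient-pw-1234";  /* constructed sample data */
typedef size_t (*echo_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Flawed handler: echoes as many bytes as the peer claims to have sent. */
size_t echo_flawed(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t cap)
{
    (void)msg_len;  /* the size that actually arrived is never consulted */
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > cap) return 0;
    memcpy(out, msg + HDR, claimed);  /* may read past the real message */
    return claimed;
}

/* Checked handler: drops any message whose claim exceeds what arrived. */
size_t echo_checked(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t cap)
{
    if (msg_len < HDR) return 0;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > msg_len - HDR || claimed > cap) return 0;
    memcpy(out, msg + HDR, claimed);
    return claimed;
}

/* Returns 1 if the reply to a 4-byte "ping" with this claimed length holds SECRET. */
int reply_leaks(echo_fn handler, uint16_t claimed)
{
    uint8_t arena[128] = {0}, reply[64] = {0};  /* arena models nearby RAM */
    arena[0] = (uint8_t)(claimed >> 8);
    arena[1] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HDR, "ping", 4);                  /* the real payload */
    memcpy(arena + HDR + 4, SECRET, sizeof SECRET);  /* unrelated data next to it */
    size_t n = handler(arena, HDR + 4, reply, sizeof reply);
    for (size_t i = 0; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(reply + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("flawed, inflated length: leak=%d\n", reply_leaks(echo_flawed, 40));
    printf("checked, inflated length: leak=%d\n", reply_leaks(echo_checked, 40));
    return 0;
}
```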



Though it is unlikely, there is a possibility that the Heartbleed bug was intentionally introduced into the software by someone in the open-source community. This is an eye-opener for massively open-source EHR products. The people managing such open-source projects must be aware of the possibility of a security breach by malicious code introduced by contributors. It may not be easy to spot such vulnerabilities.

Many EHR systems employ OpenSSL encryption, making them vulnerable to Heartbleed. Though patching may happen fast in active and funded projects, it may be delayed for some projects, leaving them potentially vulnerable to Heartbleed for an extended time. Since this vulnerability is known, the chances of potential exploitation are quite high. Though healthcare data is probably less interesting to hackers than other data sources (contrary to what most of us in eHealth think), Heartbleed could give healthcare CEOs some heartburn, if not a bleed, for days to come.





About Me

As a Dermatologist and Informatician my research mainly involves application of bioinformatics techniques and tools in dermatological conditions. However my research interests are varied and I have publications in areas ranging from artificial intelligence, sequence analysis, systems biology, ontology development, microarray analysis, immunology, computational biology and clinical dermatology. I am also interested in eHealth, Health Informatics and Health Policy.

Address

Bell Raj Eapen
Hamilton, ON
Canada