Heartbleed and HIPAA

On April 7th, the news hit the wire that there is a serious bug in the OpenSSL program – one of the most popular cryptography programs out there. This bug allowed information normally protected by an SSL/TLS license (a type of encryption) to be compromised. The scary thing about this bug is that it appears to have been around as far back as December 2011 What does this mean for your website? As of right now, we don’t know if or what information was breached. The first thing you should do is look at your website host and see if they were using OpenSSL. If so, have they patched it?

There are a couple of free resources that have popped up to help test to see if your site is safe:

Before you rush to change all your passwords, make sure that your site(s), and providers, have all applied the patch to their servers. At this point, most servers should be patched, but a quick call to your web host is strongly recommended. Now, let’s talk about your personal information. This is a great time to go through all your financial, email and social media passwords and change them. Here is a list of major sites that may have been affected:

Some of the sites that use OpenSSL are Dropbox, Yahoo Mail, Facebook, and Gmail (Google says that there is no reason to change your password, but it’s probably a good idea just to be safe.) All of these sites appear to have been patched, but any older passwords could be vulnerable. Here is a post from a few weeks back where we talk about updating your passwords.

Now, how does Heartbleed affect your HIPAA compliance? Does this mean you need to send a breach notice to all your clients? As of right now, we don’t know if anyone actually has been grabbing information. We don’t think there is a need to send out breach notifications to your clients, but it might be nice to post a statement on your website or send out an email to your clients that says something like:

We here at (your company name) take your privacy very seriously. Your personal information may be vulnerable if your web hosting company used OpenSSL We recommend that you contacted your web providers, inquire if they used OpenSSL and whether they have patched their systems if they have used that encryption. Once the system is patched we recommend that you update any passwords you have at this time, and report any suspicious activity that you find with your personal information to us and the proper authorities so we can help you address this as quickly as possible.

And in case you were wondering… Yes, we’ve done those things too in order protect our clients, and to protect our own personal information. It’s always better to be safe, and we take that responsibility very seriously when it comes to the information we have and keep on you. We at Total HIPAA have patched all our systems and changed all our passwords, and we are recommending that you do the same for any passwords that protect sensitive information. If nothing else, it’s a good business practice. Remember, this action needs to be documented in your Risk Analysis and possibly addressed in your security policies and procedures.

By Jason Karn


Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)