HIPAA and Heartbleed … Are you automatically in breach?
Under the HIPAA Privacy Rule, a breach is defined as:
Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
Based on this definition, merely having been vulnerable to a security exploit (e.g. Heartbleed) does not constitute a breach and does not trigger breach notification law.
So — just because you used a system that was vulnerable to Heartbleed, does not mean that a breach occurred or that any type of reporting is needed. Imagine if it did … practically everyone would have to report and that would overwhelm Health and Human Services!
However, if you or your provider obtains evidence that the vulnerability was exploited in some manner such that a breach did occur, then breach reporting law is triggered. With Heartbleed, at least before it was announced last week, there was really no way to detect or log such exploits … they were untraceable. Well, unless there is other unrelated evidence that a breach occurred, such as confidential information that only resided on a particular server showing up elsewhere.
Going forward, however, systems that are not patched for Heartbleed stand to violate HIPAA’s Security Rule requirements for patching systems, keeping security up to date, and mitigating risk. Furthermore, it is now possible to detect and log Heartbleed attacks … which only really matters if you are not yet patched, or are writing systems to protect other systems, or installing multiple levels of protection.
HIPAA does require the regular review of records and logs to discover activity that could relate to a security incident. For Heartbleed, there would generally not be anything in the past logs to look at in any direct manner (e.g. few systems were likely logging information about SSL “handshakes”, and few had any reason to do so). Furthermore, HHS has not expressed an obligation on security staff to review past logs for evidence of attacks on newly discovered vulnerabilities.
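As an added example (not code from the original post), here is the kind of defender-side check the two paragraphs above have in mind: it parses a raw TLS record and flags heartbeat messages whose claimed payload length exceeds the bytes actually present in the record, which is what a Heartbleed probe looks like on the wire, and turns hits into audit-log lines. The sample records and source addresses are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24       # TLS record content type for the Heartbeat extension (RFC 6520)
MIN_PADDING = 16         # RFC 6520 mandates at least 16 bytes of padding after the payload


def check_heartbeat_record(record: bytes) -> dict:
    """Classify one raw TLS record: is it a heartbeat, and does its claimed
    payload_length exceed what the record carries (the Heartbleed signature)?"""
    if len(record) < 5:
        return {"heartbeat": False, "suspicious": False, "reason": "truncated record header"}
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"heartbeat": False, "suspicious": False, "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return {"heartbeat": True, "suspicious": True, "reason": "heartbeat body too short to parse"}
    _hb_type, claimed_len = struct.unpack("!BH", body[:3])
    # Bytes genuinely available for the payload once the mandatory padding is accounted for.
    available = max(len(body) - 3 - MIN_PADDING, 0)
    if claimed_len > available:
        return {"heartbeat": True, "suspicious": True,
                "reason": f"claimed payload_length {claimed_len} exceeds {available} bytes present"}
    return {"heartbeat": True, "suspicious": False, "reason": "payload_length consistent"}


def log_suspicious(records) -> list:
    """Run the check over (source, record) pairs and return audit-log lines for the hits."""
    lines = []
    for source, record in records:
        verdict = check_heartbeat_record(record)
        if verdict["suspicious"]:
            lines.append(f"HEARTBLEED-SUSPECT src={source} {verdict['reason']}")
    return lines


# Constructed sample records (not real captures).
# Well-formed heartbeat request: payload_length 3, payload "abc", 16 bytes of padding.
BENIGN = bytes.fromhex("1803020016" "010003616263" + "00" * 16)
# Same record but payload_length claims 0x4000 bytes while only 3 are present.
MALFORMED = bytes.fromhex("1803020016" "014000616263" + "00" * 16)
# An ordinary application-data record, which the check must ignore.
APP_DATA = bytes.fromhex("1703020005" "68656c6c6f")

if __name__ == "__main__":
    for line in log_suspicious([("10.0.0.5", BENIGN), ("10.0.0.9", MALFORMED), ("10.0.0.7", APP_DATA)]):
        print(line)
```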
So, the long and short of it is:
- Make sure that all of the systems and vendors that you use have patched their systems and re-issued their SSL certificates to protect against Heartbleed … if they have not, consider changing vendors ASAP
- Update your passwords
- You do not have to report about breaches related to Heartbleed unless you have direct evidence that one actually occurred.