A Statement About Heartbleed
Heartbleed Internet Security Vulnerability
By now, you’ve probably heard about Heartbleed, a term given to a very serious security bug in some open source software used by 60% of the systems on the internet, including systems in the healthcare industry. But, because STI uses Microsoft technology, this problem did not affect any ChartMaker® related software. That includes our internet (aka cloud) services like ChartMaker Cloud, ChartMaker Health Portal, and ChartMaker Patient Portal. Therefore, you and any patients that you serve can rest assured that their protected health information in ChartMaker systems was not affected by Heartbleed.
We advise you to look for a similar statement to ours from other technology vendors you may use. If their systems were affected, they should explain what you need to do once the affected systems have been fixed. This usually includes changing your passwords; but again, only after the systems have been fixed. The nature of this bug is that changing your password is an action that could be monitored by malicious hackers on a system with this bug.
The problem was termed Heartbleed because it is an appropriately scary metaphor to describe the bug in a program feature called heartbeat. Heartbeat is a programming term commonly used to describe the process of determining if a program is still alive (running) or not, something we in the healthcare industry can appreciate.
A university student enhanced a security feature in open source software called OpenSSL. This brings up a question about why companies could adopt unpaid, student-written code so crucial to the core security of the internet without checking it more thoroughly. Unfortunately, this is done more often than you think for economic reasons. It brings to mind the expressions, “There’s no free lunch” and “You get what you pay for”, but that’s a different topic.
As soon as this problem became known during the week of April 7th, one of our Software Development managers contacted our manager of Information Technology, who is responsible for production systems. They jumped on it. We determined quickly that this was not a problem for our systems; nevertheless, we made sure that we double-checked our systems as well as those of our technology partners to be sure. By the end of that following weekend, we had all the information we needed.
What we know about computer security is that this won’t be the last issue of its kind. With unending and ever-changing tactics by unscrupulous people, we need to be vigilant in protecting the health information of the patients we serve. As users of the ChartMaker brand of products, you know STI will be there applying preventative measures, reacting quickly to problems if needed, and keeping you informed.
Thank you for being an STI customer.