
HIPAAOne statement on Heartbleed

HIPAA One Heartbleed update:

You are probably aware of the Heartbleed Bug. This vulnerability is in the OpenSSL cryptographic software library (CVE-2014-0346 / CVE-2014-0160). There has been a tremendous amount of media coverage due to the severity of this bug.

This bug enables someone to read the memory of systems protected by vulnerable versions of OpenSSL software. More details can be found here: http://heartbleed.com. In summary, an information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys. (CVE-2014-0160)

After analyzing our cloud infrastructure at https://secure.hipaaone.com, we found that no production servers were impacted by this bug.

We conduct regular vulnerability scans and are beginning periodic ethical hacking (penetration testing). This helps provide assurance that we are current with vulnerabilities and are managing risk in our production platforms.

Thank you for your attention to this matter.

For anyone else who is running Linux with OpenSSL internally, we recommend applying the security patch issued by Red Hat (or your distribution's equivalent) to affected servers and restarting the OpenSSL service; in practice that means every service that loads the OpenSSL library, because a running process keeps the old copy of the library in memory until it is restarted. For example, you can issue “openssl version” from the command line to determine whether the installed release is one susceptible to the bug (upstream releases 1.0.1 through 1.0.1f are affected; 1.0.1g carries the fix). Note that Red Hat backports the fix without changing the version string, so on Red Hat systems also confirm that the installed openssl package is the one named in the advisory. The Red Hat security advisory is included here for your reference.

https://rhn.redhat.com/errata/RHSA-2014-0376.html
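The check described above, as an added example that is not part of the HIPAA One statement or of Red Hat's advisory: a small POSIX shell script that classifies the output of “openssl version” against the affected upstream releases, looks for the Red Hat backport in the package changelog (since the version string alone is not conclusive there), and lists processes that still have an old, since-replaced libssl mapped and therefore need a restart. The function names are this example's own; it assumes a Linux host with /proc and, for the backport check, an RPM-based distribution.

```shell
#!/bin/sh
# Added example (not from the HIPAA One statement): a defender's
# post-Heartbleed host check. Function names are this example's own.
# Assumes POSIX sh, the openssl binary, Linux /proc, and (for the
# backport check) an RPM-based system such as RHEL.

# Return 0 if the given "openssl version" output names an upstream
# release affected by CVE-2014-0160: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 0.9.8 and 1.0.0 never contained the heartbeat code; 1.0.1g has the fix.
heartbleed_vulnerable_version() {
    ver=${1#OpenSSL }       # "1.0.1e-fips 11 Feb 2013"
    ver=${ver%% *}          # "1.0.1e-fips"
    ver=${ver%-fips}        # "1.0.1e"
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Red Hat ships the fix as a backport, so the version string stays 1.0.1e.
# Inspect the package changelog for the CVE instead. Returns 0 when the
# installed openssl RPM records the fix, 1 when it does not, 2 if rpm is absent.
rpm_has_heartbleed_fix() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
}

# After the library package is updated, daemons that loaded the old libssl
# keep the vulnerable copy mapped until they restart. /proc/<pid>/maps marks
# the unlinked file as "(deleted)", which is how we find them.
processes_using_old_libssl() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            printf '%s %s\n' "$pid" \
                "$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Report for this host; nothing is modified.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if heartbleed_vulnerable_version "$v"; then
        echo "upstream version affected: $v"
        rpm_has_heartbleed_fix && rc=0 || rc=$?
        case $rc in
            0) echo "  but the RPM changelog records the CVE-2014-0160 backport" ;;
            1) echo "  and no backport recorded: apply RHSA-2014-0376 or equivalent" ;;
            *) echo "  cannot verify a backport here (no rpm); consult your distribution" ;;
        esac
    else
        echo "upstream version not affected: $v"
    fi
fi
echo "processes still mapping a replaced libssl (restart these):"
processes_using_old_libssl
```

Run it as root so that every process's maps file is readable; unprivileged runs silently skip processes they cannot inspect, so an empty restart list from a non-root shell is not proof that nothing needs restarting.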

Steven Marco

HIPAA One® President