“I'm not saying all of them are vulnerable,” he said. That depends on whether sites use the affected versions of what's known as OpenSSL, software used to access encryption algorithms.
“Catastrophic” is how cryptographer Bruce Schneier, writing on his Schneier on Security blog, described the bug, publicly disclosed this week and dubbed Heartbleed for its location within OpenSSL code.
“On the scale of 1 to 10, this is an 11,” said Schneier, who estimates a half million websites are vulnerable, including his own.
The problem could be even worse, an “11, 12 or 15, whatever you want to call it,” Mathews said.
“Anything you logged into and assumed was confidential could possibly have been eavesdropped on for the past two years,” Mathews said. “If it was exploited by the right people for nefarious reasons, it could be haunting us for years to come.”
The bug, which doesn't leave much in the way of a trail, reportedly was found by separate groups, a Google engineer and a team from Codenomicon, a security software firm based in Finland, according to a website devoted to the vulnerability.
A programmer has claimed responsibility for writing the section of bad code that created Heartbleed.
The one saving grace, Mathews said, is that while a hacker outside an organization could have used Heartbleed to access encrypted data, “You have to know where you want to go and you have to wait for the data to come to you,” he said.
“Let's say you wanted to exploit Amazon,” he said. “First, you have to know if Amazon is vulnerable. Then, you have to exploit the vulnerability. Then, you have to sit there and wait for the data to move. Someone has to have enough umph and motivation to target your site.”
Unfortunately, with today's computing power and the known threats to healthcare IT systems from sophisticated hackers, neither are much of a limitation.
So far, it's impossible to estimate how much fixing this bug will cost the healthcare industry, Matthews said.
“I don't think we're going to know that until after the fact,” he said. And like the risk to data, he said, “This is going to be affecting us for some time to come.”
Follow Joseph Conn on Twitter: @MHJConn