“Open source is still a great way of building solid software,” said Steve Pate, chief architect for HyTrust, a provider of cloud-based virtual security services for healthcare and other industries.
Support also remains for OpenSSL, the open-source cryptographic library in which the Heartbleed bug was found. “The encryption methods in there are rock solid. It's the whole mechanism we've been basing online commerce on for a long time. It has had a lot more eyes on it than a lot of the commercial security products today,” Pate said.
There's a maxim in the open-source software development community, coined by Eric S. Raymond and often called Linus's Law, that “Given enough eyeballs, all bugs are shallow.”
That means, because so many programmers have access to the source code of a successful open-source project, any problems with that code will be spotted readily.
It didn't quite work that way for the Heartbleed vulnerability in OpenSSL.
Earlier this month, the small bug with massive implications was found to have been present in the widely used open-source encryption library for roughly two years. The flaw, a missing length check in OpenSSL's implementation of the TLS heartbeat extension (CVE-2014-0160), let anyone who could connect to an affected server read chunks of its memory, which could include private keys, session cookies and passwords. All that time, Heartbleed had essentially left a door unlocked for potential hackers on millions of websites and devices worldwide.
“It was put in place by a young German Ph.D. student,” Pate said. “You could understand that a young programmer makes a mistake.” But given “how difficult it is to get a piece of software accepted by the open-source community,” Pate said, “It's surprising it escaped the eyes of so many people looking over this code.”
The global IT community is still reacting to Heartbleed.
HHS posted a notice to its Healthcare.gov website last week strongly recommending that Obamacare registrants who used the site create new passwords.
HHS did not use OpenSSL, “not directly,” said Kevin Charest, chief information security officer at HHS. But a content delivery network used by HHS, Akamai Technologies, Cambridge, Mass., “had a specific challenge with it,” Charest said.
So, “out of an abundance of caution,” HHS recommended millions of Obamacare enrollees who used the site change their passwords.
HHS' precaution prompted a blast from Rep. Diane Black (R-Tenn.), who said it “speaks volumes to the website's continued vulnerability.”
She called for the Senate to take up the Health Exchange and Data Security Act passed by the House in January. The bill would require notifying Healthcare.gov registrants within 48 hours in the event of a breach of their information.
Across the healthcare industry, Heartbleed exposed not only provider websites but also browsers, medical devices, patient records, passwords and other information on their computer systems. So far, according to healthcare security expert Michael McMillan, there are no verified breaches in healthcare where Heartbleed is the known culprit, but it would be a mistake to assume the industry has dodged a bullet.
The Heartbleed vulnerability was such that hackers could have exploited it and barely left a trace, said McMillan, co-founder and CEO of CynergisTek, an Austin, Texas, health IT security consultancy, and chairman of the privacy and security policy task force for the Healthcare Information and Management Systems Society.
“If they were compromised by Heartbleed, it wouldn't have sent up any red flags,” unless an organization was closely monitoring its systems' audit trails and performing sophisticated pattern analysis on them. “The level of monitoring needed was way beyond what healthcare organizations are used to doing,” he said.
“The other thing, it's so damn pervasive,” McMillan said. “You've got OpenSSL embedded in servers, and appliances and products.”
Since the bug surfaced, McMillan said his advice to clients has been to first plug holes. Down the road, “We're still going to have the arduous job of determining whether they've been compromised.”
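Both halves of that advice, triaging what is exposed and then watching for the traffic that would have exploited it, can be made concrete. The script below is an added example written for this page; it is not code from OpenSSL, CynergisTek or any organization quoted here. The version check is a heuristic built on the publicly documented affected range (upstream 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g), and the detection logic applies the bounds check RFC 6520 requires and that the 1.0.1g fix added: a heartbeat whose declared payload length does not fit inside the record that carries it. The sample records are constructed inline for the example, not captured traffic.

```python
"""Heartbleed triage helpers: version-banner heuristic and wire-level detection.

Added example for this article; the heartbeat layout follows RFC 6520 and the
length check mirrors the one added in OpenSSL 1.0.1g.
"""
import re
import struct

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat messages (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520: every heartbeat carries at least 16 bytes of padding

_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9]+)?")


def upstream_version_vulnerable(banner):
    """Return True if an unpatched upstream build with this `openssl version` banner
    ships the Heartbleed bug: 1.0.1 through 1.0.1f, or 1.0.2-beta1.

    Heuristic only: distributions backported the fix without bumping the upstream
    version string (a patched Debian 1.0.1e still reports 1.0.1e), and builds made
    with -DOPENSSL_NO_HEARTBEATS were never exposed. Treat True as 'investigate'.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5) or ""
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) through "f"; "g" and later are fixed
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "-beta1"
    return False                      # 0.9.8 and 1.0.0 never had the heartbeat extension


def parse_tls_record(buf):
    """Split one TLS record into (content_type, version, body); raise if truncated."""
    if len(buf) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    body = buf[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field exceeds captured bytes")
    return ctype, version, body


def heartbeat_is_malformed(record_body):
    """The check a patched peer performs before echoing a heartbeat.

    RFC 6520 section 4 says a heartbeat whose payload_length is too large for the
    record MUST be silently discarded. The 1-byte type, 2-byte length field and 16
    bytes of minimum padding must all fit alongside the declared payload. A
    vulnerable peer skipped this and copied payload_length bytes from memory,
    returning whatever sat after the short request.
    """
    if len(record_body) < 1 + 2 + MIN_PADDING:
        return True
    hb_type, payload_len = struct.unpack("!BH", record_body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return True
    return 1 + 2 + payload_len + MIN_PADDING > len(record_body)


def scan_records(records):
    """Detection pass over captured TLS records, the logic an IDS rule encodes.

    Returns (index, reason) for each heartbeat record that would trigger the leak
    on an unpatched server; non-heartbeat records are ignored.
    """
    hits = []
    for i, rec in enumerate(records):
        ctype, _version, body = parse_tls_record(rec)
        if ctype != TLS_HEARTBEAT or not heartbeat_is_malformed(body):
            continue
        declared = struct.unpack("!H", body[1:3])[0] if len(body) >= 3 else None
        hits.append((i, "heartbeat declares %s payload bytes inside a %d-byte record"
                     % (declared, len(body))))
    return hits


def build_heartbeat(payload, declared_len=None, padding=b"\x00" * MIN_PADDING,
                    tls_version=0x0302):
    """Build a TLS heartbeat request record for the samples below.

    `declared_len` lets a sample overstate the payload length, which is the
    entire trick behind the Heartbleed probe.
    """
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, tls_version, len(body)) + body


# Constructed sample traffic for this example, not a real capture.
SAMPLE_RECORDS = [
    build_heartbeat(b"ping"),                          # benign: length matches payload
    build_heartbeat(b"", declared_len=0x4000),         # classic probe: claims 16 KB, sends none
    build_heartbeat(b"\x00" * 100, declared_len=200),  # subtler: overstates by 100 bytes
    b"\x17\x03\x02\x00\x04abcd",                       # application data record, ignored
]

if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(banner, "->", "investigate" if upstream_version_vulnerable(banner) else "ok")
    for idx, reason in scan_records(SAMPLE_RECORDS):
        print("record %d: %s" % (idx, reason))
```

The version heuristic answers "what do I patch first"; the record scan answers the harder question McMillan raises, since a successful probe leaves nothing in the application log and shows up only if something was inspecting the TLS layer at the time.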
Problems with OpenSSL have not directly affected one of the largest open-source projects in healthcare, the open-source adaptation of the Veterans Affairs Department's VistA electronic health-records system.
Seong Ki Mun, president of the Open Source Electronic Health Record Alliance, the not-for-profit organization designated by the VA as the overseer of an open-source project to update and improve VistA, said OpenSSL was not part of its package.
And, according to Mun, the open source movement in healthcare could actually benefit from publicity about Heartbleed.
“We look at this as a real positive as people have a better understanding what open source is,” he said.
Mun pointed to a team effort last November in which Raymond's many-eyeballs maxim worked as envisioned. The VA and OSEHRA staff, as well as some of its member organizations, collaborated to close a vulnerability in VistA and the Indian Health Service's EHR that had been found by a graduate student at Georgia Tech.
In contrast, with proprietary software, where the code is inaccessible to outsiders, it's like “somebody giving you a black box and saying, trust us,” Mun said.
WorldVistA, a not-for-profit organization that also promotes the use of an open-source version of VistA outside the VA, uses a “copyleft” open-source software license. Copyleft obliges its users to keep the code open, so any improvements to it become part of the communal stew pot of software, open for inspection and use by others.
Open-source advocate K. S. Bhaskar, of Malvern, Pa., a co-founder and former board member of WorldVistA, said the licensing terms affect how exposed users of a piece of software are, even if it's open source.
OpenSSL was released with a “permissive license,” Bhaskar said. That means a developer can take the source code from OpenSSL, incorporate it into a proprietary product and not disclose that it did so, leaving the purchaser of that software ignorant of, and vulnerable to, Heartbleed or any other undisclosed bug.
“If they had used a strong copyleft, they would have had to disclose it,” Bhaskar said. “Perfect software is not going to happen in our lifetimes, so the question is, how do you deal with the imperfections?”
Turning to another cybersecurity issue, McMillan expressed a sense of foreboding about what he sees as an unusually high number of cases of income tax return fraud this year targeting medical professionals.
“We've just had all this leakage of data that supports this tax fraud that's been nationwide,” McMillan said. Tax fraud stories are always common this time of year, but “You don't find a pattern against a certain type of individual. This year, it's been like open season on doctors and dentists. The question is, where did they get the data?”
Follow Joseph Conn on Twitter: @MHJConn