Friday, May 2, 2014
Secure-Mail™ Unaffected by Heartbleed
Brightsquid is extremely pleased to share that Secure-Mail™ was unaffected by the Heartbleed Bug as we are not using an affected version of OpenSSL, a cryptography library commonly used for secure communication on the Internet. Further, the OpenSSL library has already been patched, so future versions will not be vulnerable either.
Heartbleed is caused by an issue in the OpenSSL library called a buffer over-read, where a computer responds to a request with more information than it should provide. It exploits a mechanism called a heartbeat extension, which is used to confirm that a remote computer is still available. The computer requesting the heartbeat sends a text string (such as “potato”, “bird” or “hat”) and the length of that string to a remote computer and asks for it to be repeated back. In the case of Heartbleed, the remote computer doesn’t check to see whether the length provided and the actual length of the string match. A malicious user can request a much longer response than the string’s true length, causing the remote computer to return the requested string as well as other information after the string in the computer’s memory. This could include sensitive information such as passwords, credit card numbers, and banking information. This is illustrated very clearly in the following web comic:
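The missing length check described above can be shown in a few lines of C. This is an added example, not OpenSSL's code or anything from Brightsquid: it uses a simplified heartbeat message (type, 2-byte claimed length, payload, with the real protocol's padding omitted), and the function names, `ARENA` buffer and secret value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3  /* 1-byte type + 2-byte claimed payload length */

/* Constructed stand-in for server memory: a 6-byte request ("hat", but
 * claiming 32 bytes) followed by unrelated data stored right after it. */
const uint8_t ARENA[] = "\x01\x00\x20" "hat" "session=CONSTRUCTED-SECRET-VALUE";
#define RECORD_LEN 6   /* bytes that actually arrived from the peer */

/* Flawed handler: trusts the claimed length and never looks at rec_len. */
int hb_reply_unchecked(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;
    if (rec[0] != HB_REQUEST || HB_HEADER + claimed > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* reads past the record */
    return (int)(HB_HEADER + claimed);
}

/* Corrected handler: drop requests whose claimed length exceeds what arrived. */
int hb_reply_checked(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    size_t claimed;
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return -1;
    claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HB_HEADER) return -1;      /* length mismatch */
    if (HB_HEADER + claimed > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return (int)(HB_HEADER + claimed);
}

int main(void)
{
    uint8_t out[64];
    int n = hb_reply_unchecked(ARENA, RECORD_LEN, out, sizeof out);
    printf("unchecked: %d bytes: %.*s\n", n, n - HB_HEADER,
           (const char *)out + HB_HEADER);
    printf("checked:   %d (request dropped)\n",
           hb_reply_checked(ARENA, RECORD_LEN, out, sizeof out));
    return 0;
}
```

The unchecked handler echoes "hat" plus the 29 bytes stored after it, while the checked handler discards the same request and still answers an honest one.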
At Brightsquid, we understand the importance of maintaining data security for Protected Health Information (PHI) within your practice and the regulatory implications. Secure-Mail™ remains the best way to safely share protected health information with patients, dentists, specialists and labs.
For more information about what Secure-Mail™ has to offer and how it delivers regulatory compliance for your practice, please visit: