Friday, May 2, 2014

Secure-Mail™ Unaffected by Heartbleed


You’ve probably heard about the Heartbleed Bug that has caused a great stir in the news lately. Many organizations – including large and well-known email providers – have admitted that they were affected and have been forced to take rapid action to protect themselves and their users. A cybersecurity columnist for Forbes described Heartbleed as arguably “the worst vulnerability found since commercial traffic began to flow on the Internet”.

Brightsquid is extremely pleased to share that Secure-Mail was unaffected by the Heartbleed Bug as we are not using an affected version of OpenSSL, a cryptography library commonly used for secure communication on the Internet. Further, the OpenSSL library has already been patched, so future versions will not be vulnerable either.

Heartbleed is caused by an issue in the OpenSSL library called a buffer over-read, where a computer responds to a request with more information that it should provide. It exploits a mechanism called a heartbeat extension, which is used to confirm that a remote computer is still available. The computer requesting the heartbeat sends a text string (such as “potato”, “bird” or “hat”) and the length of that string to a remote computer and asks for it to be repeated back. In the case of Heartbleed, the remote computer doesn’t check to see whether the length provided and the actual length of the string match. A malicious user can request a much longer response than the string’s true length, causing the remote computer to return the requested string as well as other information after the string in the computer’s memory. This could include sensitive information such as passwords, credit card numbers, and banking information. This is illustrated very clearly in the following web comic:

http://xkcd.com/1354/

At Brightsquid, we understand the importance of maintaining data security for Protected Health Information (PHI) within your practice and the regulatory implications. Secure-Mail remains the best way to safely share protected health information with patients, dentists, specialists and labs.

For more information about what Secure-Mail has to offer and how it delivers regulatory compliance for your practice, please visit:

http://brightsquid.com/securemail.html

No comments:

Post a Comment