Best Practices

Heartbleed, Internet Explorer Bug and HIPAA Security


Three weeks ago Internet users were notified en masse that a security vulnerability had been discovered in OpenSSL, a widely-used piece of open-source software that helps securely transport information around the web. The so-called Heartbleed bug forced healthcare IT vendors across the industry to perform internal forensic analyses to check whether they were sending vulnerable PHI across various internal and external networks.

Severe Security Vulnerabilities on a Global Scale

Just one week later Microsoft announced that it had discovered a serious security vulnerability in its Internet Explorer browser. The issue was so severe that it prompted the federal government to tell citizens to use another browser until the flaw had been corrected. Once again, health IT vendors had to perform HIPAA-mandated security risk assessments to measure the severity and scope of the security incident.

Lots of Healthcare Security Vulnerabilities Still Possible

Keeping the April security flaw theme going, just last week yet another vulnerability was discovered in a tool that many people use every day. The “Covert Redirect” vulnerability in OAuth, an open-source log-in tool used by such Internet titans as Facebook and Google, allows hackers to steal user data and gain access to secure websites. Again, vendors in the healthcare space with user-facing portals had to perform the same assessments to determine if their customer PHI had been compromised.
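As an added illustration (not code from the original post), the server-side check that separates the Covert Redirect weakness from its mitigation: an authorization server that matches only the host of a redirect_uri will accept any page on that host, whereas exact matching against a pre-registered value does not. The hostnames, paths and registered callback below are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: the exact callback a hypothetical patient portal
# registered with an OAuth provider. Not a real service.
REGISTERED_REDIRECT_URIS = {
    "https://portal.example-clinic.test/oauth/callback",
}


def host_only_match(redirect_uri: str) -> bool:
    """Loose check: accept any redirect_uri on a registered host.

    This is the matching style Covert Redirect relies on, because any
    other page on that host (for instance one that forwards visitors
    elsewhere) is accepted as a destination for the code or token."""
    host = urlsplit(redirect_uri).netloc.lower()
    return any(urlsplit(r).netloc.lower() == host for r in REGISTERED_REDIRECT_URIS)


def exact_match(redirect_uri: str) -> bool:
    """Strict check: scheme, host and path must equal a registered value,
    with no query string or fragment appended and https only."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    normalized = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    return normalized in REGISTERED_REDIRECT_URIS


def audit(redirect_uris):
    """Return {uri: (host_only_result, exact_result)} so both policies
    can be compared side by side on the same inputs."""
    return {u: (host_only_match(u), exact_match(u)) for u in redirect_uris}


if __name__ == "__main__":
    # Constructed requests: the registered callback, the same host with a
    # different path and query, and a plain-http downgrade of the callback.
    samples = [
        "https://portal.example-clinic.test/oauth/callback",
        "https://portal.example-clinic.test/go?next=https://elsewhere.test",
        "http://portal.example-clinic.test/oauth/callback",
    ]
    for uri, (loose, strict) in audit(samples).items():
        print(f"{uri}\n  host-only: {loose}  exact: {strict}")
```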

Health IT Security Has a Lot of Work on Their Hands

It was certainly an April to remember for health IT security professionals. Aside from countless hours of remediation and forensic efforts, these events should serve as a reminder of the risks associated with allowing a Business Associate to take custody of your patients’ PHI. Business Associate Agreements can be signed, and vendor assessments can be performed, but at the end of the day, you are placing yourself at the mercy of your provider’s security controls. And as the April security incidents have shown us, not even the vendors with the most painstaking security checks will be 100% secure.

Sometimes abstinence is the only means of prevention. Passing through the cloud avoids the Business Associate conundrum by never allowing your PHI to be stored or even passed through a vendor’s environment. How many assurance emails can you get from your IT vendors before it’s enough?

Frequently Asked Questions


Heartbleed is a security vulnerability in OpenSSL software that could expose protected health information (PHI) during transmission. Healthcare organizations must conduct HIPAA-mandated security risk assessments when such vulnerabilities are discovered to determine if patient data was compromised.

Healthcare organizations should immediately perform security risk assessments to measure the severity and scope of potential PHI exposure. They should also review their Business Associate Agreements and evaluate whether their vendor's security controls adequately protect patient data.

Even with Business Associate Agreements and vendor assessments, healthcare organizations remain at risk because they depend on their vendors' security controls. No vendor can guarantee 100% security, making organizations vulnerable to data breaches beyond their direct control.

OAuth is an open-source login tool used by major platforms like Facebook and Google that enables secure website access. The Covert Redirect vulnerability in OAuth allows hackers to steal user data, requiring healthcare organizations with patient portals to assess potential PHI exposure.

Organizations can consider avoiding cloud storage entirely by ensuring PHI never passes through or gets stored in vendor environments. This approach eliminates Business Associate security dependencies while maintaining HIPAA compliance.

Written by Ben Henson, Healthcare IT Specialist

Healthcare IT specialist with expertise in HIPAA compliance and secure messaging.
