CVE-2014-0160 aka “The Heartbleed Bug”

As you may have heard, on Monday a major security vulnerability was discovered in OpenSSL (CVE-2014-0160, also called the “heartbleed” bug), a software component that encrypts a substantial amount of internet network traffic. We want to be transparent about how this has affected us, what we have done to remediate it, and how this affects you as a Wellpepper customer.

How Wellpepper Was Impacted, and Our Response

Our production systems are hosted on Windows Server, and neither the default services nor any application components are vulnerable to this issue.

  • We take data security seriously: In addition to relying on SSL to protect data in transit, Wellpepper also uses field-level AES encryption to protect identifiable patient data end-to-end (e.g. it applies over-the-wire and at-rest), and drive-level AES encryption (which applies to data at-rest).
  • We have beta Linux infrastructure which was affected by this issue; however, no customers are using this infrastructure:
    • We patched the affected servers on Monday (within hours of the vulnerability disclosure)
    • The affected servers use a shared SSL certificate to encrypt traffic.
    • While it is very unlikely that our beta infrastructure would be the target of an attack (and we see no log activity to indicate this), in the interest of thoroughness we have re-keyed the *.wellpepper.com SSL certificate, and redeployed the updated certificates across our infrastructure.
  • In addition to our own infrastructure, we have also validated that all other infrastructure that we take dependencies on has been appropriately remediated.

How This Affects You

  • No customer data or security credentials were compromised
  • There is no need to reset your password; however, if you wish to, you may do this in the Settings screen within the WP Clinic app
  • Feel free to reach out to us at support@wellpepper.com if you have any questions or concerns


4 Comments

  1. Jim April 9, 2014

    Just do you know, it’s the Heartbleed bug, not the Heartbreak bug.

  2. Jim April 9, 2014

    Typo!
    do = so

  3. physioweb April 10, 2014

    Hi…

    The bug is called the “Heartbleed Bug”, not the “Heartbreak Bug”.

  4. Anne Weiler April 10, 2014

    Thanks Jim
