As you may have heard, on Monday a major security vulnerability was discovered in OpenSSL, a software component that encrypts a substantial share of internet traffic (CVE-2014-0160, also called the “heartbleed” bug). We want to be transparent about how this has affected us, what we have done to remediate it, and how it affects you as a Wellpepper customer.
How Wellpepper Was Impacted, and Our Response
Our production systems are hosted on Windows Server, and neither the default services nor any application components are vulnerable to this issue.
- We take data security seriously: in addition to using SSL to protect data in transit, Wellpepper also uses field-level AES encryption to protect identifiable patient data end-to-end (i.e. both over the wire and at rest), and drive-level AES encryption (which applies to data at rest).
- We have beta Linux infrastructure that was affected by this issue; however, no customers are using this infrastructure:
  - We patched the affected servers on Monday (within hours of the vulnerability disclosure).
  - The affected servers use a shared SSL certificate to encrypt traffic.
  - While it is very unlikely that our beta infrastructure would be the target of an attack (and we see no log activity to indicate this), in the interest of thoroughness we have re-keyed the *.wellpepper.com SSL certificate and redeployed the updated certificates across our infrastructure.
- In addition to our own infrastructure, we have also validated that all other infrastructure that we take dependencies on has been appropriately remediated.
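The first remediation step above, patching the affected OpenSSL, is only done when the running library is outside the affected range. The check below is an added example, not Wellpepper's own tooling: it parses the version string that `openssl version` (or Python's `ssl.OPENSSL_VERSION`) prints and flags the range the upstream advisory names, OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release. The sample version strings are constructed to match that output format; the release dates in them are illustrative.

```python
import re
import ssl

# Heartbleed (CVE-2014-0160) affected the 1.0.1 branch from the unlettered
# 1.0.1 release through 1.0.1f, and the 1.0.2-beta1 pre-release; 1.0.1g was
# the fixed release. The 0.9.8 and 1.0.0 branches never contained the TLS
# heartbeat code and were not affected.
VULNERABLE_101_PATCH_LETTERS = "abcdef"

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "1.0.2-beta1", "1.0.2k-fips ...", etc.
_VERSION_RE = re.compile(
    r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?(?:[-\s].*)?$"
)


def parse_openssl_version(version_string):
    """Return (major, minor, fix, letter, prerelease) for an OpenSSL version
    string, or None if the string is not in OpenSSL's format."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def is_heartbleed_vulnerable(version_string):
    """True if the upstream version falls in the Heartbleed-affected range.

    Caveat: distributions frequently backport the fix without changing the
    upstream version (a vendor-patched "1.0.1e" may already be fixed), so a
    True result means "confirm against the package changelog", while a False
    result for an unaffected branch is reliable.
    """
    parsed = parse_openssl_version(version_string)
    if parsed is None:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter == "" or (len(letter) == 1 and letter in VULNERABLE_101_PATCH_LETTERS)
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return pre == "beta1"
    return False


def local_openssl_status():
    """Report the OpenSSL this interpreter is linked against; the flag is None
    when the library (e.g. LibreSSL) does not use OpenSSL's version format."""
    version = ssl.OPENSSL_VERSION
    try:
        return version, is_heartbleed_vulnerable(version)
    except ValueError:
        return version, None


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",       # affected upstream release
        "OpenSSL 1.0.1g 7 Apr 2014",        # the fixed release
        "OpenSSL 1.0.2-beta1 24 Feb 2014",  # affected pre-release
        "OpenSSL 1.0.0k 5 Feb 2013",        # branch without heartbeat code
        "OpenSSL 0.9.8y 5 Feb 2013",
    ]
    for s in samples:
        print(f"{s:35s} affected={is_heartbleed_vulnerable(s)}")
    print("local:", local_openssl_status())
```

Run it on each host's `openssl version` output (or as a script on the host itself) after patching; an affected result on a vendor-patched build is the signal to read the package changelog rather than a confirmed finding.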
How This Affects You
- No customer data or security credentials were compromised.
- There is no need to reset your password; however, if you wish to, you may do so in the Settings screen within the WP Clinic app.
- Feel free to reach out to us at firstname.lastname@example.org if you have any questions or concerns.