If you haven’t heard about Heartbleed, let me tell you about it. It’s a security flaw in a very common piece of website server software that was discovered last Monday. The whole Internet has been scrambling to fix it, including our online data backup companies, online practice management system companies, electronic health record companies, email providers, and others. If you don’t store any records online, use email with clients, or otherwise have any health information on the Internet, you likely don’t need to take any action to keep your information secure. For the rest of us, however, it’s time to do our part by changing all our online passwords.
The Heartbleed flaw allowed bad actors to gain access to our secure connections with affected online systems. There are a lot of facets to the flaw, but of highest import to us, the users, is the fact that such bad actors would have been able to get access to your username and password if you logged in to an affected system while the Heartbleed flaw was still present. As such, it is now wise for all of us to change our passwords as soon as we can. Otherwise, we simply need to go about our business and keep on keeping on. While this flaw is a big deal, it’s not something that merits great anxiety. Keep calm and carry on, as they say.
First, Check Each Site To See If It’s Ready
It is important that you don’t change your password on a given site until it has fully fixed the Heartbleed flaw. As Rob Reinhardt pointed out in his newsletter alert on Heartbleed, changing your password before the flaw is fixed will have no useful effect.
For each of your websites, check that it’s been fixed with the Heartbleed detection tool:
You can also read Clinton Campbell’s ongoing report in our LinkedIn group. Clinton is providing updates on what is happening and what to do. Members and website managers are posting updates, as well:
Another thing you may run into is that when you visit a website, your browser may tell you that the secure connection is broken, or that the “secure certificate is invalid.” Part of Heartbleed’s damage is that every affected site now has to renew their “secure certificates” – the special digital documents that allow them to create secured connections with us. Sites that haven’t updated this document yet should now be signaling to your Web browser, “Don’t try to make a secure connection with me yet!” Heed that warning, and keep away until they get it fixed.
Then, Change Your Password
Since you have to change most or all of your online passwords at this point, this is an opportunity to start using a better way of doing passwords. Here are some tips for making and using passwords well. Note that if you followed these tips before Heartbleed, the chances of your systems being compromised were a little lower than for people who didn’t follow them.
- Make a different password for each site
- Make your passwords long and full of odd characters
- Use passphrases instead of passwords where possible
- Here is a very geeky but good article about passphrases. Ignore what you don’t know about and look for the useful information about passphrases: http://world.std.com/~reinhold/diceware.html
- Don’t write down your passwords
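As an added example (not code from the original post or from the Diceware page linked above), here is how the passphrase method works: roll dice with a cryptographically secure generator, look the result up in a word list, and count the entropy you get. The 36-word list keyed by two dice is constructed for illustration; the real Diceware list is keyed by five dice and has 7776 words, which the entropy comparison uses.

```python
import math
import secrets
from itertools import product

# Constructed 36-word list keyed by two dice (example values only). The real
# Diceware list is keyed by five dice, so it has 6**5 = 7776 entries.
DICE_PER_WORD = 2
SAMPLE_WORDS = [
    "acorn", "anvil", "badge", "baker", "bison", "blimp", "bloom", "brook", "cabin",
    "cedar", "chalk", "cider", "cliff", "cobra", "crane", "delta", "ember", "fable",
    "flint", "gable", "gecko", "hazel", "heron", "igloo", "ivory", "jumbo", "kayak",
    "lemon", "maple", "nomad", "oasis", "otter", "pearl", "quail", "raven", "sable",
]
# Map "11", "12", ..., "66" onto the words, the same layout the real list uses.
WORDLIST = {"".join(k): w for k, w in zip(product("123456", repeat=DICE_PER_WORD), SAMPLE_WORDS)}

def roll_key(dice: int = DICE_PER_WORD) -> str:
    """Roll `dice` fair dice with the OS CSPRNG (secrets, never random.random)
    and concatenate the faces into the lookup key, e.g. '46'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))

def diceware_passphrase(words: int, wordlist: dict = WORDLIST) -> str:
    """Build a passphrase of `words` independently rolled words, space-separated."""
    return " ".join(wordlist[roll_key()] for _ in range(words))

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` uniform, independent picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)

def compare() -> dict:
    """Six words from the full 7776-word Diceware list versus an eight-character
    password drawn uniformly from the 95 printable ASCII characters."""
    return {
        "six_word_diceware": round(entropy_bits(6 ** 5, 6), 1),
        "eight_char_random": round(entropy_bits(95, 8), 1),
    }

if __name__ == "__main__":
    print(diceware_passphrase(6))
    print(compare())
```

The comparison shows why the passphrase tip matters: six random dictionary words carry about 77.5 bits, more than an eight-character random password at about 52.6 bits, and they are far easier to remember.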
How Am I Supposed to Follow Those Rules in Reality? I Have Too Many Passwords!
You really can’t do it without tools. Thus, I recommend password storage tools like these two here:
Getting yourself accustomed to using these password storage tools can significantly improve your security. You only have to remember a few passwords: one for your storage tool, one for your computer, one for your smartphone, etc. The rest are stored in the password storage program.
The password storage program can also generate a new, high quality password for you for each of your websites. I recommend taking advantage of this feature.
What Do I Do About Client Information?
Once you’ve done the above process, you’ve done most of what you can do. I recommend you document that you have done so: when did you change passwords, what process did you follow, which sites did you change passwords on.
The next thing to do is to make sure your health record, online storage, email, etc. companies are communicating with you and other customers about the security flaw and what they’re doing about it. Once again, I recommend reading Clinton’s post to see if any extra concerns come up. For example, he has already noted that he is working with a major electronic medical record company to get a straighter picture of how they’re dealing with Heartbleed. Find Clinton’s post here.
Much thanks to Clinton Campbell, LMHC CISSP and to Rob Reinhardt, LPCS NCC for their reports, research and diligence around helping mental health professionals respond to Heartbleed. You can thank them, too, at Quirk Counseling & Quirk Concepts and at Tame Your Practice.
Thank you so much! I cannot tell you how valuable your information always is!!
For the BEST explanation of HOW HeartBleed’s vulnerability works…
see http://xkcd.com/1354/
NOW I get it!!
THANKS for the article Roy.. as always!
You’re very welcome :)
Yes. That’s a great one!