When the Heartbleed OpenSSL bug became public a few months ago, a couple of things happened. Open source software got some reputation bashing (what's new!) and a fix was developed very quickly. In fact, the fix was extremely simple and could be done in two steps. There was even a website that would let you know if your website was vulnerable. And time passed.
Last week Community Health Systems announced that 4.5 million customer health records had been stolen. And it was determined that the heartbleed bug was to blame for enabling the hack.
So why did this happen? We will probably never know exactly what happened, but it is fairly obvious that the company did not have the right processes in place to ensure vulnerable systems are identified and appropriate action taken to prevent such hacks from happening. CHS is a fairly large organization with the resources to do that, but it still did not do all that was necessary.
Does your organization have the right processes in place?