Bashing the Bash Bug: Patientco’s Swift Response to Shellshock

By Sean Joyce, Director of Engineering

Last week you may have heard about a software vulnerability called Shellshock. Just as we did following the Heartbleed discovery in April, the engineers at Patientco have been approaching the problem on three fronts to keep our patient data safe and secure. I’ll explain what Shellshock is below, but first I want to highlight our immediate actions:

1) We received early reports of the vulnerability’s discovery and immediately patched all of our systems during the early morning hours on Thursday, September 25th. We are monitoring security sites for additional updates and information.

2) We updated our web application firewall to block traffic that could attempt to take advantage of the Shellshock vulnerability.

3) We reviewed our systems as they were before the patch was available to determine whether we had ever been exposed to this attack, and the results were reassuring. While we use Bash (via Linux), we do not use Bash on web-exposed interfaces. This means that even before Shellshock was announced, Patientco was not vulnerable to bad actors trying to compromise the site through the web.

So What Are Shellshock and Bash?

Bash is a very common command shell that runs on Linux, Unix, and Mac OS X systems. Estimates put the number of websites running on these operating systems as high as 500 million (half of all websites). Shellshock is a flaw in Bash that allows the program to be tricked into remotely running commands that it should not.
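The practical question for any administrator after reading the above is "is the Bash on my own hosts patched?" The following POSIX shell function is an added example, not Patientco's code: it runs the widely published self-check against a Bash binary you name and reports whether that Bash still executes text placed after a function definition imported from the environment, which is the behaviour Shellshock abuses. The default binary (`bash` on `$PATH`) is an assumption; pass another path to check a different installation.

```shell
#!/bin/sh
# Added example, not Patientco's code: verify on your own host that the
# installed Bash is patched against Shellshock. Bash imported shell functions
# from environment variables whose value starts with "() {"; an unpatched
# Bash kept parsing past the closing brace and ran whatever text followed.

# shellshock_status [BASH_PATH]
#   Prints "vulnerable" if the Bash at BASH_PATH (default: "bash" on $PATH,
#   an assumption) executes text after the imported function body,
#   "patched" if it does not, and "unknown" if the binary cannot be run.
shellshock_status() {
  bash_bin="${1:-bash}"
  # A missing binary must not be reported as "patched".
  command -v "$bash_bin" >/dev/null 2>&1 || { echo unknown; return 2; }
  # The exported variable holds an empty function followed by a harmless
  # echo. A patched Bash imports only the function and ignores the rest;
  # stderr is discarded because patched versions warn about the ignored text.
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null)
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# assert_bash_patched [BASH_PATH]
#   Exit status 0 only when the check reports "patched", so a deployment or
#   configuration-management script can gate on it.
assert_bash_patched() {
  [ "$(shellshock_status "$1")" = "patched" ]
}

# When run directly, report on the binary given as the first argument
# (or the default "bash").
shellshock_status "$@"
```

Run it on each host after applying the vendor patch; a result of "vulnerable" means the patch did not reach the Bash that is actually on `$PATH` (a common surprise on hosts with several Bash builds), and "unknown" means the path you gave is not executable there.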

If you want to learn more about the Shellshock vulnerability, I recommend this write-up from Engadget.

Patientco takes the protection of your patient data very seriously, and keeping our site secure is the foundation of what we do. Just as our response to Heartbleed showed, we will do whatever is required of us to live up to that responsibility.