HHS report on recently publicized widespread processor vulnerabilities
A widespread vulnerability in most computer processors sold over the previous decade has been identified that could pose a threat to the protection of Healthcare and Public Health (HPH) sector sensitive data, Protected Health Information (PHI), and Personally Identifiable Information (PII).
The significance of this vulnerability for the Healthcare and Public Health Sector is considered medium due to the fact that local access to the computing device is generally required, and vendors are quickly releasing appropriate software patches to mitigate the hardware vulnerability. The patches do have potential to slow down processor performance in limited cases, and organizations should exercise caution and test patches carefully before implementing on high-value assets including systems which handle PHI, PII, or are directly involved in patient treatment or imaging.
Several security research teams recently announced a vulnerability in most computer processor chips sold for at least the previous 10 years. This vulnerability set, referred to as the Spectre and Meltdown vulnerabilities in the computer security industry, allows a malicious computer program to bypass data access restrictions and gain unauthorized access to potentially sensitive information from other programs.
Such sensitive information could include items such as passwords, social security numbers, medical information, or other sensitive data. An attacker using this vulnerability would generally need local access to the computer, although there are mixed views on whether the exploit can be leveraged through compromised websites.
This security flaw is present in nearly all processors produced in the last 10 years, and affects computers running Windows, Mac, Linux, and other operating systems.i,ii,iii As of Jan. 4, 2018, many operating system vendors have released or will soon release software patches to mitigate this vulnerability. Apple reportedly addressed this flaw in its update 10.13.2 issued Dec. 17, 2017, and Microsoft released a patch on Jan. 3, 2018. Other software vendors have also, or will soon, issue appropriate patches.
HPH sector organizations should exercise caution and test patches carefully before implementation as there have been some reported conflicts with anti-virus software packages, and there is a risk that the patches could decrease system performance by 5-30% in high-demand computing applications. Patches should be carefully vetted and tested accordingly before implementation on high-value assets or business-critical systems. With regards to cloud-based computing services, Amazon AWS and Microsoft Azure cloud hosting solutions have reportedly updated their systems to mitigate the risk of inadvertent information disclosure.
HHS recommends that Healthcare and Public Health entities consider installing operating system patches to Mac, Linux, and Microsoft systems in order to mitigate the risks of this widespread processor vulnerability. Organizations should exercise appropriate caution and test patches carefully before implementation on high-value assets including systems which handle PHI, PII, and should contact device vendors before deploying patches to medical technologies that are directly involved in patient treatment and/or clinical imaging due to the potential for software conflicts or performance impacts. These patches should be applied as soon as business use-cases allow.