HHS report on recently publicized widespread processor vulnerabilities

Jan. 9, 2018

A widespread vulnerability in most computer processors sold over the previous decade has been identified that could pose a threat to the protection of Healthcare and Public Health (HPH) sector sensitive data, Protected Health Information (PHI), and Personally Identifiable Information (PII).

The significance of this vulnerability for the Healthcare and Public Health Sector is considered medium because local access to the computing device is generally required, and vendors are quickly releasing appropriate software patches to mitigate the hardware vulnerability. The patches do have the potential to slow down processor performance in limited cases, and organizations should exercise caution and test patches carefully before implementing them on high-value assets, including systems that handle PHI or PII or are directly involved in patient treatment or imaging.

Several security research teams recently announced a vulnerability in most computer processor chips sold for at least the previous 10 years. This vulnerability set, referred to as the Spectre and Meltdown vulnerabilities in the computer security industry, allows a malicious computer program to bypass data access restrictions and gain unauthorized access to potentially sensitive information from other programs.

Such sensitive information could include items such as passwords, social security numbers, medical information, or other sensitive data. An attacker using this vulnerability would generally need local access to the computer, although there are mixed views on whether the exploit can be leveraged through compromised websites.

This security flaw is present in nearly all processors produced in the last 10 years, and affects computers running Windows, Mac, Linux, and other operating systems. As of Jan. 4, 2018, many operating system vendors have released or will soon release software patches to mitigate this vulnerability. Apple reportedly addressed this flaw in its update 10.13.2 issued Dec. 17, 2017, and Microsoft released a patch on Jan. 3, 2018. Other software vendors have also issued, or will soon issue, appropriate patches.

HPH sector organizations should exercise caution and test patches carefully before implementation, as there have been some reported conflicts with anti-virus software packages, and there is a risk that the patches could decrease system performance by 5-30% in high-demand computing applications. Patches should be carefully vetted and tested accordingly before implementation on high-value assets or business-critical systems. With regard to cloud-based computing services, Amazon AWS and Microsoft Azure cloud hosting solutions have reportedly updated their systems to mitigate the risk of inadvertent information disclosure.

HHS recommends that Healthcare and Public Health entities consider installing operating system patches to Mac, Linux, and Microsoft systems in order to mitigate the risks of this widespread processor vulnerability. Organizations should exercise appropriate caution and test patches carefully before implementation on high-value assets, including systems which handle PHI or PII, and should contact device vendors before deploying patches to medical technologies that are directly involved in patient treatment and/or clinical imaging, due to the potential for software conflicts or performance impacts. These patches should be applied as soon as business use-cases allow.

HHS has the full report
