Reproduced with permission from Bloomberg Law: Privacy & Data Security, (Jan. 18, 2018). Copyright 2018 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
By James Swann
The federal government has identified two new cyberthreats that put patients’ personal data at risk for exposure.
The threats, known as Spectre and Meltdown, exploit a vulnerability in many commercial computer chips underpinning health-care computer networks, the Department of Health and Human Services said Jan. 17.
The scope and seriousness of the threat make it critical for all health-care organizations to ensure they’ve installed the most current security patches, the HHS said.
“This is a significant threat for institutions, and there’s no quick fix,” Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, told Bloomberg Law Jan. 18. The best thing health-care organizations can do in the short run is implement software patches that have been developed to work around the issue, Zick said.
A successful Meltdown or Spectre attack could expose patients’ health record passwords, payment data, and protected health information (PHI), according to the HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC).
The attacks exploit a vulnerability in how computer chips process instructions, and can allow hackers to access data from computer networks that run on the affected chips.
The patches aren’t a true fix against the attacks, but they can help shore up security temporarily, Zick said. Microsoft, Intel, Google, and Apple have already rolled out security patches to counter the vulnerability.
Fixing the hardware—replacing the vulnerable chips—will take a long time, Zick said.
Health-care providers should make sure their anti-virus software is compatible with the security patches that are coming out, the HHS said.
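The advice above amounts to verifying that the patches are actually in place on each host. As an added example that is not from the article, HHS or any vendor, this POSIX shell function reads the per-issue status files a patched Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ and flags anything still reported as vulnerable; the sample directory it builds at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: check whether a Linux kernel reports
# itself patched against Meltdown and Spectre. Patched kernels expose one file
# per issue under /sys/devices/system/cpu/vulnerabilities/, containing
# "Not affected", "Mitigation: <name>" or "Vulnerable[: <detail>]".

# check_mitigations DIR: print one line per issue; the exit status is the
# number of issues still vulnerable or unassessable (0 means all covered).
check_mitigations() {
    dir="$1"
    unpatched=0
    for issue in meltdown spectre_v1 spectre_v2; do
        file="$dir/$issue"
        if [ ! -r "$file" ]; then
            # A kernel without these files predates the fixes: treat as unpatched.
            printf '%s: no status file (kernel predates the patches)\n' "$issue"
            unpatched=$((unpatched + 1))
            continue
        fi
        status=$(cat "$file")
        case "$status" in
            "Not affected") printf '%s: not affected\n' "$issue" ;;
            Mitigation:*)   printf '%s: mitigated (%s)\n' "$issue" "${status#Mitigation: }" ;;
            Vulnerable*)    printf '%s: STILL VULNERABLE (%s)\n' "$issue" "$status"
                            unpatched=$((unpatched + 1)) ;;
            *)              printf '%s: unrecognised status "%s"\n' "$issue" "$status"
                            unpatched=$((unpatched + 1)) ;;
        esac
    done
    return "$unpatched"
}

# Demo on a constructed directory imitating a host whose kernel has the Meltdown
# fix (PTI) but no Spectre v2 mitigation; the file contents are made up for the demo.
demo=$(mktemp -d)
printf 'Mitigation: PTI\n'                         > "$demo/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$demo/spectre_v1"
printf 'Vulnerable\n'                              > "$demo/spectre_v2"
remaining=0
check_mitigations "$demo" || remaining=$?
echo "$remaining issue(s) still need a patch"
rm -rf "$demo"
```

On a real host, call `check_mitigations /sys/devices/system/cpu/vulnerabilities` instead of the demo directory; the function only reads the files, so it is safe to run on production systems.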
The HCCIC didn’t respond to a request for comment on the scope of the Meltdown and Spectre cyber threats.
The new threats are forcing the health-care industry to worry about more than just securing computers, mobile devices, phones, and other IT assets, Dianne Bourque, a health-care attorney with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo PC in Boston, told Bloomberg Law Jan. 18. Many medical devices run on operating systems that rely on computer chips, Bourque said, putting them at risk as well.
Identifying how many devices might be affected by a Spectre or Meltdown attack is the first step health-care organizations should take, Bourque said. “Hopefully, providers will have an up-to-date inventory of equipment and applications hosting PHI as part of a comprehensive Health Insurance Portability and Accountability Act security risk assessment and risk management program,” Bourque said.
Providers should also reach out to their IT staff and medical device vendors to discuss chip vulnerabilities and any potential patches that could mitigate the threat, Bourque said.
Unfortunately, the chip vulnerabilities are part of a design feature that speeds up system performance, Bourque said, so removing the vulnerabilities will slow down system operations.
“Providers should discuss this with their vendors and IT staff and consider the potential operational impacts of a significant slowdown,” Bourque said.
Medical records stored in the cloud are especially at risk, the HHS report said, noting that while major cloud vendors have implemented software patches, smaller vendors may not be aware of the vulnerabilities.
Large cloud storage providers such as Amazon Web Services and Microsoft Azure implemented security patches before the Spectre and Meltdown threats were made public.
Health-care organizations that store patient records in the cloud should check with their vendors to make sure security patches have been applied, Zick said.