The Healthcare Cybersecurity and Communications Integration Center (HCCIC) released an update on previously discovered Spectre and Meltdown vulnerabilities that could create healthcare cybersecurity threats for organizations.
The National Health Information Sharing and Analysis Center’s Threat Intelligence Committee first discovered the vulnerabilities on January 4, 2017. Meltdown and Spectre could circumvent certain protections and expose “nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications,” researchers explained.
HCCIC warned in its recent email that Healthcare and Public Health (HPH) entities need to employ appropriate risk management processes to ensure PHI security. The vulnerabilities could bring numerous issues to the HPH community, including medical device security issues or personally identifiable information (PII) leaking from the cloud.
The update added that healthcare organizations should also focus on PHI or PII leakage from web browsers and be mindful of the possibility of service degradation and/or interruption from patches.
“Medical devices and supporting medical equipment may not resemble computers, but may run operating systems (Windows, Linux, etc.) on processors that could be vulnerable to Meltdown and Spectre,” the update explained. “Contact medical device manufacturers through security portals, if available, for information specific to each medical device and the manufacturer’s recommendations for patching medical devices.”
PHI data leakage is also a greater possibility in shared infrastructure (i.e., cloud computing). Larger cloud hosting providers, like Amazon AWS, made Spectre and Meltdown patches before the vulnerabilities were made public. However, other cloud managed service providers may not yet have applied patches.
“A successful attack could lead to an information leak of sensitive browser information including cookies, credentials, passwords, or payment information a user enters into a browser,” the update continued.
Microsoft released Windows security updates on January 3, 2018, to help organizations mitigate potential threats. The updates are applicable to software that is compatible with the January 2018 Windows operating system security update, HCCIC stated.
“If you have not been offered the security update, you may be running incompatible anti-virus software and you should follow up with your software vendor,” the HCCIC update said.
HCCIC also stressed that there are key differences between Spectre and Meltdown. First, the CPU mechanism that triggers Spectre is speculative execution from branch prediction, while the mechanism that triggers Meltdown is out-of-order execution.
Accordingly, Spectre affects CPUs that perform speculative execution from branch prediction, while Meltdown affects CPUs that allow memory reads in out-of-order instructions.
If a Meltdown attack is successful, “privileged data can be presented to the attacker such as cryptographic keys used to protect data or the PII, PHI or PCI information handled by an application's database,” HCCIC warned.
A successful Spectre attack “could expose potentially sensitive information such as the cryptographic keys used to protect data or the PII, PHI or PCI information handled by an application's database.”
HCCIC also noted that a successful Spectre attack has a high difficulty level, while Meltdown has a low difficulty level, as “Kernel memory access exploit code is mostly universal.” By comparison, a Spectre attack needs to be tailored to the software environment of the victim process.
In HCCIC’s first warning about the cybersecurity vulnerabilities, it had urged healthcare organizations to be careful when testing and implementing patches for their Mac, Linux, and Microsoft systems.
“Organizations should exercise appropriate caution and test patches carefully before implementation on high-value assets including systems which handle PHI, PII, and should contact device vendors before deploying patches to medical technologies that are directly involved in patient treatment and/or clinical imaging due to the potential for software conflicts or performance impacts,” the first vulnerability update read. “These patches should be applied as soon as business use-cases allow.”