New variants of the Meltdown and Spectre security vulnerabilities were recently discovered by researchers, possibly putting healthcare data security at risk.
The vulnerabilities affect hundreds of millions of processors used in desktop computers, laptops, and cloud computers and can be exploited by attackers to steal sensitive data. The affected processors are made by Intel, AMD, and ARM.
Meltdown is a bug that “melts” the security boundaries normally enforced by the hardware. Spectre is a flaw that an attacker can exploit to force a processor to reveal its data, explained US-CERT in an advisory about the new variants.
While not specific to healthcare, these side-channel processor vulnerabilities impact computers used widely in the industry.
The vulnerabilities could enable attackers to steal data that is processed on a computer or other device that uses the affected processors. Malware can exploit the Meltdown and Spectre vulnerabilities to gain access to data stored in the memory of running programs.
When the vulnerabilities were first disclosed in January, the National Health Information Sharing and Analysis Center (NH-ISAC) issued an alert noting that deploying patches for these vulnerabilities could slow down system performance.
“Healthcare organizations may be asked to deploy patches without understanding the actual risk and the business impact of degradation of service. The likelihood of an exploit in an enterprise environment is not likely at this time,” the alert stated.
NH-ISAC recommended that healthcare companies take the following corrective actions:
• Analyze the IT asset inventory to determine the scope of affected devices
• List applications that depend on high throughput and may be at risk from a performance degradation of more than 20 percent, to assess the potential business impact
• Test the patches in a lab or development environment to measure the performance impact
• Monitor the industry for information on exploits of these vulnerabilities, expanding testing to determine the full performance impact on Intel devices if necessary
• Prepare stakeholder communications to respond to inquiries from third-party stakeholders and to share information with third-party vendors
• Reach out to cloud infrastructure service providers and monitor their communication channels for service information relevant to these vulnerabilities and patch performance issues
Several medical device companies have issued security notices about the Meltdown and Spectre vulnerabilities.
Abbott said it is monitoring updates about these vulnerabilities but has received no reports of compromised products.
“Abbott’s information security team also is testing vendor patches for effectiveness and potential impact to Abbott systems,” the company said in a product security update.
BD recommended that product users with a vulnerable processor and an unpatched, network-connected operating system do the following:
• Ensure the Microsoft patches in security advisory ADV180002 are applied
• Apply any applicable firmware update provided by the device manufacturer
• Ensure data has been backed up and stored according to individual processes, and that disaster recovery procedures are in place
• Limit physical access to products to authorized individuals only
• Update malware protection
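The NH-ISAC inventory step and BD's advice to confirm the ADV180002 patches are applied both come down to knowing, per host, what processor it has and whether the mitigations are actually in effect. The following PowerShell inventory script is an added example written for this article, not code from NH-ISAC, BD or Microsoft; it assumes WinRM access to the listed hosts (host names are constructed) and, optionally, Microsoft's SpeculationControl module from the PowerShell Gallery, whose `Get-SpeculationControlSettings` output properties it reads.

```powershell
# Added example: collect CPU vendor and Spectre/Meltdown mitigation state per host.
# Assumes WinRM is enabled and the caller has admin rights on each host.
$Hosts = @('ws-radiology-01', 'ws-pharmacy-02')   # constructed sample inventory

$Report = Invoke-Command -ComputerName $Hosts -ScriptBlock {
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1

    # KB4072698 registry switches referenced by ADV180002: FeatureSettingsOverride=3
    # together with FeatureSettingsOverrideMask=3 disables the mitigations even
    # when the patch itself is installed, so a patched host can still be exposed.
    $mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $ovr  = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    $disabledByOverride = (($ovr.FeatureSettingsOverride -band 3) -eq 3) -and
                          (($ovr.FeatureSettingsOverrideMask -band 3) -eq 3)

    # Microsoft's SpeculationControl module, if installed, reports the effective
    # state (BTI = Spectre variant 2, KVA shadow = Meltdown). Its property names
    # are assumed from the module's documented output.
    $spec = $null
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $spec = Get-SpeculationControlSettings -Quiet
    }

    [pscustomobject]@{
        Host                          = $env:COMPUTERNAME
        CpuVendor                     = $cpu.Manufacturer
        CpuName                       = $cpu.Name
        MitigationsDisabledByOverride = $disabledByOverride
        BranchTargetInjectionEnabled  = $spec.BTIWindowsSupportEnabled
        KvaShadowEnabled              = $spec.KVAShadowWindowsSupportEnabled
        SpeculationModulePresent      = ($null -ne $spec)
    }
}

$Report | Format-Table -AutoSize
$Report | Export-Csv -Path .\spectre-meltdown-inventory.csv -NoTypeInformation
```

Hosts with `MitigationsDisabledByOverride` set to True, or with a False `KvaShadowEnabled` on an Intel CPU, are the ones to review before the patch is counted as deployed; the CSV also gives the vendor breakdown NH-ISAC's Intel-specific testing advice depends on.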
For its vascular access devices, BD said it was evaluating the performance impact of the operating system and firmware patches.
Johnson & Johnson said it determined that the vulnerabilities “pose a low risk” across its product line and that there have been no reports of active exploitation of its products.
Medtronic said that “no evidence suggests that Medtronic products are directly impacted by the Spectre/Meltdown vulnerabilities.”
Philips said it “has not received reports of these vulnerabilities affecting clinical use of company products.”
Smiths Medical said that its products have not been affected by the vulnerabilities but recommended that product users implement patches anyway.
“Smiths Medical is aware that some updates can result in compatibility, performance or stability issues on certain products and operating systems…. Smiths Medical recommends consulting the product support documentation via the usual information channels or to contact Smiths Medical customer service for information on compatibility before applying the updates,” the company said in a products security bulletin.