The National Health Information Sharing and Analysis Center’s (NH-ISAC) Threat Intelligence Committee released a cybersecurity warning last week urging entities to be aware of two potential vulnerabilities.
Researchers determined that Meltdown and Spectre could circumvent certain protections and expose “nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications.”
“Meltdown affects Intel processors, and works by breaking through the barrier that prevents applications from accessing arbitrary locations in kernel memory,” stated the warning, which AHA posted on its website. “Segregating and protecting memory spaces prevents applications from accidentally interfering with one another’s data, or malicious software from being able to see and modify it at will. Meltdown makes this fundamental process fundamentally unreliable.”
Spectre will affect nearly any device with a chip in it, such as mobile phones or embedded devices. This vulnerability “tricks applications into accidentally disclosing information that would normally be inaccessible, safe inside their protected memory area.”
The Committee added that this vulnerability will be more difficult to fix because it is “based on an established practice in multiple chip architectures.”
“The new security flaw was discovered in Intel chips that leads to ‘Kernel Memory Leaking’ in Windows, Mac, and Linux operating systems,” the warning explained. “This security flaw is present in all Intel processors produced in the last 10 years. This flaw affects all major operating systems running on machines with Intel chips manufactured in the last decade.”
Microsoft released a patch for the Windows vulnerability and there is also a Linux patch, the Committee stated. Google researchers also cautioned that the vulnerability impacts all chips, not just Intel ones.
“There is substantial evidence that a few large cloud service providers already started the patching process given the increased vulnerability for threat actors to use kernel level code to get around client boundaries at the operating system level of the device,” the Committee said. “AWS started patching in mid-December so they have been aware of this vulnerability for at least a month.”
There will be a business impact for healthcare organizations, the Committee warned. Entities will need to deploy the patch without knowing the actual risk level or how the “degradation of service” may impact the business.
However, there is not currently a high risk of exploits happening in enterprise environments.
“There is a higher impact for cloud service providers that could lead to leakage of partitioned customer data (if unpatched) and will have performance implications when patched,” the Committee said.
Organizations should analyze their IT asset inventory “to determine how many Windows vs. Linux machines are potential targets.” Additionally, proper corrective action should include entities listing their applications that are highly dependent on fast throughput. These applications could be at a higher risk of degradation and organizations must determine where the business will be impacted.
The Committee also listed the following corrective action plan approaches:
- Test the Linux patch in a lab or dev environment to calculate the performance impact
- Test the MS patch to determine the performance impact within your environment (automated for Windows 10, manual for other versions)
- Monitor the industry for any information on exploits of this vulnerability
- Expand testing to determine full performance impact for the Intel devices if necessary (T. Newman)
- Prepare stakeholder communication for this vulnerability to respond to inquiries from third party stakeholders and share information with third party vendors
- Reach out to cloud infrastructure service providers and monitor chat channels for service information relevant to this vulnerability and the performance issues.
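The inventory review and patch-testing steps above can be turned into a quick triage. The following is an added example, not part of the NH-ISAC warning: the CSV inventory, its column names and its hosts are constructed for illustration. The Linux status strings are those the kernel reports in `/sys/devices/system/cpu/vulnerabilities/meltdown`, and the Windows "patched"/"unpatched" field is a hypothetical export from a patch-management tool.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory; hosts, apps and column names are illustrative.
# "status" for Linux is the text of
# /sys/devices/system/cpu/vulnerabilities/meltdown (empty if the file is absent,
# i.e. the kernel predates that interface); for Windows it is a hypothetical
# patch-management field ("patched" / "unpatched").
INVENTORY_CSV = """host,os,app,throughput_sensitive,status
ehr-db-01,linux,EHR database,yes,Vulnerable
ehr-app-01,linux,EHR app server,no,Mitigation: PTI
pacs-01,linux,Imaging archive,yes,
lab-arm-01,linux,Lab gateway,no,Not affected
ws-0142,windows,Clinical workstation,no,patched
sql-rpt-02,windows,Reporting SQL,yes,unpatched
"""

def classify(os_name, status):
    """Map a raw status string to mitigated / vulnerable / not_affected / unknown."""
    s = status.strip().lower()
    if os_name == "linux":
        if s.startswith("mitigation"):
            return "mitigated"
        if s.startswith("vulnerable"):
            return "vulnerable"
        if s.startswith("not affected"):
            return "not_affected"
        return "unknown"  # no sysfs report: treat as unverified, not as safe
    if os_name == "windows":
        return {"patched": "mitigated", "unpatched": "vulnerable"}.get(s, "unknown")
    return "unknown"

def triage(csv_text):
    """Return OS counts, hosts still to patch or verify, and hosts to performance-test."""
    os_counts, to_patch, perf_test = Counter(), [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        os_name = row["os"].strip().lower()
        os_counts[os_name] += 1
        state = classify(os_name, row["status"])
        if state in ("vulnerable", "unknown"):
            to_patch.append((row["host"], state))
        # Throughput-dependent applications get lab testing around the patch.
        if row["throughput_sensitive"].strip().lower() == "yes" and state != "not_affected":
            perf_test.append(row["host"])
    return {"os_counts": dict(os_counts), "to_patch": to_patch, "perf_test": perf_test}

if __name__ == "__main__":
    print(triage(INVENTORY_CSV))
```

Hosts with no reported status are listed for follow-up rather than counted as safe, since an absent report says nothing about whether the patch is installed.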
The Healthcare Cybersecurity and Communications Integration Center (HCCIC) also released its own warning on the Meltdown and Spectre vulnerabilities.
"HHS recommends that Healthcare and Public Health entities consider installing operating system patches to Mac, Linux, and Microsoft systems in order to mitigate the risks of this widespread processor vulnerability," the warning read. "Organizations should exercise appropriate caution and test patches carefully before implementation on high-value assets including systems which handle PHI, PII, and should contact device vendors before deploying patches to medical technologies that are directly involved in patient treatment and/or clinical imaging due to the potential for software conflicts or performance impacts."
5 tips for maintaining healthcare cybersecurity
Healthcare organizations must remain vigilant with software updates and patches, especially as they continue to implement and utilize connected devices. Legacy medical devices could create cybersecurity issues, for example, if entities connect them to a network without considering necessary security measures.
The 2017 WannaCry ransomware attack is one such instance where outdated Windows devices were vulnerable. The ECRI Institute noted in its ransomware guidance that some Windows-based medical device systems potentially remained susceptible to similar types of attacks.
Overall, organizations should remember the following tips to help ensure strong cybersecurity:
- Regularly update computer antivirus – this can help prevent malware from infiltrating a system
- Remain current on available software updates and patches – keep systems as updated as possible
- Regularly back up data – having current backups can be beneficial in numerous cyber attack scenarios, such as a ransomware incident
- Conduct regular employee training – staff members should know not to click on unfamiliar links or open strange emails and know whom to contact should a cybersecurity incident occur
- Maintain HIPAA compliance – HIPAA regulations often include measures that will be beneficial in preparing for, responding to, and recovering from data security incidents
Cybersecurity vulnerabilities will never fully disappear, but healthcare organizations can take the necessary steps to learn how to recognize potential weak spots and then implement adequate security measures.