Meltdown and Spectre

The Meltdown and Spectre processor vulnerabilities affect HIPAA Covered Entities and Business Associates. Virtually every computer, phone, and tablet is affected. What are they, and what do you need to know? Read our series to find out.

Start with Meltdown and Spectre Part I: What Are They?

HIPAA Covered Entities and Business Associates should pay attention to three major risk areas from Meltdown and Spectre:

One — Unpatched equals unsafe, especially for these vulnerabilities. Unfortunately, having automatic updates turned on doesn’t mean you are protected, because many of the fixes take some work on your part: the operating-system patch is often only part of the fix, and a separate firmware or microcode update from the hardware vendor, or a configuration change, may be needed before the mitigation is actually active. See the third article in this series, “Meltdown and Spectre Part III: What To Do” (coming soon), for details on how to patch your systems. Also be aware that medical equipment with embedded computers either is not going to be patched by its manufacturer or will be patched more slowly, so you will also need to consider extra security measures, such as network segmentation, if these devices are on your network.
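Because an installed update and an active mitigation are not the same thing, you should verify rather than assume. The script below is an added example, not part of the original article: on Linux (kernel 4.15 and later) the kernel reports its own mitigation status for each of these issues in /sys/devices/system/cpu/vulnerabilities/meltdown, spectre_v1 and spectre_v2, and the function reads those files and flags anything that is not "Not affected" or "Mitigation: ...". The directory argument, the `check_spec_vulns` function name and the `SPEC_CHECK_LIB` variable are choices made for this example so it can be pointed at a constructed sample tree as well as the live system.

```shell
#!/bin/sh
# Added example (not from the original article): report the Linux kernel's
# own Meltdown/Spectre mitigation status. Each file under
# /sys/devices/system/cpu/vulnerabilities/ holds one line such as
# "Not affected", "Vulnerable", "Vulnerable: <detail>" or "Mitigation: <detail>".
# Returns 0 when every entry is mitigated or not affected, 1 otherwise.

check_spec_vulns() {
    # Directory is a parameter (assumption for this example) so the check
    # can be run against a sample tree; default is the live sysfs path.
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            # No sysfs entry means the kernel predates the reporting (and the
            # fixes), so treat it as a finding rather than as "clean".
            printf '%-12s %s\n' "$name" "UNKNOWN (no sysfs entry; kernel too old to report)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            "Not affected"*|"Mitigation:"*)
                printf '%-12s %s\n' "$name" "$status" ;;
            *)
                # "Vulnerable" or anything unexpected: needs attention.
                printf '%-12s %s  <-- needs patching\n' "$name" "$status"
                rc=1 ;;
        esac
    done
    return $rc
}

# When executed directly, check the live system. SPEC_CHECK_LIB (an
# assumption for this example) lets the file be sourced without running.
if [ -z "${SPEC_CHECK_LIB:-}" ]; then
    check_spec_vulns "$@" ||
        echo "One or more mitigations are missing; fix before relying on this host for PHI." >&2
fi
```

Run it as `sh check_spec.sh` on each Linux server or workstation; a non-zero status from the function means a patch, firmware update, or configuration change is still outstanding. The Windows equivalent is Microsoft's SpeculationControl PowerShell module (`Get-SpeculationControlSettings`), which likewise distinguishes "patch installed" from "mitigation enabled".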

Two — “The most likely exploit scenario in the short term for Spectre is a JavaScript type of attack,” noted Qualys, an information security and compliance company, in a recent article on these vulnerabilities. Noting that malicious JavaScript on a web page could use Spectre to read browser memory it should never be able to see, such as data from other sites open in the same browser, Qualys emphasized, “Right now, the priority should be closing the JavaScript attack vector by patching browsers.” In other words, keep your browsers up to date, on every workstation that touches PHI.

Three — Cloud providers, and any businesses or practices using virtual machines, are affected by Meltdown and Spectre in a specific way: the vulnerabilities could allow code running in one virtual machine to read memory belonging to another virtual machine or to the server hosting them. Google’s testing “showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.” Major cloud services like Amazon Web Services (AWS) have started patching already, but you may need to follow up with your cloud service providers (including your hosted EMR or practice management (PM) systems) to confirm that they have patched and are protecting your PHI.

In closing, I agree with the perspective offered by NH-ISAC: “The perception of this vulnerability impact is likely to be greater than the actual impact of potential compromise.” Ultimately, as noted in the previous article, an attacker needs to get code running on your system before Meltdown and Spectre become issues. These are serious vulnerabilities, and you absolutely need to patch and update your systems. But Meltdown and Spectre are not the end of the world.

Continue reading with Meltdown and Spectre Part III: What To Do (Coming soon)
