How HIPAA-Covered Entities Can Prepare Against the Spectre and Meltdown Chip Vulnerabilities

Chip Vulnerabilities

The Office for Civil Rights warned HIPAA-covered entities in an email about the Spectre and Meltdown chip vulnerabilities. If not addressed, the computer chip flaws could compromise the confidentiality, integrity and availability of protected health information.

The Spectre and Meltdown computer chip vulnerabilities are found in all computer processors that were made in the last 10 years. Hackers can exploit these vulnerabilities to bypass data access protections and view sensitive data such as passwords and cryptographic keys used to protect PII and PHI.

Meltdown attacks a hardware vulnerability by tricking the CPU into mispredicting a branch of code that the attacker chooses. Spectre attacks two vulnerabilities to trick the CPU into speculatively loading the memory allocated to another application on the system. Both attacks can affect computers running on Mac, Windows, Linux and other OS. To eradicate the vulnerabilities, chips on all vulnerable devices must be replaced. OS vendors also developed patches that will help to stop the exploitation of the vulnerabilities. Web browsers must be updated to stop web-based exploitation of vulnerabilities.

The vulnerabilities are categorized as a medium threat because local access is necessary to exploit the flaws. But it’s also possible to use remote access to exploit the flaws when users visit a specially crafted website. Browsers are susceptible to Javascript code error which could lead to disclosure of browser data.

Fixing the vulnerabilities is associated with cost and compatibility issues. Patching operating systems and browsers can cause the computer system to slow down by 5-30%. This reduces productivity when running high demand computer apps. In addition, the computer’s anti-virus and other software programs may not be compatible with the patches. So, testing is necessary before implementing the updates. Microsoft released updates that are confirmed compatible with anti-virus software. Anti-virus software companies (not all) did update their programs to ensure there will be no incompatibility issues.

Healthcare organizations must make sure that their running web browsers are updated to the latest versions to avoid data leakage. All vulnerable devices such as computers, accessory medical equipment and medical devices must be fully patched. Cloud service providers should have applied the necessary patches as well to avoid leakage of PII and PHI. Amazon AWS and Azure are already protected against Meltdown and Spectre.