Security Alert: New Meltdown and Spectre Vulnerabilities Impact Computer Processors to Expose Sensitive Information

Obermayer Rebmann Maxwell & Hippel LLP

Last spring the WannaCry ransomware cyber-attack crippled the global economy, impacting over 100,000 organizations throughout 150 countries and generating an estimated $4 billion in losses.  The National Health Information Sharing and Analysis Center, a community of actors within the healthcare and public health sectors, recently announced that a new threat has emerged that could result in significant exposure to healthcare entities.

While WannaCry exploited vulnerabilities in software, the new security vulnerabilities, known as Meltdown and Spectre, exploit vulnerabilities in computer hardware. More specifically, they exploit vulnerabilities in computer processors to allow attackers to access and steal information from the memory of other programs. This information could include passwords and other sensitive information, potentially including information protected under HIPAA. All devices with processors made since 1995 are affected. It is important to note that mobile devices such as cell phones and tablets are also impacted by these vulnerabilities.

Although similar, Meltdown and Spectre are different vulnerabilities and require different fixes. For Meltdown, Windows, Apple, and Linux have all released security patches, so users should make sure their operating systems are up to date. Spectre has proven harder to mitigate than Meltdown; however, it is also more challenging for attackers to use. Experts recommend updating browsers and turning on “site isolation” in Google Chrome and Firefox to prevent malicious websites from exploiting Spectre.

No actual uses of these vulnerabilities by malicious actors have yet been reported. Entities should ensure that all systems are up to date and should be careful when using browsing programs. Additionally, it is important to note that some patching has resulted in diminished system performance and decreased availability of cloud service providers. Therefore, entities should monitor their systems for performance and work with any vendors or service providers to address any issues that may arise.

Finally, vulnerabilities such as Meltdown and Spectre are particularly concerning for healthcare entities as they may expose such entities to the potential for significant HIPAA violations. Therefore, when updating operating systems, it is also a good opportunity for entities to evaluate their HIPAA compliance through a careful review of their HIPAA policies and procedures and their current administrative, physical, and technical safeguards.

For more information, see the National Health Information Sharing and Analysis Center’s Vulnerability Update, available here.

We will continue to monitor this threat. Check back with the Health Law Gurus™ blog for updates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising
