by Wyn Staheli, Director of Research
February 1st, 2018
Healthcare providers must be vigilant in ensuring that software upgrades, also known as patches, are kept current. Failure to do so can lead to a HIPAA Security Breach with all its associated penalties. For example, Windows XP no longer receives security updates and should not be used in healthcare settings.
On January 17, 2018, the OCR released a notice about another known problem, this one with the chips on some computers. The notice stated:
Healthcare and Public Health Sector partners-
The attached report is a technical update to the previously distributed HPH Cyber Notice covering chip vulnerabilities named Meltdown and Spectre. Both Meltdown and Spectre are vulnerabilities in how computer chips handle data that have the potential to expose sensitive information, such as protected health information (PHI), being processed on the chip. As this information is protected from disclosure under HIPAA, Healthcare and Public Health (HPH) entities should employ risk management processes to address these vulnerabilities and ensure the security of medical records and other PHI.
Major concerns for the HPH sector include but are not limited to:
- Challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use.
- Cloud Computing: Potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments
- Web browsers: Possible PHI/PII data leakage
- Patches: Potential for service degradation and/or interruption from patches
The detailed report can be found here: Technical Report on Widespread Processor Vulnerabilities
Refer to the "Mitigation Tactics" portion of the report for information. Do not assume that your antivirus or anti-malware software will cover this issue. Be sure that you have taken the necessary steps to ensure that your computers meet security standards, and don't forget to perform your annual Security Risk Analysis.