By James Swann
The federal government has identified two new cyberthreats that put patients’ personal data at risk for exposure.
The threats, known as Spectre and Meltdown, exploit a vulnerability in many commercial computer chips underpinning health-care computer networks, the Department of Health and Human Services said Jan. 17.
The scope and seriousness of the threat make it critical for all health-care organizations to ensure they’ve installed the most current security patches, the HHS said.
“This is a significant threat for institutions, and there’s no quick fix,” Colin Zick, a health-care attorney with Foley Hoag LLP in Boston, told Bloomberg Law Jan. 18. The best thing health-care organizations can do in the short run is implement software patches that have been developed to work around the issue, Zick said.
A successful Meltdown or Spectre attack could expose patients’ health record passwords, payment data, and protected health information (PHI), according to the HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC).
The attacks exploit a vulnerability in how computer chips process instructions, and can allow hackers to read data from computers and networks built on the affected chips.
The patches aren’t a true fix against the attacks, but they can help shore up security temporarily, Zick said. Microsoft, Intel, Google, and Apple have already rolled out security patches to counter the vulnerability.
Fixing the hardware—replacing the vulnerable chips—will take a long time, Zick said.
Health-care providers should make sure their anti-virus software is compatible with the security patches that are coming out, the HHS said.
The HCCIC didn’t respond to a request for comment on the scope of the Meltdown and Spectre cyberthreats.
The new threats are forcing the health-care industry to worry about more than just securing computers, mobile devices, phones, and other IT assets, Dianne Bourque, a health-care attorney with Mintz, Levin, Cohn, Ferris, Glovsky and Popeo PC in Boston, told Bloomberg Law Jan. 18. Many medical devices run on operating systems that rely on computer chips, Bourque said, putting them at risk as well.
Identifying how many devices might be affected by a Spectre or Meltdown attack is the first step health-care organizations should take, Bourque said. “Hopefully, providers will have an up-to-date inventory of equipment and applications hosting PHI as part of a comprehensive Health Insurance Portability and Accountability Act security risk assessment and risk management program,” Bourque said.
Providers should also reach out to their IT staff and medical device vendors to discuss chip vulnerabilities and any potential patches that could mitigate the threat, Bourque said.
Unfortunately, the chip vulnerabilities are part of a design feature that speeds up system performance, Bourque said, so removing the vulnerabilities will slow down system operations.
“Providers should discuss this with their vendors and IT staff and consider the potential operational impacts of a significant slowdown,” Bourque said.
Medical records stored in the cloud are especially at risk, the HHS report said, noting that while major cloud vendors have implemented software patches, smaller vendors may not be aware of the vulnerabilities.
Large cloud storage providers such as Amazon Web Services and Microsoft Azure implemented security patches before the Spectre and Meltdown threats were made public.
Health-care organizations that store patient records in the cloud should check with their vendors to make sure security patches have been applied, Zick said.
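The HHS advice above boils down to confirming, host by host, that the Meltdown and Spectre mitigations are actually in place. Modern Linux kernels report that status as one-line text files under /sys/devices/system/cpu/vulnerabilities/, which makes the check scriptable for an organization’s own servers. The script below is an added example, not code from the article or from HHS; it assumes a Linux kernel that exposes that sysfs directory, and the VULN_DIR override and the function names are my own choices so the logic can also be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example (not from the article): report Linux kernel mitigation status
# for Meltdown and Spectre by reading the sysfs files the kernel exposes.
# Assumes a kernel that provides /sys/devices/system/cpu/vulnerabilities/.
# VULN_DIR can be overridden (hypothetical knob) to point at a test directory.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# mitigation_status <name>: prints "mitigated", "vulnerable" or "unknown"
# based on the kernel's one-line status text for that vulnerability file.
mitigation_status() {
    f="$VULN_DIR/$1"
    if [ ! -r "$f" ]; then
        # Kernel predates the interface or the file is missing: treat as unknown
        # rather than silently passing the host.
        echo unknown
        return 0
    fi
    status=$(cat "$f")
    case "$status" in
        "Not affected"*|"Mitigation:"*) echo mitigated ;;
        "Vulnerable"*)                   echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# check_all: print one line per vulnerability and return 0 only if every
# entry reports mitigation; any vulnerable or unknown entry returns 1 so the
# result can feed an inventory or monitoring job.
check_all() {
    rc=0
    for v in meltdown spectre_v1 spectre_v2; do
        s=$(mitigation_status "$v")
        printf '%-12s %s\n' "$v" "$s"
        [ "$s" = mitigated ] || rc=1
    done
    return $rc
}
```

Source the file on each host and call check_all; a non-zero exit means at least one of the three entries is not reported as mitigated (or the kernel does not report it at all), which is the host to raise with the vendor or IT staff. Because the check reads the kernel’s own status rather than a patch list, it also catches the case where an update was installed but the mitigation was disabled or the microcode never loaded.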
To contact the reporter on this story: James Swann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.