Are Faulty Chips Opening the Door to Health-Care Theft?


The names seem to belong in a James Bond film, but the recently discovered Spectre and Meltdown attacks are all too real and pose a serious threat to the security of health-care data.

The two cyberthreats exploit a vulnerability found in most commercial computer chips manufactured over the past decade, allowing a hacker to get inside a health-care organization’s computer network and access protected health information. It’s critical for all health-care organizations to make sure that they’ve installed the most current security patches, the Department of Health and Human Services said in a recent update on the attacks.

However, security patches are just a short-term fix, Colin Zick, an attorney with Foley Hoag LLP in Boston, told me. While health-care organizations should absolutely take advantage of available security updates, a long-term fix focused on the underlying hardware will take a long time, Zick said.

Spectre and Meltdown are forcing the health-care industry to more than just worry about securing their computer networks, Dianne Bourque, an attorney with Mintz Levin in Boston, told me.

Most medical devices run on operating systems backed by computer chips, Bourque said, so they might be at risk as well. Health-care organizations should count how many devices could be affected by a Spectre or Meltdown attack, and make sure they’re all up-to-date with security patches, she said.

Unfortunately, the chip vulnerability is part of a design feature that speeds up a computer’s performance, so removing the vulnerability altogether could lead to slower performance, Bourque told me.

Read my full story here.

Stay on top of new developments in health law and regulation, and learn more, by signing up for a free trial to Bloomberg Law.