PHA weighs in on Meltdown and Spectre

Monday, January 29, 2018

Meltdown and SpectreSince the story broke last week on the “Meltdown” and “Spectre” IT vulnerabilities, PHA experts have been busy monitoring media reports and research claims. We offer the following information and guidance to our healthcare clients.

What are Meltdown and Spectre?

“Meltdown” and “Spectre” are IT vulnerabilities that act differently, but both exploit a flaw in processor architecture that allows an attacker to read data from a computer’s memory after the attacker has gained access to the local machine. Since data in memory is presented in clear text, the potential exists for an attacker to read cryptographic keys and other sensitive information in clear text. 

Though the attacker must first gain access to the local machine, it is possible to gain remote access to the machine (via SSH or RDP, for example) and exploit the vulnerabilities remotely.  Some exploits can be performed using JavaScript from a web browser.

Scope and severity:

The architectural flaw at the root of these vulnerabilities impacts nearly all popular processors used in computing devices since the mid-1990s. However, exploiting the vulnerabilities requires very advanced computing and analysis skills usually found in technically advanced criminal organizations or national governments. Therefore, PHA assesses the “Meltdown” and “Spectre” vulnerabilities as low to medium risk threats.

What to do now:

The primary response for all organizations is to patch all computing devices with the most recently released patches for all software on the device. Operating system and web browser patches should be prioritized.  To our knowledge, no firmware updates have been released yet from computer vendors, but be on the lookout for them and install them as they become available. 

If your organization uses cloud computing platforms for sensitive data including electronic patient health information (ePHI), contact your cloud vendor. Obtain assurances (in writing, if possible) that your vendor has patched the host operating system on their hardware and the guest operating system on which your data resides. Both the host and guest operating systems must be patched to protect your data. 

If your organization uses medical devices, contact your device vendor and request firmware updates and notifications of any future firmware releases.  Install those firmware updates.

 

If you have questions regarding these vulnerabilities, contact PHA Managing Advisor Joe Beckman.


Purdue University, West Lafayette, IN 47907 (765) 496-1911

© 2014 Purdue University | An equal access/equal opportunity university | Copyright Complaints

If you have trouble accessing this page because of a disability, please contact Purdue Technical Assistance Program taphelp@purdue.edu.