By Carrie Wheeler
Chief Operations Officer and Head of Support
Liquid Web
Spectre and Meltdown are critical security vulnerabilities caused by mistakes in the way processor hardware is designed. Spectre and Meltdown exploit the same underlying vulnerability in chip design, taking advantage of a technique called speculative execution to gain access to data that would otherwise be private.
The technical details of Spectre and Meltdown have been discussed in depth elsewhere, so in this article, I’d like to look at the practical consequences for healthcare organizations.
Spectre and Meltdown are everywhere
All unpatched servers are vulnerable because Spectre and Meltdown affect the vast majority of processors used in servers, including those manufactured by Intel, AMD, and companies that use ARM chip designs in their processors.
Clearly, this should worry healthcare organizations that are required to store data according to the privacy and security rules of HIPAA. Is that data at risk? The one-word answer to that question is yes, but it depends on how quickly your hosting provider or server admin team reacts.
Operating system developers, including Microsoft and the Linux kernel project, have released patches that work around Spectre and Meltdown. Chip manufacturers have released firmware patches that also mitigate the risk.
Responsible HIPAA-compliant server hosting providers have reacted quickly to patch their servers, but there’s a worry that less responsible hosting providers or healthcare organizations that manage their own servers may be slow to update, putting their businesses and their patients at risk.
How can Spectre and Meltdown be used against healthcare organizations?
The biggest danger is for healthcare organizations that use the cloud or shared hosting. In theory, a malicious actor with an account or virtual machine on the same server could run code that gives them access to data owned by other clients on the same server. Clearly, this would be a breach of HIPAA’s security and privacy rules, which mandate technical safeguards aimed at preventing third parties from accessing Protected Health Information.
The really pernicious aspect of Spectre and Meltdown is that they can be used to bypass many of the protections built into HIPAA-compliant hosting. For example, if a healthcare provider has encrypted their data while it is at rest, that doesn’t necessarily mean it’s safe from an attacker. To be used, data has to be decrypted, and because Spectre and Meltdown can (in theory at least) be used to access data in the kernel’s memory space or the memory space of other processes, the decrypted data is at risk of being leaked.
The risk is lower for healthcare organizations that use dedicated servers. There is no risk of a hosting client running code that would allow them to access the data of other hosting clients using the same server, because dedicated servers are “owned” by a single client.
A dedicated server lowers the risk, but it doesn’t remove every potential source of it. Any situation in which a third party can run code on a server has the potential to be exploited. If an attacker were able to brute-force a user account on the server, they might be able to access private information that would typically be inaccessible to that account. It’s also possible that remote code execution vulnerabilities in other software could be exploited by an attacker to gain local access and run Spectre and Meltdown code.
The only effective way to mitigate the risk posed by Spectre and Meltdown is to apply operating system and firmware updates to the affected servers. Healthcare organizations should ensure that any third-party hosting providers have applied the patches. Healthcare organizations that manage their own servers should update as soon as possible.
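For teams that manage their own Linux servers, one way to confirm that the updates took effect is to read the mitigation status the kernel reports in sysfs. The script below is an added example, not part of the original article; it assumes a Linux kernel recent enough to expose `/sys/devices/system/cpu/vulnerabilities`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the kernel's own view of Spectre/Meltdown mitigations.
# Each file holds one line: "Not affected", "Vulnerable..." or "Mitigation: ...".

# classify_status <status line> -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo OK ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;   # empty, missing or unrecognised
    esac
}

# audit_dir <dir> -> one report line per issue; returns 1 unless all are OK
audit_dir() {
    dir=$1
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            # No file usually means the kernel predates the reporting
            # interface, so treat the host as needing an update.
            status="(no status file)"
        fi
        verdict=$(classify_status "$status")
        [ "$verdict" = OK ] || rc=1
        printf '%-12s %-10s %s\n' "$name" "$verdict" "$status"
    done
    return $rc
}

# Run against a directory given on the command line, for example:
#   sh check.sh /sys/devices/system/cpu/vulnerabilities
if [ $# -gt 0 ]; then
    audit_dir "$1"
fi
```

A non-zero exit status means at least one issue is reported as vulnerable or has no status, which makes the script usable from a monitoring or patch-compliance job.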