HHS Addresses Risks to PHI Involving Computer Processor Chips | Practical Law

The Department of Health and Human Services (HHS) issued a report addressing a vulnerability found in certain computer processor chips that may pose a threat to protected health information (PHI). The report includes recommendations for mitigating the risks posed by this vulnerability.

HHS Addresses Risks to PHI Involving Computer Processor Chips

Practical Law Legal Update w-012-5438 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 09 Jan 2018 | USA (National/Federal)
On January 5, 2018, HHS issued a report addressing a vulnerability found in most computer processor chips sold in the last decade that could pose a threat to protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (see HIPAA Privacy, Security, and Breach Notification Toolkit). The vulnerabilities are known in the computer security industry as "Spectre" and "Meltdown." Attackers exploiting them could bypass data access restrictions and gain access to sensitive information, including:
  • Passwords.
  • Social Security numbers.
  • Medical information.
The vulnerability affects computers using various operating systems (including Windows, Mac, and Linux). Several operating system vendors have released (or will release) software patches for their systems to address the vulnerability.
In HHS's view, the vulnerability poses a medium risk to the health care sector because:
  • Operating system vendors already are releasing patches to address the vulnerability.
  • An attacker generally must have local access to a computer to exploit the vulnerability.
According to the government, there are varying opinions in the industry concerning whether the vulnerability can be exploited through compromised websites.

Risk Mitigation

HHS indicated that health care and other covered entities should promptly install the software patches that are available for at-risk operating systems. The government cautioned, however, that the patches might:
  • Conflict with certain anti-virus programs.
  • Decrease system performance by as much as 30% in high-demand computing applications.
As a result, organizations should test the patches before applying them to systems that handle PHI or personally identifiable information (PII).
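The testing HHS recommends should include confirming that an installed patch actually enabled the mitigation on each host. The following script is an added example, not part of the HHS report or this update; it reads the per-issue status files that Linux kernels 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities/ (one file per issue, containing "Not affected", "Vulnerable", or "Mitigation: ..."), prints a summary, and exits non-zero if any issue is still reported as Vulnerable. The directory path and status strings are the kernel's own; the `--report` flag and function names are this example's.

```shell
#!/bin/sh
# Added example: summarise Spectre/Meltdown mitigation status reported by the Linux kernel.
# Intended to run before and after patching a host that handles PHI, so the change
# window records that the fix took effect (and on which hosts it did not).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS -> prints "ok" or "vulnerable".
# "Not affected" and any "Mitigation: ..." line count as ok; everything else
# (including "Vulnerable" and unknown text) is treated as still exposed.
classify_status() {
    case "$1" in
        "Not affected"|"Mitigation:"*) echo ok ;;
        *) echo vulnerable ;;
    esac
}

# mitigation_report DIR
# Prints "<issue>: <kernel status> [ok|vulnerable]" for every file in DIR.
# Returns 0 when nothing is Vulnerable, 1 when at least one issue is,
# 2 when DIR does not exist (kernel too old to report, which is itself a finding).
mitigation_report() {
    mr_dir="$1"
    mr_rc=0
    if [ ! -d "$mr_dir" ]; then
        echo "no vulnerability directory at $mr_dir (kernel predates sysfs reporting)" >&2
        return 2
    fi
    for mr_file in "$mr_dir"/*; do
        [ -f "$mr_file" ] || continue
        mr_issue=$(basename "$mr_file")
        mr_status=$(cat "$mr_file")
        mr_verdict=$(classify_status "$mr_status")
        if [ "$mr_verdict" = vulnerable ]; then
            mr_rc=1
        fi
        printf '%s: %s [%s]\n' "$mr_issue" "$mr_status" "$mr_verdict"
    done
    return $mr_rc
}

# Run directly with --report [DIR] to audit the live host; sourcing the file
# only defines the functions.
if [ "${1:-}" = "--report" ]; then
    mitigation_report "${2:-$VULN_DIR}"
fi
```

Run as `sh check_mitigations.sh --report` on each host; a non-zero exit in the output of a fleet-wide run is the list of machines still needing attention.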

Cloud-Based Computing Service Providers

According to HHS, at least some of the major cloud-based computing service providers have already updated their systems to address the vulnerability (see Practice Notes, Cloud Computing and HIPAA Privacy and Security and HIPAA Business Associates and Cloud Computing for Group Health Plans). By doing so, the service providers reduced the risk of inadvertent disclosures of their customers' information.

Practical Impact

With more HIPAA covered entities moving information (including PHI) to cloud storage, a technical vulnerability such as the one at issue in this HHS report takes on greater significance. Determining who is responsible for implementing software updates to mitigate the risk of unintended information disclosures is the type of issue that a covered entity may wish to address in its service level agreement with cloud services providers.