The Department of Health and Human Services (HHS) issued a report addressing a vulnerability found in certain computer processor chips that may pose a threat to protected health information (PHI). The report includes recommendations for mitigating the risks posed by this vulnerability.
On January 5, 2018, HHS issued a report addressing a vulnerability found in most computer processor chips sold in the last decade that could pose a threat to protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (see HIPAA Privacy, Security, and Breach Notification Toolkit). The vulnerabilities are known in the computer security industry as "Spectre" and "Meltdown." Attackers exploiting them could bypass data access restrictions and gain access to sensitive information, including:
The vulnerability affects computers using various operating systems (including Windows, Mac, and Linux). Several operating system vendors have released (or will release) software patches for their systems to address the vulnerability.
In HHS's view, the vulnerability poses a medium risk to the health care sector because:
Operating system vendors already are releasing patches to address the vulnerability.
An attacker generally must have local access to a computer to exploit the vulnerability.
According to the government, there are varying opinions in the industry concerning whether the vulnerability can be exploited through compromised websites.
Risk Mitigation
HHS indicated that health care and other covered entities should promptly install the software patches that are available for at-risk operating systems. The government cautioned, however, that the patches might:
Conflict with certain anti-virus programs.
Decrease system performance by as much as 30% in high-demand computing applications.
As a result, organizations should test the patches before applying them to systems that handle PHI or personally identifiable information (PII).
With more HIPAA covered entities moving information (including PHI) to cloud storage, a technical vulnerability such as the one at issue in this HHS report takes on greater significance. Determining who is responsible for implementing software updates to mitigate the risk of unintended information disclosures is the type of issue that a covered entity may wish to address in its service level agreement with cloud services providers.