Tag: Healthcare

HHS Issues Guidance on Processor Vulnerabilities

~ Peggy Reetz ~ Leave a comment

In a follow up to an earlier alert regarding the critical problems in modern processors recently reported by Google, HHS issued its own “Technical Report.”  In Google’s “white papers,” they explain that their teams and other analysts and academics discovered and reported on vulnerabilities dubbed “Spectre” and “Meltdown.”  These are described as vulnerabilities that affect nearly every computer chip manufactured in the last 20 years. Recently, the patches also have come under scrutiny as Intel reports reboot problems and slowdowns following implementation.  Microsoft then reported new updates for Windows 10 to resolve such issues.

The fault arises from features built into chips that are supposed to help them run faster.  There is no evidence that the flaws have been exploited but reportedly such exploits may be difficult to detect.

HHS cautions in its alert that the vulnerabilities have the potential to expose sensitive information, such as protected health information (PHI), which is processed on these chips.  HHS warns that entities should employee risk management processes to address the vulnerabilities and ensure the security of medical records.  HHS list the major concerns as:

  • Challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use.
  • Cloud Computing: Potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments
  • Web browsers: Possible PHI/PII data leakage
  • Patches: Potential for service degradation and/or interruption from patches

 

Searching medical

Privately disclosed to chipmakers in June 2017, the bugs became public after a series of leaks in early January 2018.  Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. HHS notes that although medical devices and support equipment may not resemble PCs, their operating systems (Windows, Linux) run on processors that could be vulnerable.  HHS states: “The risks of PHI data leakage is especially acute in shared infrastructure like cloud computing instances.”  Amazon Web Services, Google Cloud and Microsoft Azure all immediately deployed patches against the Meltdown attack.  HHS cautions that while the major platforms handled the response in a timely way, there are other cloud managed service providers and institutional or private cloud instances that may not have known about the vulnerabilities before January 3, 2018.

The HHS alert provides technical details and mitigation tactics.  The alert includes links to various references, support pages and press reports.  Technical Report on Widespread Processor Vulnerabilities

For more information on the vulnerabilities: The Meltdown and Spectre security flaws.  One congressman from California has sent a letter to Intel, AMD and ARM requesting  briefing on the vulnerabilities and the companies’ handling of them.  Congressman Requests Briefing

 

Report on Healthcare – Increase in Threats

~ Peggy Reetz ~ Leave a comment

Image
IoT and Healthcare

A whitepaper released by SANS Analyst Program (sponsored by Norse) predicts an increase in risks to healthcare systems and data given “more open exchanges of health care information between patients, insurers, doctors and pharmacists.”  The report subtitled “Widespread Compromises Detected, Compliance Nightmare on Horizon,” describes results from another SANS report, “Biggest Culprits: Internet of Things and Security Devices,” which concluded that since the healthcare and pharmaceutical sectors will employ more devices, the threats are greater.

Specifically, the SANS analysis showed that the healthcare system’s critical information systems are poorly protected and often compromised.  These issues affected radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and devices, including VPNs, firewalls and routers.  The report’s author warns: “As compared to traditional IT systems, incidents involving Things, such as a hacked MRI machine, can carry physical consequences, as well as policy and financial impacts.”

Notable Devices/Applications:-

  • Connected medical endpoints (examples: online health monitoring to radiology devices to video-oriented services);
  • Internet facing personal health data (example: web-based call center for medical supply entity);
  • Security systems and edge devices (example: enterprise network controllers).

The report details the findings of a study that reviewed the largest sources of malicious traffic.

To get a copy of the report, go to:http://norse-corp.com

Image