Two major computer hardware bugs affecting billions of devices—Meltdown and Spectre—became public this week, and security experts are warning that they could be the nastiest bugs ever. While this is still a developing situation, we know that the security weaknesses can allow attackers to access security keys, passwords, and files stored in the memory of all types of computing devices, even mobile devices. These bugs have the potential to make your secrets accessible to organized cybercriminals, who could steal them without a trace.
The health care industry should pay particularly close attention to these two issues, and not only because health care organizations are lucrative targets for cyber attackers—organizations can also expect to experience reduced system performance and may need to invest considerable time and money in hardware upgrades to address these vulnerabilities.
What we're dealing with: Meltdown and Spectre
Both Meltdown and Spectre are newly discovered flaws in the way computer processors keep data securely siloed. These protections are supposed to keep applications (such as web browsers or mobile apps) from reading data from other processes running on the same system unless they are granted explicit permission. Both flaws potentially allow unprivileged applications such as web applications to steal sensitive secrets, such as system passwords, encryption keys, or protected health information.
To date, only Intel processors are believed to be vulnerable to Meltdown, while Spectre is known to impact a much broader range of processors from Intel, AMD, and ARM covering most server, desktop, laptop, and smartphone devices.
While only made public this week, researchers and industry experts across the globe have been working to address these issues for months now. There is no evidence to-date that either of these bugs have been exploited, and vendors are working to rapidly deploy updates, with many already available.
The second bug, Spectre, is much farther reaching, harder to exploit, and harder to fix. Researchers suggest almost every modern computer system is affected by Spectre: desktops, laptops, private servers, cloud servers, and even smartphones.
The lowdown on Meltdown
The Good: While the Meltdown vulnerability has its roots at the hardware level, it is possible for operating system vendors to address the issue. Intel has been working for months with operating system and virtualization software vendors including Microsoft, IBM, Apple, VMWare, Redhat, and other major Linux and Unix vendors. In many cases, companies made patches available before Meltdown was publicly disclosed.
The Bad: According to Intel, the updates can cause "workload-dependent performance issues." For the average computer user, the issues should not be significant and will be mitigated over time. However, security experts indicate the potential for performance issues vary depending on the hardware and applications in place, potentially leading to a 5%-60% decrease in performance depending on a system's workload.
The Ugly: Multi-tenant machines, especially public cloud services, are at the highest risk for exploitation because of the potential for cybercriminals to breach the security boundaries that virtualization is supposed to enforce. Intel processors are widely used in cloud services, and health care organizations using cloud services should aggressively engage their vendors to ensure all appropriate steps are being taken to patch vulnerable operating systems and, where appropriate, isolate sensitive workloads.
What health care leaders should do:
- Immediately open lines of communication with your vendors
- Ensure you have an up-to-date inventory of equipment and applications
- Guarantee you take regularly scheduled updates from all vendors
- Prepare for reduced system performance in the short term
- Eliminate the ability for unprivileged users to run code to mitigate risk on shared systems
- Revisit your breach plan and mobile device policies
- Communicate the essentials of the risk and your remediation plans to your leadership team
- Consider preparing a public-facing statement for patients and community stakeholders
The lowdown on Spectre
The Good: The only good we can possibly see in Spectre at this point is that it appears to be harder to exploit. Information is still rapidly developing.
The Bad: Spectre impacts nearly all non-trivial computing devices, including servers, desktops, laptops, smartphones, and a significant number of embedded computing devices. Compared to Meltdown, it is more damaging, as successful attackers can execute code on an exploited device, potentially with escalated privileges. It is also harder to fix.
The Ugly: There are currently no updates or patches available to address Spectre. While some degree of protection is expected, it will most likely require a new generation of hardware to completely eradicate the issue.
What health care leaders should do:
- Implement all of the recommendations listed above for Meltdown
- Recognize Spectre impacts everything, including IBM, AMD, and ARM processors on traditional computers and mobile devices
- Work with your hardware vendors to assess the need and availability of firmware upgrades for your hardware
- Begin planning for potential hardware replacements
- Revisit mobile device policies
What individual users should do about Meltdown and Spectre
For you as an individual user, the next action steps are straightforward: Microsoft has already issued an emergency patch for Windows, so make sure you've installed the latest Windows updates. Patches are similarly available for the Internet Explorer, Firefox, and Edge browsers, and an update for Google Chrome is expected later this month. Unfortunately, the Meltdown and Spectre bugs are so widespread that it may be impossible to protect yourself completely—but these steps should provide a valuable first line of defense.
In addition to the recommendations above, we invite you to join us for our "Security and the C-suite" webconference on Feb. 15 to get up to speed on the cybersecurity landscape and different opportunities to engage executive leadership in the issue.
The following Advisory Board resources are also available on how to respond and prepare for cyber events: