Health plans, their employer, union, insurer or other sponsors, fiduciaries, administrative or other service providers and their vendors and advisors should act immediately to investigate if any action is needed to protect electronic protected health information or other sensitive data and systems in response to the following cyber risk alert from the Department Of Health and Human Services Office of Civil Rights.
TLP: WHITE: ASPR/CIP HPH Cyber Notice: Meltdown and Spectre Vulnerability Guidance UPDATE #1
January 17, 2018
DISCLAIMER: This product is provided “as is” for informational purposes only. The Department of Health and Human Services (HHS) does not provide warranties of any kind regarding any information contained within. HHS does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header.
TLP: WHITE information may be distributed without restriction (subject to standard copyright rules).
Healthcare and Public Health Sector partners-
The attached report is a technical update to the previously distributed HPH Cyber Notice covering chip vulnerabilities named Meltdown and Spectre. Both Meltdown and Spectre are vulnerabilities in how computer chips handle data that have the potential to expose sensitive information, such as protected health information (PHI), being processed on the chip. As this information is protected from disclosure under HIPAA, Healthcare and Public Health (HPH) entities should employ risk management processes to address these vulnerabilities and ensure the security of medical records and other PHI.
Major concerns for the HPH sector include but are not limited to:
• Challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use.
• Cloud Computing: Potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments
• Web browsers: Possible PHI/PII data leakage
• Patches: Potential for service degradation and/or interruption from patches
The detailed report can be found here: Technical Report on Widespread Processor Vulnerabilities