The National Health Information Sharing and Analysis Center (NH-ISAC) has issued a warning to the industry regarding two new cybersecurity vulnerabilities impacting processors in nearly every computer and mobile device.
NH-ISAC indicated that while the chances of exploitation were still relatively low, the patches issued by software companies could affect performance.
The two vulnerabilities, known as Meltdown and Spectre, were revealed by cybersecurity researchers earlier this week, prompting technology companies like Microsoft, Google, Intel and Apple to release patches. In a blog post on Wednesday, Jann Horn with Google’s Project Zero, said he and other researchers reported the vulnerability to manufacturers in June.
According to researchers, the vulnerabilities “allow programs to steal data which is currently processed on the computer” including information stored in the computer’s memory.
“This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents,” they wrote.
For the healthcare industry, “the perception of this vulnerability will be greater than the actual impact of the potential compromise,” an alert (PDF) from NH-ISAC’s Threat Intelligence Committee warned. The larger impact involves depleted processor performance ranging from 5% to 40%.
“Healthcare organizations will be asked to deploy the patch without understanding the actual risk and the business impact of degradation of service,” the alert stated.
NH-ISAC recommended healthcare organizations analyze IT asset inventory to determine which machines are potential targets, list applications dependent on fast throughput that could be at risk if performance degradation is higher than 20% and test patches in a lab environment to determine the actual impact.
The organization also noted that while the possibility of an enterprise exploit “is not high at this time,” cloud vendors could be impacted if left unpatched. The notice said AWS began patching in mid-December and have been aware of the voluntarily for at least a month.