In the pursuit of speed, processors have been built to feature speculative execution, which has now been found to introduce vulnerabilities by allowing unauthorized viewing of cached content potentially containing passwords, encryption keys, and other sensitive data. Detected by independent researchers, the chip vulnerabilities have been dubbed Meltdown and Spectre. These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.
Advisory and Mitigation Information
The Meltdown and Spectre Side-Channel Vulnerability Guidance issued by the United States Computer Emergency Readiness Team (US-CERT) encourages users and administrators to refer to their hardware and software vendors for the most recent information, and maintains a table that contains links to vendor advisories and software patches. A current concern with the available operating system patches is that they may slow computer performance; the impact on performance may vary based on workload volume and type of processing.
Healthcare industry resources advise healthcare organizations to exercise appropriate caution and test operating software patches carefully before implementing them on high-value assets, including systems that handle PHI and PII. Please refer to the following:
- The U.S. Department of Health and Human Services (HHS) Healthcare Cybersecurity and Communications Integration Center’s (HCCIC) summary report on mitigation tactics and the Center's update on technical details.
- The National Health Information Sharing and Analysis Center’s (NH-ISAC) Threat Intelligence Committee’s (TIC) alert with recommended corrective actions.
New vulnerabilities like these continue to be revealed on a regular basis. As a normal course of business, Quadax regularly patches systems to proactively eliminate known vulnerabilities. Because of the widespread nature of these specific vulnerabilities and the potential performance impact of the patches, Quadax has organized a committee of experts to focus on Meltdown and Spectre developments and remediation. This committee is monitoring patches, testing patches prior to release, analyzing the potential performance impact, interfacing with third parties and working together to provide a smooth path to remediation.
Cyber Hygiene - A good defense remains the best protection
Practicing preemptive cybersecurity hygiene can help prevent adversaries from accessing your systems and is an important first line of defense. An enterprise-wide cybersecurity awareness program can strengthen your organization’s security strategy by alerting employees to current security threats and providing them with a set of best practices. Using employee security awareness in combination with installing the recommended operating software patches can help to mitigate risk during this time of widespread processor vulnerability.
Reach out to vendors as well. Learn what they are doing to mitigate processor vulnerabilities. The Quadax security team continues to monitor the situation and guard against cyber threats. We also engaged our first line of defense, reminding all employees to exercise cyber hygiene.
Achieving 100% participation in our 2017 enterprise-wide employee security awareness program, Quadax remains fully compliant with security awareness training requirements. Recognizing that employee security awareness is a continuous process and an integral part of our ongoing security strategy, Quadax is proud to be a 2018 Data Privacy Day Champion. Data Privacy Day, celebrated January 28th, is an international effort to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust.