GE and Intel Vulnerabilities
This past month was extremely active in the healthcare cybersecurity world. Along with speculation about how the coronavirus may impact healthcare facilities, there were announcements of vulnerabilities in both Intel CPUs and GE medical devices.
Where GE is concerned, there’s a vulnerability in specific monitoring devices that could allow a hacker to gain access to the devices and reconfigure them or render them useless. By reconfiguring them, a hacker could turn off alerts, alter information, or extract PHI. GE is currently working on patches, but if you’re running any of the following devices, you need to contact your GE representative and make sure you’re getting the updates. Here’s the list:
- ApexPro Telemetry Server, Versions 4.2 and prior
- Clinical Information Center (CIC), Versions 4.X and 5.X
- CARESCAPE Telemetry Server, Versions 4.3 and prior
- CARESCAPE Central Station (CSCS), Versions 1.X and 2.X
- Patient monitors B450, B650, and B850, Versions 1.X and 2.X
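One way to check an asset inventory against the list above, as an added example (not code from GE or from this post). The CSV layout, asset tags and product-name spellings are constructed, and treating a patch release such as 4.2.1 as "4.2" is an assumption.

```python
import csv
import io

# Affected versions as listed above: ("prior", (4, 2)) is "4.2 and prior",
# ("major", {4, 5}) is "4.X and 5.X". Key spellings are assumed inventory names.
AFFECTED = {
    "apexpro telemetry server": ("prior", (4, 2)),
    "clinical information center": ("major", {4, 5}),
    "carescape telemetry server": ("prior", (4, 3)),
    "carescape central station": ("major", {1, 2}),
    **{m: ("major", {1, 2}) for m in ("b450", "b650", "b850")},
}

def parse_version(text):
    """Turn '4.2.1' or 'v4.2' into a tuple of ints; None if not numeric."""
    try:
        return tuple(int(p) for p in text.strip().lstrip("vV").split("."))
    except ValueError:
        return None

def status(product, version_text):
    """Classify one asset: 'affected', 'not in list' or 'check manually'."""
    rule = AFFECTED.get(product.strip().lower())
    if rule is None:
        return "not in list"
    version = parse_version(version_text)
    if version is None:
        return "check manually"  # listed product, version unknown
    kind, value = rule
    if kind == "prior":
        # Assumption: compare major.minor only, so 4.2.1 counts as 4.2.
        hit = (version + (0,))[:2] <= value
    else:
        hit = version[0] in value
    return "affected" if hit else "not in list"

# Constructed sample inventory; asset tags and versions are made up.
SAMPLE_CSV = """asset,product,version
MON-001,B650,2.1
TEL-002,CARESCAPE Telemetry Server,4.3.2
TEL-003,ApexPro Telemetry Server,4.3
CIC-004,Clinical Information Center,unknown
PMP-005,Infusion Pump,1.0
"""

def sweep(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset"]: status(r["product"], r["version"]) for r in rows}
```

A listed product with an unreadable version comes back as "check manually" rather than being silently cleared, so it still gets raised with the GE representative.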
CPU-based vulnerabilities are problematic because it’s difficult for many people to patch the problem. In this particular case, the CacheOut vulnerability, in very simplified terms, gives hackers the ability to access information stored on the CPU and extract it. Intel is still working on fixes for many of their CPUs, so there’s a high likelihood you are running machines with this problem. However, any CPUs released after Q4 2018 should be safe.
The CacheOut vulnerability is a derivative of the Spectre/Meltdown vulnerabilities we learned about last year. CacheOut actually bypasses some of the fixes Intel made to stop Meltdown, so a new round of fixes is in the works. If you have this vulnerability, there’s little you can do until the patches are released. However, running anti-malware and antivirus programs (and keeping them updated) may help detect any software a hacker may install. At this time, there are no known exploits of this vulnerability, but it would also be difficult, if not impossible, to detect whether one has occurred.
The Intel vulnerability is yet another reason to upgrade your hardware sooner rather than later if it’s in the budget for 2020. Couple that with the official sunsetting (meaning no longer HIPAA compliant) of Windows 7, and we have a fertile playground for hackers.
Stay safe out there. Keep your software and hardware up to date.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of the workforce (including management). Have your team sign up for weekly HIPAA Security Reminder to help stay compliant.