On January 5, the OCR sent out an emergency update to the security and privacy email lists notifying health care organizations about newly discovered computer vulnerabilities that may affect PHI.

In the update, the OCR linked to a report from the Healthcare Cybersecurity and Communications Integration Center (HCCIC).  The report outlines new computer processor vulnerabilities.

The computer processor is a small chip inside computers and other devices that receives input and provides output.  Essentially, it handles instructions and calculations.

The vulnerabilities, named Spectre and Meltdown, allow a “malicious computer program to bypass data access restrictions and gain unauthorized access to potentially sensitive information from other programs.”  That sensitive information might include PHI, as well as passwords, which could be used later.

The HCCIC has determined that these vulnerabilities are a medium threat to health care organizations, as it would require physical access to each system to effect a change. These vulnerabilities are present in nearly all processors produced in the last 10 years, including those in Apple computers.

Many operating system vendors have released patches that will mitigate these vulnerabilities. However, there have been some issues with AMD processors, and Microsoft has paused Windows security updates for AMD devices.

Installing patches in a timely manner is important, but you should also double-check that there aren’t any issues before installing them. If you are unsure whether a patch will cause an issue, ensure that you have the system backed up before installing it. Remember, backups of protected health information are a HIPAA requirement.

