NH-ISAC Partnership, SEC, Data Breach Ruling

Posted by: Julia Annaloro      Date: March 20, 2018

TLP White

We start first with exciting news regarding a new NH-ISAC partnership and then visit the Securities and Exchange Commission’s latest guidance on data breach disclosures. We also take a look at recent healthcare breaches, including an update on the CareFirst case, and conclude with the latest Amazon team up. Welcome back to Hacking Healthcare:


Hot Links –
1. NH-ISAC Partners With Anomali: NH-ISAC is excited to announce that we have partnered with Anomali, a leading provider of threat management and collaboration solutions.[1] Anomali will provide NH-ISAC the tools and infrastructure necessary to enable NH-ISAC members to share threat information securely and efficiently with one another.[2] NH-ISAC board member, Jim Routh, recently said, “Sharing threat intelligence among member firms is one of the most essential services of any ISAC… [and] [t]he NH-ISAC Board is pleased with the opportunity to work with the ThreatStream platform to enhance threat intelligence sharing for the healthcare sector.” [3]

2. Regulatory. Living in a Material World. Last week U.S. Securities and Exchange Commission (“SEC”) Commissioner Robert J. Jackson Jr. made “the rising cyber threat” the focus of his keynote address during the annual Tulane Corporate Law Institute conference.[4] His remarks were some of his first as SEC Commissioner, and were timed about a month after the SEC released new guidelines on disclosing material cybersecurity risks and incidents. The new SEC guidance provides that publicly traded companies may be obligated to make timely disclosure of material cybersecurity risks and incidents that could potentially impact stock prices.[5] The materiality standard is highly fact-specific, and is intended to balance the nature and scope of a breach, the nature of the information compromised, and the resulting harm or costs.

3. Legal News. CareFirst Data Breach Ruling: Harmless for Healthcare? Although the Supreme Court chose not to take up CareFirst’s case in February, CareFirst will have yet another opportunity to argue its case to the DC District Court. In case you forgot, the case has been working its way through federal courts since 2015. At issue is whether victims of the 2014 and 2015 CareFirst data breaches suffered an injury for purposes of establishing legal “standing.”[6]


Because the Supreme Court will not hear the case, the Circuit Court’s decision to reverse and remand the case back to the District Court stands. Elizabeth Snell of HealthITSecurity does a nice job at explaining how the case, despite being denied by the Supreme Court, impacts health care.[7]


According to Ms. Snell, the Supreme Court’s denial “is unlikely to have any significant impact on future data breach cases” because the Supreme Court’s denial leaves the DC Circuit Court’s decision in place. Therefore, she recommends that healthcare organizations continue to take cybersecurity seriously and invest in cybersecurity measures.

[1] https://www.anomali.com

[2] https://www.businesswire.com/news/home/20180315005772/en/NH-ISAC-Anomali-Join-Forces-Accelerate-Cyber-Threat

[4] https://www.sec.gov/news/public-statement/statement-jackson-2018-02-21

[5] https://www.sec.gov/rules/interp/2018/33-10459.pdf

[6] https://healthitsecurity.com/news/what-the-carefirst-data-breach-decision-means-for-healthcare

[7] https://healthitsecurity.com/news/carefirst-data-breach-case-moves-to-us-supreme-court

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:

HackingHealthcare Public TLP White Newsletter 3.20.2018


NIST on IoT, Apple Health, Net Neutrality, Stroke Alert App and Microsoft

Posted by: Julia Annaloro      Date: March 13, 2018

TLP White

This week we wish Ben Flatgard well on the next chapter of his career and welcome our new Hacking Healthcare blogger. We’ll also take a look at a few federal agency reports and announcements as well as a tech giant’s decision to launch medical clinics for all its employees. As a special treat, we also provide a quick recap of an exciting Supreme Court case. Welcome back to Hacking Healthcare.


Hot Links –

  1. Keep your wearables secure, and your implantables securer: The National Institute of Standards and Technology (“NIST”) recently released a draft report developed by the Interagency International Cybersecurity Standardization Working Group entitled Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) (“Report”).[1]


The Report explains that Health IoT and Medical Devices (wearables, implantables, injectables, ingestibles) enable doctors, patients, and users to participate in real-time health monitoring, medication and nutrition tracking, and imaging.  Despite these benefits, the Report also explains that like most IoT devices, Health IoT and Medical devices may be exposed to cybersecurity vulnerabilities.


If you are feeling inspired, NIST is accepting public comments on the Report until April 18, 2018.[2]  


  2. Apple tackles employee health: Apple is making health care moves with the launch of a group of independent health clinics, also known as AC Wellness.[3] Apple will initially operate two clinics in Santa Clara County, California, and will be providing primary care services to Apple employees and their families as early as this spring. Job listings show that Apple is looking to hire designers to implement a program focused on preventing disease and promoting healthy behavior.


  3. FCC’s net neutrality repeal: The Federal Communications Commission recently published its order to repeal net neutrality[4] and HealthcareITNews addressed how the order impacts the healthcare industry.[5] Jessica Davis reports that while FCC Chairman Ajit Pai argues the repeal will boost telemedicine, some groups argue the repeal will enable the internet service providers to create fast lanes and charge higher fees and services. Ms. Davis says that some opponents feel the repeal may actually cause hospitals to reduce telemedicine programs because they will need to spend more money on the increased internet prices.


  4. Stroke-alert – there’s an app for that: The Food and Drug Administration said it will permit Viz.ai, a healthcare company that relies on artificial intelligence and deep learning to analyze medical data,[6] to market an application that may alert medical practitioners of a potential stroke.[7] According to an FDA press release, the application permits a first-line practitioner to use the application to analyze CT images of a patient’s brain. If the application identifies a potential stroke, it will automatically alert a medical specialist’s mobile device of the potential stroke. However, the specialist must review the CT images on a clinical workstation.


  5. Divided court on U.S. v. Microsoft: The Supreme Court heard oral argument for U.S. v. Microsoft, which examines whether the federal government can use warrants to force Microsoft to turn over data stored overseas.[8] The case is the latest example of applying an old law to technology that was unfathomable at the time of its passage.


Microsoft’s position has been that U.S. law enforcement must go through Irish authorities to obtain the content of emails regarding a U.S. drug tracking investigation.  Meanwhile, the Justice Department asserts that the U.S. issued warrant is enough to access the data because the information is stored on the cloud, thus Microsoft can obtain the data from within the United States.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.

Read full blog below:


HackingHealthcare Public TLP White Newsletter 3.13.2018

[1] https://csrc.nist.gov/CSRC/media/Publications/nistir/8200/draft/documents/nistir8200-draft.pdf

[2] https://csrc.nist.gov/publications/detail/nistir/8200/draft

[3] https://www.acwellness.com/

[4] https://www.federalregister.gov/documents/2018/02/22/2018-03464/restoring-internet-freedom

[5] http://www.healthcareitnews.com/news/fcc-publishes-net-neutrality-repeal-order-so-whats-next

[6] https://www.viz.ai/about/

[7] https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm596575.htm

[8] http://www.scotusblog.com/case-files/cases/united-states-v-microsoft-corp/

Privacy Shield, Data Breach Laws, New Regs Old Cases

Posted by: Julia Annaloro      Date: February 27, 2018

TLP White

We take one more trip to Europe – this time to look at Privacy Shield – as well as revisiting data breach laws, new regs, and old court cases. Welcome back to NH-ISAC’s Hacking Healthcare:


Hot Links –

  1. Privacy Shield: Following our review of the European GDPR, let’s shift our focus to the EU-US Privacy Shield framework. Privacy Shield came into effect in 2016[1] to enable transatlantic commerce that is compliant with laws in respective jurisdictions. Privacy Shield came into effect to replace the previous Safe Harbor agreement, which the European Court of Justice invalidated in 2015.


Privacy Shield creates a standard set of principles that govern the transfer of protected data of EU citizens to the United States (e.g., for purposes of storing or processing). A company can self-certify compliance with the Privacy Shield framework by registering with the U.S. Department of Commerce.[2]

The framework[3] is built around the same concepts of privacy and data protection that underpin GDPR and previous European data regulations. There are requirements for disclosure of data collection and use to relevant individuals, the limited use of data for appropriate purposes, the use of necessary security controls, and oversight regarding any use of the data by third parties. The framework requires companies who self-certify to provide recourse for any citizens to register complaints.

The EU has indicated that the Privacy Shield framework will be subject to an annual review, so as the GDPR is implemented over the coming years we will need to keep an eye on corresponding modifications to Privacy Shield.


  2. Data Breach: There is a good piece in Lawfare[4] this week that is relevant to our recent discussion of data breach laws in Europe, Australia, and the U.S. Susan Landau looks at how the theft of personal information – including personal health information – can pose a national security risk. She goes on to suggest that Congress should address this shortcoming with a national data breach requirement.


  3. Update to ‘Common Rule’: “With the exception of certain burden-reducing provisions of the 2018 Requirements,” the interim final rule updating ‘Common Rule’ requirements will now come into effect in July. This update includes new exemptions to research activities, which is what has prompted the delay in order for detailed implementation guidance to be developed. Find the register notice here: https://s3.amazonaws.com/public-inspection.federalregister.gov/2018-00997.pdf


  4. The Court takes a Pass: The Supreme Court ruled against CareFirst this past week in a case we have been watching for quite some time. If you remember, CareFirst’s complaint to the Supreme Court was over the interpretation of “harm” in the context of the data breach victims. The case will now be heard in the DC court of appeals, which took a broader view over whether the victims had suffered any “harm” when they agreed to hear the case.[5]


In other court news, U.S. v. Microsoft will be heard today.[6]


[1] https://www.commerce.gov/news/fact-sheets/2016/07/fact-sheet-overview-eu-us-privacy-shield-framework

[2] https://www.privacyshield.gov/PrivacyShield/ApplyNow

[3] https://www.privacyshield.gov/EU-US-Framework

[4] https://www.lawfareblog.com/understanding-data-breaches-national-security-threats

[5] http://www.healthcareitnews.com/news/supreme-court-rejects-carefirst-bid-review-breach-case

[6] https://www.lawfareblog.com/microsoft-ireland-oral-argument-preview-will-supreme-court-stave-data-localization

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.



Budgets, GDPR, Australia Data Breach Law

Posted by: Julia Annaloro      Date: February 20, 2018

TLP White
This week we revisit budgets, finish up with GDPR, look down-under, and worry about adversaries exploiting our data breach laws. Welcome back to Hacking Healthcare:

Hot Links –
1. Budgets: The HHS Secretary went in front of House Ways and Means last Wednesday for a two-hour budget hearing. Cybersecurity was mentioned only in passing – by Rep. Patrick Meehan (R-PA) who encouraged the Secretary to engage with Congressional leadership on efforts to protect the safety and privacy of patients.
Since then, HHS has put out their 2019 “Budget in Brief,” which adds details to the high-level budget proposal put out by the President last week. The budget proposes $68 million to “ensure the Department is able to detect, manage, and remediate cybersecurity risks.” While these are mostly funds designated to help protect HHS from cyber threats, there is also intent to “proactively engage with a range of stakeholders.” The budget proposal represents an increase of $18 million over the 2018 enacted budget.
A Budget in Brief can also be a helpful way to understand future Departmental plans. This document is no different and reveals OCR’s intent to develop guidance documents that explain “how to effectively respond to cybersecurity threats, including issuing resources to illustrate the steps HIPAA-covered entities or business associates should take in response to a cyber-related security incident.”

2. GDPR: For the last couple weeks we have looked at the foundations of GDPR and its implications in terms of breach notification requirements and potential penalties for non-compliance. But compliance with GDPR includes some proactive organizational measures related to how data is protected when stored and processed. Today we will look at those.

Register as an NH-ISAC member to get access to this analysis each and every week!

3. Privacy Shield: Tune in next week for more detail on privacy shield – a 2016 agreement that regulates the protections required for transporting data between the EU and US. Here’s a primer if you want to jump right in: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en

4. Australian Data Breach Law: Starting February 22 (this Thursday), Australia will introduce a new data breach notification requirement for organizations conducting business in the country. The law places a requirement to notify individuals and the government in the event of the unauthorized access, disclosure, or loss of personal information “likely to cause serious harm.” This requirement applies to all health service providers and organizations that hold health data on individuals. It also covers all other organizations operating in Australia with an annual turnover exceeding $3mm AUS.

When a data breach that may require notification is discovered, the organization has 30 days to conduct an assessment of the breach. If the assessment determines that serious harm may result, notification must occur “as soon as practicable.” Notification can occur through direct notification to impacted individuals or broad publication of the incident. Importantly, notification must include recommendations on how an impacted individual can protect oneself.

NH-ISAC is planning its first Australian Cybersecurity Workshop on April 13 in Sydney. Sign-up here: https://nhisac.org/events/nhisac-events/healthcare-cybersecurity-workshop-australia/

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.



GDPR, the federal government budget, Olympic mania

Posted by: Julia Annaloro      Date: February 13, 2018

TLP White


Hot Links –

  1. Google gets Aggressive: I’m a fan of simple and intuitive security disclosures that can inform (or nudge[1]) the market to reward good security practices. Google Chrome’s move towards more intuitive and visible markings for unencrypted web traffic is a good step in the right direction.[2] Tinder better catch-up![3]


  2. Olympic Destroyer: It looks like the Olympic organizers dodged a bullet ahead of the opening ceremony. Talos says that the purpose of the attack was disruption and destruction – rather than any attempt at theft. “The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment.”[4]


  3. Budgets: Last Friday, the President signed a two-year spending bill into law.

This week, the White House released a proposal for its next budget.[5] While the proposal included big spending cuts across the board – security spending got some bumps. The budget proposes a significant increase in the DHS office that handles critical infrastructure security and federal network security.[6]

That being said, Treasury, Education, Energy[7], and Interior all had proposals to increase their ability to support the cybersecurity of key critical infrastructure. HHS didn’t get any of the same attention. What gives?

No one believes this proposal will be adopted by Congress. But it does serve an important role in signaling the Administration’s priorities. The new HHS Secretary is due to defend the proposal in a hearing on Wednesday morning. Let’s see if he talks cyber.

  4. GDPR: As we started to discuss last week, GDPR is the new General Data Protection Regulation that comes into effect on May 25. GDPR establishes the rights of European residents in relation to their personal data. It is designed to protect the privacy of European citizens and residents – and in doing so impacts all organizations that are located in Europe or that collect or store the information of European residents.

GDPR pertains not only to how an organization must protect information and notify impacted parties in the event of a breach, but also when and how it is permissible for an entity to collect, store, and process personal data.

Personal data is the broad term under GDPR for “any information relating to an identified or identifiable natural person (data subject).” This is a more inclusive definition than PII in the U.S. – a name or even an IP address can constitute personal data under the GDPR.

Health data is given special consideration under the GDPR.[8] Under the regulation there is a default prohibition against processing health data – which includes “data concerning health,”[9] biometric data, and genetic data. To process health data certain conditions must be met. One condition is for the data subject to provide “explicit consent.” This is the strongest grounds for an organization to stand on – and is somewhat like the provisions requiring disclosure and affirmative consent within HIPAA. There are further conditions where health data can be processed – most notably when “processing is necessary for the purposes of preventive or occupational medicine.”[10]

GDPR sets an expectation that organizations will report any breaches very quickly – “without undue delay and, where feasible, not later than 72 hours after becoming aware of it” – to the relevant national supervisory authority. There is a further obligation to notify the data subject without undue delay.

Similar to OCR’s view, ransomware may constitute a data breach that requires reporting under GDPR[11] unless an organization can demonstrate that the ransomware attack “is unlikely to result in a risk to the rights and freedoms of natural persons.”[12]
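As an added defensive example (not code from the newsletter or from Talos), here is a Python pass over constructed process-creation events that flags the behaviours quoted in the Olympic Destroyer item above (shadow-copy deletion, event-log clearing, PsExec and WMI remote execution) and raises a host-level alert only when destruction and spreading co-occur. The sample events and the command-line patterns in the rules are assumptions, not taken from the page.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample process-creation events (not from the page, Talos or any real host):
# "host|image|command_line", one event per line.
SAMPLE_EVENTS = r"""
WS-01|C:\Windows\System32\notepad.exe|notepad.exe report.txt
WS-01|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
WS-01|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl System
WS-01|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
WS-01|C:\Tools\PsExec.exe|PsExec.exe \\WS-02 -accepteula -s cmd.exe /c hostname
WS-01|C:\Windows\System32\wbem\WMIC.exe|wmic /node:WS-03 process call create "cmd.exe /c hostname"
WS-02|C:\Windows\PSEXESVC.exe|PSEXESVC.exe
BACKUP-01|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
WS-05|C:\Windows\System32\wevtutil.exe|wevtutil.exe qe Security /c:5
""".strip()


class Hit(NamedTuple):
    host: str
    rule: str
    category: str
    command_line: str


# Detection rules: (name, category, pattern over the lowercased "image command_line").
# The patterns are assumptions about how shadow-copy deletion, log clearing, PsExec and
# WMI remote execution appear in process telemetry; they are not taken from the page.
RULES = [
    ("shadow_copy_delete", "destructive",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("event_log_clear", "destructive",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("psexec_remote_exec", "lateral",
     re.compile(r"psexec(\.exe)?\s+\\\\|psexesvc\.exe")),
    ("wmi_remote_exec", "lateral",
     re.compile(r"wmic(\.exe)?\s+/node:")),
]


def parse_events(text: str):
    """Yield (host, image, command_line) tuples from the pipe-delimited sample format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, image, command_line = line.split("|", 2)
        yield host, image, command_line


def scan_events(text: str) -> List[Hit]:
    """Run every rule over the image path plus command line of each event."""
    hits: List[Hit] = []
    for host, image, command_line in parse_events(text):
        haystack = f"{image} {command_line}".lower()
        for name, category, pattern in RULES:
            if pattern.search(haystack):
                hits.append(Hit(host, name, category, command_line))
    return hits


def triage(hits: List[Hit]) -> Dict[str, str]:
    """Per-host verdict: 'alert' when destructive and lateral-movement behaviour both
    appear on the same host (the wipe-then-spread pattern Talos describes), otherwise
    'warning' for a host showing only one category. Benign hosts are not listed."""
    categories: Dict[str, set] = defaultdict(set)
    for hit in hits:
        categories[hit.host].add(hit.category)
    return {
        host: "alert" if {"destructive", "lateral"} <= cats else "warning"
        for host, cats in categories.items()
    }


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit.host:10} {hit.rule:20} {hit.command_line}")
    print(triage(scan_events(SAMPLE_EVENTS)))
```

Listing or querying shadow copies and event logs (BACKUP-01 and WS-05 in the sample) is left unflagged on purpose, since backup and audit tooling does that routinely.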

[1] https://www.theverge.com/2018/2/8/16991254/chrome-not-secure-marked-http-encryption-ssl

[2] https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

[3] https://www.wired.com/story/tinder-lack-of-encryption-lets-strangers-spy-on-swipes/

[4] http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

[5] https://www.whitehouse.gov/wp-content/uploads/2018/02/budget-fy2019.pdf

[6] http://thehill.com/policy/cybersecurity/373457-trump-requests-33-billion-for-homeland-security-cyber-unit-in-2019

[7] https://www.cyberscoop.com/department-of-energy-cybersecurity-office-ceser/

[8] https://iapp.org/resources/article/the-eu-general-data-protection-regulation/#A9

[9] “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”

[10] Article 9, Paragraph 2.8

[11] Definitions, from Article 4, paragraph 12: “’personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

[12] https://iapp.org/resources/article/the-eu-general-data-protection-regulation/#R85

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.



State of the Union, Botnets and GDPR

Posted by: Julia Annaloro      Date: February 07, 2018

TLP White
We will take a look back at the State of the Union and a look ahead at fighting botnets, as well as a tease of our dive into GDPR – all on this week’s NH-ISAC Hacking Healthcare:

Hot Links –
1. State of the Union – So we went 1-1 in SOTU predictions. There was definitely no focus on cybersecurity, critical infrastructure, or the digitization of different sectors. But the President also gave a very long speech. Let’s see if the tie can be broken with any follow-up from last year’s Executive Order over the next week or so as the White House looks to clear 2017 brush and focus in on election year priorities.

2. Cyber Priorities – Speaking of election year priorities, what are the Administration’s priorities this year in cyber policy? So far it is unclear, particularly when it comes to critical infrastructure protection. There has been some discussion that the Administration will focus on creating international agreements for data exchange.

3. Anti-Botnet Policy – Another priority for this year – which is a carry-over from last year, is a focus on combatting botnets and preventing their spread in the future.

Early in January, the National Telecommunications & Information Administration (part of Commerce) released a draft report on how to combat botnets. The comment period is now closing (February 12 is the last day to submit feedback).

4. WannaCry After-Action – The British government has been evaluating NHS preparedness in response to the WannaCry attacks last spring. In conducting onsite reviews of the different NHS trusts, it found that none were at the “cyber essentials plus” standard set out as a goal by the government. The UK government published a report detailing these findings last October.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.



The Cyber State of the Union

Posted by: Julia Annaloro      Date: January 29, 2018

TLP White

It is State of the Union time on this week’s Hacking Healthcare:


Hot Links –

1. State of the Union – On Tuesday night, President Trump will give his first State of the Union. What are the odds that cybersecurity will get a mention? I would bet against cybersecurity getting anything more than a passing reference. Cyber-stuff barely got mentioned in Obama’s final SOTUs, and there wasn’t a looming investigation into foreign interference related to cybery-


I get the sense that POTUS wants to keep his speech short so that it is more popularly engaging than most of Obama’s wonk-fests. With a need to count wins on the economy and present an election-year vision for government funding, immigration, jobs, and foreign policy, there just isn’t much room for new cyber policy.

That being said, we still have not seen much in the way of deliverables from last year’s cyber Executive Order. Maybe they are being held for the speech? Still seems unlikely, but maybe there will be something cybery in a follow-up announcement over the next week or so.

We will just have to tune-in and find out: 9PM EST on all the networks.

2. National 5G? – In the vein of State of the Union type announcements, there was a leaked document from the White House this past weekend, which excitedly proposes an “information age” equivalent to the interstate highway system where the government intervenes in the telecommunications market and develops a state-owned 5G network.[1]

3. Heck of a job Intel – A new report by the Wall Street Journal introduces a broader national security concern to the Meltdown and Spectre vulnerabilities. The headline[2] says it all: “Intel Warned Chinese Companies of Chip Flaws Before U.S. Government.”

[1] https://www.axios.com/trump-team-debates-nationalizing-5g-network-f1e92a49-60f2-4e3e-acd4-f3eb03d910ff.html

[2] https://www.wsj.com/articles/intel-warned-chinese-companies-of-chip-flaws-before-u-s-government-1517157430

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.



Sharing, Shutdown and More

Posted by: Julia Annaloro      Date: January 23, 2018

TLP White

Hot Links –

  1. Attacks, Vulnerabilities – Members Listserv!: Just wanted to plug the NH-ISAC listserv which has been very active around the continued fallout from Meltdown and Spectre as well as other recent incidents impacting the health sector. Make sure you are signed up and receiving the emails!


  2. Shutdown: As you all know, the Government shut down for a couple days. The Hill[1] and Politico[2] both tell us that there wasn’t much of an impact. Greg Touhill, former Federal CISO, rightly says that any lapse in funding increases our risk[3]. Thankfully, it didn’t last long. But on the same score, we need long term funding in place to increase the Federal cybersecurity spend as planned. Let’s hope that Congress and the White House can put a full appropriations bill in place by February 8, though smart money is probably betting against it.


  3. Pompeo talks: The Director of the CIA, Mike Pompeo, spoke in Washington today about future national security threats[4]. Interesting conversation with Marc Thiessen at AEI that gives you a look into the Administration’s view on threats facing the country. There should be more in here about cyber-threats – the subject is only touched on very briefly.


[1] http://thehill.com/policy/cybersecurity/overnights/369817-cyber-world-braces-for-shutdown

[2] https://www.politico.com/newsletters/morning-cybersecurity/2018/01/22/how-the-government-shutdown-is-affecting-cybersecurity-079344

[3] https://federalnewsradio.com/federal-drive/2018/01/greg-touhill-how-cyber-security-is-affected/

[4] http://www.aei.org/events/intelligence-beyond-2018-a-conversation-with-cia-director-mike-pompeo-livestreamed-event/

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.



HHS Secretary, Meltdown fallout, and Russia

Posted by: Julia Annaloro      Date: January 16, 2018

TLP White

We may have a new HHS Secretary, there’s fallout from meltdown, and more from Russia. All on this week’s Hacking Healthcare:


Hot Links –

  1. Azar for HHS: Last week, Alex Azar testified[1] before Senate Finance as a nominee to be the next HHS Secretary. He listed four priorities in his testimony, none of which touched on the cybersecurity and resilience of the sector. A passing comment would have been nice, but we also got nothing on this subject during Tom Price’s hearing.[2] Better learn quick as the threat is only getting worse: “Ransomware Attacks Against Healthcare Orgs Increased 89 Percent in 2017”[3]


  2. HHS Meltdown: We failed to reference a bulletin[4] from the HCCIC on Meltdown and Spectre in last week’s edition. It is good to see the HCCIC generating product. However, recommendations given in this document may be misconstrued as regulatory guidance. It would be good to see future bulletins clarify such guidance.


  3. Russia Russia Russia: Last week, the Senate Foreign Relations Committee published an important report on Russia’s global campaign against democracy. The 200-page report looks at different techniques the Kremlin has used against established and emerging democracies around the world. The report acknowledges the cyber-threat that Russia poses to the critical infrastructure of the U.S. and its allies. One of the recommendations is to impose a multilateral regime of escalating sanctions against the perpetrators of cyber-attacks.[5]

[1] https://www.finance.senate.gov/imo/media/doc/09Jan2018AzarSTMNT.pdf


[3] https://www.healthcare-informatics.com/news-item/cybersecurity/report-ransomware-attacks-against-healthcare-orgs-increased-89-percent-2017

[4] https://content.govdelivery.com/attachments/USDHSCIKR/2018/01/05/file_attachments/939003/HCCIC-2018-001-Spectre-Meltdown-3.pdf

[5] https://www.foreign.senate.gov/imo/media/doc/FinalRR.pdf

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.



Chip Flaw, Trusted Data Exchange & Medical Device Security

Posted by: Julia Annaloro      Date: January 09, 2018

TLP White

After a calm holiday, we have started the year in total Meltdown. We will look at the Spectre of the chip vulnerability and much more in this week’s Hacking Healthcare:


Hot Links –

  1. Chip Flaw: The biggest security story[1] in the new year is the disclosure of twin vulnerabilities – Meltdown[2] and Spectre[3] – that have been identified in Intel, AMD, and ARM processors. Researchers have produced proof-of-concept attacks that enable non-privileged users to read the cached memory in the system’s kernel. It appears this is made possible by a performance feature on the chips that anticipates and “speculatively” executes future instructions. Typical security controls are not applied to instructions during speculative execution.


Chip and OS manufacturers, as well as independent security researchers, believe the impact of an attack that leverages Meltdown or Spectre is likely limited to data theft and not operational control of systems (since the security controls kick in before the machine commits the results of those speculatively executed instructions).


Intel[4], AMD[5], and ARM[6] all have press pages devoted to tracking the flaws and their fixes. ARM has noted that its Cortex-M line of processors (which are used in some medical devices) has not been impacted.

[1] https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

[2] https://meltdownattack.com/meltdown.pdf

[3] https://spectreattack.com/spectre.pdf

[4] https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

The folks at The Register who broke the story, are not that impressed with Intel: http://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/

Ars Technica has a look at all responses: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

[5] https://www.amd.com/en/corporate/speculative-execution

[6] https://developer.arm.com/support/security-update


As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.
