Meltdown and The Cloud – Time To Validate Cloud and Hosted EHR Performance

Meltdown is one of two significant hardware “chip” defects recently identified. These defects can only be directly by replacing the affected Intel Central Processing Unit (CPU.) The affected CPU’s are used in virtually every compute server on the market which uses an Intel CPU. Compensating security controls are being deployed by the operating system vendors to repair the damage in the software so the hardware doesn’t have to be replaced.


Many pundits have been warning these software measures will impact server performance but, until now, it was not known by how much. The magic number appears to be 6%. A patched server will nominally be degraded in processing power by 6%.

This may be significant or not, depending on how an organization is using the servers. For the sake of this post, we will focus only on cloud or hosted providers of critical Electronic Health Record (EHR) systems serving the national healthcare “critical” infrastructure sector. It is important to patient safety that these systems continue to perform appropriately for providers and clinicians to effectively use them to document patient information. There is nothing more frustrating than what some providers have termed “the spinning wheel of death.” This is the little icon that spins when an application is not responding because of application overload or computing infrastructure issues. Waiting on an EHR to respond is frustrating and can lead to clinical errors.


Any organization that is using a cloud or hosted EHR service provider should initiate their incident response plan and contact their service provider directly to determine what measures they are taking to either correct the defective hardware or mitigate with compensating software controls. It is important to receive a documented response with an appropriate timeline and identification of any performance impacts. If a negative change to the performance of the EHR has been identified, it is may be time to escalate outside of the “sales channel.”


If you do not have an incident response plan, you can still form a committee comprised of critical stakeholders to identify areas of concern and take action to manage the situation before it starts to manage you.

By Rich Curtiss | January 12, 2018 | meltdown | 0 Comments

About the Author: Rich Curtiss

Rich Curtiss

Mr. Curtiss has over 35 years of diverse, executive IT experience across several verticals including Healthcare, Finance, Department of Defense, Intelligence Community and Consulting Services. Rich has served in executive information technology and cybersecurity positions as a CIO, CISO, Director and Program Manager. He's a member of the Clearwater consulting team.

Subscribe for News

    Download New White Paper

Download New White Paper