Meltdown is one of two significant hardware “chip” defects recently identified. These defects can only be directly corrected by replacing the affected Intel Central Processing Unit (CPU). The affected CPUs are used in virtually every compute server on the market that uses an Intel CPU. Operating system vendors are deploying compensating security controls to repair the damage in software so the hardware doesn’t have to be replaced.
Many pundits have been warning that these software measures will impact server performance but, until now, it was not known by how much. The magic number appears to be 6%. A patched server will nominally be degraded in processing power by 6%.
This may be significant or not, depending on how an organization is using the servers. For the sake of this post, we will focus only on cloud or hosted providers of critical Electronic Health Record (EHR) systems serving the national healthcare “critical” infrastructure sector. It is important to patient safety that these systems continue to perform appropriately for providers and clinicians to effectively use them to document patient information. There is nothing more frustrating than what some providers have termed “the spinning wheel of death.” This is the little icon that spins when an application is not responding because of application overload or computing infrastructure issues. Waiting on an EHR to respond is frustrating and can lead to clinical errors.
Any organization that is using a cloud or hosted EHR service provider should initiate its incident response plan and contact the service provider directly to determine what measures the provider is taking to either correct the defective hardware or mitigate with compensating software controls. It is important to receive a documented response with an appropriate timeline and identification of any performance impacts. If a negative change to the performance of the EHR has been identified, it may be time to escalate outside of the “sales channel.”
If you do not have an incident response plan, you can still form a committee comprised of critical stakeholders to identify areas of concern and take action to manage the situation before it starts to manage you.