Serious New Security Issues (Meltdown/Spectre) and How to Address Them

chip blog

A Serious Problem

Over the past few days you may have heard some news about the new security flaws-“Spectre” and “Meltdown”-  affecting the processors on computers, mobile phones & tablets and in the cloud. Current CPU chips from Intel, AMD, Qualcomm, ARM & others have this flaw, which means that these risks cover virtually every computing device. Windows, Linux & Apple products are all affected, as well as embedded processors relying on these CPU chips. This vulnerability is so significant that the US Dept. of Homeland Security has issued an alert.

This issue is caused by a flaw in the fundamental design of these chips called “speculative processing”, which is used to accelerate them. Estimating next steps in an operation & speculatively processing them does indeed speed up these chips (& the computers that run them). However, it also allows a hacker to jump ahead and grab sensitive information (like passwords) prior to the all-important step of being authenticated.

Risks to the Cloud

These vulnerabilities affect cloud services, including those from Amazon Web Services (AWS), Google, Oracle, ADP, etc. and most external hosting environments. Cloud services are particularly at risk, because they rely on virtualization – the creation of virtual CPUs within a physical CPU.   The “wall jumping” nature of the Spectre and Meltdown vulnerabilities allows them to potentially cross the electronic barriers between virtual CPUs (& between different companies hosted on those cloud services).

Spectre vs Meltdown

Spectre breaks the designed isolation between different applications. It allows an attacker to trick error-free programs such as browsers (Firefox, Explorer, Chrome, Safari, Edge, etc.) and gain access to password information. The built-in safety checks in many applications ironically may make them more susceptible to Spectre. All of the common CPU chips today have inherent Spectre vulnerabilities.

Meltdown breaks the fundamental isolation between user applications and the operating system. Any application in theory could steal your data, including simple things such as javascript from a web page viewed in a browser. Every Intel processor with speculative processing is potentially affected. This is effectively every computer with “Intel Inside” since 1995.

Immediate Steps to Take

The best steps to take right now are to patch operating systems and browsers, as well as updating the BIOS and firmware on all affected computers (other than those based on AMD chips, which should hold for the moment). Major computer manufacturers and browser developers are rush-releasing patches to protect their systems.

1. First, check your hardware configurations to see what CPU chip your computers are based on. (Here is how to do that on a Windows 10 machineon a Mac , and on Linux-based  computers.

2. Install patches for vulnerable OS’s, BIOS (Basic Input Output System – software stored on a small motherboard memory chip that initializes hardware and manages the flow of data between the CPU & peripherals) and firmware (embedded software for hardware component control) on phones, tablets & computers using Intel & ARD chips. (Wait on those using AMD chips for now, see below):

  • Android-  Google has issued instructions on how to test your phone’s security level and released patches to its manufacturing partners & supported phones.  It encourages all users to accept the latest security updates.
  • Apple (iPhone, iPad, MAC)-  Yesterday Apple released patches to its mobile platforms (phones/ iPads) and computer systems. iPhones and Tablets should be updated to iOS 11.2.2. Mac OS’s should be updated to 10.13.2 (High Sierra) with the supplemental security update installed. There is some risk that older applications which run on Sierra (10.12) may not run on the new OS.  We have seen this issue with Quickbooks 2014, for example. In this case, another option is to install the new Safari 11.0.2 update for Yosemite (10.11) and Sierra (10.12).
  • Intel-based Microsoft PC’s- Intel has released a tool to test the vulnerability of individual PC’s and a security advisory describing the affected models. This tool should be run to detect possible vulnerabilities and then the OS (for other than AMD-based computers at this point) should be updated (cautiously), following these instructions (Windows). In addition the computer manufacturers’ support (scroll down for a helpful list) should be contacted for instructions on updating the firmware and BIOS.
  • Intel-based Linux PC’s- Intel has released a tool to test the vulnerability of individual PC’s and a security advisory describing the affected models. This tool should be run to detect possible vulnerabilities and then the OS (for other than AMD-based computers at this point) should be updated (cautiously), following these instructions (Linux- should be updated to version 4.14.12). In addition the computer manufacturers’ support (scroll down for a helpful list) should be contacted for instructions on updating the firmware and BIOS.
  • Surface Tablets- These are not vulnerable (whew!) due to their design.

3. Update Browsers:

  • Chrome-  Update to the latest version (63.0.3239.132) by clicking on the About Chrome tab & running the auto-update. Google has promised full protection in Chrome in their planned 64.0 release on Jan. 23, 2018.
  • Explorer/Edge- Microsoft is bundling patches (which actually slow the browser execution a bit) to address these vulnerabilities in with its Windows Updates
  • Firefox- should be updated to version 57.0.4. This contains a protective security patch.
  • Safari- these are addressed by Apple in conjunction with its iOS and OS updates. For older OS’s (Yosemite and Sierra) these are available as a direct update via the App Store – see Safari 11.0.2 update.

4. Update any Virtualization software. These pieces of software allow multiple “virtual” CPU’s to run on a single hardware server. The name of the Spectre and Meltdown vulnerabilities could allow malicious applications to jump across these virtual CPUs. The most commonly-used virtualization system is VMWare from Dell/EMC; their security updates are available here.

5. Get Information from your Cloud Partners on their mitigation efforts. These vulnerabilities affect all of them, and therefore you. Consequently your cloud vendors, hosting partners & embedded systems manufacturers need to provide a plan and timeline for addressing these vulnerabilities.

6. Repeat at Home. To state the obvious, these risks occur at home as well.   Follow the same protocol for all home systems and phones.

7. Be wary of possible phishing attempts mimicking Microsoft fixes! Microsoft patching happens automatically via the internal Windows Update and does NOT require clicking on a link or pop-up to activate! Only install software or patches from the manufacturer (& confirm that the links go to urls from, etc. and not or, etc.)

Patch Performance Issues

Since most of these patches are new and not fully tested due to time pressures there is a need to proceed carefully. Microsoft patches are known to interfere with some antivirus solutions as well. Anti-virus/malware protection software may need to be turned off during installs and updated or replaced on an on-going basis. In addition, Microsoft updates are making some computers based on AMD chips unbootable (inoperable, because they will not start up). Each company blames the other but a fix is likely to emerge within a week or so.

In addition, since the patches are slowing fundamental processes important to computer speeds, there may be visible performance degradation (cloud services, phones, and laptops will run slower). It appears that patches for Meltdown affect machine performance more significantly than Spectre.

The Longer Term Fix

A real fix vs. patches requires new chip designs and new hardware.   These systems will be accelerated into production and should be on the market within 6 months to a year.

Body1 Approach

We develop and host software and websites on all major OS platforms (Windows, Linux, Mac-OS, Android & iOS). We are closely monitoring this situation and following all of our own advice in this advisory. We have made significant progress in protecting all of our (and your!) systems. In addition, as we continue to upgrade our data centers, we will deploy new redundant hardware with new chip sets that do not have these vulnerabilities.

For More Information

We at Body1 are dedicated to a secure web and are here to help. Please do not hesitate to contact any of us if you have any questions.


Cyber Security and Spam: How to Protect Your Website from Attack

CS and S pic 12015 was a year of major cyber attacks. From Ashley Madison’s massive data breach to hackers stealing the personnel information of 21.5 million current and former federal workers, the past year has proven the importance of implementing and regularly updating effective security measures.  Hackers are constantly improving their methods of breaking through cyber security, so security must constantly improve to match it.

CS and S Header 1

CS and S pic 2At Body1, we’ve implemented a multi-tier security system that thwarts everything from viruses to full cyber attacks.  First, we deliver content through CloudFlare, a content caching system that makes web pages load faster and blocks abusive botsand crawlers. Second, we use SSL (Secure Sockets Layer) certificates to encrypt all sites that handle sensitive data. Third, we deploy a firewall to limit unapproved access to our web servers. Fourth, we utilize a load balancer with a built-in intrusion protection system to filter out malicious traffic. These methods allow us to counter cyber attacks before they reach our sites.

CS and S Header 2

CS and S pic 4 On the other end of the security spectrum, Body1 is dedicated to providing ways for users to contact our clients without allowing spam to sneak through. There are many reasons why website owners would want to provide contact information on their site, but an unprotected email address can result in hundreds of spam messages a day. Toprevent spam, we use a javascript form that hides the email address that it sends to, block robots with a swipe captcha, and run all outgoing mail through a spam filter from GFI so that any spam that makes it past the captcha isn’t sent further.

CS and S Header 3

CS and S pic 3Data loss can happen to even the best companies if proper measures aren’t taken. In 2011, Amazon Cloud crashed, permanently destroying many of their customers’ data. Hardware malfunctions, server crashes, system overloads, and malicious attacks can all result in lost data. This is why backing up content and code is critical. Body1 utilizes a redundant content back-up system from CrashPlan that stores duplicate content and code copies locally and distributes it in the cloud.

CS and S Header 4

CS and S pic 5Maximizing uptime is vital to any business that depends, even in part, on the web. The majority of users will never return to your site if it’s down the first time they visit, and even long-time visitors will give up on your site if it’s often down. The best way to minimize downtime is to use a system with multiple layers of redundancy, each layer monitored for latency (slowness) and inavailability. At Body1, we achieve this by utilizing networked hardware and web monitors. Each of our web servers are monitored from global locations in North America, Europe, and Asia by both Hyperspin and Monitor.Us. Any latency can be picked up within five minutes, and the server can be swiftly scheduled for maintenance or, if necessary, replacement.

Can the Compassion of “The Crowd” Reduce Suicide?

HodlerDespondency1887WinterthurA web

Hodler, Despondency, 1887, Winterthur

Something we think a lot about here at Body1 is how to “Connect People with the Health Information that Matters Most to Them”.   In fact, we’ve made that our Mission.   We seek to apply it in our work, and in the ideas which we share.

Here’s one idea.  There’s a huge social opportunity to leverage digital for suicide prevention. Especially so, since suicide is a huge mental health issue that is largely unresolved.   It is a top 10 cause of death in America, 3rd behind only cancer and heart disease in years of life lost.   In the most recent full reporting year (2012), the US Centers for Disease Control and Prevention (CDC) report 40,600 suicides, equivalent to someone dying every 13 minutes.

Given the immediacy of the need and the ubiquitous of smartphones, digital could offer a solution.  A 24 hour/day, 7 day/week, 365 day/year (24×7, 365) app that video links to a trained peer counselor is one possible approach.

There are some big questions to be answered first, including (but not limited to):

1. How to staff with appropriately trained personnel?
(one approach- could be drawn from a pool of *trained* volunteers with a round robin telephone routing),

2. How to market & distribute
(possibly via health plans, Apple, Google, telco’s, etc);

3. Who funds?
(options include CDC, state Health depts, crowdfunded?)

This seems to us like a wonderful way for digital to contribute to the social good.  Thoughts? Comments?

7 Deadly Mistakes which Kill Templated Medical Websites

Templated sites from WordPress (WP), Magento, and others have become popular.   We at Body1 even deploy these for small healthcare clients launching their first sites.   They are cheap.  They are convenient.  And they can be dangerous.

Here are seven common mistakes that we’ve seen.  We’re often brought in to fixed “shattered” software projects, where a project starts and then cannot finish because of added complexity due to poor planning and unexpected scope creep.

1. Modifying a template without planning. Template-driven systems like WP or Magento are fine but customization adds considerable complexity.  Adding or deleting features changes the overall code base.  Separate parts of the site will break, suddenly incorporate random pieces of code, or reformat the page, among other unexpected issues.  To address this, Body1 systematically scans the entire site in a staging environment after every major code push, with the ability to selectively roll back and adjust potentially problematic changes.

2. Ignoring QC and testing.  The activities of quality control (QC) and testing actually are as important as coding.  Coding is only 50% of successful website or marketing software deployment.   Once a site is coded it has to be thoroughly checked and the code updated to fix issues.  This step is often skipped on templated sites- and then the owner is surprised when the site breaks.  Automated link checkers, load simulators, and browser emulators are useful tools.  On sites Body1 builds we use such tools to check issues prior to launching but inevitably there are still issues which can only be caught by a smart pair of human eyes.

3. Not deploying a separate “stage” site.  It’s easy to develop in a folder on the planned live site.   It’s harder to set up a separate, password-protected “staging” site with a process to cleanly copy the files over to the planned live site.  But that is best practice.   Completely separating the development from the live code ensures that:

  • all the functionality can be confirmed as working before deployment,
  • code in the development & live folders does not conflict, and
  • issues in deployment can be quickly and easily fixed.

4. Ignoring the hosting environment details.  Understanding and control of the hosting environment is critical to successful programming.  Issues in hosting often cause problems with the site performance that masquerade as software problems. This is why Body1 controls its hosting environment.  We were called by a panicked customer with a Magento site (eCommerce web template from eBay) whose log-on was failing and their “Magento programmer” couldn’t figure it out.  It turned out it was caused by the host running out of disc space (see below).  Without disc space the programs will fail.  This was especially acute for this eCommerce site where there was a 4gb catalog and multiple development folders.

5. Hiring a low cost developer to start with a quality development team on stand-by.   This is the classic “penny-wise, pound-foolish” trap.   Coming in to clean-up in a crisis situation is not ideal for anyone.   Starting with a low cost developer (often one with heavily discounted rates who works out of state or overseas but is “always available via Skype”) is a sure way to slow or break your website.  Such a process also ensures that a high quality development team will have to be brought in at the last minute, on a rush basis, to decipher code and re-architect a site under intense deadlines.  Since it is always more complex and takes longer to unravel someone else’s code, problems are invariably missed.  This results in the development process being more time consuming and expensive.

6. Retaining the cheap talent to work on perceived “easy parts” of the website while the top talent fixes the problems.  This is the classic “Too many cooks in the kitchen spoil the broth” situation.  We’ve seen firms do this to try to reduce costs on shattered projects.   However it inevitably ends up not being cost-effective as the coordination needs increase significantly and the coding efforts end up conflicting.  If the project is “shattered”, the cheap outsourced programmer costs, rather than saves, money.  Using a top development firm on a templated site facilitates control of the hosting environment, properly staged projects, and leverage of automated testing tools and QC.

7. Eschewing site monitoring and maintenance after launch.   A templated site is not a high-availability site, nor is it fool-proof site.  Automated monitoring and planned on-going maintenance of websites is valuable.  This is especially so for healthcare sites.  Automated monitors can detect problems before they before obvious to the end user.  Monitors even can be set up that follow every order through the purchase funnel for sites selling health products or services.  Besides real-time QC, those monitors then provide a tool to analyze consumer buying behavior.

Maintenance plans allow these problems to be fixed proactively without impacting the their live environment.  Because web browsers (such as Explorer, Chrome, Safari, and Firefox) and operating systems (such as Windows, OS, and Android) evolve, it is inevitable that the unmaintained templated website will break.  A good rule of thumb is to allocate 20-25% of an initial web budget to ongoing maintenance.

Avoiding the 7 deadly mistakes of templated medical websites is not hard.  A little forethought, a dash of prudence, and the willingness to invest initially is the best way. Besides on time and on budget website launches, there is an added benefit- maintaining one’s own emotional equilibrium.

Chris Messina

Gene Tests, Delivery Drones, & Avoiding Regulatory Meltdowns on the Web

There are some interesting parallels in the FDA’s recent action telling the firm 23andMe to “cease & desist” all marketing of its personal genomics test with the recent news about Jeff Bezos and the Amazon “delivery drones”.  Both are new technologies which will require regulatory understanding and adaptation.

However, by contrast, Amazon has floated (figuratively & maybe literally…) the drone idea, launching public discussion and regulatory contemplation.  By contrast, 23andMe blazed ahead.  Brave? Hubristic? Both?

The FDA’s approach is almost always to prioritize the prevention of harm.  Is there potential harm (like unnecessary prophylactic organ removal) from misinterpretation? Probably.  Can it be mitigated?  Surely, but the FDA will want to be part of crafting the solution if it’s potentially accountable for the potential harm.

My experience running an orthopedic device firm taught me that firms consult with the FDA retroactively at their peril. Even now it is surprising how few medical & wellness firms have a regulatory control process in place for public-facing web content and mobile apps.

What are the practical lessons here?

  1. Both are new technologies, which will require regulatory understanding and adaptation.
  2. Both are best served by proactive vs. reactive regulatory engagement
  3. Amazon has approached the regulatory environment more cleverly by “floating” its idea early.
  4. It’s possible to re-engage after facing regulatory problems, but more difficult.
  5. Inadequate or missing systems for regulatory content management is another area where many firms fail.

I hope 23andMe works things out with the FDA. It would have been far better to fully engage them earlier, but there is still hope.

Chris Messina

Deciphering “Cyber Monday”: 5 Lessons for HealthCare CEO’s

There are five valuable lessons from the phenomena-turned trend “Cyber Monday” for healthcare executives. First, Cyber Monday shows that anything can be marketed online, including healthcare. Second, demographics say that your audience will be online that day. Third, an effective web presence is critical in determining your success. There’s more; let’s get started with a story…

Like most, my e-mail box was flooded with “Cyber Monday” deals and offers. There were the usual “Get away to the Sunshine” travel and “Stock up NOW for Christmas” gift offers. However, more interestingly, strewn among the “Beethoven’s 7th Symphony (42% off) and Leather Custom Photo Books (72% off) was a whole new class of sellers.

For the first time healthcare information and service offers were prominent. Harvard Medical School promoted its Health Reports at 20% off for the remaining 8 hours of Cyber Monday. There were local yoga, massage, and kick boxing class specials. More esoteric was the offer from Advamed, the trade association of large device manufacturers, offering a one-time Cyber Monday special of 20% off of courses ranging from “The PMA Process”  to Molecular Diagnostics and the Changing Landscape: Considerations and Implications”. In short, there were a lot of healthcare offers and they ranged widely.

Cyber Monday is the little brother to “Black Friday”, the deal-filled day after Thanksgiving. However as often happens with little brothers, it is on the way to dwarf its big sister. In-person live transactions are shrinking; the National Retail Federation (NRF) reported that Black Friday in-person retail shopping fell for the 1st time ever in 2013- by 4.1%. By contrast, online transactions are growing. What are the big five “take home” lessons?

Lesson 1-Whether it is a good, a service, or information, Cyber Monday shows it can be sold online. Some of the fastest online sales growth rates are in service and information segments. That means that virtually anything can be promoted on Cyber Monday. However, chose your audience well. A deal on birth readiness classes in Seattle will not do well if promoted to seniors in Miami.

Lesson 2- Your specific audience, even if highly targeted or very local, is online on Cyber Monday. It’s not a fad anymore; 131 million Americans are estimated to go online shopping this Cyber Monday (52% of the US adult population), a 2% annual increase. Morever, they are projected to purchase 36% more goods, information and services this year than last Cyber Monday, according to analytics firm comScore.

Lesson 3- Beyond selling products and services, Cyber Monday can be leveraged to drive awareness for your mission. Even politicians have discovered this; this year the Republican National Committee (RNC) promoted Ronald Reagan lithographs at a Cyber Monday special 15% off, while a Democratic Campaign Committee touted a Cyber Monday promo of Elizabeth Warren wearables. In the healthcare world, promoting mission awareness is critical. For example, Advamed’s mission goes far beyond selling technical healthcare courses; they are promoting courses on Cyber Monday to raise the profile and impact of the medical device industry writ large.

Lesson 4- Your website needs to be prepared for Cyber Monday. A failure would not only hurt sales, it would impair credibility. Has your web presence been strategically planned, and is it regulatory-compliant? Demand to honest responses to the question, “Can our site(s) handle ten times its normal load?” Have your sites been “stress-tested across multiple platforms by a credible third party and have you seen the results? Is the user-experience friendly and consistent across varied browsers? Is there an accountable leader for each site?

Lesson 5- Your web presence must be mobile-friendly, on both Cyber Monday and beyond. Somewhere between 1 in 5 (comScore) and 1 in 3 (IBM) of all users will access sites this Cyber Monday from mobile platforms- smart phones & tablets. Deploying “responsive sites” or sites which auto-detect mobile access and reconfigure accordingly is critical. Body1 has a Mobilized™ web process that it uses to analyze and deploy health sites which anticipate, detect, and respond dynamically to mobile traffic. Some similar technical audit process should be required by every senior healthcare executive for all of their websites.

Savvy healthcare executives learn from multiple industries. Cyber Monday is a great lesson originating in retail proving that anything can be marketed online, including healthcare. The demographics show that most educated adults are online that day and many are prepared to act. However capturing those actions whether via a sale, a recommendation, or an introduction requires an effective, managed web presence.

“Cyber shopping” may not be for you. However, it is not a fad, it is a trend. As a result, “Cyber marketing” and “Cyber sales” should be top of mind for health and life science leaders—and not just on “Cyber Monday”.

Ground-breaking Doctor Leaves an Extraordinary Legacy Behind

John Ludden, M.D. was an extraordinary man. He was a physician, a business executive, and a teacher who radiated both intelligence and humility, despite holding three degrees from Harvard. He was generous with his insights, only requesting that the recipient in turn share theirs. He was a “pay it forward” guy.

John was immensely interested in how the health care system itself could be improved. He realized early that people and processes were both vital. Many of the best parts of ongoing health reform came out of ideas that John helped pioneer, first as Medical Director at Harvard Community Health Plan, then as Director of the MD/MBA program at Tufts Medical School. He was busy there and as a director at NCQA, the American College of Physician Executives, and elsewhere, but still found time to help an emerging eHealth start-up, (Body1).

John was not only a director of Body1, he was an active contributing creative force. He was intrigued by the Internet’s promise as a means to improve patient care. As just one example, John’s psychiatry experience and insights were the intellectual basis behind Body1’s online depression self-assessment tool. This tool was so robust when it first launched that we had to reduce some of the functionality, as we did not want to “practice medicine online”. But that was classic John Ludden–give what you needed, and then also give some extra.

John died last month but his legacy lives on. I am grateful to have known and worked with him. Everyone at Body1 is. We remember his keen intelligence, his unique grin when a particularly good insight hit him, and his kind sense of humor. In a world where gentlemen are often hard to find, Dr. John Ludden was a consummate gentleman and we are all better people because of him.

Chris Messina, CEO, Body1

Note: John’s family has chosen to support The Great Books Foundation in his memory.

Will the Next Wave in Global Health Care reform be Mobile…and Come from Africa?

Recently I participating in a roundtable discussion with the Harvard Business School Health Care Special Interest Group. Our speaker for the evening was explaining (& pitching) his company, which had developed a tracking approach for identifying which brands of drugs were counterfeit. Apparently that’s a huge problem. That wasn’t the most interesting part.

The most interesting was:

a. how ubiquitous mobile phones are in Africa and

b. how people there are using them to manage their medical care (it’s true consumer-directed healthcare at work)

Seems like we in the US could learn a lot from this simple model. It connects the medical buyer directly with the medical provider. Costs are transparent.   Payment is swift and simple.In Kenya, for example, a pre-paid care for medical services can be purchased and continuously filled. Family members can add to the stored value as a gift and many do. Physicians accept these cards as payment for medical services, debiting the charges as provided. There is acute awareness of which clinical provider offers the “best value for money”. Patients vote accordingly, with their money and their feet.

Professor Clay Christiansen at Harvard has introduced the world to the concept of “Disintermediation”, the idea that over time, simple innovations starting from the low end of the market, end up completely changing and disrupting the market. Given that seminal insight, maybe we in the US healthcare industry should be looking hard over our shoulder at the innovations underway in Africa.

Photo: Erik Hersman