Health-care solution provider Coretek Services is seeing its hospital customers eschew Spectre and Meltdown patches because of the multimillion-dollar cost of adding new hardware to overcome the up to 40 percent application workload hit to electronic health record systems.
"With a 40 percent reduction in CPU cycles based on Meltdown our customers would have to double their hardware footprint to implement the patch," said Brian Barnes, director of solution architecture at Coretek, a Farmington Hills, Mich., solution provider that has more than 100 health care customers grappling with the patch update issue. "A customer with 60 servers today would need 100 to 120 if they were to implement that patch. Most of our customers have put a freeze on the patch because they just don't have the capital budget to acquire the hardware to implement the patch."
A health-care provider with 60 servers in a redundant data center environment would be looking at adding 40 servers at a cost of $1 million to $3.5 million to compensate for the application workload hit that would come with implementing the patch, said Barnes.
As a consultant, Barnes said he would never recommend that customers avoid required patch updates. The "hope" for customers is that the patch fixes coming down the line will be "better over time," drastically reducing the application workload performance hit, said Barnes.
So far, there have been no known security breaches or data loss that have resulted from Spectre or Meltdown. "Most health-care customers are betting that will continue to be the case. One advantage the health-care providers have is that a hacker would have to breach already rigorous security software before being able to exploit Spectre or Meltdown, said Barnes.
"You are not going to get in the data center door using Spectre and Meltdown," said Barnes. "An attacker would need to take advantage of an existing vulnerability to gain administrative control before they could execute Spectre or Meltdown."
The fear is a "zero-day vulnerability" could open the door to a Spectre or Meltdown breach. "If a zero-day vulnerability hit today, you could get onto a system and then take advantage of Spectre," said Barnes. "So the threat is there. If you could get access to the system, that means you could read everything in the processor memory."
Coretek is working with customers on a case-by-case basis to deal with the Spectre and Meltdown exploits
One of the key pieces of software being used to analyze the application workload hit is from Lakeside Software, a workspace analytics software vendor that has found that the Spectre and Meltodwn patches increase CPU load.
Lakeside, in fact, has found that on average the total impact on Citrix XenApp server was a roughly 20 percent increase in CPU overhead. The newer server architecture with Microsoft 40Windows Server 2012 R2 had a lower hit, coming in at a 16 percent increase in CPU overhead, according to Lakeside.
Lakeside CEO Michael Schumacher said companies must look closely at their own workloads before implementing the Spectre and Meltdown patches. "Everybody needs to evaluate the 'before and after' for their own workloads to know how it affects you," said Schumacher."You need to know whether you are CPU-limited, memory-limited, IO-(Input/Output) limited. You need to know what the limiting factor is in your own IT environment to understand Spectre and Meltdown."
The topic of just how big an application workload and scalability hit customers will see from the Spectre and Meltdown patches is a hot issue among technologists. "It's not the biggest problem we face right now," said one technology specialist, who did not want to be identified. "You need a lot of time and a lot of luck to get information out of memory."
Pete Downing, chief technology marketing officer for XenTegra, a Citrix Platinum solution provider headquartered in Charlotte, N.C., said he sees the Spectre and Meltdown vulnerabilities as threats that cannot be "actively" exploited. The "bigger threat" is from users that are not following proper security protocols, he said.
Downing praised IGEL – an end point management software company which is holding its DISRUPT end user computing forum this week in Austin, Texas, as being the most proactive and secure in the Spectre and Meltdown fight. "IGEL is being very proactive on security at the endpoint, which is key," he said.
IGEL, which was one of the first technology vendors to make Spectre and Meltdown patches available, issued a new patch just last week.
Mathias Huber, a security product manager for IGEL, said Meltdown is fixed in the Linux kernel, but Spectre has yet to be resolved. He said it ultimately remains to be seen what kind of risks and consequences will result from the "fundamental" Spectre flaw. "I know that is not a very satisfying answer, but that is all I have at this moment," he said.