Health-care solution provider Coretek Services is seeing its hospital customers eschew Spectre and Meltdown patches because of the multimillion-dollar cost of adding new hardware to overcome the up to 40 percent application workload hit to electronic health record systems.
“With a 40 percent reduction in CPU cycles based on Meltdown our customers would have to double their hardware footprint to implement the patch,” said Brian Barnes, director of solution architecture at Coretek, a Farmington Hills, Mich., solution provider that has more than 100 health care customers grappling with the patch update issue. “A customer with 60 servers today would need 100 to 120 if they were to implement that patch. Most of our customers have put a freeze on the patch because they just don’t have the capital budget to acquire the hardware to implement the patch.”
A health-care provider with 60 servers in a redundant data center environment would be looking at adding 40 servers at a cost of $1 million to $3.5 million to compensate for the application workload hit that would come with implementing the patch, said Barnes.
As a consultant, Barnes said he would never recommend that customers avoid required patch updates. The “hope” for customers is that the patch fixes coming down the line will be “better over time,” drastically reducing the application workload performance hit, said Barnes.
So far, there have been no known security breaches or data loss that have resulted from Spectre or Meltdown. “Most health-care customers are betting that will continue to be the case. One advantage the health-care providers have is that a hacker would have to breach already rigorous security software before being able to exploit Spectre or Meltdown, said Barnes.