Today: Your VPN isn't Private
Episode 92, 14th May 2024 • This Week Health: Newsroom • This Week Health
00:00:00 / 00:10:13

Transcripts

Today in Health IT: your VPN isn't private. Wow. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels and events dedicated to transforming healthcare, one connection at a time. We want to thank our show sponsors, who are investing in developing the next generation of health leaders:

Notable, ServiceNow, Enterprise Health, Parlance, Certified Health and Panda Health. Check them out at thisweekhealth.com/today. This news story, and all the news stories we talk about on this show, you can find on our website, thisweekhealth.com/news. All right. One last thing. Share this podcast with a friend or colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. Use it as a form of mentoring. They can subscribe wherever you listen to podcasts. All right.

Here's the story: "Novel attack against virtually all VPNs neuters their entire purpose." This is from Ars Technica. Let me give you a little bit of background. I'll just give you the summary. Researchers have uncovered a critical vulnerability in almost all virtual private network (VPN) applications, called TunnelVision, which compromises the core function of a VPN by routing some or all traffic outside of the encrypted tunnel, potentially exposing user data to interception or alteration. This attack

exploits DHCP option 121 to reroute traffic through an attacker-controlled server instead of the VPN's encrypted tunnel, affecting users on all operating systems except for Android, which is not susceptible due to its lack of implementation of option 121. Despite various mitigation strategies suggested, such as running the VPN in a virtual machine or utilizing a cellular device's

Wi-Fi for the internet connection, the researchers from Leviathan Security indicate that no foolproof solution exists for other operating systems, highlighting a significant security gap in current VPN technologies.

All right. That's a huge eye-opener to wake up to in the morning, but that's not where we're getting stuck, although that is an important announcement and something that we should look into from a security standpoint this morning, for sure. However, where we're getting stuck is the basics, quite frankly.

And as we look at this, there are these kinds of really sophisticated attacks that we need to worry about, and then there are the not-so-sophisticated attacks. It came to light that the Change Healthcare breach was either helped or caused by the fact that they did not use dual-factor authentication. Dual-factor authentication has been around forever. And the thing that keeps it from being implemented at most systems is the fact that it is not a user satisfier. How's that for a nice way of saying that users don't like it? And when you go to implement something like this, it's like making your kids eat their vegetables at dinner.

So it's the "I know you don't like it, but it's good for you, we have to do it" kind of argument. And that's very difficult for some organizations and some leaders. So we're struggling with the basics. I was talking to a CIO last week who talked about this: they did a phishing exercise within their organization and they turned it off after, it wasn't even a full day, because 2,500 people were compromised in some way, but at least a hundred gave up their credentials or something.

It was a really high number, and it doesn't matter. You don't need a hundred, you just need one. In most cases they only need one to compromise your system. There's no reason to get a hundred; you just need one or two here or there. And so that was a phishing exercise. I don't know how sophisticated the email was that went out to the leaders and other people within the organization. But we're struggling with the basics. The sophisticated attacks need to be handled, but we're struggling with the basics.

And when that is the case, when you're trying to train, at St. Joe's, twenty-some-odd thousand people, 26, 28 thousand. We were actually, I think, about 26 to 28 thousand internally, and then we had the physician groups, which were separate, and that kind of stuff. Let's just say 20 to 25,000 people. It's hard to train 25,000 people on security measures.

It's important to try. It's an important endeavor to do within your organization. However, it's very hard to get to the point where a phishing attack isn't going to compromise at least one or two people within your organization. So that's one piece of a foundation for protecting your environment. I think the most important piece, quite frankly, is to stop the spread when it's happening. Okay.

So the best piece of advice I ever got on cybersecurity was after one of our audits, and they essentially said, you have to assume they're on your network. You have to assume they're already on. So let's assume they're in. Let's assume they can get in at will. They can get in any time they want: they can put a phishing attack out there, get the credentials, get onto our Citrix servers, get onto our VMware servers, get onto our stuff. They're already in.

If we assume they're already in, then your whole design has to be around stopping the spread, stopping the lateral spread across your network. Even though they're in, you should be able to contain them. And you should be able to identify those activities that will indicate that there is nefarious activity going on in your network and shut that down very quickly.

"Assume they're in" is one of the first things I want to say. The second thing is, shut that down. Have the software, have whatever agents you need, scattered around the edge of your environment. I mean at the device level, at the edge level, everywhere. These devices should be able to identify "this is not normal behavior" and shut it down. So stop that horizontal spread, if you will. I think the other thing I would strongly consider is the recovery.

So we're right in the middle of the Ascension attack right now, and we're seeing that it's pretty extensive. And my heart goes out to those people. I can only imagine what their days are like. I did hear from one person who works at Ascension, and they're burning the candle at both ends at this point, too, to get back to recovery, and they're diverting patients and doing all those kinds of things.

It's pretty serious. It's a serious situation, and they must've gotten from one end of the system to the other, because it feels like it's impacting a lot of their health system. The other thing I've talked about, again with professionals I really trust, is that they are working diligently on that recovery process. They have thought through: if we are ransomed, what are the first 20 steps that we have to do? We don't need to wait until it happens.

We can actually put those 20 steps in place. We can have a sandbox with a clean Active Directory. We can have a sandbox with a clean fill-in-the-blank: all those things, routing tables, security, you name it. We can have all that stuff clean and ready to go, because that's what you have to have, that clean environment.

You have to have that clean room to restore things into, and then figure those other things out. Now, obviously there are all sorts of partners and vendors out there that are saying, "Hey, just implement our thing," and that kind of stuff. And that's important. I would implement CrowdStrike. I would absolutely do Rubrik. I'd look at Semperis. I'd look at all those different tools.

They all have a place in creating a secure environment and recovering that environment. But I would be 10, 15, 20 steps into the recovery before an attack happens. And so then you're minimizing the overall exposure. And again, that's assuming they're on the line, assuming they're going to win,

assuming they're going to compromise you. Now, assuming you need to rebuild, I would generate that muscle within your organization. Know how to recover, be ready to recover, and move forward with testing out those processes. I talked to one fairly large health system that has three regional recovery centers set up, so they are ready if an attack takes place, and they've segmented their environment in such a way that they don't believe the attackers are going to be able to get to all three segments.

But if they did, within their large health system they would be able to recover on a regional basis, because they are that big. Just some things to consider from various different conversations I've had over time. Assume they're on your network. Assume they're going to get in. Minimize their lateral movement around your network. Identify that nefarious activity.

Shut it down as quickly as possible. And the only way to do that right now is with tools and AI, period. You can't have people monitoring that and identifying that. It's just not fast enough. It's not real-time enough. So you have to have the right tool set in order to do that. And then start your recovery process. Start it today.

Start this afternoon. Bring your team in: what would it take to recover our entire environment if we lost it all right now? And if you get blank stares back, stand in front of a whiteboard and start writing it out. What does it look like? All right, it's a difficult time to be a CIO, a CISO,

or a leader in healthcare. As if the business environment wasn't tough enough, we are under attack on a daily basis. All right. That's all for today. Don't forget: share this podcast with a friend or colleague. Use it as a foundation for mentoring. We want to thank our channel sponsors, who are investing in our mission to develop the next generation of health leaders:

Notable, ServiceNow, Enterprise Health, Parlance, Certified Health and Panda Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.
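Editor's note, added after the transcript and not part of the episode: the TunnelVision summary above says the attack "exploits DHCP option 121 to reroute traffic through an attacker-controlled server instead of the VPN's encrypted tunnel." The Python below is an added illustration of that mechanism, written for this page rather than taken from Leviathan Security or Ars Technica. It decodes the RFC 3442 classless static route encoding that option 121 carries, then models a host routing table with longest-prefix matching to show why a route pushed by a rogue DHCP server onto the physical interface wins over the VPN tunnel's route for the destinations it covers. All addresses, the interface names (`eth0`, `tun0`), the rogue gateway and the option payload are constructed for the example; real clients install their tunnel routes in different ways, and the /1 pair used here is just one common pattern.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option_121(payload: bytes) -> List[Route]:
    """Decode a DHCP option 121 (RFC 3442 classless static route) payload.

    Each entry is: prefix length (1 byte), then only the significant
    octets of the destination (ceil(prefix/8) bytes), then a 4-byte router.
    A malformed or truncated payload raises ValueError instead of being
    silently installed.
    """
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        sig = (plen + 7) // 8          # number of significant octets
        i += 1
        if i + sig + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + sig] + b"\x00" * (4 - sig)   # zero-pad to 4 octets
        i += sig
        router = payload[i:i + 4]
        i += 4
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(dest), plen))
        routes.append((net, ipaddress.IPv4Address(router)))
    return routes


class RouteTable:
    """Minimal model of a host routing table: longest prefix match wins."""

    def __init__(self) -> None:
        self.entries: List[Tuple[ipaddress.IPv4Network, str, str]] = []

    def add(self, network, via, iface: str) -> None:
        self.entries.append((ipaddress.IPv4Network(network), str(via), iface))

    def lookup(self, dst) -> Optional[Tuple[ipaddress.IPv4Network, str, str]]:
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, via, iface in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, iface)
        return best


def tunnelvision_demo() -> dict:
    """Show a VPN-covered destination being pulled back onto the physical NIC.

    Returns which interface carries traffic to a target host before and
    after the rogue option 121 routes are installed, plus an unrelated
    host that stays inside the tunnel.
    """
    table = RouteTable()
    # Physical LAN (constructed): default route via the legitimate DHCP gateway.
    table.add("0.0.0.0/0", "192.0.2.1", "eth0")
    # VPN client: a common pattern is two /1 routes via the tunnel, which
    # beat the /0 default for every destination.
    table.add("0.0.0.0/1", "10.8.0.1", "tun0")
    table.add("128.0.0.0/1", "10.8.0.1", "tun0")
    target, other = "203.0.113.10", "198.51.100.7"
    before = table.lookup(target)[2]

    # Rogue DHCP server (constructed payload): 203.0.113.0/24 via 192.0.2.254,
    # a router the attacker controls on the same LAN. The OS installs option
    # 121 routes on the interface the lease arrived on, i.e. eth0, not tun0.
    rogue_payload = bytes([24, 203, 0, 113, 192, 0, 2, 254])
    for net, router in parse_option_121(rogue_payload):
        table.add(net, router, "eth0")

    return {
        "target_before": before,                 # "tun0"
        "target_after": table.lookup(target)[2], # "eth0": leaked, plaintext on the LAN
        "other_after": table.lookup(other)[2],   # "tun0": untouched destinations still tunnel
        "rogue_next_hop": table.lookup(target)[1],
    }


if __name__ == "__main__":
    for k, v in tunnelvision_demo().items():
        print(f"{k}: {v}")
```

The /24 here is the "some traffic" case from the summary; pushing enough more-specific prefixes to cover the whole address space gives the "all traffic" case, and the transcript's point that Android is unaffected follows directly from this model: a client that never installs option 121 routes never gives the attacker a more specific prefix to win with. A practical check on a managed fleet is to compare the routes each host actually installed from its DHCP lease against the gateways your own DHCP servers hand out.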
