
Venom Security Vulnerability

Hxxx

Active Member
> In reality, how many medical facilities are buying VPSs for their infrastructure or allowing outside parties on their servers? I doubt many if any at all.
Well Joe, the answer to that is a lot.

Many facilities or organizations use virtualization platforms in external locations. To name just one popular provider in this space: Firehost

That is, to host applications related to the field which contain PHI.

Another example is cloud backups (though you are supposed to encrypt these).
 

MartinD

Retired Staff
Verified Provider
The vast majority of those outfits will be running in-house networks that would really only be attacked by people on the 'inside'. Still serious nonetheless.
 

KuJoe

Well-Known Member
Verified Provider
> Well Joe, the answer to that is a lot.
>
> Many facilities or organizations use virtualization platforms in external locations. To name just one popular provider in this space: Firehost
>
> That is, to host applications related to the field which contain PHI.
>
> Another example is cloud backups (though you are supposed to encrypt these).

Based on their information it doesn't look like they are using shared servers like most VPS providers. Being HIPAA compliant is no joke (and something I never want to be involved in ever again) and you cannot be HIPAA compliant if you're hosting other clients on the infrastructure, so an exploit like this would have no impact on this unless of course they compromised a server on their network, which can happen in any environment.
 

Hxxx

Active Member
> Based on their information it doesn't look like they are using shared servers like most VPS providers. Being HIPAA compliant is no joke (and something I never want to be involved in ever again) and you cannot be HIPAA compliant if you're hosting other clients on the infrastructure, so an exploit like this would have no impact on this unless of course they compromised a server on their network, which can happen in any environment.

We are talking about VPS, Cloud, anything virtualized. Firehost is virtualized. How familiar are you with HIPAA and the requirements? Because you can get compliance using a Cloud container such as Firehost, or Amazon, or Microsoft, or Google. Plus the compliance is a mix of many things, from datacenter certification to office certification to workstation compliance. It's a lot of things (I worked in the field and had to assist some of my past clients).

But to end the blah, my intention was not to derail the thread. Simply put, any platform using such virtualization technologies (not to forget the past emergency patches) could at some point leave the data to be compromised. Then again, you are supposed to encrypt.
 

joepie91

New Member
> any platform using such virtualization technologies (not to forget the past emergency patches) could at some point leave the data to be compromised. Then again, you are supposed to encrypt.

The same applies for a physical server. And "encrypting" in and of itself isn't going to do anything, unless you actually have a split architecture where encryption is automatic but decryption is not (e.g. using public key cryptography). Anything else is security theater.
 

KMyers

New Member
> The vast majority of those outfits will be running in-house networks that would really only be attacked by people on the 'inside'. Still serious nonetheless.

True, however, if a flaw exists on one VM in that infrastructure, such as an unpatched flaw in a web application or other 0-day, an attacker could still gain administrative access to a container on the network and could potentially use VENOM to travel into other containers.
 