In this episode of the HIPAA Vault show, we delve into two critical topics affecting the healthcare and IT sectors. First, we explore VMware’s significant transition from perpetual licensing to a subscription model. This shift has led to substantial cost increases for some customers, with reports of price hikes of as much as 1,200% for certain product bundles. We discuss the reasons behind this transition, the initial impact on the market, and the counterarguments for maintaining private cloud virtualization. Key considerations include compliance and data sovereignty, legacy applications, and cost predictability. We also cover the latest developments in the healthcare sector, focusing on the recent ransomware attack on Ascension, the largest nonprofit and Catholic health system in the U.S. The cyberattack disrupted operations across all 142 of its hospitals, affecting electronic medical records, phone systems, and more. We examine the implications of this breach, the response efforts, and general guidelines for improving cybersecurity in healthcare organizations, including the risk posed by always-on remote access software.
Do you have any remaining questions, requests, or just want to chat with us? Email us at podcast@hipaavault.com!
Transcript:
Adam
Hello and welcome to the HIPAA Vault show, where we discuss all things HIPAA compliance and cloud technology. I’m joined, as always, by Gil Vidals. Hey, Gil.
Gil
Hey, Adam. Good to see you again.
Adam
Great to see you, too. Today we are going to be discussing changes in the VMware licensing, and we’re also going to be touching on the latest breach of the week, a ransomware attack, so stick around till the end, where we talk about that and give you more info on it. So, to kick us off, the headline that we’re starting with today is “VMware End of Availability of Perpetual Licensing and SaaS Services.” This is from the vmware.com blog. Many VMware software solutions will only be offered as part of VMware Cloud Foundation, and they will not be available for purchase as standalone products. It looks like towards the end of last year, Gil, VMware was acquired by Broadcom. And at that time, they’d stated that they were looking at shifting their models.
Adam
They previously had both a perpetual license setup, where you could buy a license one time and then just pay a regular kind of support and maintenance fee, and you own that license. They also had a SaaS-based model where it was a monthly license fee, all built in. And they said that they were deciding which one to shift towards and they were going to be removing one. There was speculation at the time, and I think it was warranted, that of course they were going to favor the SaaS services because that’s, you know, the modern way. And it looks like over the past couple of weeks, that’s been confirmed. It was actually, you know, reported here earlier this year.
Adam
But what we’re seeing now is the feedback, or the, you know, what would be the right term here?
Gil
It’s called the backlash.
Adam
Yeah, the backlash. There we go.
Gil
Some of the companies that, well, first, so the audience understands, a perpetual license means that you buy the license, you own it perpetually, forever, but you do pay a support maintenance fee, for example. That’s smallish. But now they’re saying, oh, forget that. And really, modern software is all in the cloud, and it’s always based on a subscription. Like you pay every month, forever, every month you’re paying. And that’s a better business model, especially when Broadcom spent how many billions of dollars to buy VMware; they’ve got to make up all that money they spent. So obviously, going for a subscription model is a lot better, to the behest of the customers that aren’t happy with that. And, you know, if you go up 1,200 percent, that’s ridiculous. Or. No, not 1,200. Yeah, 1,200 percent.
Adam
That’s right. VMware cost increases of as much as 1,200 percent for certain product bundles. So what’s happening here is there could be some customers that were, you know, smaller. They’re partners of VMware. And, you know, maybe they’re not the biggest companies in the world. And they were able to license previously based on a certain, like a small number of cores. But now, to serve smaller businesses, they’re required to buy 3,500 cores. So if they were running on, let’s say, only 100 cores, now the minimum threshold is 3,500 cores. So that’s where those kinds of crazy increases are coming from.
Gil
Yeah, I remember back in the day we were really heavily using VMware. You would pay a license based on how much RAM you were consuming in your environment. So you would add up all the virtual machines’ RAM, whatever that is. Then you would pay roughly $5, $6 per gigabyte of RAM. It’s a big, hefty price. But VMware is not inexpensive. I mean, they have a good product and they charge a decent amount for it. So they want to charge what they feel is right.
Adam
Yeah. And it looks like customers who have purchased perpetual licenses can still use their products until the contract ends. So that, you know, may be today or it might be in a year or two, depending on how long the contract is. And that will determine how big a headache it is right now for the customer. But it’s certainly something that’s going to need looking into. Gil, what are your thoughts on the impact of this in the, let’s say, medium to long term? Will companies start to go to, let’s say, VMware’s direct competitors, like, for example, Nutanix, the second biggest market share? Or will they start to look at maybe moving away from a private cloud offering?
Gil
Well, you know, there was a time when everybody was starting to go into the cloud, moving away from having to lease and rent your own equipment. And there was a big movement for that. And then there was a bit of a pause because some companies realized, wow, the cloud is pretty expensive. When they had it in their own data center, they had a bunch of equipment. They paid for the equipment, so there’s no monthly fee. So there was some kind of a balancing where they said, well, maybe we’ll put some stuff in the cloud, but some stuff we’ll keep in our own data center. So it kind of slowed down.
Gil
But I think now with this kind of a change, I think that the costs to go into the cloud are probably going to be closer to what the data centers were charging because you had these license fees and it’s a lot of money. So I think you’re right. I think at some point these customers are going to say, let’s just go to the cloud. We don’t need to pay all these crazy fees. And in the cloud, you have big advantages. You have huge advantages because you don’t have to maintain your own equipment. Maintaining your equipment is very difficult because you have to have employees that live near the data center. Right. They can’t just log in from anywhere. They have to drive to the data center to repair fiber optics cables and change disks and fix things.
Gil
And so they have to be physically located in proximity to the data center. And that could be very expensive. If your data center is in Southern California, you’re paying top dollar to have those employees nearby. So I do think that there’s going to be a wave of companies that were on the fence, and now this is going to push them over.
Adam
Yeah. And bringing this to healthcare specifically, there’s a large number of healthcare companies using these systems, VMware systems. So that is going to be a decision. I think you’re right. Over the coming months and years, as to switching to the public cloud, what things should businesses that are considering shifting to public cloud consider, maybe specifically when it comes to the sensitivity of the data that they currently have stored in their existing environment when migrating? And, yeah, I know that we’ve had a lot of inquiries recently about shifting to the cloud. So what kind of advice could you give when talking about sensitive data and migrating that?
Gil
Well, I think there’s a silver lining to a dark cloud. Right. So if you’re one of those companies that is getting hit by this avalanche of costs, it may not hit you today, but gradually you’re going to be paying more and more to VMware. So the silver lining is that finally, you have a good reason. You’ve been thinking about going to the cloud. Your costs are now going up dramatically in the data centers, and so going to the cloud is looking more appealing to you. So the good news is that the security in the cloud is usually better than what you could do in your own data center, even though you may have good security already. Let’s say you have spent a lot of money on security devices and software and all of that.
Gil
But in the cloud, you’re going to get excellent security, likely better than what you had before, because it’s hard to compete with billion-dollar companies. Right. They have a lot more money to throw at these problems. So anyway, you’ll end up very likely with a better and more secure environment as long as you follow best practices. So there are configuration settings within the cloud providers that you do have to enable in order to protect your data. So you are going to have to train some of your staff to know what to do there, or hire somebody who’s an expert already in the cloud that you choose. So I would just say move to the cloud, but ensure that you have some expertise in security. HIPAA Vault specializes in that.
Gil
So our plug for ourselves is, of course, we help companies do this all the time. That’s why they come to us, because they don’t have time to review all this stuff. They want to just be able to focus on their application, on their platform, and they let us do all of that infrastructure and security work for them. So that’s another option. You could pay a third party to do that for you. Yeah. So when you’re planning the move and you’re planning the migration from your current, say, on-prem to the cloud, you’re going to want to take an assessment, an inventory of what you have, some of the intercourse segment, and figure out how much of your data is sensitive data.
Gil
Then once you go to the cloud, the advantage is there’s a lot of things in the cloud that have become a service now. So even though you may have an expensive server sitting there, this big chunk of metal, in the cloud there are things like, for example, Cloud SQL. So you don’t need to have a big, beefy Microsoft SQL box sitting there. You could use the cloud service. And so that’s a benefit to you because then you don’t have to maintain that system yourself. So there’ll be some advantages. Now, as far as the sensitive data that you have. Yeah. And you’re going to host that. That’s where you really need to pay attention to figure out, well, where’s my data going to live in my new environment? It’s going to be, you know, in a well-protected environment.
Gil
And not all the providers, Adam, have 100% HIPAA compliance. What I mean by that is the vast majority of what they offer is HIPAA compliant, FedRAMP certified, you know, PCI certified, all that. But you have to look at the list. They publish a list, and they’ll say all of these services, you know, A through Z, these are HIPAA compliant. But if it’s not on the list, then it’s not HIPAA compliant. So you have to look at that carefully, because not every single service is on the list.
Adam
I hope we’ve covered a fair amount there about the VMware licensing changes and what the potential next steps would be for moving from private to public cloud. Next up, we’ve got our breach of the week, and our breach of the week for this week is the Ascension ransomware attack affecting 142 hospitals. So Ascension is the largest nonprofit Catholic health system in the United States, and it announced it is investigating a suspected cyberattack that disrupted clinical operations. It announced this on May 8. Since then, and as reported by Steve Alder of The HIPAA Journal, Ascension, which has 142 hospitals, 40 senior living facilities, and more than 2,600 care sites in 19 states and DC, said that unusual activity was detected on May 8. And it’s been confirmed now.
Adam
It confirmed on May 13 that it was a ransomware attack that affected operations at its 142 hospitals. So we’re talking at least hundreds of thousands of records here, if not in the millions, because I’ve also seen people as far away as, you know, Texas starting litigation. So it seems like this is an across-the-US ransomware attack. It looks like the hackers used code and ransomware software developed by Black Basta. Black Basta is, I’d never heard of this before, I’m sure you have, though, Gil, a RaaS, ransomware as a service, offering. So they’ll rent you or sell you ransomware code for as little as, like, $40 a month, so you can focus on what you do best, hacking people. So, yeah, it’s Black Basta.
Adam
The hackers got into the systems, installed this ransomware, and now they’re holding hundreds of thousands of records.
Gil
Do we know if Ascension paid the ransom, or not yet?
Adam
Also done? Yeah, yeah.
Gil
We know that in one of the previous stories you were telling about ransomware, you said that they did actually pay. Yeah. That’s big bucks here.
Adam
Yeah. They’re all.
Gil
I think that the people charging $40 a month for this software should charge a little bit more, I think.
Adam
Well, the payout is 20 million. The more payouts there are, the higher the ROI. Right. It’s crazy that this is. I mean, yeah, the dark web. It’s a business model, isn’t it?
Gil
I know I’ve mentioned this before, but I’ll say it again, because I think a lot of people, I still think, are living in the world of Hollywood, where they see a hacker in the attic of their home with the hoodie on, you know, one single guy. And that kind of hacker still exists today. But that’s not what we’re talking about in these cases. This is organized crime. And these organizations have managers, mid-level managers, technicians, engineers, and, by the way, a lot of those were educated at MIT or Stanford and the best universities. These are well-funded organizations because they’re making a killing. They’re making, what, 22 million, 10 million? They’re making hundreds of millions of dollars. So they’re well organized and they know what they’re doing.
Adam
Yeah, I mean, these are effectively the pirates of the 21st century. You know, back in the 1600s, 1700s, you had the golden age of piracy. Yeah, pirates would get on a ship together and go and, you know, go treasure hunting. Yeah, this is effectively what it is. And one thing I think as well to note is that the golden age of piracy, if you’ve read any history, was really accelerated by disenfranchised soldiers and sailors who lost, you know, maybe a war ended and they were out of jobs, so they went and, you know, hopped on a ship and started to earn a living from this kind of business.
Adam
You know, there’s going to be a lot of people, especially over the past year or two, that have been laid off from tech jobs, the recession as well, and they might have a little bit of a sour taste in the mouth and a lot of skills. So I think this is only going to get worse over the coming months and years.
Gil
Yeah, I hadn’t thought about it that way. That’s an interesting view that you bring, where they need work and they’re looking for that. Now, usually, though, these kinds of attacks, that will be organized crime, it’s usually nation states. So you’re looking at nations where the government knows about the organized crime. They’re paid off, so they don’t step in to stop it. You know, they’re benefiting from it. So the nation states, they do this and they can get away with it, and they’re not worried about their own government coming down hard on them. As long as they’re paying out to everybody, they’re doing well. So it’s a very difficult problem, and it’s affecting the patients. You know, some of these patients can’t get the care they need because the systems are down and there’s a problem.
Gil
And so it’s a pretty serious thing. I think strongly that Congress is going to start passing some kind of laws to try to force better security. And there’s already talk about that now. Exactly how that’s going to work, I don’t know. All these hospitals need is more fines if they don’t follow regulations; that’s not going to help a lot.
Adam
But what are your recommendations for the, I mean, we’re talking at a very high level here, but for the man on the ground? Two-factor authentication. What else?
Gil
Well, okay, this is a good one, because if you look at these attacks and how they get in, there are quite a few of them that have gotten in through software like TeamViewer, where it’s software that’s running on a server inside the company, and they use that software to allow others to get in, so they make a connection. And companies also have that to, like, connect out to others to fix their technical problems. So you could have a technician, in other words, that might be able to log into the hospital servers remotely to work on that server without having to drive into the hospital. Right. So that software is meant to tunnel in from the outside and allow an engineer or systems administrator to work on something.
Gil
It’s very practical, because if you have something urgent, the guy says, well, I’m in traffic, I’ll just stay home and fix it. I don’t need to drive two hours. But what happens to that software? It’s left running, literally, it’s just left running 24/7. And what some of these ransomware people do is they get onto that software that’s already a tunnel into the servers. They found vulnerabilities in that kind of remote access software. And then once they’re in that server that has tunnels into the hospital, now the world’s their oyster. They can do whatever they want, install their ransomware encryption stuff.
Gil
So the moral of the story there is, look, if you’re going to use that kind of software, you had better really know what you’re doing, because having your employees remote into those kinds of servers, it’s probably not worth it. Or you need to think of a different way. There are different ways to do it. There’s public/private keys, you know, other methods that probably are a lot better.
Adam
I like that. If you’re going to give access, make sure you know what you’re doing before you do it. We also advise you to like, share and subscribe to the podcast.
Gil
Yeah.
Adam
You know, let a friend know about it if you enjoyed any of the content. And until next time, thank you for stopping by.