Description of Event or Problem · 0
VENDOR IS PERFORMING AN UPGRADE TO THEIR SOFTWARE AND SERVICES, HOWEVER IT STILL ONLY SUPPORTS TLS1.0. THEIR PLAN TO GO TO TLS1.2 OR NEWER IS 1 1/2 TO 2 YEARS OUT. TLS 1.0 IS A DEPRECATED VERSION SINCE 2018 AND THEY HAVE NO PLAN TO CORRECT IN THE NEAR FUTURE. THIS IS THE RESPONSE FROM THE VENDOR: TLS 1.0 IS LIMITED TO SPECIFIC FUNCTIONALITY BETWEEN THE SERVER AND DATABASE. ALL APPLICABLE TRAFFIC IS INTERNAL TO ADVOCATE HEALTH. ANY/ALL DATA CONNECTIONS LEAVING ADVOCATE SUPPORTS TLS 1.2+. THERE IS ACTIVE DEVELOPMENT UNDERWAY THOUGH PATCH RELEASE IS NOT IMMINENT (1.5 TO 2 YEARS) A MAJOR UPGRADE/REVISION/REWRITE OF THE PRODUCT IS ALSO UNDERWAY WITH CYBERSECURITY IN MIND FROM BEGINNING. (ALSO 2 YEARS) EVEN WITH THE TLS 1.0 BEING INTERNAL, IF A THREAT ACTOR WAS ALREADY ON OUR NETWORK THEY COULD ACCESS THIS DATA. THEIR INTERIM SOLUTION AND COMPENSATING CONTROL COULD BE INSTALLED. THEY SUPPORT AN ADD-ON TLS WRAPPER TO CREATE VIRTUAL NIC CARDS THAT TUNNEL THE TRAFFIC. THIS IS TEMPORARY AND CANNOT BE IN PLACE FOR 1 1/2 TO 2 YEARS. WE NEED A LONG-TERM PLAN OF REMEDIATION.