Ransomware Attacks Archives - https://hitconsultant.net/tag/ransomware-attacks/

75% of Healthcare Organizations Hit by Ransomware Attacks, Sophos Survey Finds
https://hitconsultant.net/2023/11/02/75-of-healthcare-organizations-hit-by-ransomware-attacks/
Thu, 02 Nov 2023

What You Should Know: 

– Cybercriminals have been highly successful in their ransomware attacks on healthcare organizations, according to a new survey conducted by Sophos. The “State of Ransomware in Healthcare 2023” report reveals that nearly 75% of the surveyed healthcare organizations reported that their data was successfully encrypted by the attackers.

– In addition, only 24% of healthcare organizations were able to disrupt a ransomware attack before the attackers encrypted their data—down from 34% in 2022; this is the lowest rate of disruption reported by the sector over the past three years. 

– Ransomware remains a pressing concern for the healthcare industry. It’s essential for healthcare organizations to stay vigilant and continuously adapt their cybersecurity measures to counter evolving threats and protect patient information. 

Report Key Findings

The findings underscore the critical importance of robust cybersecurity measures in healthcare organizations. With the increasing frequency and sophistication of ransomware attacks, healthcare institutions must invest in advanced security solutions and incident response strategies to protect sensitive data and maintain uninterrupted healthcare services. Additional key findings from the report include:

  • In 37% of ransomware attacks where data was successfully encrypted, data was also stolen, suggesting a rise in the “double dip” method 
  • Healthcare organizations are now taking longer to recover, with 47% recovering in a week, compared to 54% last year
  • The overall number of ransomware attacks against healthcare organizations surveyed declined from 66% in 2022 to 60% this year 
  • Compromised credentials were the number one root cause of ransomware attacks against healthcare organizations, followed by exploits
  • The number of healthcare organizations surveyed that paid ransom payments declined from 61% last year to 42% this year. This is lower than the cross-sector average of 46% 

3 Best Practices to Protect Healthcare Orgs Against Ransomware, Cyberattacks

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

  1. Strengthen defensive shields with: 
    • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-ransomware and anti-exploit capabilities 
    • Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials 
    • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond 
    • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialized Managed Detection and Response (MDR) provider 
  2. Optimize attack preparation, including regularly backing up, practicing recovering data from backups and maintaining an up-to-date incident response plan 
  3. Maintain security hygiene, including timely patching and regularly reviewing security tool configurations


How Healthcare Providers Can Bolster Cybersecurity Defenses and Protect Patient Data
https://hitconsultant.net/2023/05/11/healthcare-providers-cybersecurity-defenses/
Thu, 11 May 2023
Nicko van Someren, Chief Technology Officer at Absolute Software

In IBM’s 2022 Cost of a Data Breach report, the company revealed that the global average cost of a data breach was $4.35 million. In the healthcare sector, however, that number skyrocketed to $10.1 million. Why is an attack on a healthcare organization so much more costly? While part of this comes down to the fact that healthcare organizations often have big budgets, and so might be able to pay big ransoms, the biggest part of the answer is consequences. There, real lives are at stake. Downed systems don’t just mean a loss of profit; they can mean a loss of life. Faced with the choice of paying up or letting people die, the decision to pay a ransom is not a hard one, even if the asking price is very large indeed.

State of the Industry

The healthcare industry is a particularly attractive target for ransomware for two main reasons. First, irrespective of benefits, healthcare companies tend to be large businesses with large balance sheets. Total expenses for U.S. hospitals reached above one trillion dollars in 2022, indicating that on any given day, a massive amount of money is flowing in and out of hospitals nationwide. For cybercriminals, this means an easy target with an almost-guaranteed payout to some degree. 

Second, healthcare is an extremely vital industry for humankind. For many organizations in other verticals, ransomware may be a “pay up or go offline” situation. Devices may be taken offline and productivity may slow temporarily, but ransomware is a temporary setback; organizations may even take their time coming up with a way to circumvent payment. For healthcare, however, time is not on the side of the organization. The effects of a ransomware attack are far more useful for criminals when actual lives are on the line.

The deeper problem is that as long as healthcare organizations have to keep paying ransoms to save lives, criminals will keep attacking; it is, unfortunately, part of the overall risk factor for these providers. 

A Different Breed of Risk

However, it’s not just the attractiveness of the target that keeps criminals attacking healthcare organizations; it’s also the risk profile of the average healthcare employee.

More than most other industries, we see extremely high mobility of staff within healthcare. Across many healthcare businesses, we see a substantial contingent of staff that is out in the field or more mobile within their office space. Doctors and nurses are constantly on the move, even if they never actually leave the hospital. Many devices become mobile out of necessity. This creates a physical risk of device loss or theft, increasing the need for a strong, resilient connection and the ability to track or wipe a device should it be stolen. 

Additionally, healthcare data is extremely valuable to criminals. This isn’t simply because of the deeply personal nature of the data. It is because, from an attacker’s point of view, it is a trove of extremely valuable Personally Identifiable Information (PII). This sort of personal information is just what cybercriminals need to answer the personal security questions tied to bank accounts, site logins, and more. 

Finally, healthcare systems are often large and interconnected – if security is not ironclad, criminals can rapidly gain the ability to move from end-user laptops to departments like billing, to the pharmacy, to control systems – always finding the weakest link as long as a valuable target exists. This creates an endless game of ‘whack-a-mole’ for healthcare IT teams, where the objective is simply to become less of a target while rooting out malware infections across a wide range of systems. 

Overall, with their large attack surface, interconnected systems and highly valuable data, devices in healthcare settings are a perfect target. They are also a perfect use case for a zero-trust network access approach to security. 

Reducing Risk

Risk is usually defined as the product of the probability of a successful attack and the impact of the attack. Protecting your organization to minimize the chances of success is the most common way people try to reduce risk, but it has its limits. No organization is ever going to be perfectly protected. This means that in most cases the best way to minimize risk is by being ready for an attack so that you can minimize its impact. This means that IT teams must find ways to get their organization to a point where it’s possible to recover without paying. This allows them to break the vicious cycle: as long as attacks lead to payments, payments will lead to more attacks. Breaking the cycle is crucial because if you can’t, then no matter how strong your defenses are, criminals will just find a different part of your business to attack. The ultimate goal is to get to a point where, if your organization is ransomed, it’s only a minor setback – you have the safeguards and backups to minimize the blowback. When you’re able to recover without paying, then you win. Criminals aim to attack where the ROI is the greatest – if you don’t need to pay, then they’re more likely to move on. 

In the case of ransomware, minimizing impact means being able to restore your systems to the pre-attack state as quickly and efficiently as possible. Naturally, to do this you need to have backups, but you need more than that if you want a rapid response, especially when you have a mobile workforce. What you need is remote control of the devices, and you need remote control tools that will survive a complete, clean-slate reinstall of the systems. Surviving a reinstall is crucial because, in an ever-changing world of malware infections, it’s often impossible to be sure that you’ve successfully removed the infection without completely wiping the entire disk. The ability to bounce back in the face of an attack, what IT and security people call “resilience”, is one of the most effective tools you can deploy to minimize the overall risk from ransomware attacks.

Importance of Forward-Planning

Reducing risk is impossible without forward planning, but with a little foresight, healthcare organizations can dramatically reduce the risk from ransomware attacks. The key to this is to balance existing cybersecurity techniques that help prevent attacks with cyber-resilience techniques that help IT teams bounce back. Everyone in healthcare knows that no matter how young and healthy you may be, health insurance is a necessity if you want to get healthy again when illness happens. Cyber-resilience is just the same; if you want to keep your systems healthy you don’t just need to practice good hygiene, you need to ensure that you can get prompt and effective treatment when an infection happens. That way your organization can spend less time and energy keeping PCs healthy and more time keeping the humans healthy!


About Nicko van Someren

Nicko van Someren serves as Chief Technology Officer at Absolute Software, where he oversees the direction and strategic vision of Absolute’s product architecture and security roadmap. He has more than two decades of experience leading, developing and bringing to market disruptive security technologies. Prior to his role at Absolute, Nicko served as Chief Security Officer and Chief Information Officer at nanopay, Inc, a financial services technology company. He has also served as Chief Technology Officer at the Linux Foundation, Good Technology (now a part of BlackBerry) and nCipher (now a part of Entrust Datacard) as well as the Chief Security Architect at Juniper Networks.

Nicko also serves as a board member and advisor for numerous startups and is a mentor for the Techstars accelerator program in Boulder, CO. He has a PhD from the University of Cambridge and fellowships from the Royal Academy of Engineering and British Computer Society.


Healthcare Considerations: Addressing Cyber Risk in the Healthcare Industry
https://hitconsultant.net/2023/05/10/addressing-cyber-risk-in-the-healthcare-industry/
Wed, 10 May 2023
Bryan Smith, Chief Technology Officer, RiskLens

In 2020, the Dental Care Alliance (DCA) experienced a significant cyberattack on its systems, which lasted approximately an entire month. This gave the threat actor an extended period to compromise the healthcare organization’s servers and extract the private and confidential information of around one million patients. 

This is just another example of how vulnerable the healthcare industry is to cyber criminals looking to exploit security weaknesses. Healthcare organizations are prime targets for threat actors who are fully aware that their targets are invested in keeping their systems and businesses up and running efficiently and securely. This is especially critical in protecting patient privacy and data, particularly when it comes to impacting life-saving information and equipment.

The incident

The cyberattack on the DCA was launched between Sept. 18 and Oct. 11, 2020. During the month of the breach, a cybercriminal was able to access various confidential files, including patient data such as names, contact details, treatments, diagnoses, patient account numbers, their dentist’s names as well as billing details and health insurance data. In 10 percent of the cases, bank account numbers also were compromised, making this the second-largest reported attack that year. 

The attack resulted in a class-action lawsuit, which ended in a $3 million settlement against the DCA. The DCA was accused of negligence for its failure to protect and maintain its systems and infrastructure against breaches, and for failing to implement proper security monitoring. It also was cited for neglecting to upgrade its security measures and to implement proper cybersecurity hardware and software, as well as adequately train its employees. As a result, patients feared an increased risk of fraud. 

While it was not publicized how the attacker gained initial access to the company’s network, plaintiffs argued that it was the DCA’s poor cybersecurity practices that exposed them to the risk of identity theft and fraud. 

Unfortunately, this is not the only case in which an organization has been sued over alleged negligence. Eye Care Leaders was accused of concealing multiple ransomware attacks in 2021, which resulted in a provider-led lawsuit. Not only does this highlight the frequency of attacks on healthcare organizations, but it also underscores the immense cost that is associated with failing to understand risk and provide adequate cybersecurity protocol and measures. Just a single security incident can lead to reputational damage and significant financial losses. This is further exacerbated by the consequences of breaches of confidential patient and client information.

Both cases are windows into the high-stakes cyber risk landscape for healthcare providers and payers, particularly when it comes to an organization’s being fined by the federal government for HIPAA violations. 

Cyber risk in healthcare

In 2021 alone, the healthcare industry was hit with 849 cyber incidents, in 571 of which it was confirmed that private data had been accessed, according to the Verizon Data Breach Investigations Report. This placed healthcare in eighth place for industries targeted by attacks, and in third place for number of data breaches, out of a total of 21 categories in the Verizon report.

By using past cyber events and parameters such as revenue, number of employees and number of database records, it is possible to estimate a quantified value of risk to which companies are exposed. By using benchmark values, one can deduce that the healthcare industry shows relatively higher rates of reported breaches in comparison to other sectors (though that is in part driven by stronger data privacy policies and required reporting for smaller incidents to meet federal regulations). There is a 9.3 percent overall probability of an annual incident targeting this industry.

The probability of incidents happening in a year and the estimated cost by risk category within healthcare is as follows:

  • Insider Error: probability 29.95 percent, cost $73.6 million 
  • Insider Misuse: probability 24.99 percent, cost $47.2 million 
  • Basic Web Application Attacks: probability 9.19 percent, cost $42.1 million 
  • System Intrusion: probability 4.83 percent, cost $5.4 million 
  • Social Engineering (Phishing, etc.): probability 3.80 percent, cost $6.6 million 
  • Denial of Service (DoS): probability 2.19 percent, cost $7.5 million 
  • Ransomware: probability 3.85 percent, cost $929.9 thousand

In quantifying the risk, healthcare organizations can better calculate their risk appetite and allocate spending more efficiently to bolster security where needed. This not only will increase overall cybersecurity, it also will reduce wasted spending on protecting infrastructure that isn’t as vulnerable or may not need as strong measures as other areas. 

Bolstering cybersecurity 

In order to prevent falling victim to a cyberattack and avoid being entangled in costly lawsuits, organizations should foster a strong cybersecurity culture and be aware of the risk to which they could be exposed as well as the potential value associated with it. In addition to increasing overall visibility over devices on and connections to the network, expanding cyber threat awareness training for staff and implementing multi-factor authentication, organizations should know their risk. 

What does this mean? Understanding risk can best be done by quantifying its value. By using an international standard, such as FAIR (Factor Analysis of Information Risk™), organizations can estimate their risk financially, which allows them to better implement cybersecurity strategies according to where higher risk exists. They can allocate budgets and understand their risk appetite more thoroughly, as it allows them to see how much different risks could cost the business. 

Ultimately, quantifying risk would allow organizations to understand what’s at stake and to prepare and invest accordingly. 


About Bryan Smith

Bryan Smith is the CTO of RiskLens, which helps organizations make better cybersecurity and technology investment decisions with software solutions that quantify cyber risk in financial terms. Smith is a broad technologist with over 20 years of software engineering experience. His expertise includes building enterprise scale web applications, cybersecurity, and big data. Smith led the development of RiskLens’ enterprise cyber risk quantification and management platform. Prior to RiskLens, Smith helped build the nation’s first digital archives enabling it to scale 3400% over five years.


The Health Data Interoperability Highway Is Coming. Is Your Organization Ready?
https://hitconsultant.net/2023/01/20/health-data-interoperability-highway/
Fri, 20 Jan 2023
Lee Barrett, Commission Executive Director of DirectTrust

Not many of us remember a time when there weren’t interstates widely available to help us get to where we need to go. Winding roads and sleepy towns can be nostalgic, but they’re not great time savers when time is of the essence.

At a macro level, The Trusted Exchange Framework and Common Agreement (TEFCA) promises to be the interoperability superhighway for healthcare data, speeding information on patients from care facility and care provider — regardless of location or healthcare entity — to where it’s currently needed. That could be a routine visit with a new provider or it could be a life-and-death situation where an unconscious patient is wheeled into the Emergency Department with no family member present to provide any context about the patient, co-morbidities, or prescriptions.

But the superhighway of anything isn’t without hazards, unless careful planning occurs, as happened with the U.S. interstate system. When building began on the interstate system in 1956, the death rate per 1 million miles driven was 6.28. Today, that figure is 1.46 deaths per 1 million miles — a testament to diligent efforts to build continually safer highways, design safer cars, adopt speed limits, and provide ongoing oversight.

A similar effort will be needed for TEFCA to fulfill its promise to free patient information from the siloes where it currently resides without compromising the privacy and security of that data, which points to the utility of accreditation and certification among those who exchange data to help keep privileged information safe.

Safeguarding information is always a matter of the weakest link. The most secure data network or hospital system can be undone by a third-party vendor with lax security controls that has network access through an API or some other method. Likewise, the tightest security controls can be breached through a phishing or social engineering attack that compromises a single individual, then attempts to move through the network to gain more control.

As the saying in cybersecurity goes, bad actors only need to succeed once to infiltrate a network, which means that hospitals, health systems, providers, care centers, business associates, and other third parties must adopt and implement stringent security protocols and good cybersecurity hygiene to keep data safe.

Interoperability will undoubtedly increase the number of risk vectors that exist at every exchange point. Now, instead of the security of a single system, with all of its individual connections, it will be thousands of systems, each of which has hundreds — if not thousands — of individual connections.

Large vendors and state and multistate health information networks (HINs) have already expressed interest in making application to the Recognized Coordinating Entity (RCE) contracted by the Office of the National Coordinator (ONC) to gain designation as qualified health information networks (QHINs), which will serve as the communications hub of the network to route queries, responses, documents, and more among those who are exchanging data. Those already announcing their intentions to apply to become QHINs include EHR vendor Epic, ambulatory EHR and practice management solution vendor NextGen Healthcare, the CommonWell Health Alliance, clinical data exchange network Kno2, and CRISP Shared Services, which provides the infrastructure for five statewide HIEs.

Healthcare must get a handle on cybersecurity

The Office of the National Coordinator (ONC) for Health Information Technology named The Sequoia Project as the recognized coordinating entity (RCE) responsible for developing the common agreement for TEFCA and setting baseline technical, legal, privacy, and security requirements to fulfill the promise of interoperability.

Sequoia will designate and monitor QHINs to ensure they are collaborating effectively and abiding by the terms of the common agreement. The details of the common agreement will include technical specifications and minimal security standards for QHINs and others to participate in data exchange. The stakes are high — healthcare providers and business associates continue to be hit by ransomware attacks and data breaches. The healthcare industry incurs the highest costs to remediate breaches, at more than $10 million per incident, almost double the second most-affected industry.

Given healthcare’s poor record at keeping protected health information (PHI) safe, security experts fear that interoperability will increase the number of attacks, undermining the intended purpose of making data more accessible among providers, patients, and care facilities.

A recent survey of CIOs and CISOs across industries showed that 80% reported a breach within the past 12 months that started with a third-party vendor. In fact, the average respondent reported they had been breached 2.5 times in this manner in the last year. 

What’s clear is that many entities operating in the healthcare ecosystem still lack the needed tools, experience, and cyber rigor required to significantly reduce the risk of a cyberattack.

Trusted Network Accreditation Program

EHNAC and HITRUST have long promoted the secure exchange of healthcare data through accreditation and certification programs. The organizations have teamed up to offer the Trusted Network Accreditation Program (TNAP), designed to comply with TEFCA regulatory standards to address security and privacy requirements. The HITRUST R2 has been named as part of the Security Standard Operating Procedure (SOP) for those entities that make application to the RCE seeking QHIN designation. There may be other certifications named in the future, but the HITRUST R2 certification, required as part of TNAP, is currently the only security certification designated by the RCE to meet the requirements of the common agreement.

The TNAP program is designed to accommodate stakeholders that will exchange data, including QHINs, other health information networks, health information exchanges, accountable care organizations, data registries, labs, providers, payers, vendors, and suppliers. It requires the HITRUST R2 Validated Assessment and a third-party assessment against EHNAC’s TEFCA-specific requirements outside of just information security.

As TEFCA regulations change, the accreditation program will be updated to keep pace and maintain a laser-like focus on the security and privacy of data within a network and during transmission, while also monitoring business practices and management of human and physical resources.

Data interoperability has been an objective since the first electronic healthcare records systems came online in the 1960s, and the concept picked up the pace about 30 years ago. After many stops and starts, the ideal of true data interchange is closer than ever. But healthcare organizations must recognize that the industry does not have a stellar track record of safeguarding protected health information, which makes certifications and accreditation programs vital and required to ensure confidence in interoperability.

About Lee Barrett

Lee Barrett is the Commission Executive Director of DirectTrust. This article includes contributions by Michael Parisi, Vice President of Adoption, HITRUST.


Cybersecurity: Is SOC2 Worth The Hype for Healthcare Organizations?
https://hitconsultant.net/2023/01/17/is-soc2-worth-the-hype-for-healthcare-organizations/
Tue, 17 Jan 2023
Ankit Kumar Agarwal, Director-IT Delivery Services at NewWave Telecom & Technologies Inc.

The healthcare industry has always been a prominent target for cybercriminals worldwide. They can access high-value patient PHI/PII data and use it maliciously to disrupt the patient’s treatment routine and bring down uptime, which is critical. It has repercussions on patients, doctors, hospitals, and everything associated with the healthcare ecosystem.

Information security is a reason for concern for all organizations, including those that outsource key business operations to third-party vendors (e.g., SaaS, cloud-computing providers). Rightfully so, since mishandled data—especially by application and network security providers—can leave enterprises vulnerable to attacks, such as data theft, extortion and malware installation. SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider.

1. What is SOC 2 compliance?

SOC 2 compliance is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform. Its goal is to make sure that systems are set up, so they assure the security, availability, processing integrity, confidentiality, and privacy of customer data. SOC 2 is both a technical audit and a requirement that comprehensive information security policies and procedures be written and followed.

2. Who does SOC 2 apply to?

As we mentioned above, SOC 2 applies to technology-based service organizations that store customer data in the cloud. That means it applies to pretty much every single SaaS, PaaS and IaaS organization and any organization that uses the cloud to store its customers’ information (which today is quite a few organizations). SOC 2 is one of the most common compliance requirements that technology-focused companies must meet today.

3. What does SOC 2 require?

First and foremost, SOC 2 requires that you develop security policies and procedures. These need to be written out and followed, and auditors can and will ask to review them. The policies and procedures should encompass security, availability, processing integrity, confidentiality, and privacy of data stored in the cloud.

4. What must I monitor for SOC 2?

Meeting SOC 2 compliance means establishing a process and practices that guarantee oversight across your organization. Specifically, you want to be monitored for any unusual, unauthorized, or suspicious activity. Often this takes place at the level of system configuration and user access. You need to be able to monitor for both known malicious activity (like a common phishing scheme or obviously inappropriate access) and unknown malicious activity (like a zero-day threat or a new type of misuse). To find these “unknowns,” you must establish a baseline of normal activity in your cloud environment because this will make it clear when abnormal activity takes place. The best way to do this is with a continuous security monitoring service.

5. SOC2 for Healthcare Organizations

Healthcare organizations can now effectively attest to many of the mandated provisions of the HIPAA Security Rule by undertaking annual SOC 2 assessments by an auditor. SOC 2 was introduced with the explicit purpose of addressing the need of companies to externally validate and communicate their state of security, using the AICPA’s TSC (Trust Services Criteria) as the measuring stick. The TSC includes security measures such as encryption, access controls, two-factor authentication, and firewalls.

At the end of the auditing process, the SOC 2 auditor issues a report. This report provides detailed information about a service organization’s security, availability, processing integrity, confidentiality, and/or privacy controls.

Achieving SOC 2 compliance is a significant accomplishment for any service provider in healthcare. But the full value of SOC 2 can only be realized if it is built upon an effective HIPAA compliance program. One crucial difference between SOC 2 Compliance and HIPAA Regulations is that HIPAA’s requirements are not voluntary. They carry the full force of federal law, and failure to comply with HIPAA rules can expose a company to severe civil and even criminal penalties.

One of the primary reasons HIPAA was enacted was to protect the privacy and security of patient health information. HIPAA regulations identify 18 items classified as protected health information (PHI) that must be protected, whether in physical form or electronic format (ePHI). This information is generally created by covered entities such as healthcare providers, insurance companies, or healthcare data clearinghouses. When covered entities use vendors to store, process, analyze, or use PHI and ePHI, those vendors are considered to be business associates under HIPAA regulations.

The regulations require any covered entities or business associates who possess HIPAA information to be fully HIPAA compliant. They also require business associate agreements (BAAs) to be signed before PHI is transmitted to business associates. These BAAs should clearly define the responsibilities of each party regarding the appropriate measures to safeguard protected health information and electronic protected health information. PHI is more narrowly defined than the SOC 2 “consumer data” standard. While there will likely be overlap between the two data groups, you cannot assume that SOC 2 will automatically treat PHI in a fully HIPAA-compliant manner.

One other key difference between HIPAA and SOC 2 is that there is no such thing as a “certification” of HIPAA compliance. Instead, Compliancy Group provides third-party verification to all our clients through our “Seal of Compliance” when they have successfully met all seven elements of HIPAA compliance as defined by the Department of Health and Human Services.

As incidents of cybercrime increase, forward-thinking healthcare organizations and the companies that support them are looking for ways to minimize the risk of becoming a victim of these illegal activities. SOC 2 is one of the trusted frameworks for implementing controls that are audited to ensure that healthcare organizations build deterrence against data breaches, ransomware attacks and other cybercrime.


About Ankit Kumar Agarwal

Ankit Kumar Agarwal is the Director of IT Delivery Services at NewWave Telecom & Technologies Inc., collaborating with some of the best minds in the industry to establish health IT interoperability standards across the United States to improve patients’ health outcomes and to reduce healthcare waste.

Security and Compliance Oversight Will Reduce Business Communication Risk for Healthcare in 2023
https://hitconsultant.net/2023/01/04/security-and-compliance-oversight-will-reduce-business-communication-risk-for-healthcare-in-2023/
Wed, 04 Jan 2023 05:06:00 +0000
Rusty Carter, Chief Product Officer at SafeGuard Cyber

Cyber attacks on healthcare organizations are by no means as simple as hackers going after healthcare data for the sake of obtaining critical data of patients, their families, or the organization’s employees. A growing number of these attacks are executed by nation-states and organized criminal groups, which have the financial resources and the expertise to launch ever-more sophisticated and costly assaults against these organizations. Some of these attacks have been traced back to advanced, persistent, and well-known threat groups from countries such as China and Russia.

With the advent of ransomware-as-a-service, combined with healthcare organizations’ lack of resources to investigate attacks in-house, elaborate and devastating cyber attacks against healthcare, specifically through business communication channels, are likely to increase in scale and sophistication.

The U.S. Department of Health and Human Services Office of Information Security noted in a 2022 report on health sector cybersecurity that threat actors continue to evolve and become more sophisticated and effective in their attacks. They are increasingly using distributed attack vectors and compromising managed service providers, supply chains and open-source software in healthcare.

New tools such as remote health services and the use of intelligent medical devices have aided care professionals in their ability to stay in touch with colleagues, patients and families, as well as improve patient treatment.

But they have also expanded the attack surface at these organizations and increased the level of risk and the number of vulnerabilities the healthcare sector faces. The consequences can include direct loss of proprietary information, direct financial damage including theft and fraud, and potential loss of life, in addition to regulatory fines and brand damage.

In addition to ransomware attacks, the healthcare sector must be wary of incidents such as phishing and spear-phishing attacks, data breaches involving their own systems and those of business partners, insider threats, and invoice fraud, which is becoming more and more common in healthcare settings. One reason for that is that third-party billing companies are a common and vital partner for many healthcare organizations. Threat actors can pose as third-party billing providers and notify an organization that supplier payment details have changed and that payments must now go to alternative account details. Funds stolen in this way are often quickly transferred onward, so recovering money from this type of incident can be extremely difficult as well.

In fact, according to data, invoice fraud as a whole has accounted for $43 billion in losses over the last five years for organizations across several sectors.

The Challenges to Meeting Compliance Regulations

Among all of the challenges healthcare security programs face, one of the biggest is the fast-changing regulatory compliance environment, combined with a lack of visibility and consistency in cybersecurity training. The difficulty of enforcing secure communications in the clinical setting is the foundation of the argument that increased visibility is the key to managing security for an organization, and staying compliant, without impeding operations.

Compliance with regulations is nothing new for the industry. For example, organizations have had to comply with the Health Insurance Portability and Accountability Act (HIPAA) for years. But in recent years there has been an overall push to protect the privacy of consumer data, and this certainly extends to healthcare providers.

Regulations can be strict and complex, and in many cases come with stiff penalties for non-compliance. This is why healthcare providers need to adopt a security and compliance strategy to protect all of the sensitive information they hold. They must find a way to enable their patients to communicate with them any way they want, without putting their information at risk.

At the same time, organizations need to allow teams to communicate with patients and each other through secure and compliant business communication channels while avoiding threats such as social engineering and various cybersecurity attacks.

Jumping Over the Compliance Hurdle

The key to successfully addressing compliance hurdles is streamlining security and compliance oversight. This can reduce the business communication risk profile for healthcare organizations, and is the path toward defending against the cyber threat landscape many of them face today as well as meeting compliance requirements.

Indeed, to maintain healthcare cybersecurity and comply with the legal and regulatory rules governing data security and privacy, healthcare organizations need to find a way to enable patients to communicate with them any way they want, without putting their data and information at risk.

At the same time, they must also enable their teams of healthcare professionals to communicate with patients and each other through secure channels, lest they risk vulnerability to tactics such as social engineering and malware attacks.

The healthcare industry continues to embrace change, such as the growth of telehealth services and remote workers. But with this change comes underlying digital threats that increase healthcare cybersecurity risks and compliance challenges.

The Benefit of Cybersecurity and Compliance Solutions

A compliance violation is a security event that normally leads to a breach or loss of critical data of patients, their families, or the organization’s employees. The only way to protect organizations from this is to adopt healthcare cybersecurity and compliance solutions that drastically enhance risk mitigation and provide newfound agility that other healthcare organizations have never enjoyed before.

Such solutions can deliver a number of benefits. They can provide automated security and compliance policy supervision for all digital communications, and full archiving of all communication contents, including videos, chat, shared files and even audio transcripts.

In addition, they can provide enhanced security including data loss prevention (DLP) and advanced malware analysis through automation and machine learning capabilities. Yet another benefit is the ability to automatically roll back account security violations and deactivate suspicious logins.

Healthcare providers that deploy these tools can gain greater insight into all the communications within their organizations. This makes them better able to detect unencrypted emails and phishing emails that made it past a spam filter. They can identify their highest-risk personnel, catch social engineering attacks, and surface other conditions that create risk.

Improving cybersecurity in healthcare is vital to providing excellent services to patients, including communicating and sharing data. The way hospitals and other medical institutions can protect themselves and at the same time be compliant with regulations is to adopt tools that dramatically enhance risk mitigation.


About Rusty Carter

Rusty is the Chief Product Officer at SafeGuard Cyber, providing strategic direction for the company’s digital risk protection platform and solutions that secure human connections. He possesses over 15 years of cybersecurity and product leadership experience in delivering growth and long-term value to venture, private equity, and publicly traded companies that have led to multiple successful outcomes, including acquisitions. Rusty has held product leadership positions at several cybersecurity companies, where he has overseen new product introductions, line expansions, and exponential growth in enterprise and consumer security products. 

Protecting AI’s Boundless Potential in Healthcare
https://hitconsultant.net/2022/12/08/protecting-ais-boundless-potential-in-healthcare/
Thu, 08 Dec 2022 17:31:44 +0000
Mike Frane, VP of Product Management at Windstream Enterprise

Artificial intelligence can do amazing things for patients, providers and the healthcare business — but only if the right cyber safeguards are in place.

For more than a decade, a cybercrime syndicate known as Evil Corp has tormented organizations around the world with malware and ransomware attacks. And now, it seems, the group has designs on healthcare companies. 

“Evil Corp should be considered a significant threat to the U.S. health sector,” the Health Sector Cybersecurity Coordination Center (HSCCC), an arm of the U.S. Department of Health & Human Services, declared in an alert issued in late August. Evil Corp is one of many bad actors spread across the globe that launch attacks primarily to gain access to private data, and sometimes to disrupt operations, ultimately threatening patient care at healthcare systems worldwide.

As the HSCCC notes in the alert, the healthcare sector is “an enticing target” for hackers because of the vulnerabilities in its technology infrastructure, as well as the potentially immense value of the data and information residing within or adjacent to that infrastructure. With the ongoing digitalization of the healthcare business, and the health sector’s growing interest in sophisticated technologies like artificial intelligence (AI), those vulnerabilities are set to multiply, dialing up the pressure on organizations to implement sophisticated security strategies to address them.

The possibilities for securely employing AI algorithms in everything from patient care to drug development and back-office processes are indeed promising, if not yet wholly practical. AI can speedily parse vast amounts of data to help identify patient risks, diagnose patient conditions and inform clinical decision-making. It can power robots in the laboratory and in the surgical theater. It can drastically reduce the expense and time required to develop and produce new drugs. And it can help organizations manage massive amounts of patient and business data, employing technologies like natural language processing (NLP) and data annotation.

But each promising application for AI represents a potential surface to protect from a cyberattack. As DeepMind, a Google-owned AI company active in healthcare, asserts on its website, “AI systems can only benefit the world if we make them reliable and safe.”

The HIPAA Journal called 2021 “the worst ever year for healthcare data breaches,” and there’s been little sign of a let-up in 2022. Ransomware and malware attacks, distributed denial of service (DDoS) attacks and data breaches continue to compromise sensitive patient and organizational information, causing widespread collateral damage that includes data loss, revenue and reputation losses as well as the potential for patient harm. As AI makes its way into the healthcare IT and operational technology (OT) mainstream, more risks—such as tampering with a robotic device that’s used in surgical procedures—will ultimately impact patient outcomes and lead to delays, cancellations and possibly even remote takeover of medical procedures.

Countering risks like these requires a comprehensive, intelligent approach, one that future-proofs a healthcare business and protects its data and digital assets so it can take full advantage of AI and other fast-maturing intelligent digital technologies. Where to begin? The following three steps are a good starting point:

1. ASSESS your organization’s threat preparedness. Conduct a thorough evaluation of your organization’s network communications and overall IT and OT infrastructure, and the security policies and procedures in place to protect it. “Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations wide open,” the HIPAA Journal warns. For an independent perspective, consider bringing in a third-party network security expert to help identify vulnerabilities and assist your team with mitigation and prevention actions going forward.

2. UPGRADE outdated legacy network and communications systems. Not only can sticking with aging network communications software and systems invite additional cyber risk, it also may limit an organization’s ability to integrate AI and other intelligent technologies into their operations. On the network side, we see more healthcare organizations moving to a cloud-based software-defined wide area network (SD-WAN) because it better suits their business and because it comes with more sophisticated security measures designed to combat today’s ever-shifting cyber threats. 

3. DEPLOY multiple layers of security. Cybercriminals are constantly poking and prodding different surfaces for vulnerabilities. It could be the AI-powered NLP system an organization is using to analyze clinical notes, an operating room schedule, the hospital cafeteria credit card system or the connection with research facilities that could be targeted. Or maybe that surface is a central data repository (on-premise or in the cloud) to which multiple data sources—patients, members, providers, researchers, life science/pharma companies, public agencies, etc.—are connected.

The best safeguard against the risks these and other AI applications may pose is a multifaceted security strategy that incorporates not one but several of today’s most effective measures for protecting digital communications infrastructure and assets. In this era of remote work and amorphous, rapidly changing network contours, it’s especially important for organizations to ensure that their network has strong endpoint protection in order to thwart a potential incursion via an AI-powered device used for in-home patient care, for example. It’s also worth considering security strategies like data loss prevention (DLP) to protect critical information, patient data and intellectual property (DLP also supports regulatory compliance for PCI and HIPAA). 

Combine DLP with other layers like zero-trust network access (ZTNA), cloud access security brokers (CASBs), secure web gateways (SWGs) and an intrusion-prevention system (IPS), and the result is a broader, interlaced security fabric known as Secure Access Service Edge (SASE). SASE essentially forms a unified connectivity framework built to intercept, inspect, secure and optimize all traffic across a network.

The healthcare industry has only begun to tap the vast potential of AI and other intelligent digital technologies for improving patient and business outcomes. But with money reportedly pouring into new healthcare AI ventures, and companies across the healthcare landscape embracing digital tools for drug development, patient care, business operations and more, there’s no better time than the present to begin taking the necessary steps to protect those promising new applications from the cybercriminals who even today are testing them.


About Mike Frane
Mike Frane is vice president of product management at cloud-enabled connectivity and communications provider Windstream Enterprise, where he is responsible for the company’s overall SD-WAN and security strategy, as well as the network and LAN service portfolios.

Why Security Misconceptions Are Threatening Healthcare Systems’ IoT Devices
https://hitconsultant.net/2022/11/28/security-healthcare-systems-iot-devices/
Mon, 28 Nov 2022 05:33:00 +0000
Dinesh Katiyar, Head of Business Development at Asimily

Hospitals and other critical healthcare systems face skyrocketing risks as ransomware attacks—which most commonly target IoT devices—continue to escalate. In 2021 alone, IoT ransomware attack incidents targeting healthcare organizations increased by 123%.

While most healthcare systems have a healthy respect for the importance of securing the myriad Internet of Medical Things (IoMT) devices humming within their facilities, many harbor misconceptions that hamper their abilities to implement optimal IoMT security protections and best practices. These misconceptions, and the stark realities that healthcare organizations should instead understand and base their practices upon, include:

1) “Traditional IT security tooling will suffice.”

Healthcare systems too often make the mistake of believing that all device security is the same—and that the protections they have in place for standard IT devices, such as servers and laptops, can also effectively protect IoMT devices. 

Traditional IT security cannot reliably secure IoMT devices for a number of reasons. First, many traditional security tools leverage active scanning to detect threats. But a high percentage of IoMT devices can’t withstand active scans and will crash, potentially impacting patient health. Tools designed to secure traditional devices are also unlikely to reliably discover and inventory IoMT devices, and cannot protect what they don’t know is there. Such approaches also lack any ability to assess or contextualize risks associated with non-connected IoMT devices.

The better approach is enlisting a security strategy intended for the task at hand. Effective security will leverage IoMT-specific data, frameworks, and MDS2 manufacturer disclosure statements to understand and mitigate known vulnerabilities. IoMT security also requires a thorough understanding of each device’s connections and surrounding ecosystem: these details are essential to determining whether IoMT device vulnerabilities represent true threats that actually need to be addressed. 
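To make the two points above concrete (no active scanning, and judging a known device weakness by its actual connections), here is an added Python example that is not from the article or from any vendor's product. It builds a device inventory purely from constructed passive flow records, such as a SPAN port or flow export would provide, and then classifies each device's disclosed legacy management service by whether anything is observed reaching it, and from where. The addresses, the device list, the "legacy_services" field standing in for MDS2-style disclosure data, and the segment boundaries are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed passive observations (src, dst, dst_port). Nothing here probes
# a device; every record is something the network itself already carried.
FLOWS = [
    ("10.50.1.21", "10.50.1.5", 104),      # CT scanner -> PACS (DICOM)
    ("10.50.1.30", "10.50.1.6", 2575),     # infusion pump -> HL7 interface engine
    ("10.60.9.12", "10.50.1.30", 23),      # workstation on another segment -> pump, telnet
    ("10.50.1.30", "198.51.100.9", 443),   # pump -> address outside the hospital
    ("10.50.1.40", "10.50.1.6", 2575),     # patient monitor -> HL7 interface engine
    ("10.50.1.7", "10.50.1.40", 23),       # biomed laptop in the same segment -> monitor, telnet
]

# Constructed device context, standing in for what an MDS2 disclosure and the
# asset register would supply: the management services each device exposes.
DEVICES = {
    "10.50.1.21": {"name": "CT scanner", "legacy_services": {104}},
    "10.50.1.30": {"name": "infusion pump", "legacy_services": {23}},
    "10.50.1.40": {"name": "patient monitor", "legacy_services": {23}},
}

CLINICAL_SEGMENT = ipaddress.ip_network("10.50.1.0/24")  # assumed clinical VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed hospital address space


def passive_inventory(flows):
    """Per-address inbound/outbound views built from passive flow records only."""
    inv = defaultdict(lambda: {"inbound": set(), "outbound": set()})
    for src, dst, port in flows:
        inv[dst]["inbound"].add((src, port))
        inv[src]["outbound"].add((dst, port))
    return inv


def _is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def assess(devices, flows, segment=CLINICAL_SEGMENT, internal_nets=INTERNAL_NETS):
    """Rank each device's disclosed weak service by what the traffic shows.

    actionable: the weak service is reached from outside its segment, or the
                device talks to addresses outside the hospital.
    in-use:     the weak service is reached, but only from its own segment.
    latent:     the weak service exists but nothing is observed using it.
    """
    inv = passive_inventory(flows)
    report = {}
    for ip, info in devices.items():
        seen = inv[ip]
        weak_ports = info["legacy_services"]
        reached_on_weak = {(src, port) for src, port in seen["inbound"] if port in weak_ports}
        cross_segment = {
            (src, port) for src, port in reached_on_weak
            if ipaddress.ip_address(src) not in segment
        }
        external_egress = {dst for dst, _ in seen["outbound"] if not _is_internal(dst, internal_nets)}
        if cross_segment or external_egress:
            level = "actionable"
        elif reached_on_weak:
            level = "in-use"
        else:
            level = "latent"
        report[ip] = {
            "name": info["name"],
            "level": level,
            "cross_segment": cross_segment,
            "external_egress": external_egress,
        }
    return report


if __name__ == "__main__":
    for ip, r in assess(DEVICES, FLOWS).items():
        print(f"{r['name']:15} {ip:12} {r['level']:10}",
              f"cross-segment={sorted(r['cross_segment'])}",
              f"external={sorted(r['external_egress'])}")
```

With the constructed data, the infusion pump is the only "actionable" device: its telnet management port is reached from another segment and it also talks to an address outside the hospital. The patient monitor exposes the same service but is only touched by a laptop on its own segment, and the CT scanner's disclosed service sees no traffic at all. The same three devices would look identical in a flat vulnerability list; the connection context is what orders the work.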

2) “Adding IoMT-specific security is beyond our budget.”

IT and security decision-makers within healthcare organizations are inherently budget-conscious—and need to be. However, the real potential for attacks to impact patient health and for security shortcomings to result in six or seven-figure regulatory penalties strongly supports the argument that they can’t afford not to invest in IoMT security. 

Much like in the healthcare industry itself, an ounce of IoMT security risk prevention is worth a pound of cure. And implementing effective IoMT security enables further cost controls by eliminating much of the existing spending needed to identify and fix device vulnerabilities (as well as vastly increasing efficiency by flagging the vulnerabilities that do and do not pose an actual risk). IoMT security insights can also enable more efficient device procurement, offering greater visibility for maximizing the ROI of a more comprehensive security strategy.

3) “Data collection for IoMT security purposes increases HIPAA violation risks.”

Certainly, healthcare systems must prioritize the security of protected health information (PHI) and adherence to HIPAA regulations. This doesn’t just protect patients, but also avoids both fines and reputational damage. To continually achieve compliance, IT and security teams carefully enforce data sharing restrictions upon any information transmitted to vendors or the cloud. 

However, the notion that collecting data to inform secure IoMT practices raises the risks of violating HIPAA is false. IoMT security analysis focuses on network traffic data, which doesn’t include PHI data. Security safeguards can also apply filters that prevent transmission of PHI over the cloud, and the cloud itself can be made HIPAA compliant. Using a fully on-premise IoMT infrastructure can effectively prevent outside data transmission and risk as well.

4) “IoMT security deployments require months of effort.”

While deploying a new electronic health records system might take an organization a full year to complete, IoMT-specific security implementations are an entirely different path forward with a much swifter process. IoMT security enlists many cloud-based safeguards, which require none of the hardware procurement or lengthy production deployments that drag out implementations in other areas. IoMT security systems that do rely on edge devices can still be implemented in just hours. In general, there’s nothing overly cumbersome or drawn out about deploying IoMT-specific security.

The truth: IoMT-specific security is within reach.

If current trends continue as predicted, ransomware and other attacks on IoMT devices will only become more frequent. For healthcare systems, avoiding breaches that expose data and the business itself to costly fines and crushing reputational damage is crucial. Attackers would love for IT decision-makers to continue believing that the IoMT is far too complex and challenging to secure properly. Fortunately, the expense and difficulty of adopting highly effective IoMT-specific security measures aren’t nearly as daunting as the still-common misconceptions suggest.


About Dinesh Katiyar
Dinesh Katiyar is Head of Business Development at Asimily. His career in technology has included leadership roles at Glassbeam, SnapLogic, and Informatica, among others.

Why The Stakes are Higher for Hospitals When It Comes to Data Loss & Inadequate Storage Infrastructure
https://hitconsultant.net/2022/11/07/data-loss-inadequate-storage-infrastructure/
Mon, 07 Nov 2022 05:00:00 +0000
James Loveday, Healthcare Specialist at Loadbalancer.org

According to the World Economic Forum, hospitals produce around 50 petabytes of data per year. And with 6,039 hospitals in the US alone, that amounts to a sizeable amount of data requiring secure storage. Data consists not only of confidential patient medical records but also of operational data retained by US hospitals such as personal and financial information. 

This ever-increasing amount of patient data, and the growing risks associated with its loss, mean the stakes have never been higher for hospitals. The need to store and manage their data in a way that is sustainable, cost-effective and secure is therefore ever-present.

Hospitals are sitting ducks. Research by Sophos highlighted that hospitals are more likely to be targeted by ransomware attacks, less likely to be able to prevent such attacks, and less likely to back up their data. This means they are much more likely to have to foot the bill for some eye-watering recovery costs to rectify the situation. So it is not just the cost of a potential ransomware payment itself that needs to be taken into account.

The far greater financial expense is actually the cost of downtime, network and device costs, and the number of man-hours spent on data and system restoration. Indeed the larger medical centers are often required to fork out millions for such remedies – even if the encrypted data can be recovered without paying a ransom. 

In fact, the AAMC Research and Action Institute calculated that when the University of Vermont Medical Center was hit by a ransomware attack in 2020, it cost $50 million in lost revenue alone. Meanwhile, electronic health records (EHRs), payroll, and other critical applications experienced weeks of downtime. 

Modern security threats require modern data storage strategies. With the sector accounting for 79% of all reported breaches in 2020 (a 45% increase on the previous year), and the attacks themselves becoming more dangerous, the need to back up and protect patient data with modern storage solutions has never been more acute. Research by Sophos showed that across all sectors, 57% of organizations whose data was encrypted were able to restore their data from backups; in healthcare this drops to just 44%. So even if a ransom is paid, hospitals are still unlikely to be able to retrieve all of their data, due to inadequate storage strategies.

The role of immutable backups in protecting against ransomware. Not all backups are equal, however; immutable backups are the strongest risk management play out there. These are essentially backup files that can’t be altered in any way, and can be deployed immediately to servers in the event of ransomware attacks or critical system failures that may also bring about the loss of sensitive personal data and patient records. Modern object storage and immutable backups are therefore needed to manage these risks.

How immutable backups work. An immutable backup is a data backup that can’t be deleted or modified for a set period of time, typically held on-premise, at an off-site storage facility, or in the cloud. It differs from data replication (where backups are continuously overwritten, and therefore healthy data can be overwritten with encrypted files in the event of a ransomware attack). Immutable object storage prevents the stored copies from being overwritten or encrypted in place, and therefore offers a much higher level of data protection.

In order for hospitals to successfully leverage immutable object storage, however, a formal strategy is needed to ensure adequate data protection, risk management, and cost control. Here are some key considerations. 

1. Plan for growth to keep costs under control

There has been an evolution in storage from file storage, to block storage, to object storage. While it may be tempting to look at object storage in a similar way to other forms of storage and seek to move it to the cloud, the public cloud can be inflexible and the costs are difficult to manage for the large data sets that object storage so successfully harnesses. So hospitals will need to explore solutions that are not only scalable but also affordable, to avoid creeping costs. 

Furthermore, managing these workloads optimally across different cloud environments becomes increasingly challenging, meaning the benefits of standardization on a single platform are lost. Object storage and immutable backups are therefore much more likely to be held in on-site facilities or in the private cloud.

2. Use cross-site replication for better security

One of the great things about object storage is that it is possible to copy data across multiple sites and locations. Data can easily be replicated within nodes and clusters among distributed data centers for additional backup on-site, off-site, or even across geographies. The flip side of this however is the need to ensure that complex storage environments are not more vulnerable to attack or slower to react to a server failure and get systems back up and running. 

Cross-site object storage applications, therefore, need to be [adequately integrated?] in order to switch immediately from a failed server to a redundant server in the event of a system failure, avoiding disruption and data loss. This is critical to business continuity in the event of a critical incident, ensuring that data from immutable backups is immediately diverted to the end user as required. So in the event of a ransomware attack, immediate retrieval of immutable backups held in multiple locations offers maximum protection and system redundancy.

3. Think access control to ensure data security and protection

Like any system, object storage applications need to have safeguards in place to guard against malicious or inadvertent configurations by the users that manage and access that data. Access control offers an important degree of protection, meaning that any user interacting with the object storage is authenticated and authorized to perform the requested action. Unlike ‘hot’ data storage such as file storage, which is used for active or ‘live’ data, object storage is more frequently used for archiving or data backups in what are called data ‘buckets’, which may not be in use by the majority of clinicians and support staff on a day-to-day basis. This in itself reduces the risk of an end user inadvertently clicking on a link that opens the door to ransomware, but even with an access policy, authorized users are still potentially able to alter the object store, or leave it vulnerable to alteration at a later date. Again, this is another reason why holding object storage and immutable backups on-site may be preferable to the public cloud, where different cloud providers have more flexible and complex data management and access use cases. An overarching access control policy for the object store is therefore advisable, to offer further protection and the ability to tailor the approved system configurations.

Access control policies outline the restrictions imposed on users during the creation, use, or deletion of data, preventing users from potentially opening up public access to the object store. Firewall configurations can additionally be put in place to ensure access requests are only approved when they come from the hospital’s own private cloud.
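The three controls just described (a retention lock so backups cannot be deleted or modified for a set period, a bucket policy that never grants public access, and source restrictions so requests are honoured only from the hospital's own networks) can be checked mechanically. The Python below is an added example, not code from the article or from any storage vendor: it audits a simplified bucket description against those rules and compares a weak configuration with a hardened one. The policy documents use the S3-style statement format that most object stores accept; the bucket names, account id, role names, the `object_lock` dictionary and the internal address range are constructed assumptions.

```python
import ipaddress

# Address space the hospital treats as its own private cloud (an assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Actions that let a principal destroy backups or weaken the controls around them.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:PutObjectRetention", "s3:PutBucketPolicy", "s3:*",
}

# Constructed 'before' configuration: world-readable, deletable, no retention lock.
WEAK_BUCKET = {
    "name": "ehr-backups",
    "object_lock": None,
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::ehr-backups/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::ehr-backups/*"},
    ]},
}

# Constructed 'after' configuration: write-only from the private cloud, 30-day
# compliance-mode retention, explicit deny on deletion and on policy changes.
HARDENED_BUCKET = {
    "name": "ehr-backups",
    "object_lock": {"mode": "COMPLIANCE", "days": 30},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::ehr-backups/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "10.50.0.0/16"}}},
        {"Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutBucketPolicy"],
         "Resource": ["arn:aws:s3:::ehr-backups", "arn:aws:s3:::ehr-backups/*"]},
    ]},
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    """Flatten the Principal element to a set of strings ('*' means anyone)."""
    p = stmt.get("Principal", {})
    if p == "*":
        return {"*"}
    out = set()
    for vals in p.values():
        out.update(_as_list(vals))
    return out


def _source_nets(stmt):
    cond = stmt.get("Condition", {}).get("IpAddress", {})
    return [ipaddress.ip_network(c) for c in _as_list(cond.get("aws:SourceIp", []))]


def audit_bucket(bucket, min_retention_days=30, internal_nets=INTERNAL_NETS):
    """Return a list of findings; an empty list means the bucket passes all three checks."""
    findings = []
    lock = bucket.get("object_lock")
    if not lock:
        findings.append("no object lock: backups can be overwritten or deleted at will")
    elif lock.get("mode") != "COMPLIANCE" or lock.get("days", 0) < min_retention_days:
        findings.append(f"object lock too weak: want COMPLIANCE for >= {min_retention_days} days, got {lock}")
    for i, stmt in enumerate(bucket["policy"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        principals = _principals(stmt)
        actions = set(_as_list(stmt.get("Action", [])))
        nets = _source_nets(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"statement {i}: public access (Principal * with no Condition)")
        if actions & DESTRUCTIVE_ACTIONS:
            findings.append(f"statement {i}: grants destructive actions {sorted(actions & DESTRUCTIVE_ACTIONS)}")
        if not nets:
            findings.append(f"statement {i}: no aws:SourceIp restriction to the private cloud")
        for n in nets:
            if not any(n.subnet_of(internal) for internal in internal_nets):
                findings.append(f"statement {i}: allowed source {n} is outside the hospital's networks")
    return findings


if __name__ == "__main__":
    for label, bucket in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(label, "->", audit_bucket(bucket) or "OK")
```

The weak bucket produces five findings (public read, two statements without a source restriction, a deletion grant, and the missing retention lock); the hardened bucket produces none. Note that the audit treats the lock as a bucket property rather than parsing it from the policy, since retention is configured separately from the access policy on real object stores; the point is that all three controls must be present together, because a source restriction alone does nothing against a compromised credential inside the private cloud once the retention lock is missing.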

Conclusion

Object storage and immutable backups are essential components of secure, agile healthcare IT infrastructure. But it’s a responsibility that needs to be taken seriously, and architects need to continuously adapt to evolving threats. The crucial need for object storage and immutable backups in preventing or recovering from a ransomware attack cannot be overstated, nor can the need for integrated, multisite redundancy and failover, resulting in immediate data recovery, and a continuation of the provision of patient care. 


About James Loveday

James Loveday is a Healthcare Specialist and #ADCHero at Loadbalancer.org, guardians of uptime and experts at load balancing object storage applications, using clever, not complex, load balancers that put hospital IT teams in control.

Patching Cybersecurity Gaps in Healthcare, with New FDA Guidelines and Zero Trust (https://hitconsultant.net/2022/10/27/zero-trust-strategies/, Thu, 27 Oct 2022)
Trevor Dearing, Director of Critical Infrastructure Solutions at Illumio

When it comes to protecting patients from the impacts of ransomware, the time has come for the healthcare sector to rethink the way it approaches cyber resilience — starting with Zero Trust strategies. 

The unprecedented wave of ransomware attacks on the healthcare sector has upended long-held assumptions about network security. Confidence in traditional methods alone, and in the philosophies behind them, has been undermined. The ransomware era has become a time of reckoning, particularly for healthcare organizations. 

It’s time to rethink the way we approach modern cybersecurity, in order to meet today’s evolving ransomware threats and safeguard the nation’s hospitals. Already, decision-makers from the highest levels of business and government have reached the same conclusion as they search for more effective and innovative solutions that provide the resilience healthcare organizations need.

Last year, President Biden signed an Executive Order laying out timelines for federal agencies to develop plans for implementing a Zero Trust Architecture – a cybersecurity best practice predicated on minimizing implicit trust. Many chief information security officers (CISOs) received the government’s message loud and clear and are now following its lead. At the HIMSS Global Health Conference & Exhibition held in Orlando last April, the Zero Trust presentations were standing-room only. Research from ESG validates that security professionals are turning to Zero Trust en masse – 90 percent of survey respondents stated that advancing Zero Trust strategies is one of their top three security priorities this year.  

The rallying cry in security now is to find solutions that effectively limit the impact of ransomware attacks. Zero Trust has become a marquee name in healthcare because it achieves exactly that, and because many healthcare facilities have found that the security status quo is no longer a viable option.     

Healthcare Needs a Better Approach to Security

Rising ransomware attacks have challenged the industry's traditional approach to securing critical infrastructure. It's hard to overstate the potential impact of a breach on the healthcare industry: an unstopped attack can leave lives hanging in the balance. 

At a high level, ransomware is malware that blocks access to either a computer system or to stored data via encryption — enabling criminals to take control of sensitive and critical information and even block access to important equipment. Then, criminals typically demand large sums of money to unlock or decrypt trapped information. If they don’t receive payment, they’ll often destroy or disclose the data to the public (sometimes both). 

According to some estimates, victims paid $600 million in ransom last year alone. Reuters recently reported that the number of ransomware attacks nearly doubled in 2021 from the prior year. Breaches in healthcare organizations are the most expensive of any industry and have been for over a decade, with the average breach costing more than $10 million this year, up 41.6 percent since 2020. Scores of attacks have resulted in hospitals and other care facilities losing control over network-connected equipment, putting healthcare operations and patient well-being at risk. In a lawsuit filed last year, a woman alleges that a 2019 cyber-attack on a Mobile, Alabama-based hospital prevented her doctors from accessing fetal heartbeat monitors for three weeks, including the day she gave birth. 

In the most recent setback for those healthcare organizations dependent on traditional security methods, Bloomberg reported that “several cybersecurity experts have noted a decline in attacks” during the second quarter of the year. On the surface that may sound like something to celebrate, but the experts interviewed by Bloomberg attributed the slowdown in attacks to ongoing efforts by law enforcement to curb the ransomware epidemic, a general wish by the criminals to lower their profile and evade detection, and the splintering of some of the larger and more successful ransomware gangs due to infighting. 

What’s most pertinent about the Bloomberg piece is this: Although we may be witnessing a ransomware slowdown for the time being, nowhere in the story is there any suggestion that the latest wave of ransomware attacks is over. These attacks are sure to continue.

Zero Trust and Zero Trust Segmentation are the Way Forward

In the past five years, the attack surface has grown dramatically. Connecting an increasing number of medical devices to EHR systems has removed the isolation of individual functions and made rapid lateral movement of ransomware a real threat. While traditional security models were largely based on identifying what is bad and keeping it out, Zero Trust takes a more modern, pragmatic approach. It assumes that a breach is inevitable or has already occurred. This shifts the mindset to be more proactive and to focus on only letting in what is explicitly allowed. With Zero Trust, all network traffic is viewed as untrustworthy by default, and continuous authorization and verification are required, thereby shrinking an organization's attack surface.

This is where Zero Trust Segmentation comes into play. Traditional security is like a castle, with moats and walls, whereas Zero Trust Segmentation is more like a hotel with electronic key cards. The system works seamlessly because workers and guests only receive access to the precise areas where they need to go: their rooms, the gym, etc. 

One of the first steps in applying Zero Trust Segmentation is to identify the most critical areas and functions within your organization and the risk to each. For hospitals, those frequently include intensive care units, picture archiving and communication systems (PACS), and operating rooms. Identifying the functions that would have the greatest impact if compromised, and then mapping every communication with those systems, provides the visibility needed to decide where policies should be applied for the greatest protection.

By separating high-value assets like these away from the larger network, hospitals can ensure that should one area come under attack, the threat is contained to that device or network segment. Other departments are unaffected and can continue to provide patient care. 

Additionally, by restricting bad actors’ ability to move unchecked across an organization, a hospital has more time to employ other tools — such as endpoint detection, antivirus, or whatever it uses to ferret out ransomware code and remove it. For example, research from Bishop Fox that examined the effectiveness of Zero Trust Segmentation found that Zero Trust Segmentation stops attacks from spreading nearly four times faster than detection and response capabilities alone. Zero Trust Segmentation helps cover endpoint detection and response (EDR) blind spots – illustrating the importance of using both technologies in tandem. In short, Zero Trust Segmentation is designed to help organizations “assume breach”, control impact when a breach does occur, and boost organizational resilience.  
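The segmentation described in the preceding paragraphs, worked as an added example (not Illumio's product or any code from the article): workloads are labelled by role, the policy lists only the communications mapped for the critical systems, and every other flow is denied. The same evaluator, run over flow records, picks out a host whose denied connections fan out to many targets, which is the pattern a ransomware foothold produces when it tries to spread. The inventory, policy and flow records are constructed; addresses and labels are placeholders.

```python
"""Allow-list (default-deny) segmentation policy evaluated against flow records.

Added example, not code from the article or from Illumio. The asset inventory,
policy and flow records are constructed for illustration; the labels and
addresses are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    dport: int
    proto: str = "tcp"


# Inventory: address -> workload label. Policy is written in labels, not IPs.
ASSETS = {
    "10.10.1.15": "clinical-workstation",
    "10.10.1.16": "clinical-workstation",
    "10.10.1.17": "clinical-workstation",
    "10.10.5.20": "radiology-workstation",
    "10.20.0.5": "ehr-app",
    "10.20.0.6": "ehr-db",
    "10.30.0.9": "pacs",
    "10.30.0.40": "ct-modality",
}

# Only the communications mapped for the critical systems are permitted;
# anything not listed (workstation-to-workstation SMB, workstation-to-DB,
# non-radiology access to PACS) is denied by default.
POLICY = [
    Rule("clinical-workstation", "ehr-app", 443),
    Rule("radiology-workstation", "ehr-app", 443),
    Rule("radiology-workstation", "pacs", 104),   # DICOM
    Rule("ct-modality", "pacs", 104),
    Rule("ehr-app", "ehr-db", 1433),
]


def parse_flow(line):
    """Parse 'timestamp src dst proto dport' (constructed flow-log format)."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def decide(flow, policy=POLICY, assets=ASSETS):
    """Allow only if an explicit rule matches the labels of both ends."""
    src_role = assets.get(flow["src"], "unlabelled")
    dst_role = assets.get(flow["dst"], "unlabelled")
    for rule in policy:
        if (rule.src_role, rule.dst_role, rule.dport, rule.proto) == (
                src_role, dst_role, flow["dport"], flow["proto"]):
            return "allow"
    return "deny"


def evaluate(lines, policy=POLICY, assets=ASSETS):
    flows = [parse_flow(line) for line in lines]
    return [(f, decide(f, policy, assets)) for f in flows]


def lateral_movement_sources(lines, min_targets=3, policy=POLICY, assets=ASSETS):
    """Sources whose denied flows fan out to several distinct (dst, port) targets.

    One denied flow is noise; one host probing many neighbours is the
    signature of a foothold trying to spread.
    """
    denied = defaultdict(set)
    for flow, verdict in evaluate(lines, policy, assets):
        if verdict == "deny":
            denied[flow["src"]].add((flow["dst"], flow["dport"]))
    return {src for src, targets in denied.items() if len(targets) >= min_targets}


# Constructed flow records: routine traffic plus one workstation that has
# started probing its neighbours over SMB and reaching for PACS and the EHR DB.
FLOW_LOG = [
    "2022-10-27T10:00:01Z 10.10.1.15 10.20.0.5 tcp 443",
    "2022-10-27T10:00:02Z 10.30.0.40 10.30.0.9 tcp 104",
    "2022-10-27T10:00:03Z 10.20.0.5 10.20.0.6 tcp 1433",
    "2022-10-27T10:00:04Z 10.10.5.20 10.30.0.9 tcp 104",
    "2022-10-27T10:01:10Z 10.10.1.15 10.10.1.16 tcp 445",
    "2022-10-27T10:01:11Z 10.10.1.15 10.10.1.17 tcp 445",
    "2022-10-27T10:01:12Z 10.10.1.15 10.30.0.9 tcp 104",
    "2022-10-27T10:01:13Z 10.10.1.15 10.20.0.6 tcp 1433",
]

if __name__ == "__main__":
    for flow, verdict in evaluate(FLOW_LOG):
        print(verdict, flow["src"], "->", flow["dst"], flow["dport"])
    print("lateral movement candidates:", lateral_movement_sources(FLOW_LOG))
```

Writing the policy in labels rather than addresses is what lets it survive re-addressing and new devices: a new CT scanner gets the `ct-modality` label and inherits exactly one permitted path. The `min_targets` threshold is a tuning knob; in a real deployment the denied-flow fan-out would be fed to the detection and response tooling the text mentions, which is the "time to respond" that segmentation buys.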

Bracing for Fires, Floods and Breaches  

While putting an end to ransomware is not feasible, there are steps that healthcare organizations can take to bolster their operational resilience, so that even in the event of an attack, damage and downtime are limited and patient care remains unfettered.

Particularly as attacks on the healthcare sector increase, there's no denying the gravity of their impact: they detract from patient care and modernization efforts and undermine the well-being of healthcare organizations overall.

When I talk to CISOs working in the sector, too many say they don’t have a seat at the table. But in order to properly prioritize patient care, healthcare organizations must also prioritize cybersecurity at the highest levels. 

My advice: Focus on protecting your high-value assets first. Ring fence them, so even if part of your organization is compromised during an attack, essential patient services can continue unencumbered. By shifting to a resilience-based security approach, one that proactively accounts for breaches and prioritizes Zero Trust practices, the healthcare sector will be better prepared to manage the onslaught of breaches to come – ensuring that even during the worst of times, patient care can remain their top priority. 


About Trevor Dearing
Trevor Dearing is the Director of Critical Infrastructure Solutions at Illumio. Trevor is an experienced technology expert who has been at the forefront of new technologies for nearly 40 years, from the first PCs through the development of multi-protocol and SNA gateways, the first deployments of resilient token ring in DC networks and some of the earliest use of firewalls. Working for companies such as Bay Networks, Juniper and Palo Alto Networks, he has led the evangelization of new technology. At Illumio he is working on the simplification of segmentation in Zero Trust and highly regulated environments.

EMPI/MPI: An End-to-End Approach to Patient Data Integrity (https://hitconsultant.net/2022/08/19/patient-data-integrity-approach/, Fri, 19 Aug 2022)
Lora Hefton, Executive Vice President, Harris Data Integrity Solutions

Maintaining patient data integrity is more complicated than ever; cybersecurity threats loom, patients are taking more ownership of their care (self-registration, for example) and health system merger activity is on the rise. It can make the quest for the ever-elusive 1% maximum duplicate rate seem, at times, unattainable.

But a secure, accurate, and duplicate-free MPI/EMPI can be achieved. It just requires a multi-pronged approach to protect data throughout its journey into a health system and at every touch along the way.

Duplicate problems

AHIMA points out that hospitals face an average duplicate record rate between 5% and 10%. However, this figure likely underestimates the true scope of the problem, given one recent study that put the duplicate rate at 18%. Coupled with estimates that as many as 20% of all records are incomplete (up to 40% of demographic data was missing from commercial laboratory test feeds for COVID-19), the problem balloons from what on the surface appears relatively innocuous into something much more severe.

In its white paper "A Realistic Approach to Achieving a 1% Duplicate Record Error Rate," AHIMA notes that duplicate patient records lead to misidentification errors and administrative inefficiencies. In addition, missing data within the record can hamper contact tracing, vaccination, and public health reporting.

The financial toll is equally severe; misidentification costs the average healthcare facility $17.4 million per year in denied claims and lost revenue. Further, while progress is being made on both fronts, the lack of patient identification standards and a unique patient identifier exacerbates the overall problem.

Cybersecurity risks

Along with increased opportunities for duplicate and overlaid records, healthcare organizations face growing cybersecurity threats from all sides. The FBI’s 2021 Internet Crime Report revealed that the healthcare sector dealt with the most ransomware attacks in 2021 of any critical infrastructure sector, with the Internet Crime Complaint Center (IC3) receiving 148 complaints of healthcare ransomware attacks.

HIMSS, in its 2021 Healthcare Cybersecurity Survey, found that phishing (45%) and ransomware (17%) are the most significant security threats and financial information is the primary target. Among survey respondents, 67% indicated that their healthcare organizations experienced significant security incidents in the past 12 months, with 32% stating the security level was high and 12% considering it critical.

The threat is severe enough to have prompted the introduction in the Senate of the bipartisan Healthcare Cybersecurity Act, which would establish a partnership between HHS and the Cybersecurity and Infrastructure Security Agency (CISA) with the goal of improving cybersecurity in the healthcare and public health sector. The Act mandates a study by CISA of the risks facing the healthcare industry that also explores strategies for securing medical devices and EHRs, and how data breaches impact patient care. It also calls for the agency to work with information-sharing and analysis organizations to create healthcare-specific resources, promote the sharing of threat information, and educate healthcare asset owners and operators on managing cybersecurity risks.

End-to-end protection

The first step of every patient encounter is choosing the right patient record. While that's obvious, it doesn't always happen. Getting it right at the outset is critical for eliminating the medical errors, unnecessary costs, and safety issues associated with an MPI tainted by duplicate records.

Clean patient records at registration prevent downstream contamination into other departments – from clinical to imaging to billing, and enhance revenue cycle efficiencies to reduce AR and decrease denials. Positive patient identification also enables digital transformation across the healthcare system, leading to improved interoperability, patient engagement and even improved patient access.

Because of these drivers, health systems are increasingly aware of the problem and are using technology to address patient data integrity issues where they can control them. For example, according to Johns Hopkins Hospital, more than 90% of patient record errors begin at registration, and these errors lead to duplicate record creation. Health systems therefore focus on protecting the front end of the MPI/EMPI from contamination.

In an end-to-end protection model, mismatched records are prevented and mismatches are caught upfront. However, most EHR patient lookup requires specific processes and data to be entered field by field, in just the right way. If even one detail is off, a search will yield invalid results and can lead to the creation of a new, duplicate patient record. Current dynamic patient lookup solutions return patient results instantly as they are typed into the system search bar, just as a web browser does. Everyone involved in the patient matching process can narrow and refine results as they type to achieve positive patient identification.

Such a solution is critical when uncontrolled factors, such as a health system merger, come into play, AHIMA notes. In these instances, duplicate rates can rise to 20% or more. Conducting data and record clean-ups before merging records or health systems can eliminate patient misidentification. Patient lookup technology can help rectify duplicates, letting staff get on with patient engagement much more quickly.

AHIMA notes that technology that conducts ongoing monitoring can identify and eliminate duplicate records and ensure errant records are eradicated before they can contaminate downstream systems. This is particularly important during mergers, and works best when patient registration and identification issues are addressed early on or from the outset.

Combined management and clean-up ensure accurate patient identification anywhere along the patient journey and at any point in the care continuum. These dual approaches also can protect patient medical records from unauthorized user access, breach, or attack, thus securing all patient information and minimizing the ongoing costs of maintaining quality patient data.

How It Works

Resolve patient misidentification issues by leveraging biometrics to collect images and patient information, creating the patient record within the MPI. Then, that data can be analyzed, cleaned, and returned with a copy of the patients’ photos and corresponding medical record numbers.

Such an approach to MPI/EMPI protection operates in multiple environments. For example, the patient's photo is taken and attached to their unique medical record during on-site registration. During remote registrations or remote visits, the patient is sent a text message with links to take and submit a selfie and a photo of their driver's license. The system uses this information to search for any record matches before assigning biometric credentials to new patients.

When integrated into the EHR, healthcare organizations can prevent duplicate record creation during patient registration, ensure remote patient data capture and authentication, and clean patient data across the care continuum. The result is improved patient safety, reduced misidentification-related medical errors, fewer write-offs and denied claims, and reduced cybersecurity threat risks.

In the end, end-to-end EMPI/MPI management and patient identification require a multifaceted approach to tackle one of healthcare’s most prevailing problems and reduce the volume of duplicate medical records while securing patient information and minimizing the efforts required to maintain quality patient data.


About Lora Hefton

As Executive Vice President, Lora oversees all aspects of Harris Data Integrity Solutions, including its vision, strategy, controls, procedures, development, distribution, support, as well as ensuring it has the people to deliver quality services and solutions to healthcare entities while maintaining growth. She joined Just Associates in 2010 and, prior to its acquisition by Harris Computer, served as Chief Operating Officer working closely with its founders to expand the solutions and services offered by the business.

Defining Cyber Immunity: A Solution to Cyberattacks (https://hitconsultant.net/2022/07/12/defining-cyber-immunity/, Tue, 12 Jul 2022)
Arti Raman, CEO and Founder of Titaniam

In recent years, the world has become aware of the effects and nature of a far-reaching virus. Biologically, a virus is something that inserts itself into the body and replicates itself enough to infect the host. Technology can be exposed to viruses too: code that replicates itself by various means with the ultimate goal of destroying data, holding it for ransom, or breaching security.

By some counts, there are more than 2,200 cyberattacks per day, amounting to one every 39 seconds. As data is a critical need of businesses, infrastructure, financial institutions, and more, these organizations must have a plan for the worst-case scenario. Cyberattacks can affect anyone, regardless of the preventative measures or plan in place. There is no 100% guarantee when it comes to cybersecurity. When it comes to protecting sensitive data, a concept to consider is immunity. 

A World of Consequences 

In the initial years of the COVID-19 virus, much of the world was shut down and at the mercy of quarantine to avoid spreading the virus. Without any form of pre-exposure or protection, everyone rightfully feared the intense consequences of the virus. Most of the world had not been exposed to it before, which meant that the immune systems of the infected would take longer and more effort to learn how to fight it; with no defenses available, the best way to avoid overwhelming the world with the disease was to shut down completely and stop the spread.

Similarly, in the event of a ransomware attack, a company with no protection in place will find itself playing out a dance of potential consequences. Paying the ransom means dedicating time and money to retrieving critical business data from the attackers, and those resources are then lost and cannot be allocated elsewhere in the company. On the other hand, should an organization refuse to pay or acknowledge the fee, sensitive data could be leaked, the organization's reputation could be ruined, and lawsuits could result. 

Yet, if the organization decides to pay the ransom, there is still no guarantee that the systems will be released by the cybercriminals or that they won't leak the data they've collected. With these scenarios and this uncertainty, it is essential to have a preventative plan that helps organizations avoid ever being in a position where they have to make that choice. 

A Solution to Combat Future Consequences

One of the worldwide solutions to limit the spread of COVID-19 was to create a vaccine. The virus could still be contracted and would continue to affect individuals. However, with vaccination, the immune response primed by the shots and boosters was ready once a person was infected. In this sense, pre-exposing people to the virus in tolerable doses was a plan that worked to fight it. And once more people had received the full dose of the vaccine, hospitalization rates fell sharply for those who had been pre-exposed. Tragically, in the subsequent waves of the virus, those who were not vaccinated were more often left vulnerable, and were the ones who continued to fill hospital beds and get very sick. While there was never guaranteed protection once a person got a shot, the numbers favored those who did their planning and kept their appointments to stay vaccinated and boosted. 

Immunity as a Solution to Cyberattacks

This is similar to having a cybersecurity solution in place that promotes immunity for sensitive organizational data. To exist in the technological world with sensitive data means the business is at risk. There is no guarantee that an organization or company will not contract a virus or get attacked. Motivated cybercriminals will continue to find loopholes in every system and hack away, because that is what they do.

However, while there is no way to make the viruses completely go away, a group can acknowledge they are at risk and then find a plan to boost their immunity. By raising their defenses against the potential implications of the viruses, the system is at better odds for when, not if, a ransomware attack occurs. This is similar to how those with the vaccine in their bodies generally fared better in the subsequent waves of the pandemic.  

To seek immunity, cybersecurity solutions should fit what the organization needs to protect. Sensitive client data for a business may need to be protected differently from a regulated vertical agency.

When there is a backup plan in place, and the organization has made an effort to think through what will happen in a ransomware attack, the effects of an attack will be less severe because some defense is in place. While there is never a guarantee in cybersecurity, as the criminals' entire motivation is to break down the solutions in place, having some form of solution in place is better than nothing. Then, when an attack happens, organizations will not be at the mercy of ransom demands or of what the attackers choose to do with highly sensitive data, but can feel less of the effects and move on.   


About Arti Raman

Arti Raman is the CEO and Founder of Titaniam, a cutting-edge data protection company that enables enterprise data to become immune to ransomware attacks, insider threats, or misconfigurations. Prior to founding Titaniam, Raman served as an executive at Symantec, where she focused on product strategy for the enterprise business, managed UX for the company and also founded and led the competitive intelligence group. She is a strong supporter of women in security and STEM for girls.


What Healthcare Leaders Need to Do Now About Ransomware (https://hitconsultant.net/2022/03/21/healthcare-leaders-ransomware/, Mon, 21 Mar 2022)
Aaron Biehl, SVP at Meriplex

If ransomware is not a topic of conversation around any healthcare organization’s boardroom table, directors and senior executives may be exposing the organization (and themselves) to considerable risk. Here’s a guide to ransomware trends for 2022 and steps healthcare leaders can take to help protect their organizations.

Ransomware trends in 2022

The risk of a ransomware attack in 2022 is substantial, with gangs specializing in targeting the healthcare sector. Last year saw dozens of ransomware attacks on hospitals and healthcare institutions for a total of 1,203 individual sites affected. This year, ransomware groups are targeting mid-sized victims to reduce government scrutiny, so no healthcare system should consider itself too small to worry.

While the incident rate is down compared with 2020, disturbing new trends are expected to increase in 2022. Ransomware attacks are on the rise against business associates that, in turn, affect healthcare organizations. And ransomware attackers are diversifying their approaches to extorting money after they've encrypted victim networks. They threaten to (1) release sensitive information that was stolen prior to encryption, (2) disrupt internet access or (3) inform partners, stakeholders and suppliers about the incident, demanding ransom at each step. 

Ransomware attacks can cost tens if not hundreds of millions of dollars, even if no ransom is paid. Network resources including EHRs, scheduling systems, and email can be offline for days or weeks. Care can be compromised, exposing the organization to legal action. Revenue is lost when surgery procedures or other healthcare visits can’t occur, and reputational consequences may be significant. 

Mitigating ransomware risk

Directors and senior executives are used to reviewing financial, legal, and operational risks and assessing mitigations. IT security may be viewed as a cost center that’s always after a bigger budget. In reality, adequately funded and effectively run IT security operations mitigate the risk of ransomware attacks and data breaches. 

Part of the protective effort is having enough budget to keep up with the basics of patching and user education. However, there is another reason Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) ask for additional security funding. Ransomware gangs and cybercriminals change tactics frequently, requiring ever stronger defenses and new security measures such as Zero Trust networking and multi-factor authentication. 

Mitigating risk starts with understanding the current environment. Healthcare leaders don't have to become cybersecurity experts to gain a core understanding of an organization's security posture and level of ransomware risk. Cybersecurity is everyone's responsibility, from the front lines of healthcare delivery to the boardroom. Here are five questions to ask a CISO or CIO to get started with assessing the protections and mitigations that are in place.

1. Who is responsible for your organization’s cybersecurity? Is it all handled in-house? 

There is no right or wrong answer to this question. Some organizations handle cybersecurity completely in-house. Others, particularly smaller IT operations, supplement their in-house resources with managed security services. Find out whether the responsible parties are taking both strategic and tactical approaches to layered security, and whether standards from bodies such as the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) are being met, as well as the rules and regulations affecting your operations, such as HIPAA for health data privacy and PCI DSS for credit card payments. 

2. How are endpoints protected, including devices used by employees working remotely and contractors?

When it comes to preventing ransomware attacks, there are no silver bullets. But there is power in understanding how endpoints, meaning PCs, laptops, tablets, and mobile devices, are protected. Ransomware is most frequently introduced via endpoints, and it is through them that attackers gain access to your network and systems. 

Today’s cyberattacks can be multi-pronged, and the firewalls and anti-virus software that offered protection yesterday are no longer adequate. Make sure any and all endpoints, both on- and off-premises (for example contractors or employees working from home), are properly protected.

Good answers to this question should touch on solutions that use advanced technologies like AI or machine learning to constantly scan for and detect anomalies in user behavior. These technologies automatically stop apparent attacks and pass filtered, critical indicators of threats up the “security stack.”

3. Does your organization have detection and response capabilities to rapidly shut down ransomware, data breaches, and other cyber threats? How are alerts managed and by whom? Do you have a 24/7 Security Operations Center (SOC) staffed by cybersecurity experts to handle your alerts?

Once inside, attackers use lateral movement to spread through an organization's network. Find out what tools the security operations team uses to monitor infrastructure and stop threats before the damage is done. Best practices will include some form of detection and response that looks at all the security alerts coming in (and there are thousands of them), then filters and analyzes that data using AI and machine learning technologies. The challenge is to identify the real threats and raise alerts on those. 

4. What is the recovery plan for your facility in the event of a ransomware attack?

Assume a successful ransomware attack. Now, what do you do? Do you pay up? How is your data protected? What will your staff and patients experience? How long will operations be disrupted? One of the most noteworthy attacks in 2021 was a ransomware attack on San Diego-based Scripps Health, which resulted in system outages for nearly a month and $112.7 million in costs. Can your healthcare operations survive that? 

The IT security team should have a ransomware response plan in place that documents specific actions to be taken and assigns responsibilities to specific team members. The first steps should include identifying the malware, stopping its spread by isolating affected hosts and network segments (while preserving forensic evidence for investigators and insurers), and removing it from infected devices. Only then should the plan move to the recovery phase.

Having a rock-solid data backup and recovery plan that includes immutable backups is at the heart of any ransomware recovery plan. Any health care organization should be able to restore a recent, verified-clean copy of its data within its recovery time objective, rather than paying a ransom to get the data back. Backups that sit on the same network with the same credentials as production are routinely encrypted alongside it, which is why immutability and regular restore tests matter. 
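As an added example of the restore check this implies (not code from the article or from Meriplex), the following Python verifies backup snapshots against a keyed manifest and picks the newest one that is clean, which is what "a recent, clean version" has to mean in practice. Snapshots are modelled as in-memory dictionaries of path to bytes; the manifest key, file contents and timestamps are constructed placeholders.

```python
"""Pick the newest backup snapshot that verifies clean before restoring from it.

Added example, not code from the article or from Meriplex. Backups are
modelled as in-memory dicts of path -> bytes; the manifest key and snapshot
contents are constructed for illustration.
"""
import hashlib
import hmac
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, key):
    """Per-file SHA-256 digests, plus an HMAC over the digest list.

    The key lives with the restore tooling, not on the backup host, so an
    intruder who can rewrite the backup cannot also re-sign its manifest.
    """
    entries = {name: sha256_hex(data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(files, manifest, key):
    """Return a list of problems; an empty list means the snapshot is clean."""
    body = json.dumps(manifest.get("files", {}), sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return ["manifest MAC mismatch"]   # nothing in the manifest can be trusted
    problems = []
    for name, digest in manifest["files"].items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha256_hex(files[name]) != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in files if name not in manifest["files"])
    return problems


def select_restore_point(snapshots, key):
    """Newest snapshot that passes verification, or None if none does."""
    for snap in sorted(snapshots, key=lambda s: s["taken"], reverse=True):
        if not verify_backup(snap["files"], snap["manifest"], key):
            return snap["taken"]
    return None


# Constructed scenario. KEY is a placeholder; in practice it is held by the
# restore tooling, outside the environment the backups protect.
KEY = b"example-manifest-key-not-for-production"
CLEAN_FILES = {
    "ehr/patients.db": b"patient table v1",
    "ehr/schedule.db": b"schedule table v1",
}
CLEAN_MANIFEST = build_manifest(CLEAN_FILES, KEY)

# Later snapshots after an intruder has been at work: in the first, the backup
# copy of patients.db was overwritten with ciphertext but the manifest left
# alone; in the second, the manifest was rewritten too, without the key.
ENCRYPTED_FILES = {**CLEAN_FILES, "ehr/patients.db": b"\x8f\x11ciphertext"}
SNAPSHOTS = [
    {"taken": "2022-03-19T02:00:00Z", "files": CLEAN_FILES, "manifest": CLEAN_MANIFEST},
    {"taken": "2022-03-20T02:00:00Z", "files": ENCRYPTED_FILES, "manifest": CLEAN_MANIFEST},
    {"taken": "2022-03-21T02:00:00Z", "files": ENCRYPTED_FILES,
     "manifest": build_manifest(ENCRYPTED_FILES, b"wrong-key")},
]

if __name__ == "__main__":
    for snap in SNAPSHOTS:
        print(snap["taken"], verify_backup(snap["files"], snap["manifest"], KEY) or "clean")
    print("restore from:", select_restore_point(SNAPSHOTS, KEY))
```

The two tampered snapshots show the two things an intruder with write access to the backups can do: overwrite files (caught by the digests) or overwrite files and manifest together (caught by the MAC, because the key is elsewhere). Object-lock or WORM immutability is what prevents the overwrite in the first place; a check like this is what tells you, before you restore, that the lock held.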

5. Does IT security have an anti-phishing training program for all the people in the organization? Does the program include drills and test emails to help them recognize phishing?

Employee anti-phishing training and simulated phishing tests are an increasingly important security layer that any healthcare organization should have in place. Phishing is how hackers target human vulnerabilities. Some phishing attacks are laughably crude, but others are very sophisticated. The goal of training is to help employees recognize phishing emails and prevent malware attacks by not clicking on those malicious links or opening suspicious attachments.  

Act now to understand your organization’s ransomware risk

Addressing these critical questions with IT leadership could very well protect an organization from paying up in the long run and exposing patients’ personal and health information to theft. Cybercriminals pay well for that information when ransomware attackers put it up for sale on the dark web. The resulting loss of reputation and trust in the organization may be the highest price paid.

Security maturity is a journey, and your organization may have some or all of these capabilities in place. To properly secure the sensitive and valuable information entrusted to any organization, healthcare leaders must identify any weak points. For a deeper dive into what ransomware protection requires, consult these mitigation guidelines from the multi-national Cybersecurity & Infrastructure Security Agency.

Get started by working with IT leadership to conduct a vulnerability or risk assessment of your organization’s IT infrastructure, ideally conducted by a neutral third party. When it’s completed, the findings should clearly illustrate the risk level so the Board of Directors or senior executives can understand the level of investment required for cybersecurity risk mitigation. 


About Aaron Biehl

Aaron Biehl, the SVP for Meriplex, has been in the technology industry for over 25 years helping healthcare organizations and banks develop a solid foundation for their IT and security. Aaron is passionate about exploring innovative options and solutions for companies and enjoys helping businesses utilize new methods to grow and prosper.

Healthcare Is A Cyber Criminal's Dream, But It Doesn't Have To Be This Way (https://hitconsultant.net/2022/02/24/healthcare-cyber-events/, Thu, 24 Feb 2022)
Vidya Murthy, Chief Operating Officer at MedCrypt

Healthcare is a cyber criminal's dream. It presents the intersection of a data treasure trove, weak security posture, limited resources, a complicated supply chain, and patient care delivery. When faced with having to pick a priority to optimize for, healthcare will, of course, always pick delivering healthcare. This means that when tradeoffs must be made and resources are limited, immediate patient care is prioritized over anything else.

A great example of this is looking at how connectivity evolved in medical devices. Initially, devices got an ethernet port because providers could enhance care delivery with limited connectivity across functional islands. These newly connected devices were isolated in a trusted network maintained by the healthcare delivery organization (HDO). This evolved into more complex and cross-organizational data sharing, workflows and systems to support care delivery, eventually spreading into the cloud and electronic health record (EHR) integrations. 

Cloud and connected systems beget big sharable data, which in turn enable artificial intelligence applications, which in turn need more data. With COVID, the push for telehealth and remote patient monitoring has taken many of these devices beyond the walls (and protective network) of an HDO and into the hands of consumers. Healthcare went from large islands of information to highly integrated within a decade.

These innovations greatly enhanced patient and provider experience. But they also introduced a variety of cybersecurity considerations that were generally not solved because this had never been done! 

State of Cybersecurity Affairs 

While HDOs have increasingly been building cybersecurity competency, it is really hard for the consumer (i.e., the HDO) to reach a conclusion, legally, technically, and in the context of a complicated IT infrastructure, on the efficacy of a device's cybersecurity posture, which undermines its willingness to accept the higher price of a more secure device. This comes full circle: medical device manufacturers (MDMs) cannot justify investing in cybersecurity when the market does not reward their incremental costs.

Given technical, regulatory, and legal limitations, HDOs effectively inherit MDM security decisions for the devices they procure, creating a dependence on MDMs publishing and facilitating updates, while the HDO is expected to continue to deliver safe and effective care.

This problem persists beyond the recommended shelf-life of a device. In a hypothetical HDO, if a $1 million device has reached the end of software support, but continues to be clinically effective, the HDO is faced with a decision: purchase a new device that’s supported, apply (with restrictions) security measures external to the device, or delay until clinical impact warrants investment into a replacement device. 

And as noted above, HDOs optimize for healthcare delivery and patient outcomes, as they should. Therefore, it can be difficult to shift procurement, budget, staffing, and operations to prioritize software updates or device replacements in absence of the immediate clinical need or taking a life-sustaining device out of operation to upgrade for any period of time.  

In 2016 when the FDA released their postmarket cybersecurity guidance, it stipulated the collection of so-called cybersecurity signals. This indicates that at a future date we will have access to more telling technical insight to assess the impact of device information integrity on clinical outcomes. It also indicates that at this time, most ‘live’ devices were never architected to capture security log data – reinforcing that evidence of security incidents is difficult to obtain.

Last year saw an increase in cyber attacks on HDOs, including ransomware attacks, which previous studies show have an impact well beyond the "resolution" of the incident. This is further exacerbated by COVID, as substantiated in a recent study from CISA.

All signs indicate we are not sufficiently cyber-secure for the way healthcare wants to deliver care. The global pandemic complicated this as healthcare workers were rapidly deployed home and asked to work remotely in rapidly established environments. As some hospitals noted, it accelerated the digitization of operations by at least 10 years. Considering this in the context of increasingly moving care delivery to patient homes, this effectively eliminated the inherent protection of the hospital network. Furthermore, being outside of the hands of providers, the ability to do routine maintenance/security updates became increasingly difficult. 

Practical Advice 

The roles of HDOs and MDMs are complementary, and both need to cooperate to sustain a cyber-resilient posture.  

HDOs and MDMs alike need consistent and transparent regulatory requirements and enforcement. Regulators are working hard to generate new guidance and seeking authorities to be able to implement consistent and transparent regulation. 

Meanwhile, the HSCC has combined resources across HDOs to propose contract language to aid with cybersecurity assessments as part of the procurement process, while cybersecurity leader Mayo Clinic publishes its risk assessment criteria for public consumption. Engaging with a group that drives these activities, whether through industry collaboration or even group purchasing organizations (GPOs) that are assessing cybersecurity risks, seems like a practical and scalable starting point.

MDMs need to build products that meet a security baseline, are patchable, and are likely to get patched. In other words, secure at birth and securable thereafter. To do so, MDMs not only need technical capacity to identify threats and design security controls, they need to transform their organizations to establish the capacity and knowledge to produce secure products at scale.

MDMs need to assess that capacity (e.g., measure maturity with the JSP), identify gaps, and fill them. They need to develop new processes around SBOMs (generation, identification, disposition, and disclosure) and incorporate threat modeling (see the FDA's playbook) across the entire lifecycle of a product. All of this needs to be done with strong signals from executive leadership and clear lines of accountability for pre- and post-market risk.

Acknowledging there are three main groups of devices, each requires a unique cybersecurity strategy: 

– New devices: Begin the design with security considerations outlined, leverage tools to actively address them as device innovation evolves, and don't go it alone.

– Devices still under support in the field: Risk-rank where to start in the portfolio, and tackle with operational support prioritizing uptime and security concerns. 

– Legacy devices: Determine an end-of-support strategy for what's in the field, and work with HDOs to prioritize moving onto the next generation.

Path Forward 

Healthcare’s reliance on technology will never go away — it has improved diagnostic capabilities, given us new treatment options, reduced time, effort, and risk for patients. Therefore, we must make the security component of this process a positive experience for the user and/or patient, as that can mean the difference between the success or failure of a cyber-criminal.

With every additional connected point, a potential new risk is introduced which must be understood, mitigated as necessary, and managed over time.


About Vidya Murthy

Vidya Murthy has worked in security for 15 years, with emphasis on healthcare and medical devices for the last 8. As Chief Operating Officer at MedCrypt and MedISAO, Vidya has supported more than 70 device manufacturers in maturing their product cybersecurity programs. During her tenure at Becton Dickinson, she established the protected health information security program, embedded it into device operations and operationalized it for compliance and risk reduction across multiple product lines. Her direct interaction with health systems informed a global strategy for supporting medical device sales. 

3-Step Ransomware Recovery Strategy for Healthcare Organizations (https://hitconsultant.net/2022/01/18/anti-ransomware-healthcare-strategy/, Tue, 18 Jan 2022)
George Crump, CMO at StorONE

At some point, the chances are high that ransomware will pierce the defenses you have tried to put in place at your healthcare organization. When that occurs, your healthcare organization needs a ransomware recovery strategy, which enhances your typical backup and recovery processes. Below is a three-step program for ensuring that you can recover from an attack.

Step 1 – Frequent Backups

Ransomware, unlike any other disaster, can strike anywhere. No data center is safe. It can also hit at any time, with no warning. Traditional once-a-night backups can mean losing eight hours or more of data. The first step in a ransomware recovery strategy is ensuring that the frequency of backups increases on all data. Modern backup-server software enables IT to execute backups more frequently thanks to block-level incremental backups, significantly reducing that backup transfer payload. Unfortunately, legacy backup storage targets can’t handle the IO load of potentially hundreds of virtual machines or applications sending BLI backups simultaneously. The backup storage target becomes the bottleneck forcing IT to select only a few VMs or applications for this level of protection. A modern solution needs to provide high-performance to ingest hundreds of simultaneous BLI backups while maintaining a low cost.

A few vendors are proposing an all-flash backup appliance. While using a flash-only backup appliance does, for now, resolve the ingest performance issue, it significantly adds to the cost of the backup infrastructure. Despite these vendors’ claims that flash is reaching price parity with hard disk drives (HDD), the reality is HDDs continue to enjoy a 10X price advantage over flash drives. However, the value advantage of HDDs is only realized if the backup storage target can properly support high-density (16TB, 18TB, 20TB) hard drives without forcing the healthcare organization to suffer through a week-long recovery from media failure (RAID rebuild) times.

A modern backup solution needs to blend flash and hard disk drives to create a flash-first backup appliance. Maintaining this balance requires using high-density flash drives and extracting maximum performance from those drives, allowing the solution to rapidly ingest hundreds of BLI backups, maintaining them on the flash-tier for weeks, and automatically moving them to a cost-effective hard disk tier as the backup data ages.

Step 2 – Backup Immutability

Backup data is as vulnerable to a ransomware attack as any other data set, potentially more so because bad actors are now specifically seeking out the backup data set first. Also, many healthcare organizations defy best practices and mount their backup storage repositories as an SMB mount point. Backup-server software is doing an excellent job of detecting ransomware, but backup storage must protect backup data from an attack. The answer is immutability. The backup storage target needs to store each backup job in an immutable state and roll back to any version of the backup data, not just the latest.

Again, a few vendors provide immutable backup storage, but most of these are object storage vendors that leverage the immutable nature of the protocol. This protocol inflexibility requires healthcare organizations to shift from SMB, NFS, or iSCSI mounting of their backup storage to the new protocol. Object storage is not known for high performance, so it won’t keep pace with the high-performance ingest requirement above, forcing the organization to potentially require two backup storage targets for their ransomware recovery strategy.

A modern backup storage target needs to provide 100% immutability of each backup job and have the ability to roll back in time to any version of those backup jobs. Given the sophistication of recent ransomware attacks, the rollback capability must span months to even a year. The immutability needs to be available across all protocols, not just object storage, so the healthcare organization can maintain its current protocol preference, even if it is SMB. The modern backup storage target should also provide its immutability with no impact on performance, regardless of immutable backup depth, so it can continue to meet the requirements of step one.

Step 3 – True Instant Recovery

Once ransomware infects an organization, IT is in a race against time. IT must determine what part of the data set the malware is infecting, identify the backup data not infected, recover that data, reverify one more time, and bring applications back online. Even under ideal circumstances, the process will take some time.

The good news is that most modern backup-server software can instantiate the virtual machine’s or application’s data on the backup storage devices, saving network transfer time. The process is often called instant recovery. Some backup-server software solutions go so far as to scan the instantiated data before making it available.

The first two steps are critical in making instant recovery practical for ransomware recovery. First, IT needs to have a recent copy of data before the attack to avoid losing multiple hours or even days of new and modified data. Second, IT needs to have confidence that they can access versions of backups that are immune to the attack.

The third and most critical element is ensuring that IT can return users and applications to operation quickly. In theory, instant recovery-like features should help; the problem is, again, the backup storage target. Legacy backup storage offers performance that is so much slower than the production equivalents that they are unusable. Also, their poor performance slows down the inspection process of making sure no malware is resident on the recovered data.

A modern backup storage target needs to, once again, leverage its flash tier to solve this problem. The flash tier has to extract the maximum performance from eight to twelve flash drives. If it can, then the flash tier will provide the performance the backup-server software needs to rapidly validate the data and make it available to the production virtual machines or applications directly.

The modern backup storage target also needs to provide enterprise-class high availability and data protection so that IT gains the benefit of time. The IT team can take the time to make sure that they eradicate the malware from the entire infrastructure before they start moving the dataset back to its original location. This benefit of thorough malware eradication is only possible if the modern backup storage target can provide a production-class environment from which to host the healthcare organization’s data while this eradication is underway.
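The three steps above, modelled as an added example that is not StorONE's or the author's code: block-level incremental (BLI) jobs that only ship changed blocks (step 1), a write-once block store with an append-only job list so any earlier version can be rolled back to (step 2), and an integrity re-check before a version is handed back to production (step 3). The block size, sample records and the XOR "encryptor" are constructed for illustration.

```python
"""Toy BLI, immutable, versioned backup store (added example, constructed data)."""
import hashlib

BLOCK_SIZE = 4  # unrealistically small so the constructed sample shows block churn


class WriteOnceDict(dict):
    """Content-addressed block store: a stored block can never be changed or removed."""

    def __setitem__(self, key, value):
        if key in self:
            raise PermissionError("immutable: block %s already stored" % key[:8])
        super().__setitem__(key, value)

    def __delitem__(self, key):
        raise PermissionError("immutable: blocks cannot be deleted")


class ImmutableBackupStore:
    def __init__(self):
        self._blocks = WriteOnceDict()  # sha256 hex digest -> block bytes
        self._jobs = []                 # job id -> tuple of digests (append-only)

    def backup(self, data):
        """Run one BLI job. Returns (job_id, blocks_transferred)."""
        manifest, transferred = [], 0
        for i in range(0, len(data), BLOCK_SIZE):
            block = data[i:i + BLOCK_SIZE]
            digest = hashlib.sha256(block).hexdigest()
            if digest not in self._blocks:      # only unseen blocks cross the wire
                self._blocks[digest] = block
                transferred += 1
            manifest.append(digest)
        self._jobs.append(tuple(manifest))      # a new version; old ones untouched
        return len(self._jobs) - 1, transferred

    def verify(self, job_id):
        """Re-hash every block a job references; False if the medium was corrupted."""
        return all(hashlib.sha256(self._blocks[d]).hexdigest() == d
                   for d in self._jobs[job_id])

    def restore(self, job_id):
        """Roll back to any version, but only after it passes verification."""
        if not self.verify(job_id):
            raise ValueError("job %d failed integrity check" % job_id)
        return b"".join(self._blocks[d] for d in self._jobs[job_id])


def simulate_ransomware(data, key=0x5A):
    """Constructed stand-in for an encryptor: every byte changes, so every block changes."""
    return bytes(b ^ key for b in data)
```

Because the encrypted copy lands as a new job rather than overwriting the old one, the pre-attack version stays restorable; a block that is altered underneath the store is caught by `verify` before `restore` returns anything.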


About George Crump

George Crump has over 25 years of experience in the storage industry, holding executive sales and engineering positions. Before joining StorONE, he was the founder and lead analyst at Storage Switzerland.
