In the face of today's cyberthreats, resiliency trumps prevention

Staff

In an age of expanding and evolving cyberthreats, hospitals and health systems with traditional data protection and cybersecurity strategies are sitting ducks.

The majority of healthcare organizations — 61 percent — say their cybersecurity protocols are focused on prevention, according to IDC Research. Despite this preventive focus, 37 percent of healthcare organizations have experienced a ransomware attack. More than half of those firms that suffered an attack required "days, weeks or longer" to recover and 65 percent had to revert to data that was days or weeks old.

"There is no such thing as 100 percent prevention of cyberattacks," said Peter Gerr, senior product manager at Iron Mountain, during a workshop at Becker's Hospital Review 4th Annual Health IT + Revenue Cycle Conference in Chicago in fall 2018. "Healthcare CISOs need to admit that they are not going to prevent 100 percent of cyberattacks and figure out how to protect and recover their most critical and valuable data assets like personally identifiable information."

With the rapid evolution of cyberthreats, especially those from insiders, rogue employees or individuals with stolen credentials, hospitals and health systems cannot focus on prevention efforts alone. Instead, they must devote energy, time and resources to improving their cyber-resilience: the ability to protect their most critical data assets and, when a cyberattack strikes, to swiftly respond, recover critical data and resume normal business operations.

Traditional data protection isn't enough

Traditional data protection strategies call for a combination of archiving, backup and offsite disaster recovery to protect data. However, archiving data and backups offer no protection from data loss or corruption, and recovery can be slow. Even disaster recovery, which is a more complex and costly protection strategy for site recovery after a natural or manmade disaster, offers minimal protection of critical assets from data loss or corruption from cyberthreats.

"The goals of cybercriminals are really to obtain credentials. It's not necessarily to do a brute force attack," Mr. Gerr said. "Cybercriminals used to hack in; today they log in. When the threats are coming from inside the organization, or from those with insider access using stolen credentials, you have to modernize your strategy."

Take the 2014 Sony Pictures hack for example. A hacker group leaked an unreleased Sony film, personal information about employees, emails and salary information. They then wiped nearly half of Sony's computer servers and desktops. "Part of the forensics on the Sony attack that was not widely publicized was that the intruder got in and, in addition to stealing email and publishing that … [they] compromised the credentials to the backup server. They logged onto it and deleted backup images," said David Edborg, portfolio manager for Dell EMC Business Resiliency Services.

Hospitals are not immune to this type of attack. In 2017, Buffalo, N.Y.-based Erie County Medical Center suffered a ransomware attack that shut down 6,000 computers. There, too, the hackers deleted backup data, according to Mr. Edborg. It cost the medical center $10 million to fully recover from the attack.

Not every data set calls for the same protection strategy

As the threats to businesses have evolved, so too have the data protection strategies needed to address them. Fortunately, new tools and solutions are emerging to address the "cyber gap" left by traditional data protection. Hospitals can close this gap with a strategy called isolated recovery, applied to an organization's most sensitive data. "If we were talking about robbing a bank, the bank robbers come in and they're not going to steal the lollipops and the calendars. They are going right for the most valuable assets, which are stored in the vault, the most secure place," said Mr. Gerr.

In a hospital, this is patient health information. PHI requires more than the standard layers of protection such as archiving, backup and disaster recovery. This mission-critical information also needs isolated recovery, which creates an "air gap" or an electronic vault. Critical data is encrypted and isolated in a secure digital vault that is disconnected from active networks. The vault connects to those networks only when necessary, either to sync data at regular intervals or to serve as a backup in the event of a cyberattack.

Mr. Edborg and Mr. Gerr recommend using this kind of physical segregation, coupled with randomized network disconnection, to protect data from planned attacks. Best practices include regularly testing recovery procedures and using a dedicated secure offline environment to test and validate copies online. For hospitals that choose to enlist a managed service provider to help with isolated recovery or other data protection services, Mr. Edborg and Mr. Gerr recommend close evaluation of the contract to ensure it is sustainable. Oftentimes recovery testing and other services, like egress fees, are excluded from the monthly cost, they warned.

Conclusion

Only about 18 percent to 20 percent of hospitals and health systems employ isolated recovery solutions. However, as Mr. Edborg noted, hospitals may soon be mandated to do so under the NIST cybersecurity framework, which government agencies, like HHS, are required to follow by 2019. It is likely these requirements will trickle down to hospitals through CMS shortly thereafter. Even so, with reputation, resources and critical information at stake, it is time hospitals make cyber-resiliency a priority.

"The risk posed by modern cybercriminals isn't solely a technology problem; it's also a business problem," said Mr. Gerr.
