The recent WannaCry ransomware attack, which paralyzed many hospitals in the UK, has moved ransomware attack risk reduction to the top of most healthcare organization’s IT priority lists. Though the WannaCry attack could have been fairly easily thwarted if hospitals had ensured their operating systems were up-to-date with recent security patches, the fact that it led to ambulances being diverted from some UK hospitals and the cancelations of procedures and appointments at others highlights the danger such attacks present to patient health and safety. This incident, along with other recent security breaches, are leading healthcare organizations to focus more on security, as demonstrated by a recent survey finding that 81 percent of US healthcare organizations plan to increase their information security spending in 2017. As they consider how to best invest these new IT security resources, it is likely that most healthcare CIOs (if not CEOs) are asking themselves what they need to do to stop such attacks, or at least minimize the damage from these attacks and quickly recover from them when they are successful.
Unfortunately, the answer to this question is not simple – another firewall, employee training session, or new data backup process by itself will not bulletproof an organization from a ransomware or similar cyberattack. Rather, healthcare leaders need to ensure that they have developed and deployed a holistic data protection and management strategy for their organization if they hope to minimize both the chances of a successful attack and the damage such an attack can cause. Such strategies need to combine powerful perimeter security systems with comprehensive employee education policies, strong information governance practices and comprehensive backup and recovery processes. Only then can healthcare organizations feel confident that they are fending off or avoiding as many ransomware attacks as possible, limiting the data exposed to successful attacks, and are able to rapidly restore any data that is encrypted or destroyed by an attack. Many healthcare organizations have, or are in the process of, building and rolling-out such strategies. In doing so, they can make these strategies more effective by making sure to keep three key best practices in mind: do not overestimate the effectiveness of employee education in protecting you from attacks, approach security and data management planning in a holistic, proactive manner rather than a reactive manner, and create a dedicated backup set of their data, one that is isolated from the rest of their network.
Educate and Train Employees on Ransomware Identification and Mitigation
Employee education is an essential element in any healthcare organization’s data management and protection strategy. Such training is particularly effective when it does not just involve teaching employees what they should do when they receive emails from unknown senders with suspicious attachments or links, but also includes “fire drills” where IT sends employees fake phishing to ensure that they are actually following the best practices taught in the class. However, healthcare organizations need to avoid letting employee education provide them with a false sense of security. Even if a healthcare organization’s perimeter security systems and employee education stop 99.7 percent of attacks on their organization, the few attacks that do find their way can still grind healthcare operations to a halt. Healthcare organizations need to plan for the worst case, and not just focus on minimizing the chances of a successful attack occurring. They need to expect that an attack will one day be successful, and be ready to respond in a way that minimizes any disruption and damage caused by the attack.
Adopt a Proactive Approach toward Data Management
The importance of planning ahead is also illustrated by another best practice healthcare organizations should adopt to better protect themselves from ransomware – taking a proactive approach toward not just creating an IT security plan, but a comprehensive holistic data management and protection plan. Such a plan should be written down, routinely tested and updated or modified as and when needed. Security is an important component of such a plan – but just one component, along with disaster recovery, data privacy, and process to activate the organization’s data to improve business outcomes. This can be difficult — as healthcare organizations IT budgets get squeezed, they often find they don’t have the resources they need to proactively develop a data management and protection plan or for reviewing and updating their current plan. As a result they find themselves focusing only on immediate IT priorities. The situation is further complicated whenever a healthcare organization adds a new system to its infrastructure – be it an EHR or another clinical or business application. In these cases they often fail to synch this new system’s data security and other data management measures with their data management plan, trusting in the vendor’s promises. However, unless the new system’s vendor fully understands the healthcare organization’s overall data management strategy, security and other gaps can result from adding the new system. When an organization decides to add a new system, they should begin an immediate review of their data management and protection plan to ensure the new system’s data is incorporated. Such a holistic proactive approach, rather than reactive approach to data management and protection, will significantly improve healthcare organizations’ ability to prevent or respond to the increasingly sophisticated ransomware and other attacks being launched by cybercriminals around the world.
Make Sure You Backup Off Network
A third best practice healthcare organizations should follow to minimize their ransomware risk exposure is to ensure that they have a full set of their mission-critical and other key data backed up, and that it is isolated from the rest of their network, yet also easily accessible for recovery. For example, many organizations might think they have a data backup because they use data mirroring, believing if one of their datacenters goes down, data mirroring allows them to use data located at the other datacenter instead. But such a strategy is not a real backup plan. For example, it does not account for a ransomware attack, where an infection in one datacenter can easily be transferred to the other, locking an organization out of all of its data. To support quick and comprehensive recovery from a ransomware attack, organizations need to have a full backup of their data, and not expect a data mirror to act as a backup. In addition to having a full, dedicated backup, organizations need to make sure this backup is located off their on-premises network – on the public cloud, a private cloud, on an isolated disk storage system or (though recovery is slower) on tape. Then, if their network is compromised, they can rebuild their data completely from their backup copies.
Following these three best practices are just a first step for healthcare organization as they seek to implement holistic data management and protection strategies that minimize their organization’s risk exposure to ransomware attacks. As health organizations adopt holistic data management and disaster recovery strategies, they will also find they will help them activate their data in ways that create more value for their organization and patients. So as healthcare organizations move forward in creating or updating their data management and protection strategies in the wake of WannaCry, they should remember that such strategies will not just help them avoid a data disaster that threatens patient health, but also help them use their data in ways that improve their patients’ health as well.