Tips for Healthcare Organizations to Prevent and Respond to Data Breaches

HEALTHTECH: What are you seeing in the cybersecurity landscape from a ransomware perspective?

HALEY: Unfortunately, it’s not great news. It is getting worse. One of the things that we continually see is that a lot of the attacks come in from the end-user environments. Once the attackers get into the environment, they go in and compromise the production apps, the production servers, and in many cases they’re trying to compromise the data protection environment. We’re seeing a significant increase in the number of attacks.

We’re also seeing a significant increase in the impact of the attacks. In 2020, we were looking at a new ransomware attack every 14 seconds. That’s accelerated to an attack every 11 seconds. The average downtime per attack was 12 days in 2020, and it’s increased to over 19. We’re also seeing a disturbing trend where the attackers are lurking or lingering in the network longer. They’re searching for breadcrumbs and trying to understand where sensitive data is, where the compliant data is and where the data protection is so that they can dismantle those as part of the attack.

It’s a huge challenge for organizations, and it’s a continuing challenge. What we’re seeing is well-funded, well-organized cyberattack businesses — and they really are treating this like a business. We’re seeing a huge number of organizations that are needing to dramatically change the way they think about preventing a disaster.

Another thing that’s interesting is that for years we’ve been building out disaster recovery and business continuity plans. I think organizations have never been closer to disaster in the form of a cyberattack than they are now.

EXPLORE: What do you need know about ransomware crisis planning?

If we think about the different attack vectors that we see right now, the attackers are trying to dismantle the production backup or the data protection and disaster recovery architectures. One of the attacks that we’ve seen several times is that the attackers get in and try to exfiltrate sensitive data, such as patient data. The intent there is they say, “We’ve got your compliant data, and if you don’t pay the ransom, we’re going to leak it and put you potentially in breach of compliance.” Then there could be a financial penalty or even a loss of patient trust and reputation.

We’re also seeing a few organizations that have paid the ransom because they didn’t know how long it would take them to recover. I mentioned the 19-day average, but in many cases I’ve heard stories of months. It’s a big deal. Every day in the news, we hear about another organization that has fallen victim to attack. What you don’t typically hear about is the ones that have successfully navigated the attack and recovered without disruption.

The White House came out with an executive order in May 2021, and it said, “Business leaders, we urge you to reinforce your defense against cyberattacks.” When you look at what they’re recommending, they’re talking about data protection and operational processes to test your recovery and your ransomware or cyberattack recovery plan. It’s important to understand and have experts validate that your team has done well.

HEALTHTECH: How can health IT teams get their organizations to move away from a place of fear in the wake of these threats?

HALEY: The first thing to do is to have a plan and test the plan so you know it works, but don’t rest on the plan. Attack vectors are continuously evolving. We’re working diligently to make sure that we’re helping organizations understand what these threat vectors are and helping them prepare so that they have solutions.

There are places for the tried-and-true technologies, but in many cases it’s about modernizing the architecture. What we started with was this hyperconverged scale-out architecture. It could be run as software, it could be run as hardware, it could be run in the edge in the data center or even in the cloud — all of these are scalable architectures that we can use for multiple different data services.

We started with data protection as our core data service, but we’ve expanded that to things like file and object, test and dev, and even disaster recovery. We also manage this through a “single pane of glass” Software as a Service console called Helios. So, when you start to look at an architecture that solves multiple different use cases, it starts to create flexibility in an organization to be able to do more things with data. Many organizations that I talk to are straddling that hybrid cloud architecture of workloads that are on-premises, workloads that are in the edge and even workloads that are in the cloud, but they need a data management architecture to assist and standardize on.

Click the banner below for CDW resources to dig deeper into security and incident response planning.

One of the things that we’ve seen from traditional architectures is that most organizations have the same virtual machines. They have physical servers and databases that have grown so large that they can’t protect them inside their window. In many cases, they have NAS architectures, which they’d traditionally protect using native NAS tools, but they don’t necessarily provide the same level of recovery or separation from cyberattacks.

To protect these different workloads, traditional architecture had different parts and pieces, whether it was something like a master server or media server, and these server-based operating systems with applications installed on them send data to different storage devices. In many cases, we’ve seen these servers be compromised as part of a ransomware attack.

At Cohesity, we took all these different parts and pieces and consolidated them into a single hyperconverged architecture. Effectively, we run all those services inside our cluster as logical entities. That clustered approach gives us several big advantages. The first is that we distribute the workload across all the nodes. This allows us to back up and recover much more quickly than the traditional architectures.

The platform architecture itself gives us the ability to rapidly recover data, which is a key concern. Because it’s a node-based architecture, it doesn’t have any things like disruption for upgrades, forklift upgrades or outage from software upgrades. We can add or remove nodes all while it’s up and running. We have a whole host of ransomware protection that’s built into the platform, and we have storage efficiencies to help organizations reduce the amount of data that they have to store to drive down the cost.

READ MORE: Layered security is essential to healthcare systems’ incident response planning.

HEALTHTECH: How can healthcare organizations defend data protection platforms from these attacks?

HALEY: We built an architecture designed with security in mind. It starts with a hardened architecture, where we built a platform so that it leverages technologies like encryption and immutability and has capabilities for things like write once read many (WORM), even architectures to support technologies like air gap. We’ve also done a whole host of technologies to maintain and restrict access, and so we have granular role-based access control. Not everybody needs to be an administrator. We can give people the rights they need to do what they need to do without making everybody have too many rights.

We also support technologies such as multifactor authentication. My No. 1 recommendation to everybody professionally and personally is to enable multifactor authentication on everything. Anything that you care about, you should turn it on. It’s a huge deterrent from several of the credential compromises we’ve seen. Multifactor authentication is a huge defense against attack. In addition to protecting the data, we also help people detect anomalous activity.

HEALTHTECH: How can Cohesity help alert IT teams to security problems?

HALEY: We have a platform built into our Helios single pane of management consult. What we’re doing is looking at every object that we protect and creating a trend line for each object. The trend line shows how much data is backed up every day, how much changes and which files are being added, changed or deleted. We also look further into it so that we can understand how compressible the data is, or how eligible it is for deduplication.

What we’re really doing is looking for the signatures of a ransomware attack as it relates to data. The idea of creating a trend is that we understand what a normal day, a normal week or even a normal month looks like for every object in the environment. As part of the anomaly detection, whenever we see something that’s out of trend, we’ll alert you to it. We also show you the last clean backup. So, we’ll show you where we detected the anomaly, and we’ll show you the last nonanomalous protection point as well as a list of the files that we discovered that were affected by this.

Generally, if you see this as a challenge, you can initiate recovery right from the detection panel. If it’s something that you expected — maybe you installed a service pack or you updated an application on the system — you can simply ignore the anomaly. We’ve also set this up so that it can send an alert directly to the Cohesity mobile app. It’s just another set of eyes looking at the data, and we’re trending it using artificial intelligence and machine learning.

DISCOVER: Learn how infrastructure upgrades helped an organization survive a ransomware attack.

HEALTHTECH: What can healthcare organizations look for to help them recover quickly from cyberattacks?

HALEY: We index all the data that we store. We build a searchable index. We also have an index and an inventory that’s globally searchable for all the objects that we protect. We have tools in an actionable methodology. We can search for something and then act right when we find it. So, we have these to help organizations understand all the data that’s being protected. If you think about it, the data protection architecture becomes an aggregation point for all the data in an environment. It’s like a central repository for the data. These tools provide a great deal of power.

Our architecture is a multinode cluster, but we have this idea of the Cohesity marketplace, the idea that we can run apps and services natively on the architecture, and they spin up as Kubernetes containers. We run apps and services on the architecture that you could download and install directly into the cluster.

One example is a data classification architecture. Instead of indexing the file, server and database names, it can actually index the contents of files. Imagine being able to go through all the files you’re protecting and look for patterns. Understanding where that sensitive data is allows you to better understand how to secure it.

However, sometimes you get to a place where you have to recover. Our architecture, because it’s a multinode scale-out cluster with embedded data protection software, also has native NAS protocols. We can speak a native SMB or NFS. This is part of our default recovery methodology.

For example, in a VMware environment, it’s common that we see backups that go to a traditional deduplication appliance. Those appliances are optimized for ingest and not recovery, so people often experience slow recoveries.

There’s this rehydration process that they have to go through, even for a single virtual machine. A virtual machine could take 45 minutes to an hour. With our architecture, we take the data, clone it and then present that clone over a NAS protocol directly back to the VMware environment. We begin to boot the virtual machine while the data still lives on the Cohesity platform.

We can leverage this recovery methodology for a whole host of different restore scenarios. As you can imagine, a lot of organizations facing a ransomware event or a cyberattack go into quiet mode. They can’t talk about it. We helped one healthcare organization recover and withstand the attack, so they didn’t have to pay the ransom. They were so pleased with the way our technology performed that they did a public reference for us and a case study. They even cited that their PACS architecture or their medical imaging was compromised by the attack, but they were able to leverage an instant recovery from Cohesity to make that data instantly accessible, rather than not be able to use their medical imaging.

HEALTHTECH: What are your top recommendations for healthcare organizations looking to implement these concepts and technologies?

HALEY: My top recommendation is to keep in mind that we have the capabilities to harden the architecture. It starts with things like best practices and a lot of common sense, such as making sure you’re never using default passwords and that you have a hardened authorization process like multifactor authentication. I also recommend using an external single sign-on provider, because in many cases, we see that active directory get compromised. But then you layer in the solutions to make sure we’re protecting more aggressively and frequently so that in the event of impact, there’s less disruption to business and care delivery, and more options for recovery.

As was mentioned in the White House brief, it’s about following good security best practices and leveraging technologies that allow you to simplify your architecture so that you’re aggressively future-proofed with less configuration variability.