HEALTHTECH: What are you seeing in the cybersecurity landscape from a ransomware perspective?
HALEY: Unfortunately, it’s not great news. It is getting worse. One of the things that we continually see is that a lot of the attacks come in from the end-user environments. Once the attackers get into the environment, they go in and compromise the production apps, the production servers, and in many cases they’re trying to compromise the data protection environment. We’re seeing a significant increase in the number of attacks.
We’re also seeing a significant increase in the impact of the attacks. In 2020, we were looking at a new ransomware attack every 14 seconds. That’s accelerated to an attack every 11 seconds. The average downtime per attack was 12 days in 2020, and it’s increased to over 19. We’re also seeing a disturbing trend where the attackers are lurking or lingering in the network longer. They’re searching for breadcrumbs and trying to understand where sensitive data is, where the compliant data is and where the data protection is so that they can dismantle those as part of the attack.
It’s a huge challenge for organizations, and it’s a continuing challenge. What we’re seeing is well-funded, well-organized cyberattack businesses — and they really are treating this like a business. We’re seeing a huge number of organizations that are needing to dramatically change the way they think about preventing a disaster.
Another thing that’s interesting is that for years we’ve been building out disaster recovery and business continuity plans. I think organizations have never been closer to disaster in the form of a cyberattack than they are now.
If we think about the different attack vectors that we see right now, the attackers are trying to dismantle the production backup or the data protection and disaster recovery architectures. One of the attacks that we’ve seen several times is that the attackers get in and try to exfiltrate sensitive data, such as patient data. The intent there is they say, “We’ve got your compliant data, and if you don’t pay the ransom, we’re going to leak it and put you potentially in breach of compliance.” Then there could be a financial penalty or even a loss of patient trust and reputation.
We’re also seeing a few organizations that have paid the ransom because they didn’t know how long it would take them to recover. I mentioned the 19-day average, but in many cases I’ve heard stories of months. It’s a big deal. Every day in the news, we hear about another organization that has fallen victim to attack. What you don’t typically hear about is the ones that have successfully navigated the attack and recovered without disruption.
The White House came out with an executive order in May 2021, and it said, “Business leaders, we urge you to reinforce your defense against cyberattacks.” When you look at what they’re recommending, they’re talking about data protection and operational processes to test your recovery and your ransomware or cyberattack recovery plan. It’s important to understand and have experts validate that your team has done well.
HEALTHTECH: How can health IT teams get their organizations to move away from a place of fear in the wake of these threats?
HALEY: The first thing to do is to have a plan and test the plan so you know it works, but don’t rest on the plan. Attack vectors are continuously evolving. We’re working diligently to make sure that we’re helping organizations understand what these threat vectors are and helping them prepare so that they have solutions.
There are places for the tried-and-true technologies, but in many cases it’s about modernizing the architecture. What we started with was this hyperconverged scale-out architecture. It could be run as software, it could be run as hardware, it could be run in the edge in the data center or even in the cloud — all of these are scalable architectures that we can use for multiple different data services.
We started with data protection as our core data service, but we’ve expanded that to things like file and object, test and dev, and even disaster recovery. We also manage this through a “single pane of glass” Software as a Service console called Helios. So, when you start to look at an architecture that solves multiple different use cases, it starts to create flexibility in an organization to be able to do more things with data. Many organizations that I talk to are straddling that hybrid cloud architecture of workloads that are on-premises, workloads that are in the edge and even workloads that are in the cloud, but they need a data management architecture to assist and standardize on.
Click the banner below for CDW resources to dig deeper into security and incident response planning.