Why Storage and Backups Are a Key Component of Healthcare Cybersecurity

Martin Littmann, CTO and CISO, Kelsey-Seybold Clinic, emphasizes the importance of a holistic approach to data storage throughout an organization's IT environment. Photography by Phoebe Rourke

They also managed to restore individual files from backups so everyone could continue to work. By the end of the day, they had everything running again, almost as if the event had never happened. “We survived, but it did lead us to change the way we approached data protection moving forward,” Littmann says.

Littmann’s team relies on both ­on-premises and cloud-based storage, and has used a range of storage products from different vendors over the years. Currently, Kelsey-Seybold works with NetApp and Pure Storage for file storage and block storage, respectively.

RELATED: Discover 7 email security strategies to keep patient data safe from evolving cyberattacks.

“From a storage perspective, we’ve always tried to stay with leading-edge, top-tier enterprise solutions,” Littmann says. His team turned to Pure Storage FlashArray, in large part because it supports the organization’s Epic electronic medical records system as well as its virtual desktops.

One big difference today is the use of immutable backups, which the team creates with a Pure tool called SafeMode. But most important, Littmann says, is the focus now on protecting the network and endpoints — the weak spots that hackers usually like to target.

“Protecting your data is not just about the quality of your storage systems or how you handle backups and recovery,” Littmann says. “It’s everything you do across your organization; it’s how you manage your house.”

Click the banner below to discover healthcare-related security best practices and tips.

Create Stronger Data Protection Strategies for Disaster Recovery

In January 2020, Enloe Medical Center faced its own cyber incident right after New Year’s Day. But it was clear to the organization’s IT team that it had what it needed to keep operations up and running.

One reason for the team’s confidence: the disaster recovery capabilities of Enloe’s storage arrays.

The Level II trauma center in Northern California had just upgraded its aging HP storage system to an approach that combined several solutions, including two new HPE 3PAR storage systems, as well as two HPE Nimble systems. At the time of the 2020 incident, IT hadn’t yet put the Nimble systems in place, but the 3PAR systems were good to go.

“Looking back,” says Technology Director Christopher Webb, “the things that we did with those 3PARs saved us.”

With about 300 beds, 600 virtual machines and 20,000 devices on its network, Enloe Medical Center “is probably the biggest thing north of Sacramento as far as IT infrastructure and technology go,” Webb says. His team installed a four-node 3PAR in the organization’s ­on-premises data center and then put a separate two-node system in a colocation facility in Nevada.

“Those arrays are like Swiss Army knives,” Webb says. “They support fast provisioning for virtual desktop infrastructure, which is really important for us, but then they’re also great when it comes to things like medical archiving and data replication.”

The 2020 ransomware incident “brought that versatility to the forefront,” Webb adds. When the team installed its new storage systems, it also turned to a HIPAA-compliant archiving software from Germany-based iTernity. Critical applications across the facility, including its medical imaging systems, send all data to the iTernity solution before it goes to storage.

“The iTernity software takes that data and essentially does a dual writeup to both of our data center locations,” Webb says. It also uses a variety of techniques to guarantee data is protected against manipulation and deletion. “It’s a way to ensure the integrity of your data, that it’s never changed from its original version.”

Data protection and restoration is similarly facilitated through automatic volume snapshots and by the backups they make using software from another vendor.

When Enloe’s IT services were degraded in the wake of the cyber incident, it was these tools, the work of his team and the support they received from HPE that ultimately kept the organization from shutting down, Webb says.

“It wasn’t an easy time,” he says, “but we made it because we were prepared.”

EXPLORE: Learn why AANA moved its on-premises data center to the public cloud.

Mitigating Cyberthreats Requires Meeting Storage Needs

Years after Kelsey-Seybold’s and Enloe’s separate ransomware experiences, the cyberthreats against healthcare are only getting worse. Healthcare organizations, however, are finding ways to fight back, in part through initiatives to modernize their storage systems.

According to a 2021 HIMSS survey, 67 percent of healthcare cybersecurity professionals said their organization had experienced a “significant” security incident that year. Among those that had experienced an attack, 56 percent said it had disrupted their operations, including business functions (32 percent), IT capabilities (26 percent) and their ability to provide clinical care (21 percent).

Worldwide, an IBM report found that the average cost of a healthcare data breach in 2021 was $9.23 million.

“The major shift over the past couple of years has been ransomware,” says Henry Baltazar, research director for the storage practice at 451 Research, which is part of S&P Global Market Intelligence. At the same time, rapid data growth in the industry, in concert with healthcare digitization, has meant there’s more at stake than ever. “It’s forced people to change their game, to upgrade what they’re doing storagewise.”

With that in mind, Baltazar says, most organizations have made public cloud storage an important part of their data strategy, and they’ve settled on a multipronged cybersecurity approach.

“First, there’s the protection part,” he says, which includes data encryption, for example. “But then there’s also the part where you say, ‘Well, if we’re going to get hacked, we’d better have a strong recovery methodology.’”

Just a few years ago, Baltazar says, “almost nobody thought that backups were important.” That’s no longer the case today. “Now, people are worried about holes in their safety nets. They’re looking at their backups and asking what they can do to protect those as well.”

The answer often involves things such as data bunkers, multiple storage sites and ensuring that backups are air-gapped or immutable, Baltazar says. “You can’t just be thinking, ‘We’ve backed up, so if worse comes to worst we’ll fall back on that.’ The people who have been doing ransomware and doing it successfully, they know that’s the playbook.”

Ensure Healthcare Data Availability with Storage Solutions

Marc Hrzic, senior director of IT at Pittsburgh-based UPMC, is aware of that fact. “There are bad people out there trying every day to get in at your weakest point,” he says.

UPMC today has about 49 petabytes of allocated storage and more than 13,000 virtualized servers, Hrzic says. “We’re a heavily automated, hybrid organization where we have a lot of workloads that run in the cloud, but we also have a lot running in our data center.”

UPMC’s storage protection strategy is “multilevel,” he adds. “The challenge is that we have to do everything right all of the time, but the perpetrator only has to get in once to cause an extreme amount of damage.”

DIVE DEEPER: Understand CDW's strategies for cloud, flash array backup and recovery data storage.

Given that, UPMC uses monitoring solutions designed to detect malware before it can launch. The organization also relies on IBM Spectrum Storage and Dell EMC tools and on the IBM FlashSystem platform.

“From a block storage perspective, we’re 100 percent flash storage in the data center,” Hrzic says. The IBM system takes 49 petabytes of data and reduces it to 34 for storage purposes, he says, and UPMC uses synchronous replication under a global namespace to ensure data availability across multiple data centers in different geographical locations.

“At the end of the day, everything we do is about the patient and delivering applications to frontline clinicians,” Hrzic says. “But that all starts with having a solid foundation for data protection and security.”