Best Practices for Secure Backups in Healthcare
The following are some strategies healthcare organizations can explore to keep backups secure.
Immutable Storage: Immutable storage means that once data has been written, it cannot be erased except from within the data protection solution where it was created.
“Using immutable storage is a way to make sure attackers are not able to modify previously backed-up images,” Shi says. “These are basically air gaps for them to not be able to operate and disrupt, something that you need in recovery mode.”
Multifactor Authentication: This technology requires an additional form of authentication, such as a push notification or a token match, on top of a username and password before granting access to a system.
“It’s basic to make sure you have MFA for your administrators who have access to your backup tools,” Shi says.
Shi recommends using token matches because push notifications can be easily gamified.
If bad actors lack access to a phone SIM card associated with a phone number, they cannot pass through the next level of authentication, Lundberg says. Additional authentication factors could be paired with VPN credentials, he adds.
Active Directory: This database resides in Windows Server and enables identity management, authentication and access control. AD also lets health IT managers maintain network security.
“It’s also about limiting the permissions users have and being smart about what systems they can access,” Lundberg says. “Not everybody in the organization needs access to everything. You are the CEO, but do you really need the gold key to the IT department or the HR records?”
Lundberg notes that AD itself has become a target. Healthcare organizations should therefore implement similar data protection and login challenges for Active Directory.
Organizations should apply a zero-trust strategy for access to applications rather than granting broad permissions, Lundberg says.
Network Time Protocol Authentication: Also called a monotonic clock, this strategy prevents hackers from time jumping and requires a time server to be authenticated before any clock changes are accepted locally.
However, bad actors can spoof an NTP server and change the domain name, Shi warns.
Even if an organization has chosen which folders on users’ machines to back up, the software will not run in the case of a ransomware attack because the NTP is being spoofed, Shi says.
“Have storage and backup systems that run their own tamper-proof internal clocks,” Lundberg advises.
If some network time servers are set seven years in the future but an internal clock is set for today, it will prevent an attack from impacting the backup systems, he explains.
“It won’t allow things to happen,” Lundberg says. “It will notify a system administrator that your time protocol servers are not in agreement with my internal clock.”
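As an added illustration of the check Lundberg describes (example code, not from the article or either speaker), the Python below is a sanity gate a backup appliance could run before accepting time from its NTP servers: each server's reported time is compared against the appliance's own internal clock, a server far out of agreement (such as one set seven years ahead) is ignored and reported to the administrator, and the clock is adjusted only when a quorum of servers agree with the internal clock. The tolerance, the quorum and the server names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed policy values for a backup appliance; the article gives no figures.
MAX_OFFSET = timedelta(minutes=5)  # largest disagreement with the internal clock we accept
QUORUM = 2                         # servers that must agree before the clock is adjusted


@dataclass
class NtpSample:
    server: str         # hypothetical server name
    reported: datetime  # time the server claims (constructed for the example)


@dataclass
class ClockDecision:
    apply: bool                                 # may the appliance adjust its clock?
    adjustment: timedelta = timedelta(0)        # how far to move it, if allowed
    alerts: list = field(default_factory=list)  # messages for the administrator


def check_time_sources(internal_now: datetime, samples: list) -> ClockDecision:
    """Gate NTP-driven clock changes behind the appliance's own trusted clock.

    A server off by more than MAX_OFFSET (misconfigured or spoofed) is ignored
    and reported; the clock moves only if at least QUORUM servers agree with
    the internal clock, and then only by the median of their offsets.
    """
    decision = ClockDecision(apply=False)
    agreeing = []
    for s in samples:
        offset = s.reported - internal_now
        if abs(offset) > MAX_OFFSET:
            decision.alerts.append(
                f"{s.server}: reports {offset} relative to internal clock; ignored")
        else:
            agreeing.append(offset)
    if len(agreeing) < QUORUM:
        decision.alerts.append(
            f"only {len(agreeing)} of {len(samples)} time servers agree with the "
            "internal clock; clock left unchanged")
        return decision
    decision.apply = True
    decision.adjustment = median(agreeing)
    return decision
```

With two healthy servers and one seven years ahead, the result is an alert for the outlier and a small median adjustment; with only one healthy server the clock is left unchanged and the administrator is told the servers disagree.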
Working with a Partner on Data Backup and Security
When managed service providers help healthcare organizations implement Backup as a Service, they gain cloud security as well as email and data protection, Shi notes.
“Having tools is one thing, but also having the knowledge, experience and the type of threat intelligence we have to support these efforts makes things easier,” Shi says.
A vendor can also run a security operations center on behalf of customers to operate backup tools. It allows IT to huddle with hospital staff and clinicians on security events so hospitals gain peace of mind that an MSP has their data security needs under control, Shi says.
Partners allow IT staff and physicians to focus on what they do best, such as making an EHR platform work better or optimizing use of an MRI suite, Lundberg says. They enable healthcare organizations to prioritize which services to back up as a service based on their operational budget. For example, emergency room systems may get backed up before the billing systems.
“The value that partners bring is the technology expertise and business model coaching, so it really just becomes more of a discussion of how to operate better as a healthcare organization,” Lundberg says.