The Cyber-war on Healthcare

Introduction

The healthcare industry has been hit hard by cyber-criminals. Health IT Security lists the ten biggest Healthcare data breaches in 2019, exposing over 30 million records, so far:

  1. AMCA Data Breach: 25 Million Patients, Investigations Ongoing
  2. Dominion National: 2.96 Million Patients
  3. Inmediata Health Group: 1.5 Million Patients
  4. UW Medicine: 973,024 Patients
  5. Wolverine Solutions Group: Estimated 600,000 Patients
  6. Oregon Department of Human Services: 645,000 Patients
  7. Columbia Surgical Specialist of Spokane: 400,000 Patients
  8. UConn Health: 326,629 Patients
  9. Navicent Health: 278,016 Patients
  10. ZOLL Services: 277,319 Patients

Sadly, the trend is increasing because health-related data brings in big bucks on the Dark Web. One complete medical record is worth a thousand dollars or more. Now you can see why healthcare companies, of all sizes, are targeted. Even a few stolen records can mean a big payday.

Healthcare companies of all sizes are obligated to keep patient information confidential and safe.

Physical records are being digitized

Healthcare regulations are evolving and, to meet new industry standards as well as Federal and State regulations, healthcare businesses are digitizing their medical records. It makes sense, digitized records are portable and can be shared when needed to deliver the best care. They can also be stolen.

So, it’s no surprise that entire systems have fallen victim to ransomware, locking healthcare providers out of important patient data or being stolen and sold on the dark web. Even small providers like doctors and dentists are not immune. As stated previously, even a few hundred records are money in the bank to cyber-criminals.

A false sense of security

Larger healthcare organizations know that frequent backups are vital to security. However, they and smaller organizations make the mistake of backing up data as little as once per day using a data backup solution; doing so is no longer sufficient for several reasons:

  • If you’re not actively monitoring your backup system and it fails, you’re not protected.
  • If you only back up your files once per day, you stand to lose an entire day’s worth of critical data if your systems are breached.
  • If you’re not actively monitoring and validating your backups, you can end up with useless data preventing you from restoring your systems in the event of a breach.
  • If you only back up your raw data, rather than all your application and server configuration files, it could take days to weeks, depending on the severity of the incident, to restore your practice – because you will also have to rebuild your servers, operating systems, applications, etc., BEFORE you can use backed up data.

If you’re one of the companies described above, think about this: US businesses lose $12 billion annually due to data loss, and over 90% of companies that lose their data for 10+ days file for bankruptcy within one year.

Best practices for Healthcare Companies

  • Establish and strictly enforce a clean desk policy at all times:
    • Physical company and patient records shouldn’t be left out in the open and must be locked up when not being used.
    • Medical ID numbers, social security numbers, credit card data, etc. should never be written down and left on desks where employees and other patients can see them.  Personnel should securely shred all such papers immediately after use.
    • Never leave sticky notes with passwords, ID numbers, etc. on PC screens, desks, etc.
  • If you have an internal IT department, consider outsourcing your Business Continuity Disaster Recovery (BCDR) operations to a Managed Services Provider (MSP) that specializes in Disaster Recovery as a Service (DRaaS). You’ll free up present IT personnel so they can concentrate on day-to-day operations and get a state of the art backup solution that is managed by experts with the time and expertise to actively monitor, manage and maintain your BCDR system and assist in recovery efforts when needed.
  • If you don’t have an internal IT department, then outsource your IT management to an MSP with the expertise and resources to manage your network and BCDR while providing security and helpdesk services.
  • Perform timely hardware and software updates, maintenance, and backups. If you’ve contracted with an MSP or have an internal IT department, these should be covered.
  • Establish, review, and maintain office and system security. Your MSP or internal IT department should guide you accordingly.

Straight talk on cyber-threats

The plain truth is that there is no one solution currently available that can 100% guarantee that you, or any company, won’t get hacked. There are just too many variables. The biggest vulnerability is your personnel. The most frequent way cyber-criminals gain entry to company systems is through social engineering. People are the weakest link in security.

That is why having an internal IT department or a Managed Services Provider (MSP) managing your network is so important. You cannot put a price on experience and knowledge in this area.

However, even though you can’t 100% prevent a cyber-attack, you can position your company to recover from one, quickly, and completely with A Hybrid-cloud BCDR Solution.

The better way: Business Continuity

Business continuity describes a complete solution for backup and disaster recovery. A true business continuity solution will protect data on-premises and in the cloud. Whether data is on servers or in SaaS applications, it needs to be backed up. Business continuity goes a step further and offers you the ability to restore your data, which we call disaster recovery.

Whether a business is faced with a natural disaster or one man-made, a strong solution will have you up and running in minutes. Solutions that leverage the Hybrid-cloud can guarantee a quicker restore time. Here’s why:

  • Local backups are great to keep data stored on local devices, but if something happens to that device, then you’ve lost all of your data.
  • It is very hard to verify the viability of data only backups unless you perform a data restore on all of your files.
    • In contrast, a Hybrid-cloud BCDR system takes snapshots of an entire server, saves it to an onsite appliance, and simultaneously to two geographically dispersed data centers in the cloud. Each snapshot can be “spun up” into a virtual server in minutes. A BCDR system will automatically “spin up” an image daily to ensure the backup is viable.
  • Cloud-only solutions, on their own, are not as good due to bandwidth issues. Yes, you have your data, but depending on the size of your data, it can take days to download when restoring systems, but if the operation is interrupted, you’ll need to start the download all over again.
  • A hybrid model works to alleviate the vulnerabilities of cloud-only backup by implementing both processes (onsite and offsite) to fill in the gaps. This is called intelligent business continuity, and it works extremely well.

Conclusion

Cyber-attacks on the healthcare industry and companies of all sizes are on the rise. Just because you are a small medical practice does not mean you’re safe. Medical data is very valuable, and even a small number of stolen records can mean thousands of dollars to a cyber-criminal.

ALL medical practices, large or small, need to protect themselves properly. Using anything short of a Hybrid-cloud Business Continuity solution is foolhardy.

A final warning to small medical practices: don’t make the mistake of operating in today’s cyber-environment without IT guidance. There is too much at risk. One cyber-attack could spell disaster for your company and your patients.

 XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions whose systems protect 460+ Petabytes of data with over 1400+ employees and 9 offices around the globe. Call (845) 362-9675 and let us introduce you to the ultimate defense against data loss—whatever the cause. Backup & Disaster Recovery | Business Continuity | Data Risk Assessment