September 19, 2019

Healthcare data protection goes beyond cloud backup

Cloud backup is essential medicine for healthcare data protection. However, backing up your data regularly won’t be effective if you’re not taking a holistic approach to information security.

Having redundant, offsite copies of your data and applications that can be easily recovered before patients even realize you’ve got the digital hiccups can be the cure for many disasters. But some threats to healthcare data are much more virulent than accidental deletions and other human errors.

Ransomware can poison your cloud backup

For healthcare organizations, ransomware has become increasingly contagious of late, going beyond infected emails and malicious websites—your endpoints are increasingly being targeted with ransomware that could spread to your cloud backup.

This summer a new strain of file-locking malware called eCh0raix was determined to be particularly harmful because it went after a certain type of network-attached storage (NAS) device, as these endpoints are seen by threat actors as easy targets. Worse still, these NAS endpoints are frequently used to back up critical data in healthcare organizations, but are often not as well protected as primary storage. Further, even if that data is backed up via the cloud to a third-party provider, it’s possible for malware to lock you out of any and all cloud backups.

Taking preventative medicine to protect data on NAS endpoints isn’t enough, either. You need to think about other endpoints such as multi-function printers and proliferating Internet of Things (IoT) devices too.

Healthcare data protection maladies start small

As much as it’s important to keep major enterprise systems and applications healthy, as well as endpoints common to a wide array of businesses, medical devices are increasingly a cybersecurity headache.

Just like NAS devices for secondary backups, medical devices are considered low-hanging fruit for threat actors, as they’re easier to infect than servers and laptops. And just like your printers, medical devices ranging from handheld ultrasounds to heart monitors are often on the same network as the rest of your data and applications.

Today’s healthcare organizations need to be aware that they are especially vulnerable to ransomware and malware threats, and the side effects are more than just data loss.

Regulatory fines are a tough pill to swallow

Privacy legislation in general, such as the General Data Protection Regulation (GDPR) and updates to the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as more healthcare-specific legislation—HIPAA in the U.S., for example—all flare up when an organization suffers a data breach.

Patient records qualify as Personally Identifiable Information (PII), and while technology is making it easier for healthcare professionals to collaborate because they have access to a single source of data, if that data is compromised the legal and financial ramifications can be huge for a healthcare organization.

Around the world, there are initiatives and organizations working to improve healthcare data protection, such as The Health Information Trust Alliance, which has designed a framework to improve risk management and security, while ISO standards can also be a source of cybersecurity remedies.

An ounce of prevention is worth a pound of healthcare data protection

Your data hygiene should include network segmentation, so systems and data are compartmentalized as much as possible. Glucose monitors don’t need to be on the same network as your HR system, for example. If you do get infected with any kind of malware or ransomware, segmentation can contain the threat.
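Segmentation only contains a threat if the segments really are isolated, and an indirect route (medical devices to a clinical segment to a management segment to HR) defeats the intent just as much as a direct one. The following audit is an added example, not code from the original post or from any vendor it mentions: it takes a constructed device inventory and a constructed table of allowed segment-to-segment flows, and checks whether two segments that are supposed to be isolated can reach each other through any chain of allowed flows. The segment names, hosts and flow rules are all invented for illustration.

```python
"""Audit a segmentation policy for indirect reachability between isolated segments.

Added example with constructed data; segment names and flows are hypothetical.
"""
from collections import deque

# Constructed inventory: hostname -> network segment.
INVENTORY = {
    "glucose-monitor-01": "med-devices",
    "ultrasound-cart-02": "med-devices",
    "hr-app-srv": "hr",
    "nas-backup-01": "backup",
    "jump-host": "mgmt",
    "ehr-db": "clinical",
}

# Constructed firewall policy: (source segment, destination segment) pairs that are permitted.
# The last entry is a deliberate misconfiguration that the audit should catch.
ALLOWED_FLOWS = {
    ("med-devices", "clinical"),  # devices push readings to the EHR
    ("clinical", "backup"),
    ("hr", "backup"),
    ("mgmt", "med-devices"),
    ("mgmt", "hr"),
    ("mgmt", "clinical"),
    ("clinical", "mgmt"),         # misconfiguration: clinical can reach management
}


def reachable_segments(start, flows):
    """Return every segment reachable from `start` by following allowed flows transitively."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in sorted(flows):
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def find_path(start, target, flows):
    """Breadth-first search for the shortest hop-by-hop path of segments, or None if isolated."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parents[cur]
            return path[::-1]
        for src, dst in sorted(flows):
            if src == cur and dst not in parents:
                parents[dst] = cur
                queue.append(dst)
    return None


def hosts_in(inventory, segment):
    """List the inventoried hosts that sit in a given segment."""
    return sorted(h for h, seg in inventory.items() if seg == segment)


def audit(inventory, flows, isolation_rules):
    """Check each (a, b) isolation rule in both directions.

    Returns a list of (source, destination, path, exposed_hosts) for every violation,
    so the report shows not just that a route exists but which devices it exposes.
    """
    violations = []
    for a, b in isolation_rules:
        for src, dst in ((a, b), (b, a)):
            path = find_path(src, dst, flows)
            if path:
                violations.append((src, dst, path, hosts_in(inventory, dst)))
    return violations


if __name__ == "__main__":
    for src, dst, path, hosts in audit(INVENTORY, ALLOWED_FLOWS, [("med-devices", "hr")]):
        print(f"{src} can reach {dst} via {' -> '.join(path)}; exposed hosts: {hosts}")
```

The point of the transitive check is that no single rule in the constructed policy lets medical devices talk to HR, yet the audit still finds a route through the clinical and management segments. Dropping the stray `("clinical", "mgmt")` flow is enough to make the audit come back clean.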

Similarly, you want to make sure your data backups don’t catch the same bug. Healthcare organizations should store multiple copies of patient and critical business data in redundant, offsite locations with the help of a cloud backup provider that practices as rigorous a data protection regimen as you do.