In this data protection and cybersecurity blog series, Steve Matheson, Product Manager for BridgeHead’s RAPid™ Data Protection solutions, explores some key themes around backup, disaster recovery, and business continuity as they pertain to healthcare, kicking us off with some practical advice on how hospitals can leverage technologies they already have in place to insure themselves in the event of a cyberattack.

I was recently re-reading IBM’s 2023 Cost of Data Breach report and was impressed (once again) at the stellar job the team did in providing context on the impact of cyberattacks. They broke down their research by industry and, as you would expect, I homed in on healthcare. According to the report, the average cost of a data breach in healthcare increased in 2023 to $10.93 million – the most expensive for any industry. Healthcare has a couple of data characteristics that make it a prime target for unscrupulous bad actors. The obvious one is the valuable, detailed personal and ancillary information you would naturally associate with patients. The other is the requirement to make that data available to many, both inside and outside a hospital.

What makes healthcare organizations a high value cyber target?

A typical healthcare patient record application is a treasure trove of data about any one individual. It includes personal information that goes well beyond a credit card or a bank account number. For example, you will find data such as the patient’s date of birth, mother’s maiden name, mobile and home phone number, address, physical and mental health information, and family contact details. If you were looking for a single place to learn about an individual, a patient record is a great place to start.

Providers of healthcare can do their best work on behalf of the patient when they can access the patient’s data, not only from their local electronic health record (EHR) system, but from the EHRs of any other provider from whom the patient has received treatment. While that adds significant benefit to patient care, it increases the points of vulnerability for stealing patient data.

Cyberattack – it’s not ‘if’, it’s ‘when’!

There is a multi-billion-dollar industry completely focused on preventing cyberattacks with a massive array of solutions to choose from. If you are a provider of healthcare today, I’m confident you have one or more of these vendors’ products and/or services deployed at your sites. The problem we see across our healthcare customers, both large and small, is that even with all this advanced technology it is not a matter of ‘if’ your hospital or clinic will be successfully breached, but a question of ‘when’.

If your organization falls foul of a breach, you will need processes and procedures that reduce the impact of that breach. In most cases, servers and storage are shut down. Networks are turned off. Hardware is either replaced or ‘scrubbed’. Then begins the long, arduous process of assessing which backup copy of the data you plan to restore from – clearly, you have to identify one that was created before the cyberattack took hold (especially given that hardware snapshots are often corrupted during the attack). This requires you to think about each application as its own domain. Within that domain you must recover the application footprint as well as the data stores (databases and files) that it depends on.

A common backup methodology is the 3-2-1 data protection rule: 3 copies of data, 2 different media types, and 1 offsite copy of the data. I want to focus on the 2 different media types.

Media matters for disaster recovery

Many hospitals use an on-premise disk-based storage solution for one media type. Cloud is considered by many as its own media type as well as the 1 offsite copy location. It makes sense due to the convenience and economics of Cloud. Two caveats. That same report from IBM highlights that 82% of the data breaches in the report involved data stored in Cloud environments. Further, the capacity of the communication connection to your Cloud location can be a bottleneck when you are attempting to bring back many application domains all at once.

I suggest a modified methodology: 3-3-1. If Cloud is to be considered as its own media type, the use of tape should come into play as a third media option. To utilize tape, you do not need to go back to the ‘old days’ when you had to navigate large tape inventories, stored onsite and offsite, and at great expense. Consider tape as your predictable and likely safest data store. Tape has the most rigorous barrier to date against cyberattack – it provides an air gap between your data and the cyber intrusion. Hospitals that use our RAPid Data Protection solution might remember how easy it is to copy a backup saveset from one media type to another. This easy, inexpensive method could be carried out weekly once you have created your full backups. You simply keep 4 weeks of tape-based copies; then reuse the 1st week’s tape on week 5. This approach provides a predictable recoverable copy of each application should all else fail. Tape isn’t the only air-gapped solution; there is a growing set of storage-like air-gapped appliances. However, tape technology generally is one many hospitals already own or could acquire at a low cost. In my view, tape still has a place in your data protection strategy – sometimes bringing back low-tech, dependable technology makes the most sense.
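An added example (not from the original post or BridgeHead's product): a Python model of the four-tape weekly rotation described above. It shows which tape holds the newest copy written before an intrusion began, and what happens when the intrusion predates every tape on the shelf. The dates are constructed, and treating a copy as clean only if it was written strictly before the intrusion start is an assumption.

```python
from datetime import date, timedelta

TAPES = 4  # the post's rotation: keep 4 weekly copies, reuse tape 1 on week 5


def tape_for_week(week):
    """Tape slot (1..TAPES) that is overwritten in a 1-based week number."""
    return (week - 1) % TAPES + 1


def tapes_on_shelf(first_full, today):
    """Map each tape slot to the date of the weekly copy it currently holds."""
    shelf = {}
    weeks_done = (today - first_full).days // 7 + 1
    for week in range(1, weeks_done + 1):
        # A later week overwrites whatever the same slot held before.
        shelf[tape_for_week(week)] = first_full + timedelta(weeks=week - 1)
    return shelf


def newest_clean_tape(shelf, compromise_start):
    """Return (slot, copy_date) of the newest copy written strictly before
    the intrusion began, or None if every tape postdates it.
    Assumption: a copy made on or after that date is treated as suspect."""
    clean = {slot: d for slot, d in shelf.items() if d < compromise_start}
    if not clean:
        return None
    slot = max(clean, key=clean.get)
    return slot, clean[slot]


if __name__ == "__main__":
    # Constructed scenario: weekly fulls since 7 Jan 2024, breach found 20 Feb.
    today = date(2024, 2, 20)
    shelf = tapes_on_shelf(date(2024, 1, 7), today)
    for label, start in [("short dwell", date(2024, 2, 8)),
                         ("long dwell", date(2024, 1, 20))]:
        hit = newest_clean_tape(shelf, start)
        if hit is None:
            print(f"{label}: no tape predates {start}; "
                  f"oldest copy on shelf is {min(shelf.values())}")
        else:
            slot, copied = hit
            print(f"{label}: restore from tape {slot} ({copied}), "
                  f"{(today - copied).days} days of data to re-enter")
```

The long-dwell case is the one to plan for: with four weekly tapes, an intrusion that began before the oldest copy on the shelf leaves no clean tape, so the retention depth should be weighed against how long an intruder could go undetected.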



Steve Matheson is BridgeHead Software’s Product Manager for its RAPid™ Data Protection solutions.


Steve has previously held leadership roles in high profile organizations focused on data management and data protection, with global experience covering both hardware and software. These include Vice President of Channel Sales for CommVault, Vice President of Sales at Cambridge Computer Systems, and Senior Director of Channel Sales at EMC.

To learn how BridgeHead can help you protect and recover your critical healthcare applications in the event of a cyber-attack…