Here is the third blog in this cybersecurity series where Steve Matheson, Product Manager for BridgeHead’s RAPid™ Data Protection solutions, explores the nature of cyberattacks in healthcare; some of the new, emerging threats, focusing on ‘data manipulation’; and discusses what providers can do to ensure the continued, safe delivery of patient care and hospital operations following a successful cyber event.

The complexity of business and data reconciliation during a designed disaster

Over this past week, the researchers at Proofpoint published an alert as to how cyberattacks succeeded by “integrating credential phishing and cloud account takeover (ATO) techniques”. It is a clear and well-written article that can help you understand and better prepare for the sophisticated methodologies being used by cyber criminals, today. One of the topics it raises, which I’m particularly focused on at the moment, is that cyberattacks are designed downtime events that require data reconciliation and recovery. In healthcare, this is essential to ensure the continuance of clinical and business operations.

If you have followed my recent blog posts, you’ll know that I contend that a cyberattack creates a downtime event that is unique to all others. Let me summarize my three main points…

#1 Cyberattacks are designed to create operational chaos

If you are in the cyberattack business, the more chaos you can create, the better. And if you are targeting a healthcare organization, the greater the negative impact to clinical and business operations, the happier you are. This is true whether the systems are held to ransom or the data is stolen for resale, and sometimes both. For healthcare targets, being unsure whether the data you are looking at is valid certainly creates the intended chaos.

#2 Cyberattacks are complex and often protracted

Cyberattacks are often initiated by one or more purpose-built attack-agents and methods, thus you can have cascading outages that occur asynchronously across many digital systems over an extended timeline. Compare that to other disruptive events, large and small, that create digital system downtime outages, e.g., hurricanes, floods, fire, earthquakes, telecom or computer infrastructure failures. These events tend to have a visible cause creating a very visible effect. And most are single-threaded occurring within a finite timeline.

In the case of cyberattacks, healthcare organizations have to work hard to identify the root cause of a typical purpose-built attack outage. Their effects can be both visible and invisible. For example, you can eventually pinpoint that an application administrator’s account password has been compromised, but it will likely take a much bigger investigation of time and effort to understand that the attackers registered their own multi-factor authentication (MFA) methods to maintain persistent access.

#3 Cyberattacks are increasingly difficult to detect and resolve

As cyber criminals continue to develop more sophisticated cyberattack architectures and methodologies, it becomes increasingly difficult for the target organization to discover and neutralize the cause of the intrusion, and the resulting damage can be hard to predict and, thereby, rectify. Today, we base our responses to a cyberattack upon our assumptions that the motivations for the attack are financial, i.e., getting paid a ransom demand or the money gained from selling stolen data on the ‘illegal market’. But what happens if the motivations evolve from personal gain to malicious intent? And how can we validate whether the data has been manipulated or altered in subtle ways across our digital systems?

If you use these three points as the context for your future designed cyber downtime event, you’ll come to the same conclusion I have… the timeframe for full data reconciliation, remediation, and recovery is likely months.

The importance of data reconciliation after a cyberattack

Healthcare providers have well-understood and documented processes for multiple, daily reconciliations of clinical data. A common example is medication reconciliation. This is a process of comparing a patient’s medication orders to all of the medications that the patient has been taking. The idea is to determine whether there are any anomalies, such as data being lost (omitted) or corrupted (duplications, dosing errors, drug interactions). Medication reconciliation is usually carried out after a patient-related event (a patient context), such as a transition of care where new medications are ordered or existing orders are rewritten.

An analogous process in the IT world is data reconciliation after a significant event, such as a computer hardware failure (an IT context). In this case, a process is conducted to determine whether data is lost or corrupted. If so, then a reconciliation of the specific ‘corrupt’ or ‘lost’ data is carried out followed by a process of data recovery utilizing an appropriate method (e.g., storage snapshots or backups). Ultimately, the aim is to reconcile all data back to a known, good point.

For healthcare providers, successful cyberattacks are, by nature, a significant event in the IT context. However, they are also significant events in the clinical context.

A new cyber threat – data manipulation in healthcare

Data manipulation is a new method of cyberattack. In specific vertical industries, data values can be crucial to the validity of a finding or a conclusion. In healthcare, consider the vast array of data used when consulting with, diagnosing, treating, and/or referring patients. This could range from scans, blood panels, biopsy results, and medication dosages right the way to patient demographic information (e.g., are the right records assigned to the right patients?).

If successful, these types of cyberattacks change data element values following which the cyber criminals make a ransom demand in order to reveal the data that has been manipulated. The challenge here is that these cyberattacks are more subtle and, thereby, much more difficult to identify and rectify.

Imagine this… your healthcare organization has fallen foul to a successful cyberattack. With the aim of reducing the impact of the intrusion and to ensure the continuance of both clinical and business operations, two methodologies need to be employed, where appropriate:

1) Data recovery

This is a well-understood and recognized method that most healthcare organizations will have a plan and/or process for. Following a cyber event, if there is proof that a digital application has been compromised, the best course of action is a complete data recovery of the system to a prior, known good state (a recovery point). Although it can be time and resource consuming, it is a safe and sensible method to get your digital systems back up and running

2) Data reconciliation

This one is more challenging. Of course, a healthcare provider would like the assurance that all of its patient, clinical, financial, and operational data is intact following a cyberattack. But, if there’s no obvious, current proof, how are you to know if a digital system has or hasn’t been compromised? And, assuming it has, it could be your team simply hasn’t yet identified the problem – again, referring back to the ever-increasing sophistication of attacks or, perhaps more concerning, that the compromise event may have been manipulation of your data. So, in this scenario, what is the best course of action?

Navigating a successful data manipulation cyberattack

In my view, a strong approach to addressing a cyberattack that has manipulated your healthcare data is to create a secondary, read-only system of record for your business and clinical information – in effect, a business and clinical reconciliation repository.

The repository can exist outside the healthcare provider’s IT domain, on a separate, secondary network with its own, independent single sign-on (SSO). Your teams would be able to utilize browser-based viewers to provide a read-only view of information to staff, independent of their location.

Data is regularly read and transferred from the production business and clinical digital systems (your primary applications) to the data repository via the more secure mechanisms of healthcare approved application programming interfaces (APIs), such as DICOM, HL7 and FHIR.

Each time data is generated in your primary systems, that data is not immediately added to the read-only repository. Instead, it flows through a series of filters, such as you would find in products that offer a deterministic security analysis environment – ‘AI-ish’ technologies that screen for undetonated ransomware. Essentially, every batch of newly generated data has to pass multiple tests before it can be added to the repository to ensure its integrity. This is critical – after all, you must be able to 100% trust this data if it’s to be put to immediate use following a cyberattack. Each new batch of data that is transferred to the repository creates an additional recovery point, all of which can be retained using lifecycle best practices to optimize your clinical and business downtime processes.

By implementing a business and clinical data reconciliation repository, you are effectively providing a safety checkpoint – what I term ‘practical reconciliation’. End-users, whether clinical or operational staff, are prevented from any modification to the data – it’s held in an immutable environment. Their access is simply to view the data for comparison to the value in the digital system as a human spot check mechanism when something seems very much amiss. Further, if a pattern of data changes are discovered, stealing the line from the New York’s Metropolitan Transportation Authority, “See Something, Say Something.”  There are many staff members in every provider environment that know when data values seem incorrect. Even though the task of monitoring data is enormous, practical data reconciliation is currently the best option available to give you the peace of mind that you can keep your healthcare business running, your clinical staff operational, and, most importantly, your patients safe.

Photograph of Steve Matheson, Product Manager for RAPid Data Protection solutions at BridgeHead Software (mid shot)


Steve Matheson is BridgeHead Software’s Product Manager for its RAPid™ Data Protection solutions.


Steve has previously held leadership roles in high profile organizations focused on data management and data protection, with global experience covering both hardware and software. These include Vice President of Channel Sales for CommVault, Vice President of Sales at Cambridge Computer Systems, and Senior Director of Channel Sales at EMC.

To learn more about the value of implementing a clinical and business data reconciliation solution to ensure the continued, safe delivery of patient care and hospital operations following a successful cyberattack…