The latest security survey confirms what many healthcare executives already know and fear: the healthcare industry has become a top target for ransomware attacks.
“Cyberattacks of the last few years have become more ruthless and sophisticated,” wrote ZDNet recently, with ransomware a primary cause for concern.
Healthcare is especially vulnerable, due in part to the nature of the data that can be held hostage. Estimates vary, but the value of a patient’s medical record far exceeds that of their credit card information. The going rate for a Social Security number is about 10 cents, while credit card numbers fetch about a quarter apiece, according to Mariya Yao, CTO of Metamaven. A single electronic medical record, on the other hand, can be worth hundreds of dollars.
A million breaches and counting
That financial lure means cyberattacks on medical data will continue to rise — and so will costs to the industry, in the form of business disruption, patient safety risks and the impact to a company’s reputation in the marketplace. According to the Protenus Breach Barometer report, well over one million patient records were breached in the first quarter of 2018 alone.
It is now clear that healthcare organizations must operate under the assumption that it’s no longer a matter of if, but when, they will be breached, and that means committing to robust disaster recovery planning. Because whether it’s a hurricane, a phishing campaign or a ransomware attack, an organization’s preparedness can mean the difference, for this industry quite literally, between life and death.
As Forrester recently noted: “In ransomware attacks, having a clean, uninfected version of the backup is the only weapon infrastructure and operations executives and security and risk professionals have to recover their data without paying the attacker.”
The complexity of creating, or more likely updating, such a plan is exacerbated by the explosion of data in healthcare. For providers, it’s every digital device and huge EMR data files, while payers need to be concerned with claims data — more than one billion are filed annually. For life sciences and pharma companies, huge dollars are at risk with confidential clinical trials data. So not only is data extremely valuable, there’s a whole lot of it.
Security in the cloud
Regardless of the type of data you’re trying to protect, best practices are emerging. One gaining traction today is storing data in the cloud. Cloud storage can offer better security primarily because of scale: it’s simply not practical for most individual organizations to maintain the sophisticated tools and expert staff needed to stay ahead of cyberthieves in on-premises data centers. That advantage only covers the layers the provider operates, however. Under the shared responsibility model the customer still owns access control, configuration and key management for what it stores there, and a backup intended to survive ransomware still has to be isolated from the production credentials an attacker would compromise first.
And while it’s easy to say “just move to the cloud,” the almost endless array of public, private and hybrid cloud options means that can be an overwhelming directive to implement.
Questions to ask
To get started, organizations must conduct a thorough assessment of their needs, beginning with some basic questions.
- Planning coordinator: Who will lead this effort and how? Not clearly defining this role can undermine the entire project. While there are many ways to structure the effort, I recommend a project manager-type position, with that person driving development of the plan, but relying on the organization as a whole to develop processes and documentation.
- Recovery targets: It’s also critical to understand what level of disaster recovery capability you’ll need, which is best expressed per system as a recovery time objective (RTO: how long you can be down) and a recovery point objective (RPO: how much data you can afford to lose). “Hot site” solutions offer near-immediate recovery through a fully redundant data center configuration that mirrors your production systems. “Warm site” solutions synchronize your systems and data regularly, giving you recovery in a matter of hours. “Cold site” solutions, on the other hand, store backups at a disaster recovery location for restoration that may take days, which is ideal for non-mission-critical apps or organizations requiring budget-friendly recovery.
- Cloud options: While the lure of simply using public cloud is strong, the truth is many organizations will find a multi-cloud solution makes more sense, for economic and security reasons. Private cloud, for example, may be a better choice for patient data or other highly regulated data, while public cloud may be a better choice for less sensitive and non-mission-critical data.
- Storage: How much storage is necessary? Over time, massive amounts of data can really add up, and data backups get costlier the more you choose to archive, so it’s critical to understand the amount of data you must archive, then make decisions about “nice to have” archives based on your business model and costs. Moving to the cloud is an opportune time to rationalize what is worth archiving and what is not.
- Security and compliance: Are you storing protected health information (PHI)? If so, HIPAA compliance is a must, as the Office for Civil Rights has demonstrated with recent HIPAA settlements that organizations can be held liable for potential violations. According to Health IT Security, “OCR has said that as healthcare technology continues to evolve and organizations implement new tools to improve patient care, there is more potential risk to the privacy and security of individuals’ health information.”
A trusted advisor
If tackling those questions (and the inevitable follow-on decisions from each) sounds overwhelming, you’re not alone. Many organizations, recognizing the speed at which technology options are moving, seek a trusted advisor to guide them through the process.
At Rackspace, we guide customers through this maze of options every day. We’ve built the industry’s broadest portfolio of managed IT services and expertise, along with managed hosting and colocation. Thanks to the breadth of our portfolio and expertise, we have no incentive to push a one-size-fits-all solution. We instead seek the best fit for each customer’s unique needs.
For disaster recovery, that means helping your organization answer the questions above, then tailoring a solution to fit your needs, regulatory requirements and budget.
And because cybersecurity is built into everything we do, we layer in security measures and compliance services as we go, from architecture design to proactive patching to identity and access management. Security, like our fanatical customer service, is part of our DNA.
Free, on-demand webinar
Want to learn more about disaster recovery as part of larger business continuity planning? Join our experts for our free, on-demand webinar, “Minimizing Data Disruptions Through Business Continuity Planning.”
During this webinar, our experts will:
- Define the scope of data continuity, including disaster recovery and mitigation
- Discuss common causes of service interruptions
- Show you how to identify the right data continuity solution for your organization
- Define tiers of disaster recovery, including multi-tenant DR and full-featured solutions
- Share strategies for handling complexity and other DR issues