The COVID 19 pandemic has magnified cyber attacks on healthcare institutions. Huzefa Motiwala, Senior Director, Sales Engineering, Commvault in an interview with Viveka Roychowdhury explains what healthcare institutions should do to protect health data
The COVID-19 pandemic has seen WFH increasing but also hacking into teleconferencing apps like Zoom. Have there been cases of healthcare institutions being victims of data theft hacking during these times? Kindly share details
With patient data being so plentiful and abound across the globe, the threat of malicious activity has never been greater on the healthcare domain. As data volumes continue to grow tremendously, keeping everything under control has become almost impossible for many healthcare institutions, leaving them ill-equipped to recover critical information in a timely manner.
COVID-19 has evidently magnified the ransomware threat on the healthcare sector to manifolds. In fact, Google threat analytics group has also recently reported that healthcare organisations, public healthcare agencies, and the individuals who work there are becoming new targets for cybercriminals as a result of the pandemic.
Cyber attackers are becoming more notorious and are unabashedly targeting governments, healthcare bodies and healthcare professionals alike. World Health Organization (WHO) has recently revealed a fivefold increase in the number of cyberattacks directed at its staff, since the start of the pandemic. In India, Kerala government’s e-health portal faced a similar data theft attempt in the month of April.
Ransomware is no longer just a cyber threat; it has become one of the biggest security nightmares for businesses and economies ever. It comes as no surprise that authorities including, WHO, FBI, Interpol, and United Nations have issued ransomware warnings across the globe, specifically aimed at healthcare institutions.
After a ransomware attack, tensions are high, and the hospital is on the clock to make a decision. Saying it is not the best time to make an optimal decision is a huge understatement. Only by addressing the issue in advance, can healthcare bodies rationally think through both scenarios so they can quickly make the right call during an attack. Ultimately, data is your worst foe but also your best friend. If the healthcare system can ensure that there is a daily data backup stored off-site, it can immensely increase the likelihood of recovering critical patient data without paying.
While other sectors have invested in securing their data, have hospitals kept pace globally and in India? If no, why not?
In 2017, Commvault, in partnership with HIMSS Analytics, conducted a study which revealed that less than half (48 per cent) of surveyed Healthcare IT professionals expressed confidence in their organisation’s overall level of cybersecurity, with only 37 per cent claiming to be using cutting edge technology. Unfortunately, the situation has worsened since then, with data breaches costing the healthcare industry a whopping $4 Billion in 2019 alone.
As we continue the struggle amidst COVID-19, there are three fundamental truths regarding healthcare data – it is growing, it is siloed, and it is under attack. As seen by the recent spike in ransomware attacks targeting healthcare organisations in India and the rest of the world, the security of patient information is at constant risk. Apart from the immediate impact of a data breach (downtime, data restoration, potential ransom payment), healthcare entities are at risk of damaging their operations by losing the confidence of their customers.
While none of the industry has seen significant use-cases of digital technologies and growth like healthcare, their digital readiness is far from ideal. On one hand, innovative technologies such as cloud computing, artificial intelligence and machine learning are dramatically changing the way patient care is delivered, on the other hand, it is also creating a deluge of data – data that has to be accessed in new ways and protected to secure privacy and protect quality.
Unfortunately, health systems’ focus on patient care continues to outpace investments in cutting-edge IT. Combine that with ongoing reliance on legacy IT systems and the high value of patient data on the black market – and the result is a prime target for hackers.
Moreover, multiple forces – including growing mission-critical data volumes, stricter regulatory requirements, high-costing legacy picture archiving and communication systems (PACs), increasing industry consolidation and shrinking IT budgets – are further increasing the complexities, along with a lower downtime tolerance.
Addressing the negative impacts of a disjointed approach to data management ultimately comes down to implementing a unified approach to data management – that delivers the security healthcare organisations require, plus the infrastructure that scales easily and cost-effectively to keep the critical applications and database environments protected.
How are medical institutions more vulnerable to ransomware and cyberattacks?
Healthcare industry has always been a favourite among cybercriminals. Who doesn’t remember the infamous WannaCry ransomware and how it cost UK’s National Health Service (NHS) a massive £92million monetary losses due to downtime? With the global healthcare market standing at a whopping $11.9 Trillion, it is a very lucrative choice for cybercriminals to ignore.
Though it’s only been just a few months since the devastating COVID19 pandemic swept the globe, the virus has inadvertently fuelled the ever-present danger posed by cybercriminals and the increasingly sophisticated tools and methods they employ.
The healthcare sector has been hit particularly hard, where stories are emerging from actual patients and caregivers who had been directly impacted by the attack: fake contact tracing apps, postponed COVID-19 treatments, delayed medication administration, hindered medicine research and so much more.
Clearly the industries that are investing the most, are those that are less negatively affected by COVID-19, such as healthcare. But it’s actually these verticals that are often the least progressed in their digital transformation journey. As the World Health Organization (WHO) is currently experiencing, cyber attackers will forever be one step ahead of threat detection software. In fact, a recent report by Microsoft highlights that cybercriminals are capitalizing on people’s fear to carry out more COVID-19 themed cyber-attacks.
As there is no surefire way to prevent vulnerability to cyberattacks (“it’s not if, but when, you will become a victim”), data backup and management play a critical role in an overall cybersecurity defence strategy. Ultimately, the best insurance plan against ransomware is a centrally managed backup solution that prevents the infection from entering backed up files, ensuring these can be recovered in a crisis. As the healthcare industry continues to fight off cyber criminals while it battles worldwide spread of COVID-19, this is a good lesson for all organisations to get their data protection strategy in place, before the disaster strikes.
What are the consequences of such attacks in medical institutions both from the institution as well as patient point of view?
To get back up and running from a ransomware attack is largely dependent on individual trust and the systems the healthcare organisations have in place. For instance, most hospitals run around 300 to 350 applications but do not have a central platform to manage them. In addition, the hospital’s IT departments control a majority (but very rarely all) of the data management requirements of these applications. The other applications not controlled directly by IT have to be manually checked and backed up randomly. It is, therefore, easy to see how the attack took hold and spread very quickly.
The challenge is that, without the right budgets or resources, very few healthcare entities make back-up or cybersecurity a priority and therefore with disparate systems, they will potentially be struggling to get operational again quickly. Even when the immediate threat of ransomware attack is neutralised, those that have got a single platform, universally consistent backup solution in place will be in the safest place as it will only take them a few hours at most to cleanse their systems managed by IT up and running quickly. For entities with a fragmented data system, it could take them several days, weeks or even months to get back up and running, with a lot of uncentralised data loss for good.
Especially in the light of this sustained threats, data replication alone is no longer sufficient to protect medical images and related patient data. Medical imaging data should be afforded the same level of protection, with a proper backup and recovery solution, which is already applied to the sensitive patient data contained within the electronic health record (EHR). With EHR continuing to remain a favoured target of cybercriminals, a weak defence line could lead to loss of data that is vital to delivering effective patient care, managing billing and budgets, and upholding the public’s confidence in your organisation.
What are the best practices that healthcare institutions can adopt to better manage and protect their data?
For many healthcare organisations, the threat complexity is compounded by the fact that many of their key business applications might be running on older, sometimes unsupported and unmatchable operating systems, which lack the necessary security updates to stop the spread of potential attacks. To overcome this, organisations need a powerful, unified data management and protection platform, such as Commvault, that not only covers core enterprise, private and public cloud environments, but also one that can extend to Endpoint Protection. A platform that can store immutable, real-time copies of all these environments to ensure the system is able to recover data rapidly – should disaster strike.
Building on our experience of working with some of the biggest healthcare entities in India and around the world, such as John Hopkins Medicine, Centre for Sight, and Prime Healthcare to name a few, we’ve developed a list of best practices that organisations should follow to protect and recover from ransomware attacks:
- Develop a programme that covers all of your data needs: You must identify where your critical data is stored, determine your workflows and systems used to handle data, assess data risks, apply security controls, and plan for evolving threats. If it is not protected, it cannot be recovered.
- Use proven data protection technologies: You need solutions that detect and notify of potential attacks, leverage external CERT groups, identify and prevent infection, maintain a ‘GOLD’ image of systems and configurations, maintain a comprehensive backup strategy and provide a means to monitor effectiveness.
- Employ Backup and Data Recovery (DR) processes: Don’t rely solely on snapshots or replica backup. Your backup process data could just as easily be encrypted and corrupted if it is not stored in a secure way where a ransomware attack cannot get to it. If your process or vendors don’t offer ransomware protection that addresses the proper way to store your data, then your backup plan is a major risk!
- Adhere to a unified clinical data archiving: Majority of hospital data comprises of medical imaging that is spread across disparate, legacy PACS applications. By having a unified archiving platform, such as Commvault Clinical Archive in place, healthcare systems can easily search and restore medical imaging data directly from medical imaging software. In fact, Commvault is one of the only few players which ensures that even if the primary system data is infected with ransomware, the archives remain completely secure and readily accessible.
- Educate employees on the dangers of ransomware and how to secure endpoints: Train your staff on all DR and data security best practices to get endpoint data protected within your Information Security Program. Most breaches are from good people making simple mistakes.
- Have a business continuity plan: One of the reasons healthcare systems pay a ransom is the urgent need to get up and running to care for patients. By having a detailed plan for exactly how to handle an attack, as well as how to restore data from a backup, healthcare systems can feel confident in their ability to quickly recover from an attack.
Regardless of whether the ransom is paid or not, ransomware attacks are costly to healthcare systems in terms of data loss, system downtime, and time spent in recovering data. In addition, there is the potential cost of losing the patient’s trust after the news of an attack becomes public.
Evaluating the current ransomware threat readiness and applying these key steps will ensure that healthcare institutions are in the best position possible– not having to pay the ransom in the first place.