Updating Ransomware Protections – A Three-Part Prescription

By Candida Valois, field CTO, Scality
Twitter: @scality
Twitter: @CandidaValois

The Biden administration’s national cybersecurity strategy underscores the imperative for healthcare organizations to make bold changes and significant improvements in health data protection. A study by the Journal of the American Medical Association (JAMA) found that from 2016 to 2021, the number of cyberattacks on healthcare organizations more than doubled. This exposed the sensitive health data of over 42 million patients.

Not only do cyberattacks cost healthcare organizations significant money and time, but they can also result in disruptions to patient care. JAMA found that 44.4% of ransomware attacks on the organizations in the study group disrupted the delivery of healthcare – including electronic system downtime (41.7%), appointment cancellations (10.2%) and the need to divert ambulances (4.3%). Just over 8% of these attacks led to operations disruptions lasting over two weeks. The recently updated Health Industry Cybersecurity Practices (HICP) framework says it plainly: cybersecurity is patient safety.

Data backup alone is insufficient protection from ransomware, since backup repositories were targeted in 94% of attacks, according to the Veeam 2022 Ransomware Trends study. In 72% of these cases, cybercriminals were at least somewhat successful. What’s worse is that only about 20% of healthcare organizations were able to restore data from backups.

Building a better backup strategy

When it comes to protecting healthcare data, organizations need more than cyber resiliency. To develop a stronger, better-protected backup system, teams must update their backup strategies to attain ultra-resiliency, which means having immutable, air-gapped or offline copies of data, to truly secure mission-critical data. In the event of a ransomware attack and the need to restore data, it’s critical to have a copy of backup data that satisfies at least one of these requirements, if not more.

The importance of immutability

Immutability is the linchpin of data recovery. With immutable storage, once data has been stored, it cannot be deleted, modified, overwritten or encrypted for a time period specified by the administrator. This shields data from criminal or careless human behavior in addition to ransomware attacks. Nowadays, it’s widely regarded as essential for fighting ransomware.
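The retention behavior described above can be made concrete with a small in-memory model. This is an added example, not code from the article or from any storage product; `ImmutableStore`, `RetentionError`, `simulate_tampering` and the sample backup key are hypothetical names, and the 30-day retention period is a constructed value.

```python
from datetime import datetime, timedelta, timezone

class RetentionError(PermissionError):
    """Operation refused because the object is still under retention."""

class ImmutableStore:
    """Hypothetical write-once store (illustrative model, not a vendor API)."""
    def __init__(self, retention):
        self.retention = retention   # period set by the administrator
        self._objects = {}           # key -> (data, retain_until)

    def _is_locked(self, key, now):
        return key in self._objects and now < self._objects[key][1]

    def put(self, key, data, now):
        if self._is_locked(key, now):   # overwrite or encrypt-in-place refused
            raise RetentionError(f"{key} is locked")
        self._objects[key] = (data, now + self.retention)

    def delete(self, key, now):
        if self._is_locked(key, now):
            raise RetentionError(f"{key} is locked")
        self._objects.pop(key, None)

    def set_retain_until(self, key, new_until):
        data, current = self._objects[key]
        if new_until < current:         # may be extended, never shortened
            raise RetentionError("retention cannot be shortened")
        self._objects[key] = (data, new_until)

def simulate_tampering():
    """Constructed scenario: one backup, then tampering attempts on day 3."""
    key, t0 = "backup/ehr-full.bak", datetime(2023, 1, 1, tzinfo=timezone.utc)
    day3, day31 = t0 + timedelta(days=3), t0 + timedelta(days=31)
    store = ImmutableStore(retention=timedelta(days=30))
    store.put(key, b"clean backup", t0)
    attempts = {"overwrite": lambda: store.put(key, b"ENCRYPTED", day3),
                "delete": lambda: store.delete(key, day3),
                "shorten": lambda: store.set_retain_until(key, t0)}
    blocked = []
    for name, op in attempts.items():
        try:
            op()
        except RetentionError:
            blocked.append(name)
    intact = store._objects[key][0] == b"clean backup"
    store.delete(key, day31)            # retention expired: deletion allowed
    return blocked, intact, key not in store._objects
```

The refused "shorten" attempt is the case that matters when administrator credentials are compromised: in this model the retention date can only move later, so the backup outlives the intrusion.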

Immutability has become table stakes to the degree that a single system component can no longer be responsible for immutability – the entire stack must be immutable. That includes the backup management application, the underlying storage system, and the related components such as servers and networks.

Object Storage

Immutability support is now a feature of many storage technologies. Due to its simple access protocols, object storage offers immutability in a way that block and file storage cannot. Block storage has no concept of what a file is, or which blocks are in which specific files, so it cannot apply immutability to a specific file. While commercial network attached storage (NAS) and file storage systems apply snapshots as an answer to immutability, snapshots are inherently point-in-time, read-only views of the underlying file system; protecting against ransomware requires so many snapshots as to be impractical.

Object storage also is API-driven, which means that ransomware scripts can search for and automatically encrypt files the way they could on a Windows Server. However, to be able to find the data, an attacker would need to know the individual APIs for that particular object storage solution, which is extremely unlikely.

Although ransomware is the main topic of discussion when it comes to the need for data immutability, using immutable object storage can also shield data from accidental or deliberate deletions and overwrites.

Air Gapping and Offline Copies

It’s also wise to complement immutability with updated approaches to air gapping that establish a separate security domain between sites, covering both the admin user interface and the replication data traffic itself. Many providers consider the use of physically disconnected storage to be air gapping, but most have shifted to a more multi-layered approach. Some organizations establish remote replication to two or more data centers in a rotating “tick tock” manner. One site remains air-gapped while the other receives newer data, then vice versa.

In practice, immutable object storage can achieve 99% of the benefits of these physically air-gapped approaches without the inconvenience, and with the additional advantage of faster restores.

Protecting healthcare data

Ransomware is an ongoing, harsh reality in healthcare that is becoming both more commonplace and more sophisticated – with backup in its crosshairs. The challenge of protecting against ransomware is compounded by demands that IT teams do more with less. They are tasked with making sure that more data is stored securely and remains accessible, often with fewer resources.

Given that the complexity of applications and the value of data are both increasing due to digital transformation, IT teams need to build a better backup strategy. Incorporating immutability is key to ensuring a highly resilient backup system that keeps data safe.