Why Healthcare Organizations Must Rethink Data Protection

Bad actors show no signs of slowing their efforts to access sensitive health information, emphasizing the need for healthcare organizations to have a data protection strategy capable of safeguarding against new and emerging cyber threats.

Ransomware, in particular, has emerged as the preferred method for hackers. Recent research points to a disturbing trend in the form of increased ransomware attacks over the past month.

And bad actors are seizing upon the current public health crisis as an opportunity to target healthcare organizations whose focus has been directed on keeping their businesses in operation and serving the health needs of their patients.

In late June, the University of California’s School of Medicine revealed the organization was a victim of a ransomware attack that ultimately led to paying hackers $1.14 million in exchange for a tool to unlock encrypted data stolen from their servers. On the other coast, Rhode Island-based Care New England (CNE) was forced to bring in outside IT security firm to recover from a cyberattack that hit its servers earlier in the month and led to its EHR system and website going offline.

 “Nefarious people like to do their work in the most difficult times when people's focus is in other places,” says Josh Gluck, Vice President of Global Healthcare Technology Strategy at Pure Storage.

“With healthcare organizations focused on supporting increased capacity and a remote workforce at an unanticipated speed and scale, their defensive posture is reduced,” he adds. “This situation has created a perfect environment for bad actors to do their work.”

To protect mission-critical systems and sensitive data, healthcare organizations must think long and hard about their current data protection strategy, especially as it pertains to business continuity and disaster recovery.

According to Gluck, numerous organizations are taking the necessary steps to back up their digital environments only to discover that their restoration capabilities are time- and labor-intensive. Much of these delays come down to the platforms data protection programs are running on. But by moving to a modern data platform that supports an organization’s data protection partner, they can reduce restoration activities to hours or minutes.

“Data protection plays a significant role in day-to-day operations,” he maintains. “And there is a huge advantage to being able to stay with a data protection partner but run that technology on infrastructure that superchargers an organization’s ability to exceed its restoration targets and get back to business as quickly as possible,” he observes.

With healthcare organizations focused on response, reopening, or recovery efforts, it is now time for IT and security leaders to key in on three components to protect their systems and data from unauthorized access.

First is identity management.

“It's highly complex to get an identity management program into place, but it is highly beneficial, especially in times like this,” Gluck advises. “Knowing who the people are in your organization, what roles they have to do, and what data they need to access to fulfill those requirements becomes extremely important to weeding out what is good versus what is suspect.”

Second is multifactor authentication, which tends to be more straightforward with one exception. "It can become complex when legacy systems may or may not support it, but there are ways to implement that as well.”

Lastly, the third component healthcare organizations must consider is data life cycle management.

“Having the right data in the right place and knowing where it is can also help an organization understand when data is maybe moving out of a system that it shouldn't move out of or it's living in a system that it shouldn't live in,” Gluck explains. “This is especially important when staff aren't in the office and a system that shouldn't contain protected health information is sitting under somebody's desk.”

With the healthcare industry moving quickly to adapt to the changing circumstances, organizations must remain vigilant about health data security and privacy. By choosing strategic partners that can provide the most current data protection capabilities, these organizations can reduce the burden of cybersecurity and keep their focus on supporting providers and patients.