- Healthcare organizations are still hesitant to migrate to cloud-based HIT infrastructure systems because of security concerns stemming from storing PHI in an off-premises location.
The recent WannaCry ransomware attack reiterates that fear, which makes it important for entities to understand what cloud service providers can offer in the face of malware and DoS attacks.
Trying to consume cloud services in a way that does not break the existing model for network security is one of the biggest security obstacles healthcare organizations face when it comes to cloud, according to Webair CTO Sagi Brody.
“Healthcare organizations shouldn’t have to compromise on network security or standards in order to consume cloud services,” said Brody. “It shouldn’t be an exception to the rule.”
“Cloud providers should provide their services in a way that conforms to whatever existing security regulations are in place,” he continued. “A successful deployment means that the organization’s CSO and the IT department have a lot less work to do. They consume a service that is wrapped around what they’ve already built, rather than have to change what they’re doing.”
Once entities understand what they require from a cloud service provider, they need to consider data security and how they are going to utilize cloud services to provide better data security.
Brody finds that many healthcare organizations focus on proactive security solutions that do not provide an answer when an organization is under attack from ransomware or any other type of malware.
Healthcare cybersecurity and managed service providers are generally focused on monitoring the environment to look for potential hacking attempts. Many do not offer reactionary services, which can devastate a hospital where patients are depending on their clinician to use their IT infrastructure tools.
“When organizations are hit with the ransomware their data is unavailable, but more importantly their systems are down, their applications are down,” said Brody. “They cannot function. Having off-site backup will help organizations recover their data long term, but they need to have a reactionary capacity in place as well.”
“If and when they do get hit with ransomware, cryptolocker, or malware, they can hit a button and experience no service interruption, and be back up and running in minutes.”
READ MORE: Top 10 Cloud Data Storage Companies
Many cloud service providers only prevent cyber-attacks, Brody explained. This one-dimensional approach leaves originations extremely vulnerable when a hacker does get past the defenses. The data needs to be protected and it has to be done as quickly and seamlessly as possible.
“In order for an organization to be fully protected they need to have a preventative and reactionary security solution in place,” Brody stated. “They need to have a proactive monitoring solution to prevent hacks and break ins, but they also need to have pre-planned, pre-configured, pre-tested reactionary capability to bring the organization back up and running instantly.”
Organizations need a recovery solution that allows them to hit a button on their interface to prevent further damage from a cyber-attack. Entities also need to bring applications back online seamlessly so clinicians and patients are never interrupted during an attack.
“A lot of organizations thinking about protection for ransomware and disasters are only thinking about copying data off-site and replicating data,” he continued. “The replication is the easiest part. The thing to really consider is that when the button is hit to cut over, the applications need to be consumable to the end users in the same way the production infrastructure was."
“When they’re logging into the EHR, it needs to look and feel exactly how it did before IT needed to hit the button to cut over.”
Organizations must test the solution frequently, ensuring that it will work properly during a real cyber-attack, to successfully deploy a recovery solution for data and applications. Testing each application’s recoverability is a large task, which is why Brody suggested organizations seek a solution that allows IT to hand off testing responsibilities to the app users.
“Healthcare IT departments have to manage 30 to 40 departments including radiology PACS, and MRI systems among others,” said Brody. “They aren’t exactly the best source to tell if things are working properly at the recovery site because they’re not the ones who use the apps and tools every day.”
“By providing a capability for the application owner to be responsible for testing the reactionary solution once a month, or once a quarter to be sure that it’s working properly, the IT department can focus on all of the other things they need to do,”he added
Entities that do not test their recovery solutions consistently can be faced with a system that does not work correctly and may leave organizations worse off than the initial attack.
“Ransomware recovery testing and disaster recovery testing need to be done often so organizations have the confidence to hit the button,” Brody advised. “If organizations do not have a recovery strategy that works, they may be in a position where paying a $10,000 ransom is an easier solution than pressing the button and not really knowing what’s going to happen.”
Healthcare organizations also have HIPAA rules and regulations to adhere to, which separates them from other major industries. Brody also noted an aspect of HIPAA that many organizations often overlook.
“Many organizations like to focus on the security aspect of HIPAA and making sure data doesn’t get stolen” explained Brody. “However, there are two other components concerning HIPAA to consider. There needs be data integrity, meaning when a user goes to look up data from six months ago it’s there, and the data has to be available. Systems being down and offline, and data being inaccessible is just as big of a HIPAA violation as a data breach.”
“Organizations are allocating budgets for HIPAA compliance to deal with the security aspects of it. Those are the same budgets that should be allocated to ensure that data is available when needed.”
Many organizations don’t compensate for data and application recovery when building a data backup plan, which can get them facing HIPAA violations.
“A lot of organizations try to adopt a phased approach” said Brody. “This is particularly difficult for healthcare because overall, the industry isn’t in a great position security-wise. Some organizations only have their data within their organization and nowhere else. They at least need to copy their data off to somewhere else so if there’s some kind of disaster or attack, at least the data exist somewhere else.”
“Many organizations stop their backup and recovery process at phase one, just copying the data,” he continued. “It’s not just about copying data somewhere else, it’s about applications running from recovery sites in a way that is seamless to the user and there is no loss of service.”
It is possible to manually configure and recover data copied to another location after an attack. However, the way networks and hospitals are physically interconnected and physically tied in with third-party service providers and firewall systems makes reconstructing and integrating the affected infrastructure very difficult.
After an organization is attacked, the cloud takes days or weeks to get back up and running if copied data is the only backup and disaster solution in place. Copying data helps in the event of a disaster, such as a fire or an earthquake, but it isn’t very effective against ransomware.
Each health IT infrastructure is unique and Brody suggested that organizations look to cloud service providers that can provide a custom cloud environment to meet unique infrastructure needs.
Every organization has disparate and legacy IT systems making up their infrastructure. Organizations need to be sure that the cloud is scalable and will connect to third party EHRs and other IT systems, to guarantee they will be recovered during an attack.
“The interoperability demand and the interconnecting of different services, coupled with the merging of systems creates an interesting storm,” explained Brody. “There’s also a lot of legacy solutions involved that organizations don’t want to turn off that provide roadblocks preventing them from using different types of systems.”
Brody added that healthcare organizations should consider cloud backup and recovery from an ownership and accountability perspective. Organizations need to ask themselves if they have the resources to manage recovery on their own, or if it is something they want provided and managed with a contract and a business associate agreement.
If an IT staff member makes a mistake, he or she can be fired but the organization still doesn’t have the data.
If the data is outsourced to a service provider, then it’s backed by a contract and maintained by a managed service provider with all the protection tools needed. Service providers are able to shoulder the data recovery burden.
“Using a cloud managed service takes responsibility off of IT teams that are already stretched thin," said Brody. “Organizations get someone on the hook not only for copying data, but also to do things IT departments simply don’t have the time to do, such as testing data integrity monthly and testing that the disaster recovery actually works. Organizations are presented with a report telling them that their backup and recovery solution work and can be trusted in an attack.”
Organizations can achieve a lot of fringe benefits by using a cloud service provider, Brody pointed out. Healthcare organizations tend to have patchworked IT infrastructures and a cloud service provider is likely willing to provide customized setups unique to each entity.
Service providers need to be flexible and be able to work with old and tired infrastructure systems, making them recoverable in the event of a malware attack.
Healthcare organizations are facing the reality of a potential malware attack. Simply defending against the attack isn’t enough.
While many entities are still hesitant about cloud security, there are many benefits available for recovering data using cloud backup and disaster.