HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Reducing the Impact of Healthcare-Focused WannaCry-Style Ransomware Attacks

by Sean Masters, Worldwide Programs Manager, Services & Support, Zerto

Made notorious by its impact on the UK’s National Health Service (NHS) several weeks ago, the WannaCry ransomware attack spread to more than 150 countries, producing tens of thousands of infections and causing worldwide data havoc. WannaCry spread as a worm, exploiting an SMBv1 vulnerability for which Microsoft had released a patch (MS17-010) two months before the outbreak; the systems it took down were those that had not yet applied it.

Although WannaCry itself spread indiscriminately to any reachable unpatched host, healthcare organizations like the NHS are often prime ransomware targets, because the attackers know that healthcare data is among the most critical of data types, and they take advantage of that fact in the most vicious way possible. According to a 2016 Ponemon Institute report, 79 percent of healthcare organizations say they were hit with two or more data breaches in the past two years.

This number is especially striking when you consider that attacks on hospital data literally put lives at stake. Yet, as the damage caused by WannaCry shows, many healthcare organizations are not prepared to respond to and recover from a disaster when it strikes. In today’s data-reliant environment, if your recovery times are measured in days or even hours, the damage can be catastrophic from both a corporate asset and a patient care perspective.


And, sorry to say, ransomware is not going anywhere. Attackers will only get more sophisticated, which means more frequent and more severe attacks. As a result, organizations are increasingly concerned about the cost of defending against them, and many are even stockpiling funds to pay ransoms and keep incidents quiet. Paying is a poor bet: WannaCry’s payment mechanism had no reliable way to tie a payment to a particular victim, so paying gave no assurance that files would ever be decrypted.

On top of this, healthcare regulation keeps changing and the shifting compliance requirements are hard to keep up with. The HIPAA Security Rule’s contingency plan standard already requires a data backup plan and a disaster recovery plan, and expects those procedures to be tested and revised; healthcare organizations must therefore be able to recover data after an outage, like one resulting from a ransomware attack, and show that they have tested their disaster recovery plan.

If a health provider can do this successfully and efficiently, it removes the need to pay the ransom when ransomware strikes. A solid disaster recovery plan lets them roll the infrastructure back to a point just before the attack. Two caveats matter in practice: the recovery point must predate the infection itself, not merely its discovery, since files may have been encrypted for some time before a ransom note is noticed; and the backup or replica copies must not themselves have been reachable by the malware, which otherwise replicates the damage rather than undoing it.
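The two caveats above can be turned into a concrete check before a rollback is triggered. The following is an added example written for this article, not Zerto’s or HIPAA Journal’s code. It assumes a hypothetical RecoveryPoint structure holding a sample of files from each point in time (a real replication journal or backup catalog would be queried instead), uses constructed file contents, and flags a point as contaminated when it contains WannaCry’s artifacts (the .WNCRY extension or the @Please_Read_Me@.txt ransom note) or text documents whose byte distribution looks like ciphertext. It then walks back from the estimated infection time until it finds a point that is both old enough and clean.

```python
"""Select the newest recovery point that predates a ransomware infection and
check that it shows no signs of encryption before restoring from it.

Added example, not Zerto's or HIPAA Journal's code.  The RecoveryPoint
structure and the sample file contents are constructed for illustration;
a real replication journal or backup catalog would be queried instead."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Artifacts WannaCry leaves on an encrypted host: renamed files and a ransom note.
RANSOM_EXTENSIONS = (".wncry", ".wncryt", ".wcry")
RANSOM_NOTE_NAMES = ("@please_read_me@.txt",)
# Plaintext document types whose byte distribution should be far from random.
TEXT_SUFFIXES = (".txt", ".csv", ".hl7", ".xml")
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext approaches 8.0


@dataclass
class RecoveryPoint:
    taken_at: datetime
    files: Dict[str, bytes]   # path -> content sampled from the point (hypothetical)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data scores close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(point: RecoveryPoint) -> bool:
    """True if the point carries ransomware artifacts or ciphertext-like text files."""
    for path, content in point.files.items():
        name = path.lower().rsplit("/", 1)[-1]
        if name.endswith(RANSOM_EXTENSIONS) or name in RANSOM_NOTE_NAMES:
            return True
        if name.endswith(TEXT_SUFFIXES) and len(content) >= 256 \
                and shannon_entropy(content) > ENTROPY_THRESHOLD:
            return True
    return False


def choose_recovery_point(points: List[RecoveryPoint], infection_time: datetime,
                          margin: timedelta = timedelta(minutes=15)) -> Optional[RecoveryPoint]:
    """Newest point taken at least `margin` before the estimated infection time
    that also passes the encryption check; None if no such point exists.

    The margin covers uncertainty in the estimate: the first ransom note is
    usually noticed well after the malware began encrypting."""
    ordered = sorted(points, key=lambda p: p.taken_at, reverse=True)
    for point in ordered:
        if point.taken_at > infection_time - margin:
            continue                      # too close to, or after, the infection
        if looks_encrypted(point):
            continue                      # estimate was late; keep walking back
        return point
    return None


# --- constructed sample: hourly points on the day of the outbreak ---
PLAINTEXT = b"MSH|^~\\&|LAB|HOSPITAL|EHR|HOSPITAL|201705120800||ORU^R01|1|P|2.3\r" * 8
CIPHERTEXT = bytes(range(256)) * 8        # stand-in for encrypted content (entropy 8.0)
DAY = datetime(2017, 5, 12)

SAMPLE_POINTS = [
    RecoveryPoint(DAY.replace(hour=8), {"lab/results.hl7": PLAINTEXT}),
    RecoveryPoint(DAY.replace(hour=9), {"lab/results.hl7": PLAINTEXT}),
    # 10:00 already shows encryption: the infection began before anyone noticed.
    RecoveryPoint(DAY.replace(hour=10), {"lab/results.hl7.WNCRY": CIPHERTEXT,
                                         "lab/@Please_Read_Me@.txt": b"Ooops..."}),
    RecoveryPoint(DAY.replace(hour=11), {"lab/results.hl7.WNCRY": CIPHERTEXT}),
]
FIRST_NOTE_SEEN = DAY.replace(hour=10, minute=20)   # when staff reported the ransom note


if __name__ == "__main__":
    chosen = choose_recovery_point(SAMPLE_POINTS, FIRST_NOTE_SEEN)
    print("restore from:", chosen.taken_at if chosen else "no clean point")
```

In the constructed timeline the 10:00 point falls inside the safety margin of the 10:20 report and is skipped; the 09:00 point is old enough but only gets chosen because its sampled files pass the encryption check. The entropy test is a heuristic: compressed or already-encrypted formats (archives, images, TLS captures) also score near 8 bits per byte, which is why it is only applied to document types that should be plaintext.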

As if looming attacks and audits weren’t enough, on the front-end side patients have become more demanding and engaged – they expect to view their data online or through a mobile app – which further exposes IT to external threats. Add to this the self-inflicted outages every organization suffers, such as a new staff member accidentally shutting down a server or a misconfigured application. Routine patching and upgrades are another troubling source of interruptions: patches are sometimes of poor quality and often arrive faster than an environment can be adequately tested. The lesson of WannaCry is not to defer patches, since it was the unpatched SMBv1 hosts that fell, but to be able to test and, if necessary, roll back an update without disrupting production.

While IT is a crucial healthcare asset, it also creates a stronger dependency on data to keep operations running normally. With this ever-increasing dependence on data, healthcare IT organizations must put strategies in place to keep downtime as close to zero as possible. One way to achieve this is a cloud-based approach that dramatically simplifies disaster recovery and makes non-disruptive testing possible at any time.

A hybrid cloud infrastructure in particular, as part of a disaster recovery strategy, introduces efficiencies not otherwise available, allowing healthcare IT organizations to meet tighter recovery time and recovery point objectives and maximize uptime in the event of an attack or disaster. The lower cost and the breadth of services available in the cloud also make it easier to run tests, a crucial part of a sound disaster recovery plan.

Testing the Disaster Recovery Plan Frequently

Non-disruptive disaster recovery testing is key here. You need to be practiced when an outage hits, and if you rehearse only once a year you may not be as ready as you thought when the time comes. Frequent testing is very important; once a quarter is ideal. The point of testing is to confirm that every part of the disaster recovery plan works end to end, including the recovery time and recovery point targets the plan promises.

It doesn’t matter what’s on paper: testing against realistic scenarios surfaces issues that were overlooked. Until tests are run on a consistent basis there is no way to know whether the plan will work, especially with today’s increasingly complex systems.

The Impact of Downtime

When most organizations hear the word downtime, the first concern is the financial impact on the business. According to figures released by healthsystemCIO.com, almost 40 percent of global healthcare organizations experienced a costly unplanned outage in 2016. At an average cost of $432,000 per incident and at least three incidents per year, downtime costs quickly run into the millions of dollars. But in healthcare it’s about so much more: we must also account for the potential harm to the quality of patient care. That is harder to quantify in dollars, but it is certainly the highest-priority factor to consider.

Thwarting Cybercriminals

When it comes to cybercrime, Plan A is to keep attackers and other malicious actors out. Securing the network and educating employees on the risks is essential to this plan. But an attacker only needs to be right once, while the corporate IT department has to be right every time. IT therefore also needs a Plan B. What happens if attackers do get in, as they did with WannaCry? What is the recovery plan?

Every healthcare organization should be asking itself these questions if it hasn’t already. Ransomware will not always be avoidable, but downtime from it is. The only way to achieve zero downtime (or very close to it) is, first, to accept that preventive security measures alone are not enough; then to put in place a disaster recovery strategy, with cloud-based tools where they fit, that makes both testing and recovery simple and automated; and from there, to test, test, test and test again.

Follow these steps and the next time a global cybercrime crisis hits you will not only be glad you did, you will be moving your organization forward while others struggle to recover data and avoid downtime.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.