This hospital/healthcare problem where patient records are being held for ransom (ransomware!) and hospitals are paying criminals to return their data is embarrassing.
Read that again: Hospitals are paying criminals!
How is this happening?
Where are the people in charge?
If I asked a hospital CEO to tell me if their data was backed up, they’d say “yes!”
But that’s not the answer we need.
When we ask a CEO “Is your hospital’s data backed up?” what we need to hear is:
“Yes, our patient data is stored in-house on 8 HIPAA-compliant servers. Those 8 servers are replicated every 30 minutes to 8 other servers in the cloud.
We test this replication every 60 days by bringing 2 of the 8 in-house servers offline and bringing online the same 2 servers in the cloud. During our last test we were 100% running on the cloud servers in 13 minutes.
And our data backup, ah yes. The in-house full backup runs at midnight. Additionally, incremental backups are saved 4 times/day. The backup storage cannot be overwritten, so malware cannot delete/encrypt it.
Full restoration of our entire data store takes about 4 hours.
Likewise, we backup offsite once per day. That backup is encrypted and inaccessible to malware. We use this offsite backup as a worst-case recovery (i.e. if the building burned down etc.).
When it comes to protecting patient data, I’m never content. So, twice a year, I “move” about 10GB of data from one folder to another private folder (that only I have access to). I then call IT and tell them I’ve lost data and need it restored. I time the recovery, and once it is completed I have IT run a file comparison to prove that the data they restored is identical to the data I “deleted.” In every case, the restoration has been 100% successful within 10 minutes of my phone call.
As an aside, we spend a good chunk of our time developing methods to avoid malware and data loss. While our backups are solid, we’d prefer proactive avoidance as opposed to reactive restoration.”
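The “file comparison” step of the restore drill described above is the part most organizations skip. Below is an added example (not from the original post or any named vendor) of how that comparison can be done: it hashes every file in the original and restored trees and reports what is missing, extra or changed, so a restore that silently truncated or dropped a file fails the drill instead of being waved through. The directory names and sample records are constructed for the demo.

```python
"""Restore-drill verifier: prove a restored tree is byte-identical to the original."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large records do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 (paths normalised to '/')."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_restore(original: Path, restored: Path) -> dict[str, list[str]]:
    """Return files missing from, extra in, or changed by the restore. All empty == pass."""
    src, dst = manifest(original), manifest(restored)
    return {
        "missing": sorted(set(src) - set(dst)),
        "extra": sorted(set(dst) - set(src)),
        "changed": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
    }


def restore_drill_passes(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed sample: a restore that truncated one record and never wrote another."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, rest = Path(tmp, "original"), Path(tmp, "restored")
        for root in (orig, rest):
            (root / "records").mkdir(parents=True)
            (root / "records" / "patient_0001.txt").write_bytes(b"constructed record A\n")
            (root / "records" / "patient_0002.txt").write_bytes(b"constructed record B\n")
        (rest / "records" / "patient_0002.txt").write_bytes(b"constructed record")  # truncated
        (orig / "records" / "patient_0003.txt").write_bytes(b"constructed record C\n")  # not restored
        return compare_restore(orig, rest)


if __name__ == "__main__":
    result = demo()
    print(result, "PASS" if restore_drill_passes(result) else "FAIL")
```

Saving the original manifest to the immutable backup location before the drill lets the comparison run even when the “lost” folder is no longer readable.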
If you’re the CEO of a healthcare organization and you can’t give an answer similar to that, you owe it to your patients to explain why not.
Businesses must be proactive in protecting their networks from evolving ransomware threats. Healthcare organizations we trust with our most confidential records, doubly so.
Efficient, tested backup strategies that encompass multiple levels of redundancy are the cornerstone of any business continuity plan.
If you would like help implementing security, backup and business continuity strategies for your organization, please call us: 603-458-7190 or email email@example.com.