There are two basic forms of ransomware. One type prevents users from logging into the system, and the other encrypts the data; some attacks involve both kinds of malware.
McMillan says the crypto-ware version is the more dangerous of the two. “If a hospital is attacked by malware that locks the system up, it can survive that if it has good recovery procedures and an alternate site that IT people can use to reconstitute the environment. But once your data is encrypted and you no longer have access to your data, and if you don’t have the ability to recover quickly and reconstitute and provide your data from a backup, it’s very complicated to recover from that.”
Data backups are the key to surviving ransomware attacks. But some hospitals and physician practices don’t back up their data at all. This lack of security awareness puzzles McMillan. “It’s possible that security is still not seen as a critical business function” in those organizations, he suggests.
Even if a hospital or a physician group does back up its data, it might do so only on a nightly basis. So, if a ransomware attack occurs and the organization uses its data backup to continue operations, the database will be missing everything that has been entered into the system since the previous evening, notes Gibson. That’s much better than nothing, but it will still send clinicians scrambling.
Many hospitals do near-real-time backups of data on mirrored servers. In case one server goes down, the other can take up the slack. “But if you have near real time backups, those backups will be vulnerable to attacks, because they’re online and available [to malware] on the network,” Gibson points out.
McMillan agrees that this poses a challenge. “You want to make sure you have good access controls and good separation between those two systems so that if malware breaks out in the first system, you can sever the connection between that and the backup very quickly,” he says.
Both experts concur that adding a second backup system could help organizations recover in case of a ransomware attack. Gibson suggests using a backup system that is offline most of the time and backs up the main system “every so often.” He’d also segment the redundant server to allow security controls to ferret out “malicious activities that can affect the backup.”
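The trade-offs the two experts describe (a nightly backup loses the day's work, an online mirror replicates the encryption, severing the link quickly limits the damage, an offline copy survives) can be made concrete with a toy model. The following Python is an added illustration, not code from the article or from either expert; the record names, the write-burst detector and its threshold are assumptions chosen for the example.

```python
from copy import deepcopy

class Hospital:
    """Constructed model: live records, an online mirror, offline snapshots."""
    def __init__(self, sever_threshold):
        self.live = {}
        self.mirror = {}                  # near-real-time mirror, on the network
        self.snapshots = []               # offline copies, unreachable by malware
        self.mirror_connected = True
        self.sever_threshold = sever_threshold  # rewrites per window before cut-off
        self.window_writes = 0

    def write(self, rid, content):
        self.live[rid] = content
        self.window_writes += 1
        # crude burst detector: a mass rewrite is what crypto-ransomware looks like
        if self.window_writes > self.sever_threshold:
            self.mirror_connected = False   # "sever the connection very quickly"
        if self.mirror_connected:
            self.mirror[rid] = content      # every write reaches the online mirror

    def take_offline_snapshot(self):
        self.snapshots.append(deepcopy(self.live))

def clean_records(store):
    return {k: v for k, v in store.items() if not v.startswith("ENCRYPTED")}

def scenario(sever_threshold):
    """Nightly snapshot, a little daytime work, then every record is encrypted."""
    h = Hospital(sever_threshold)
    for i in range(5):
        h.write(f"patient{i}", f"chart v1 of patient{i}")
    h.take_offline_snapshot()                      # the nightly backup
    h.window_writes = 0                            # new monitoring window
    h.write("patient5", "chart v1 of patient5")    # entered after the backup
    h.write("patient0", "chart v2 of patient0")    # updated after the backup
    h.window_writes = 0
    before_attack = deepcopy(h.live)
    for rid in list(h.live):                       # simulated encryption of every record
        h.write(rid, "ENCRYPTED")
    nightly = h.snapshots[-1]
    return {
        "live_clean": len(clean_records(h.live)),
        "mirror_clean": len(clean_records(h.mirror)),
        "mirror_severed": not h.mirror_connected,
        "nightly_clean": len(clean_records(nightly)),
        "lost_since_backup": sum(1 for r, v in before_attack.items() if nightly.get(r) != v),
    }
```

With `scenario(5)` the mirror is cut off after five rewrites and keeps one readable record, while `scenario(10_000)` (no effective trigger) leaves the mirror fully encrypted; in both runs the offline snapshot stays readable but lacks the two changes made after it was taken.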
McMillan observes, “Cloud backup can be advantageous, because often, cloud vendors will back up data in multiple locations. And as soon as you know that something has been infected, you can sever that and make sure not all your backups are infected at the same time. Also, cloud vendors have good malware detectors and filters, so even if it doesn’t get caught in your environment, they may catch it before it infects the backup.”