Disaster Recovery as a Service (DRaaS) solutions are rapidly gaining acceptance in healthcare, and for good reason. In Evolve IP’s 2016 Disaster Recovery and Business Continuity Survey while 89% of healthcare firms indicate that disaster recovery compliance is a requirement, only 53% of healthcare respondents feel very prepared for a disaster through DRaaS or internal services. There are other concerning statistics from healthcare as well. For example, 33% of firms are still using backup tapes. 47% are using a mirror site, but many of these are within 50 miles of the primary site (not a DRaaS best practice), and 49% feel that their disaster recovery program is underfunded. These statistics contrast greatly with the urgency you might expect given the everyday news stories and real-life examples (see two recent examples below) of how cyberattacks are impacting the healthcare industry.
By now, there’s no longer an education gap regarding the reality of these threats or the existence of DRaaS and related service models. Especially since 33% of companies surveyed reported having a disaster event within the last year. However there is still a major gap — whether it’s a lack of executive buy-in, budget challenges, or simply IT inertia – that leaves the healthcare industry as a whole poorly prepared to defend itself.
Among the confusing issues for many, is the notion that a “disaster” is some type of rare but violent event. In fact, in our experience providing DRaaS services to the healthcare industry and others, the most common disaster scenarios (and the most damaging from a business perspective) stem from common every day events. For example, a server reaches the end of its 3-to-5-year lifecycle at an inopportune moment. In this situation, and without DRaaS, the business can be disabled until the hardware can be repaired or data is recovered from backups. Another possibility is that a cybercriminal executes a phishing attack on your employees. The attack fools an employee into clicking on a bad link that appears to be legitimate. Then, before you know it, personal user data is breached and exposed.
This is exactly what happened in a recent cyberattack that impacted the Washington University School of Medicine. Over 80,000 patient records were breached as a result of a phishing attack. Separate from ransomware attacks, but part of a related methodology, phishing attacks can be the source of a data breach or might be a precursor to a ransomware attack. Once criminal has caused an employee to click on the “bad” email, any number of attacks can be deployed. For example, passwords can be stolen through a keylogging program that may get installed behind the scenes on the user’s computer. Then every time they log into their account and enter their real password credentials, the criminal is watching remotely and recording the characters that the user is typing in. This can ultimately lead to a deeper infiltration when the criminal starts using the stolen password information to gain network and/or application access. Data can be slowly stolen over time or a more aggressive and disruptive ransomware attack can be executed.
Get the facts on ransomware with our Ransomware is Dead Webinar:
Ransomware is a simpler, and increasingly common form of attack because of its more immediate negative impact (for more details see our 10-minute guide to ransomware protection). The compromised email account is used as an open window through which the attacker simply delivers a virus that encrypts file folders or servers so that they can’t be used. If there’s a DRaaS solution in place, the threat can be averted in a matter of hours. If not, the attackers can hold the IT assets for ransom until their financial demands are met. A very recent example of this in healthcare is when Urology Austin was hit with a ransomware attack.
What we tell people is to focus on “recoverability” as the key thought. No matter what happens, or what type of new attack is created, businesses with IT systems that support and contain patient data, systems, and processes need to be recoverable. The questions are very simple. If servers were unavailable and due to an attack, what would you do? Will you be recovered in an hour? In four hours? A day? A week? Or longer? With the severity of attacks that we’ve seen, longer time frames are very realistic possibilities. That’s why business continuity plans should include DRaaS or a robust internal disaster recovery component to protect critical computing tasks and communication capabilities. Putting these protections in place and practicing them many times before an incident occurs can make a significant difference in the outcome for your business.