In Case of Emergency …
By Juliann Schaeffer
For The Record
Vol. 29 No. 10 P. 22
If the NotPetya virus taught health care organizations anything, it was that having a backup plan in place should be a top priority.
Health care organizations across the country watched as the NotPetya virus crippled Nuance customers this summer, creating havoc within many HIM departments. Whether hospitals and health systems dealt with this latest virus firsthand or monitored others who did via media reports, experts say all should take this as the most recent reason to reassess cybersecurity practices.
While no measure can eliminate the possibility of a cyberattack, a solid backup plan can ensure organizations are ready to deal with a worst-case scenario such as when health care documentation is completely unavailable. In today's climate, being proactive to address such cyberthreats is an absolute imperative.
A Growing Threat
According to Jay Vance, CMT, CHP, AHDI-F, president-elect of the Association for Healthcare Documentation Integrity (AHDI) and an at-large member of AHDI's National Leadership Board, cyberthreats are becoming more capable while cybersecurity practices lag.
"The means of gaining unauthorized access to all connected systems (internet/intranet), including those devoted to health care documentation, have proliferated exponentially and are much more easily obtainable now than ever before," he says. "You no longer even have to be a hacker to successfully hack systems; all the tools are readily available on the so-called Dark Web, if you know where to look.
"Unfortunately, cybersecurity across a broad spectrum of industries has not kept pace with the threat proliferation," Vance adds. "Health care systems are no exception, as recent attacks against several large health care-related organizations have proven. So the greatest challenge is finding the dollars to devote to cybersecurity when there is a myriad of other demands on health care funding."
Kelly McLendon, RHIA, CHPS, managing director of CompliancePro Solutions, agrees that cybersecurity isn't always an easy budget item to accommodate. But looking at cost alone is short-sighted—and could cost organizations exponentially more in the long run.
"Many organizations simply have not taken security seriously enough and allocated the correct budgetary amounts," he says. "It is a significant hit to budgets to implement better than adequate security controls, but the downside is potentially many times worse."
The more cyberattacks that see success, the more likely others will follow suit. "The more the cyberattacks are successful, the more payout the bad guys get. For this reason, there is a great deal of time and resources put into the development and the complexity of the newer threats," says Guy Baroan, president of Baroan Technologies, which provides support and guidance to medical facilities on backup plans, disaster recovery needs, and business continuity. "As they get stopped, a new one comes out that has a workaround. There are now even services that exist that can set up cyberthreats for someone for a monthly fee if they were willing to take the risk."
Organizations must realize that cyberthreats are multifactorial and can emanate from unassuming places. "We generally expect hackers to be pounding away at keyboards, trying to crack passwords or looking for weaknesses in firewalls. Realistically, the workforce is a much weaker link," says Kristin Jones, JD, attorney and chief privacy officer at Stradley Ronon Stevens & Young LLP. "It's also difficult to force busy practitioners to participate in security awareness training, particularly at a time when administrative obligations are so burdensome for providers.
"Vendors also expose providers to risk," she adds. "Vendors may operate on lean margins and may not dedicate valuable resources to a strong cybersecurity program. Health care organizations have similar issues and may not have the resources to audit their vendors' security practices. As a result, even if health care organizations have strong security practices, vendors may create a backdoor opportunity for hackers to access health information."
Being Proactive: A Cybersecurity Imperative
For health care organizations unsure of where to start in preparing for untold cybersecurity threats, Vance says the most important message is to start preparing now. "Waiting until an attack actually happens virtually guarantees serious disruptions to operations, communications, and potential loss of patient information or loss of access to patient information," he says. "Reacting to an attack after the fact should not even be an option for health care providers. Depending on the nature of the malware used in such an attack, there is no assurance that all systems can ever be restored completely."
McLendon agrees. "Hardening, segmenting, and having as many monitors as can be managed are all proactive steps that need to be instituted to the highest levels possible given any particular organization," he says. "Organizations should keep technology updated and patch against evolving threats. Preparation may not stop an attack, but it can limit the damage."
A solid backup plan is an important piece of preparing for cybersecurity threats. "Backups have to be discrete and clean so as not to be contaminated and to remain useable—and encryption is important too," McLendon says. "An organization might still get attacked, as vulnerabilities will always be present. But if the damage can be limited, it helps control the overall effects."
While it's not easy or inexpensive, Vance says health care-related organizations must be proactive in identifying every known potential threat and hardening systems against those threats. "One reason this is going to be difficult to do, and why it isn't already the norm in the health care industry, is because it costs a lot of money to identify and counteract all the weapons in the hacker's arsenal," he says.
The Makings of a Sound Backup Plan
What components constitute a solid backup plan? According to Vance, a backup plan should include alternative options for every mission-critical system that might be impacted by a successful attack. In light of recent events, he says a sound backup plan should be based on worst-case scenarios.
"Conducting a thorough inventory of all hardware and software that comprise a company's data network is an absolute necessity," says Vance on what he hopes organizations learned from the cyberattack that hit Nuance. "Many types of malware exploit unpatched, obsolete operating system software running on aging hardware.
"There should also be a worst-case scenario backup plan in place, not only to ensure continued access to patient information and ability to process that information but also to provide uninterrupted communication," he continues. "If an organization's telephone and/or e-mail systems are connected to the same network used by patient information systems, a disruption in the network means a disruption in communication as well as in the ability to process and access patient data. Additionally, the backup plan should include personnel-related guidelines that anticipate as many potential disruptive scenarios as possible. This would hopefully eliminate a great deal of confusion in case of an attack."
Baroan says there are different levels of backups with different options for frequency. But the first thing organizations should consider, no matter what type of backup plan they're putting together, is the recovery time objective (RTO) and the recovery point objective (RPO).
"RTO is the time it takes an organization to recover from a disaster if they needed to. RPO is the time since the last backup that the data exist," he explains. "For example, if the backup takes place at 11 PM daily, you come to the office the next day, start work, and at 4 PM the system crashes. The last backup is from 11 PM the previous night. How is that information from the time you started to the time the system crashed reentered? Is it easy to gather and reenter?"
Every hospital or health care organization has a different RTO and RPO. The real question management needs to ask is: How much time can the system be down before it really hurts us? Is the answer two, four, or 24 hours—or never?
"Once this is understood, review what is in place now and the RTO and RPO it offers," Baroan says. "Many times we find that the business RTO and RPO objective is not in line with what is in place. This must be understood and adjusted to meet a business's needs."
According to Brian Wells, director of health care strategy for Merlin International, these two measures—along with the criticality score for all applications—guide the development of a backup plan that can encompass restoring systems from the last good backup for some applications to maintaining a real-time duplicate of all critical systems running in a geographically disparate data center.
"Hospitals tend to have very complex IT environments with a mixture of interconnected applications that are often locally and remotely hosted," he says. "Therefore, a system outage can take many forms. It can be some or all of the hospital's data/voice network. It can be a major (EMR) or minor (cafeteria point of sale) application. It can be the entire data center. The development of a solid backup plan requires determining the criticality of each application and piece of the overall IT infrastructure."
Bryce Austin, CISM, owner of TCE Strategy, an advisory services business specializing in cybersecurity strategy, and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives, says a solid backup plan has the following components:
• Completeness: Critical data must be identified in order to back them up, Austin says, adding that finding all of them can be more difficult than it sounds.
• An air-gap: Because ransomware has been developed that seeks out backup files and deletes them before encrypting production data, Austin says backups that are kept offline cannot be hacked. "They cannot be deleted maliciously. Air-gapped backups are often considered old-school, but they are critical in providing a get-out-of-jail-free card against current ransomware threats," he says.
• A known age: Some situations call for backups that are less than an hour old. Others can be done once per month and serve all business needs. "If an RPO has not been established for your data, you don't know the ramifications of having to restore from a backup," Austin says.
• A test: Lastly, Austin says backups are useful only if they can be restored. "I have run into numerous occasions where good backups were useless in a real emergency because they did not contain all required data. They were much older than they should have been or they were never configured correctly in the first place," he explains. "The only way to know for certain is to test your backups to verify that they can be successfully restored. In addition, backups can take more than a full day to restore, and your systems remain offline during the restore process. Knowing the time required to perform a restore is an important piece of the backup puzzle."
Wells echoes the importance of testing. "A key component of a backup plan is conducting regular testing to ensure backup systems are working and IT and operational staff know what steps to follow to switch from primary systems to backup systems," he says. "This testing must include the steps to switch back to the primary from the backup when the cause of the outage has been repaired. All outages should be followed by a root cause analysis and a review of the people, processes, and technologies involved in managing the outage."
While testing is crucial, it's not easy, a reason many organizations may be tempted to skip the process. Don't, cautions Avani Desai, CISSP, CISA, CIA, CSA, CCSK, CIPP, principal and executive vice president of Schellman & Company, an independent security and privacy compliance assessor.
"The most important step is to make sure that backups are tested frequently because you need to be able to fully restore any loss of data," Desai says. "Organizations may do tabletop exercises, but all these are useless if the backup process does not work completely, accurately, and on time. Therefore, a full backup and recovery test needs to be done regularly.
"You won't see companies do this because pulling tapes from off site and testing them isn't as easy as a mock tabletop. It is time consuming and takes an effort to get everyone to stop what they are doing and focus on what could happen instead of what actually did happen today."
Working with a disaster recovery center may also offer extra protection. "Disaster recovery centers, combined with redundant internet and infrastructure links, are the no. 1 thing medical providers can use to maintain resilient operations," says Ron Winward, a security evangelist at Radware. "When properly designed, these centers can be fully operational and redundant and back online in subsecond intervals. However, it is no easy task.
"Disaster recovery sites are just as vulnerable to breaches as primary sites, and they should all have the same level of security protections in place," Winward advises. "Make sure that you're protecting them with the same tools you would a primary site. Schedule times for regular fail-over tests just like you would do with the electrical generators for the hospital. It's critical to know that the network will work when you need it to."
Christopher Merrill, MBA, VP of sales for VoiceWare, a disaster recovery vendor, says looking for solutions that don't use https can reduce vulnerabilities by requiring alternative non-https pathways that can operate as "hot" standbys and be used in parallel.
"Virtually all cybersecurity threats depend on exploiting weaknesses inherent to standard operating system and network standards," he says. "Weaning the organization from its https dependency removes information assets from hackers' playgrounds."
Prepare Now and Save Later
With numerous malware attacks on record, Vance says there should be ample information available regarding what potential threats are lurking as well as examples of what should and should not be done to ameliorate these dangers. Prepare sufficiently now and you may save time and money many times over in the long run.
"Running what-if scenarios using existing backup plans in light of known attack vectors may be time consuming and costly, but these factors pale in comparison to the potential time and resources consumed by a successful network penetration," Vance says.
— Juliann Schaeffer is a freelance writer and editor based in Alburtis, Pennsylvania.