Avoiding Healthcare Data Loss in the Age of Ransomware

Implement robust data protection plans in order to enable a reduction in operations interruptions and data loss

According to a recent U.S. Government interagency report, How to Protect Your Networks from Ransomware, since early 2016 there have been, on average, 4,000 ransomware attacks per day – a dramatic increase over the 1,000 attacks per day reported in 2015. With the rapid rise of ransomware attacks across industries, including healthcare, it’s not surprising that the Health Insurance Portability and Accountability Act (HIPAA) regulations now require ransomware attacks be reported, given the impact they have on the organizations and clients they serve.

So far this year, numerous healthcare organizations including Hollywood Presbyterian Medical Center in Los Angeles, Kansas Heart Hospital in Wichita, Kansas and Methodist Hospital in Henderson, Kentucky have all experienced ransomware attacks. Losing data – whether temporarily or permanently – constitutes an unacceptable risk to healthcare organizations and interferes with patient care, employee collaboration and record accessibility.

For healthcare organizations that are already saddled with increasing demands for better, faster, more affordable care and the implementation of the latest technologies while still maintaining strict privacy and security standards, adding an additional compliance checkbox can seem overwhelming. This is particularly so for those that are taking advantage of SaaS apps like G Suite, Office 365 and Salesforce to increase agility, connectivity and accessibility. And yet, maintaining compliance and implementing processes designed to ensure the safety of protected health information (PHI) while minimizing security risks is critical to the survival of every healthcare organization.

Using SaaS Services with e-PHI

The US Department of Health and Human Services mandates that covered entities – defined as health care providers, health plans or healthcare clearinghouses – and their business associates – including selected cloud service providers (CSPs), like Google or Microsoft, or SaaS application providers such as Salesforce – must comply with HIPAA. Covered entities and their CSP / SaaS vendor are required to sign a Business Associate Agreement (BAA) if they plan to manage e-PHI in the cloud.

For any healthcare organization using G Suite, Office 365 or Salesforce, they must first learn how each of these providers individually manages e-PHI and helps the organization fulfill HIPAA requirements. For instance, some cloud providers restrict organizations to a subset of their application services so that e-PHI can be properly safeguarded, and IT administrators must configure their cloud and SaaS environments accordingly.

Next, healthcare organizations need to recognize that these applications don’t guarantee full restoration of lost data if an issue occurs on the user’s end. It could be a costly assumption that all cloud-based data is automatically backed up and can easily be restored to its original state. In reality, it’s often the responsibility of an organization’s IT department to fill in the data protection gaps by implementing a backup and recovery solution themselves. Here are a few notable gaps in the native data protection provided by cloud providers where SaaS providers will not recover lost data:

  • Deletions: Whether accidental and caused by human error or intentional and caused by a malicious insider, once a request to delete has been received and acted upon, the data is gone per the customer’s directive (and the application’s customer agreement and privacy policy).
  • Hacking: Similar to insider threats, data removed or held for ransom by hackers can be unrecoverable if there is no restorable backup in place.
  • Sync errors: Once a SaaS app is integrated with other applications, there is always a chance data will be lost due to a failed sync. This common error is not always recoverable by SaaS providers.

Ensuring Proper Data Protection and Compliance with SaaS Services

The permanent, unplanned loss of data can be disastrous for any organization, but is especially harmful for healthcare organizations. Along with the impact on patient care, employee collaboration and effectiveness, and record accessibility, it can also have serious implications on an organization’s ability to maintain compliance and ensure proper data protection, especially of PHI.

In addition to a strong cloud strategy, healthcare organizations should have a HIPAA-compliant backup solution in order to fill those gaps and protect against data loss. Here’s what to look for when considering SaaS data protection solutions for backup and recovery:

  • Cloud-to-cloud SaaS model – Choosing to backup data from the cloud into the cloud enables healthcare organizations to reduce the cost and IT maintenance requirements of traditional backup. As a result, IT staff can do more with less, while ensuring a secure copy of their SaaS data is easy to retrieve for recovery.
  • Automated and on-demand backups – In addition to manual on-demand backups whenever required, having an automated solution provides further confidence that critical patient data is being backed up.
  • Fast and accurate recovery and restoration – Recent research shows that the loss of access to data can cost more than $2 million per year to organizations even when the CSP meets their uptime Service Level Agreements (SLA). Quick and accurate data recovery will not only ensure significant cost savings, but also continuity of service to patients and the organization.
  • Solution provider stability – The protections afforded by a robust, HIPAA-compliant SaaS data protection solution are only as good as the provider’s business and operational stability. Trusted names and established companies are more likely to be there for the IT healthcare team today and into the future.

Healthcare organizations remain under pressure to provide better, faster, more affordable care, while also maintaining strict privacy and security standards. Those that have turned to cloud and SaaS technology to increase agility, collaboration and continuity of care in service of these goals must not only understand the risks and responsibilities associated with managing e-PHI in SaaS applications, but also take a proactive approach to safeguard against data loss. By implementing robust data protection plans that enable rapid recovery from data loss, these healthcare organizations will see a reduction in operations interruptions and data loss while also ensuring continuity of care.

About the Author

Jeff Erramouspe is the vice president and general manager of Spanning by Dell EMC. Jeff leads the Spanning team not just in the ways you’d expect – such as developing strategy, budgeting, and recruiting – but also by enabling great people to do their best work. This means setting goals that inspire excellence while eliminating obstacles to success.

Prior to being appointed CEO and president, Jeff was Spanning’s chief revenue officer. Before that, he was the president of Manticore Technology, which he led through three successive years of revenue growth in the highly competitive marketing automation market. He was the founding CEO of Deepfile Corporation (became StoredIQ and sold to IBM in 2012), was VP of Market Development at Digby, and served as Vignette Corporation’s first VP of marketing. He started his career with NCR Corporation and also held senior management positions at Compaq Computer Corporation. Away from work, he is a connoisseur of New Orleans jazz and loves cooking with his wife – it’s the perfect blend of planning, creativity, and gadgetry for a technology entrepreneur and CEO.

About The Author