Without a Net… Business Continuity in a Ransomware World
By Stephen Trout, HIPAA Blog, Resources, Security

“Why wouldn’t they want a safety net?” I asked myself one day while watching “Free Solo,” a fascinating documentary about a free climber who operates “without a net.”

It seemed a fair question, especially since more than a few of these climbers have fallen to their deaths. Called “extreme sports enthusiasts,” these climbers have a modus operandi of “no ropes required” – or should I say, “no ropes desired.”

Maybe, as some studies suggest, these extreme athletes’ brains are wired to look for a kind of “high” (no pun intended) that safer sports don’t offer; or they do it to belong, to have an identity in a kind of elite social club; or simply because “the mountain was there.” 

Whatever the reason, not having a backup plan, they’ll tell you, has its merits. Curiously, this idea dovetails with another study I read (on career goals) that concluded:  

“… by making a backup plan, you are effectively constructing an emotional safety net, which may dampen your goal desire… past research suggests that those unpleasant emotions, painful as they are, are important for driving people to work toward their goals.”

In other words, the study suggests, remove the fear of potential failure and “something to catch you if you fall” and you won’t be as driven to succeed.

Interestingly, the study provided one caveat for groups and businesses:  “one option is to outsource your backup plan” to others, so you don’t have to think about it and be distracted.

Apart from being motivated by fear, the distraction part made perfect sense to me. It’s a factor we often mention, for the benefit of our healthcare providers and their patients.

If we can help free them to stay focused on their patients – by handling their business continuity plan for them – then they can pursue their passion in a more “unfettered” way.

Considering – as one report notes – that the average recovery time from a cyber attack is 21 days, a strong backup plan can save the day – literally. 


Downtime Disaster

Think about that: could your business withstand 21 days of downtime – or even 14? No business transactions, no ability to pay your employees – many of whom are living from paycheck to paycheck? 

And what if you’re a healthcare provider? You’d need to maintain all those business operations and continue to treat your patients. Except now, you can’t access their records. 

Actually, with the HIPAA Security Rule, there isn’t an option. Having backups of your critical data so you’re not “falling off a cliff” (so to speak) is a mandate. Replicating an exact copy of your data to a geographically distinct location is required to maintain high data availability. 

And with ransomware attacks now happening every 11 seconds, shouldn’t it be a priority to have a resilient plan for business continuity? 

Likely, you would outsource this need to a proven HIPAA MSSP (managed security service provider) as part of your compliant hosting plan. But what should you look for? 

Consistent with these ten essentials of HIPAA compliant hosting, you’ll want a backup plan that provides: 

1. Off-Site, Encrypted Backups of your Data

As mentioned, automatic, off-site backups should be kept in a separate geographic location – at least 50 miles away. This prevents a single catastrophic disaster (earthquake, fire, storm) from destroying both your servers and your backup data, preserving the integrity and availability of critical data.

As in your primary data center, these backups must also be encrypted – both in transit and in storage. This is a “standard of care” for protecting health data.

Encryption converts your data into ciphertext that remains unreadable until it is decrypted with the proper key. The National Institute of Standards and Technology (NIST) recommends the Advanced Encryption Standard (AES) with 128, 192, or 256-bit keys, OpenPGP, and S/MIME.

2. State of the Art Data Center Security

It’s one thing to insist on a backup data center; it’s another to have one that meets ISO 27001 certification – an internationally accepted and independently verified security standard composed of 114 controls.

These controls include information security policies, asset management, cryptography, and physical and environmental security.

That’s why we’ve chosen Google’s world-class data centers. Importantly for healthcare, your data is systematically replicated multiple times across active servers and distributed geographically, meaning your data remains available on a secondary system should one system fail. Service continuity is therefore ensured by a highly redundant system.

3. Appropriate Technical Safeguards for Access

HIPAA-compliant backups must also be governed by technical controls that authenticate user access.

This includes a system for issuing user IDs and passwords that are unique to each user, as well as procedures for login and logout, encryption and decryption, and emergency access.

Once a determination is made regarding the appropriate access to backups and permissions for your team, admins will set these unique user IDs. The use of two-factor authentication will also be key to protecting sign-ons and access to backups. 

We’ve seen how often this simple step gets overlooked; for instance, one study by Microsoft revealed that 78% of Microsoft 365 administrators had not activated multi-factor authentication as protection for their accounts.

When an administrator has control over an organization’s entire environment (as more than a third of Microsoft 365 admins do), an unprotected account can spell big trouble.

4. Systems Monitored 24/7 to Ensure Consistent Reliability and Uptime  

A HIPAA compliant host will maintain the high availability and integrity of data by proactively monitoring the health of each server, including those used for backups.

Monitoring includes assessing the status of the hardware, operating system (OS), and the applications running on top of the OS. 

Systems administrators and network engineers rely on alerts triggered by predefined conditions, such as high CPU load or disk usage, so they can act before a problem takes a system down and keep everything available and running smoothly.

We should also point out that a healthy fear (or proactive awareness) of threats like phishing attacks is perfectly appropriate. This should be a strong motivator for adequate staff training – a kind of self-monitoring – so that you’re not unwittingly letting the bad guys into your system. 
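The four essentials above can be turned into a concrete checklist that a backup plan either passes or fails. The following is an added example, not HIPAA Vault's code: it evaluates a plan description (the dictionary layout, the site coordinates and the user names are assumptions) against the 50-mile separation, AES encryption in transit and at rest, ISO 27001, unique IDs plus MFA, and monitoring thresholds for CPU and disk.

```python
import math

MIN_DISTANCE_MILES = 50          # "at least 50 miles away" from the primary site
AES_KEY_SIZES = {128, 192, 256}  # AES key sizes the post cites from NIST
EARTH_RADIUS_MILES = 3958.8

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def check_plan(plan):
    """Return a list of findings; an empty list means all four essentials are met."""
    findings = []
    # 1. Off-site, encrypted backups: distance, encryption in transit and at rest
    d = haversine_miles(*plan["primary_site"], *plan["backup_site"])
    if d < MIN_DISTANCE_MILES:
        findings.append(f"backup site only {d:.0f} miles from primary")
    enc = plan["backup_encryption"]
    if not enc.get("in_transit"):
        findings.append("backups not encrypted in transit")
    if enc.get("at_rest_cipher") != "AES" or enc.get("key_bits") not in AES_KEY_SIZES:
        findings.append("backups at rest not protected with AES-128/192/256")
    # 2. Certified backup data center
    if "ISO 27001" not in plan["backup_dc_certifications"]:
        findings.append("backup data center lacks ISO 27001 certification")
    # 3. Technical safeguards: unique IDs and MFA for everyone who can reach backups
    ids = [u["id"] for u in plan["backup_users"]]
    if len(ids) != len(set(ids)):
        findings.append("shared user IDs on backup system")
    findings += [f"MFA not enabled for {u['id']}" for u in plan["backup_users"] if not u.get("mfa")]
    # 4. Monitoring must cover the backup servers and alert on CPU and disk usage
    mon = plan["monitoring"]
    if not mon.get("covers_backup_servers"):
        findings.append("backup servers not included in monitoring")
    findings += [f"no alert threshold for {m}" for m in ("cpu_pct", "disk_pct") if m not in mon.get("alert_thresholds", {})]
    return findings

# Constructed sample plan: primary in Philadelphia, backup in Pittsburgh (about 257 miles apart)
SAMPLE_PLAN = {
    "primary_site": (39.95, -75.17), "backup_site": (40.44, -79.99),
    "backup_encryption": {"in_transit": True, "at_rest_cipher": "AES", "key_bits": 256},
    "backup_dc_certifications": ["ISO 27001"],
    "backup_users": [{"id": "alice", "mfa": True}, {"id": "bob", "mfa": False}],  # bob is the gap
    "monitoring": {"alert_thresholds": {"cpu_pct": 90, "disk_pct": 85}, "covers_backup_servers": True},
}

if __name__ == "__main__":
    print(check_plan(SAMPLE_PLAN))  # → ['MFA not enabled for bob']
```

The sample plan passes everything except the one administrator without MFA, which is exactly the gap the Microsoft figure above describes.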

You Have Business Continuity Options

More than just saying “system backups are required,” we want to take the next 3 weeks to look at some actual solutions you can leverage to keep your uptime and business going strong. 

We’ll examine 3 business continuity options we make available to our valued hosting clients: load balancers, Kubernetes, and snapshots. 

These excellent solutions all have one thing in common: you’ll alleviate a large measure of your data breach concerns – in the face of a looming ransomware attack – by letting us handle your business continuity plan for you. 

After all, why be distracted by the fear of falling? 

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.