The Importance of Cyber Recovery for Healthcare


As the Veritas team prepares for HIMSS 2024, to join health IT experts, leaders, innovators, and thought leaders March 11-15, 2024, it is a good time to reflect on the unique cybersecurity difficulties that face the healthcare industry. It is no surprise that hospitals and health organizations have been increasingly targeted by bad actors.  Their methods have included everything from ransomware blocking access to hospital systems and forcing them to go back to paper-only records to stealing Personal Identifiable Information (PII) to sell on the dark web.

The healthcare industry is experiencing higher than-average risk. In a recent Data Risk Management study, 76% of respondents experienced a successful ransomware attack in which an attacker gained access to the system. Additionally, 65% have experienced data loss from actions other than ransomware.

Thoughts on the Aftermath of a Breach on a Healthcare Provider

I make it a point to check in with customers who had a breach after their data recovery operations are over to learn from their experience and understand how we might develop new, better functionality. When I consider the last few healthcare providers I've spoken to, I've noticed a consistent theme: the need to understand the inventory of systems that will need to be recovered and the unique map showing exactly what kind of sensitive data is stored where. While the teams were truly equipped with the right policies, the reality was that they all needed help with keeping up with the reality of how data spreads across the enterprise in emails, file shares, phones, tablets, and recordings on Zoom or Teams.

Even after the primary recovery operations were completed successfully, the organizations needed help implementing the lessons learned from the attack to ensure they would be better prepared next time. It wasn't that they didn't have tools, but they ensured that they were using the tooling to the best of their ability while changing processes and re-training humans to keep sensitive data in the right places. Ultimately, the answer is automation, ensuring operations teams can see policy violations and access dark or under-permissioned data. This leads to the risk that the wrong people will have access to our most sensitive records. As policy violations are detected, actions can be taken to encrypt, archive, delete, or correctly permission. This kind of data posture management goes deeper than just classifying the data.

This isn't just a preventative suggestion. Data resilience is becoming a regulatory requirement worldwide. Last year, the Securities and Exchange Commission adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose material information regarding their cybersecurity risk management, strategy, and governance annually. Also adopted were laws requiring disclosure within four days, at least one cyber expert on boards of directors, and regular risk assessments and recovery plans, to name a few.  

In addition to the EU Cyber Security Act, the Digital Operational Resilience Act (DORA—EU regulation 2022/2554) released its first set of final draft technical standards. Financial entities and critical third-party technology service providers must implement these technical standards in their information and communication technology (ICT) systems by January 17, 2025. While DORA focuses on the operational resilience of the financial system as a whole, it is easy to see how rules for the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents could expand into other regulated industries, like healthcare.

Last year, HIPPA (US Health Insurance Portability and Accountability Act) added encryption requirements and security guidance to the access controls and transmission security. While HIPAA data at rest encryption requirements are specific to any ePHI (electronic Protected Health Information) maintained on particular devices, "it is a good idea to apply the HIPAA data at rest encryption requirements to as much data as possible to prevent hackers getting into a network at its weakest point and navigating laterally through the network."

For good measure, many countries have adopted new laws mandating that organizations have a Chief Information Security Officer (CISO). For example, in September 2023, the Australian federal government introduced new rules, making the appointment of CISOs at its largest agencies mandatory.

How Veritas Can Help Heal Your Data Management

So, what does this mean for your healthcare organization? If you want solid cyber recovery, step one is knowing where your data is, what it is, and having a plan for orchestrating across technology, data, and teams. Identify ways your organization can prevent security threats, reduce regulatory risk, and optimize storage through our Dark Data Assessment.

At Veritas, we have developed the Veritas 360 Defense, which combines core capabilities from the Veritas portfolio with pre-integrated solutions from our ecosystem of cybersecurity partners. Veritas 360 Defense can help harden your security posture, reduce the impact of single- and double-extortion ransomware attacks, and ensure recovery with the speed and confidence necessary to boost resilience. 

Learn more about combining your data security, protection, and governance for complete cyber resiliency with Veritas 360 Defense. And if you will be at HIMSS this week, be sure to stop by booth #1634 for live presentations and demos or book a meeting in advance.

Tim Burlowski
Global Lead Cyber Resilience and Data Protection Strategy