Federal warning in October prompted Rush Memorial to rethink protection of backups.
While no one was entirely ready for the hellish year that was 2020, few healthcare IT leaders have been at it longer than Jim Boyer, MBA, CIO and executive vice president of Rush Memorial Hospital in Rushville, Indiana, who assumed his position in 2002.
"For many years we've been working off of our security audits and just trying to be innovators of how do we take a small hospital and tighten security," Boyer says. "It's the same challenge as with any hospital."
But that challenge keeps mutating and growing. Back in October, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the U.S. Department of Health and Human Services released a joint advisory warning hospitals and health systems about an "increased and imminent cybercrime threat."
At a time when COVID-19 has overloaded hospitals and made downtime inconceivable, the October warning is forcing CIOs such as Boyer to rethink traditional IT designs.
Toward that end, Rush Memorial now has replaced its traditional on-premises backup technology with cloud-based backup technology that locks down its data backups separately from the rest of its network.
"Our whole strategy was to be able to be air gapped, so that we would have immutable backups," says Dan Matney, Rush Memorial's director of information services. To do so, it moved online backups to a cloud-based service known as Clumio. "It was the only vendor we knew that we would rely on to be able to give us that," Matney says.
Air Gapping Makes Backup Files Unavailable to Intruders
"Air gapping" is the practice of taking a snapshot of a set of data and placing it in a non-LAN-attached network. When intruders launch a ransomware attack, the first thing they look for is the enterprise's backup files. By air gapping, those files are simply not available anywhere on the enterprise's servers—they exist only as files on Clumio's cloud-based servers, Boyer says.
Rush Memorial implemented Clumio with a policy to back up everything that had changed within the past four hours, Matney says.
"If we get hit, we lose no more than four hours of work," he says. "While that still might be a fair amount of work, especially if it were to occur during the day, that would be a pretty minimal hit."
According to Clumio, hackers cannot access the backend infrastructure. In traditional air gap solutions, customers have to manage network security, purchase additional hardware at a secondary site, and ensure that no network access is available once the backup is completed.
Clumio not only manages all the security and moves the infrastructure access outside the reach of the hackers, but also takes the constant security upkeep off the customers hands. Clumio completes quarterly penetration testings, and has completed certification and compliance testing for ISO 27001, and 27701, HIPAA compliance, PCI DSS, and SOC 2 Type I and Type II.
Prior to working at Rush Memorial, Matney worked at a managed services provider who had four "rather large" clients that had gone through ransomware attacks. Fortunately, they had backups on tape drives that had not been encrypted by the ransomware, and only a couple of days of data were lost, he says.
The October government ransomware alert was a reminder that all IT organizations need to be proactive, not reactive, Boyer says.
"You have to get the culture of your organization to trust that the IT leaders of your organization are going to do what's necessary to keep things locked down, but also keep things operational," Boyer says.
It's all about simplifying the stack of software on Rush Memorial computers, which will help improve security.
"We try to get rid of a lot of different layers of vulnerability and simplify the process, so it's manageable," Boyer says. "We're a small hospital, so we want to keep things manageable for our teams, because if you have too many systems, the patching, securing, and whatnot becomes a landslide for the IT staff."
"We're able to isolate a workstation very quickly, and keep operations running without it being a threat," Boyer says.
Many organizations are also placing enormous emphasis on educating employees to recognize suspicious emails. "You have to educate the workforce, not to the realm of paranoia, because you wouldn't get anything done," Boyer says. "If they see something that smells or looks 'phishy,' then it is phishy."
Even when email initially enters Rush Memorial, systems in place to educate recipients about red flags, such as a questionable hyperlink. "It's going to pop up and say, this link is not safe," Boyer says. "It'll educate them on why it's not safe."
But of all the measures taken since October, it's the air-gapped backup that stands above the rest.
“You have to get the culture of your organization to trust that the IT leaders of your organization are going to do what's necessary to keep things locked down, but also keep things operational.”
Jim Boyer, MBA, CIO and executive vice president, Rush Memorial Hospital
Scott Mace is a contributing writer for HealthLeaders.
"Air gap" approach takes a snapshot of data, which is stored and managed in the cloud by a cloud backup service provider.
In case of attack, hospital loses "minimal" data -- no more than four hours of work.
Another effort simplifies the software stack to improve manageability and thus improve security.