Hackers commonly target healthcare organizations due to the amount of sensitive information and lucrative data that can be stolen or held hostage using ransomware. As a result, healthcare organizations have some of the industry’s most stringent security and compliance requirements.
In addition, as healthcare institutions design their modern IT infrastructure, security is a primary concern that CISOs and security admins must address. Protecting critical data includes ensuring data backups are adequately protected and stored with privacy and security top of mind. What security requirements around data backups should healthcare organizations prioritize?
Why data security is of utmost importance
In recent years, ransomware attacks have escalated in the number of attacks and the damage inflicted. Ransomware groups are now resorting to so-called “double-extortion” tactics to cause maximum damage and force companies into paying the ransom demanded.
Double-extortion attacks not only hold data hostage and demand a ransom, but they also threaten the business with a data leak if the ransom is not paid. Therefore, robust, secure backups and strong security measures to contain and defuse attacks are absolutely critical.
Ransomware groups commonly go after backups as one of their first steps in an attack, to ensure the business no longer has the means to recover its data. Unfortunately, along with critical operational data, healthcare organizations hold a treasure trove of valuable, sensitive, personally identifiable information (PII).
In the IBM Cost of a Data Breach 2022 Report, healthcare breach costs hit a new record high, with an average cost of USD 10.10 million; healthcare has now had the highest average breach cost of any sector for 12 years in a row.
Healthcare organizations and others must protect their sensitive information and ensure backups are stored according to best practice recommendations and robust security measures. What are those?
Healthcare backup best practices
Aligning with backup best practices is essential for healthcare organizations to ensure their critical backups are protected, secure, and compliant with the Health Insurance Portability and Accountability Act (HIPAA), among others. Let’s examine the following:
- 3-2-1 backup best practices
- Data retention
- RPO considerations
- RTO considerations
- DR and site recovery
- Backup security and encryption
1. 3-2-1 backup best practices
Healthcare and other organizations benefit from following the 3-2-1 backup methodology as a basic framework for their backup strategy. What is the 3-2-1 backup best practice? It states you should have the following:
- (3) copies of your data
- (2) types of storage media for your backup data
- (1) copy of your data stored offsite
The 3-2-1 backup best practice is critical because it diversifies where your data is stored. Spreading copies across several media types and locations makes it much more difficult for attackers to remove every copy of your critical data.
When choosing a data protection solution, make sure it has the features and capabilities to implement each component of the 3-2-1 best practice in your environment.
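The 3-2-1 rule is easy to state and easy to drift away from as repositories and jobs accumulate. The script below is an added example (not BDRSuite code or anything from the original page) that audits a backup inventory against the three conditions; the inventory format, data set names, media names and site names are constructed assumptions, and the "offsite" flag stands in for whatever your catalog uses to mark a copy held outside the primary data centre.

```python
"""Audit a backup inventory against the 3-2-1 rule.

Added example, not BDRSuite code: the inventory format, media names and
site names below are assumptions constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str   # logical data set the copy belongs to (e.g. an EHR database)
    media: str     # storage media type, e.g. "disk", "tape", "object-storage"
    site: str      # physical or cloud location holding the copy
    offsite: bool  # True when the copy is outside the primary data centre


# Constructed sample inventory: one compliant data set and one that is not.
INVENTORY = [
    BackupCopy("ehr-db", "disk", "primary-dc", False),
    BackupCopy("ehr-db", "tape", "primary-dc", False),
    BackupCopy("ehr-db", "object-storage", "cloud-region-a", True),
    BackupCopy("pacs-images", "disk", "primary-dc", False),
    # a second disk copy on the same media type and at the same site adds little resilience
    BackupCopy("pacs-images", "disk", "primary-dc", False),
]


def audit_321(copies):
    """Return {dataset: list of failed rule names}; an empty list means compliant."""
    by_dataset = defaultdict(list)
    for c in copies:
        by_dataset[c.dataset].append(c)

    report = {}
    for name, ds_copies in by_dataset.items():
        failures = []
        if len(ds_copies) < 3:                                 # the "3": at least three copies
            failures.append("fewer than 3 copies")
        if len({c.media for c in ds_copies}) < 2:              # the "2": at least two media types
            failures.append("fewer than 2 media types")
        if not any(c.offsite for c in ds_copies):              # the "1": at least one offsite copy
            failures.append("no offsite copy")
        report[name] = failures
    return report


def noncompliant_datasets(copies):
    """Sorted names of data sets that fail at least one of the three rules."""
    return sorted(name for name, fails in audit_321(copies).items() if fails)


if __name__ == "__main__":
    for dataset, failures in audit_321(INVENTORY).items():
        status = "OK" if not failures else "FAIL: " + ", ".join(failures)
        print(f"{dataset}: {status}")
```

Run against a real catalog export, the audit is most useful as a scheduled check: a data set that silently loses its offsite or second-media copy (a retired tape drive, a cloud target whose credentials expired) shows up as a failure long before a restore is needed.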
2. Data retention
HIPAA itself does not mandate how long general medical records must be retained. Each state has its own laws specifying the retention of medical records, and HIPAA does not preempt state data retention laws. These laws and mandates vary between states and depend on the record type and to whom the records belong.
HIPAA does set retention requirements for certain documents: a covered entity must retain a patient authorization for six years. Likewise, where documents such as complaint and resolution records are subject to HIPAA data retention requirements, the HIPAA minimum of six years applies and preempts any state law that specifies a shorter period.
Healthcare entities must choose data protection solutions that provide fine-grained controls over data retention, allowing the business to set the backup retention period it needs so that it meets both HIPAA and state mandates.
3. RPO considerations
Restore Point Objective (RPO) is an essential data protection consideration for the enterprise, including healthcare organizations. The RPO value determines how much data loss is acceptable in the event of a disaster. For example, if your RPO is 1 hour, you back up critical resources every hour. In that case, a disaster that strikes 59 minutes after the last backup was taken could destroy an hour’s worth of data.
Today’s organizations, including healthcare entities, require even more stringent restore point objectives to have the most current copy of their data possible. As a result, many companies are now choosing very low RPO values, such as 15-minute RPOs or continuous data protection (CDP), to protect mission-critical workloads.
Healthcare organizations and others are now seeking data protection solutions with CDP capabilities that deliver very low RPOs for mission-critical data and IT infrastructure systems.
4. RTO considerations
Restore Time Objective (RTO) is how long it takes to restore your critical data from a backup, and it is an essential consideration for organizations. Even if you have very tight RPO values, how long will it take to restore the data destroyed in a cyberattack or disaster?
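The RPO and RTO sections above describe the two numbers in words; the script below, an added example that is not from the page or from BDRSuite, turns a backup catalog into those numbers so they can be checked rather than assumed. The backup completion times, the failed 03:00 job, the data size and the restore throughput are constructed assumptions; the RTO model (a fixed overhead for provisioning and validation plus transfer time) is a simplification for illustration.

```python
"""Check a backup history against an RPO target and estimate RTO.

Added example, not from the page or BDRSuite: the timestamps, sizes and
restore throughput below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed catalog: completion times of successful backups of one workload.
BACKUP_TIMES = [
    datetime(2023, 3, 1, 0, 0),
    datetime(2023, 3, 1, 1, 0),
    datetime(2023, 3, 1, 2, 0),
    datetime(2023, 3, 1, 4, 0),  # the 03:00 job failed, leaving a two-hour gap
]


def worst_case_data_loss(backup_times):
    """Largest interval between consecutive successful backups.

    This is the data lost if a disaster strikes just before the next backup
    completes; a single failed job silently doubles it.
    """
    times = sorted(backup_times)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return max(gaps) if gaps else None


def data_loss_at(disaster_time, backup_times):
    """Data lost for a disaster at a given moment: time since the last backup
    that completed before it. None means there is no usable restore point."""
    earlier = [t for t in backup_times if t <= disaster_time]
    if not earlier:
        return None
    return disaster_time - max(earlier)


def meets_rpo(backup_times, rpo):
    """True when every gap in the history is within the RPO target."""
    loss = worst_case_data_loss(backup_times)
    return loss is not None and loss <= rpo


def estimated_rto(size_gb, restore_throughput_gb_per_hour,
                  fixed_overhead=timedelta(minutes=30)):
    """Estimated restore time: fixed overhead (provisioning, validation) plus
    transfer time at the measured restore throughput."""
    transfer = timedelta(hours=size_gb / restore_throughput_gb_per_hour)
    return fixed_overhead + transfer


if __name__ == "__main__":
    rpo = timedelta(hours=1)
    print("worst-case loss:", worst_case_data_loss(BACKUP_TIMES),
          "| meets 1h RPO:", meets_rpo(BACKUP_TIMES, rpo))
    print("loss for a disaster at 03:59:",
          data_loss_at(datetime(2023, 3, 1, 3, 59), BACKUP_TIMES))
    print("estimated RTO for 2 TB at 400 GB/h:", estimated_rto(2000, 400))
```

The point the numbers make: an hourly schedule only delivers a one-hour RPO while every job succeeds, so the check belongs in monitoring, not in a design document. The RTO estimate should likewise use throughput measured in a real restore test rather than the link speed on paper.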
5. DR and Site Recovery
To maintain business-critical operations and have resiliency against a total site failure, an offsite facility storing your data bolsters availability. Critical-care medical facilities require operations to be online 24x7x365 to serve patients best and have quick and easy access to information, which can literally save lives.
With an offsite or cloud DR or site recovery capability, healthcare facilities can instantly recover entire image-based backups or recover file-level data from the offsite copy. Protecting application data in this way allows critical applications such as Exchange Server, SQL Server, SharePoint and other services to be restored from application-consistent backups.
6. Backup security and encryption
A key component of a well-rounded and security-minded data protection solution is ensuring your backup data is fully encrypted in flight and at rest. Backup data is, after all, production data at a specific point in time. If attackers can compromise backup data easily, they have full access to your production data offline without the active security protections on live systems.
In-flight encryption ensures the data is encrypted as it is transmitted over the network. At-rest encryption encrypts the data as it is stored on disk. Without encryption covering both the network transmission and the storage of backup data, the data is vulnerable at some point in the workflow.
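A useful defender's check on the at-rest half of this is to look at what actually sits in the repository rather than trusting the job setting. The script below is an added example (not BDRSuite code and not from the original page) that triages stored objects with two heuristics: recognisable plaintext container magic (gzip, zip, a SQL dump header) and byte entropy, since ciphertext should be close to 8 bits per byte with no structure. The sample blobs, file names and magic table are constructed; the pseudo-ciphertext is a deterministic SHA-256 chain standing in for real encrypted output. It is a triage aid only: compressed but unencrypted data in a format not in the magic table will also look "opaque".

```python
"""Flag backup artefacts that do not look encrypted at rest.

Added example, not BDRSuite code. Heuristic only: ciphertext has near-maximal
byte entropy and no recognisable container magic. Sample blobs are constructed.
"""
import gzip
import hashlib
import math
from collections import Counter

# Constructed table of plaintext container signatures worth flagging.
PLAINTEXT_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"-- MySQL dump": "sql-dump",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; random-looking data sits near 8.0
SAMPLE_WINDOW = 65536    # bytes examined per object


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_at_rest(blob):
    """Return 'plaintext:<format>', 'low-entropy' or 'opaque' for a stored object."""
    for magic, fmt in PLAINTEXT_MAGIC.items():
        if blob.startswith(magic):
            return f"plaintext:{fmt}"
    if shannon_entropy(blob[:SAMPLE_WINDOW]) < ENTROPY_THRESHOLD:
        return "low-entropy"
    return "opaque"


def _pseudo_ciphertext(n, seed=b"constructed"):
    """Deterministic random-looking bytes standing in for real ciphertext."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed repository contents: an unencrypted dump, a compressed dump,
# and one object that looks like ciphertext.
SAMPLES = {
    "ehr.sql": b"-- MySQL dump 10.13\nCREATE TABLE patients (...);\n" * 50,
    "ehr.sql.gz": gzip.compress(b"CREATE TABLE patients (...);\n" * 50),
    "ehr.enc": _pseudo_ciphertext(4096),
}


def audit_repository(samples):
    """Map each object name to its classification."""
    return {name: classify_at_rest(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_repository(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Anything classified as plaintext or low-entropy is a finding to investigate; an "opaque" verdict is only the absence of an obvious problem, so pair this with the backup product's own per-job encryption status rather than replacing it.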
BDRSuite enables healthcare organizations to meet security and compliance best practices
Organizations can be held back by their data protection solution’s shortcomings in protecting and securing their data appropriately; the solution itself can quickly become the weak link in securely backing up critical data. Healthcare organizations need the right solution to protect critical data confidently from attack or human error.
BDRSuite by Vembu is a fully-featured solution giving healthcare providers the tools needed to protect data securely and in a way that aligns with compliance regulation requirements, such as HIPAA. Note the following capabilities of BDRSuite by Vembu:
- It provides the tools to quickly align with 3-2-1 backup best practices – Store data on different media types, replicate data to secondary data centers, and store data in offsite or cloud DR solutions using BDRSuite
- BDRSuite allows healthcare organizations to define their retention requirements and provides unlimited retention if needed
- BDRSuite provides extremely aggressive RPO configurations, down to 15 minutes for image-level backups and CDP backups for file-level backups
- With BDRSuite offsite DR, you can instantly recover the image-based backup data as a ready-state VM on VMware/Hyper-V/KVM hypervisors, providing near-instant RTOs
- With fully-featured replication capabilities and the possibilities with offsite and cloud DR, BDRSuite provides great solutions to protect the critical and sensitive data of healthcare organizations
- BDRSuite backups are transmitted in flight and stored at rest using AES-256-bit encryption
Learn more about the BDRSuite solution and download a free trial version here