A ransomware attack can easily cripple an entire healthcare organization’s operations. It can also result in serious compliance issues and insurmountable recovery costs. Unfortunately, not every attack will be prevented—but should one occur, there are steps you can take to reduce or eliminate the damage that results.
One of the most effective methods of mitigating the effects of a ransomware attack is making immutable backups. With the right immutable backup solution, your healthcare company’s operations can continue without major disruption, even if the attack is successful.
Keep reading for an explanation of what immutable backups are and how you can use them to combat ransomware assaults.
What Are Immutable Backups?
An immutable backup is a copy of your data that no one can delete, encrypt, or change. This means that not even an account admin can alter or encrypt the data—and the same goes for an attacker.
As soon as a backup is written to immutable storage, it’s locked. It stays locked for a specific period of time, such as 30 days. Here’s what happens when you have immutable backups:
- The attacker releases ransomware into a target system.
- The ransomware starts encrypting as many files as it has access to. Each file it encrypts becomes off-limits for your employees and IT team.
- Every time the ransomware runs into an immutable backup, it can’t encrypt it.
- Your IT team detects the attack and quickly realizes that some files are now encrypted, so they can’t be used.
- The IT team can restore all immutable files. If they include data for operational apps, the ransomware attack has very little effect on day-to-day workflows.
This means that if you make immutable backups of the right data, your organization can continue its work with relatively little downtime, even if a ransomware attacker penetrates your defenses.
How Immutable Backups Work
Immutable backups work by using database settings that prevent specific actions, such as deleting, modifying, and encrypting files. They use a write once, read many policy that you can set for a certain time period.
A section of a database is, in some ways, a lot like an inventory room in a warehouse. Each “room” has its own rules. Some allow people to come in and remove items as they’d like. In other rooms, people may have the freedom to change what’s inside, perhaps by adding components that weren’t there previously.
Eventually, the contents of the inventory room are used to build whatever the factory produces. Similarly, the contents of a backup can be used to “build” the data that a business-critical app depends on.
For immutable backups, the rules governing what can happen to the data in each “room” are very strict. For instance:
- One rule says that nothing inside the backup can be encrypted, so hackers can’t encrypt it and prevent you from accessing it.
- Another rule says that the contents can’t be changed, which prevents hackers from substituting real backup data with fake data.
- And another rule says that none of the contents can be deleted, which would stop a hacker from removing data, copying it to their own server, and essentially holding it “hostage” until your organization pays a ransom.
In other words, your database’s configuration seals and protects the information inside each immutable backup.
Why Immutable Backups Are Important in Healthcare
Immutable backups are a powerful tool against ransomware—which makes them an ideal strategic weapon in healthcare’s fight against cyber criminals. The data that a healthcare organization holds is pivotal for both its operations and serving patients. Hackers know that if they encrypt healthcare data, they can simultaneously cripple day-to-day activities and threaten the business’s reputation, especially if they expose private patient information.
But when you use immutable backups, you:
- Secure the data that your organization needs to function, such as billing, payment, and imaging data.
- Gain the freedom to recover whatever information you need without having to pay a ransom.
- Prove to HIPAA auditors that you’re maintaining the integrity of the data you steward.
- Avoid interrupting care during a cyber incident because the data you need is protected and available.
Ransomware-Resistant Backup Control Checklist
You can use the checklist below to make sure your healthcare cloud solutions have a solid anti-ransomware strategy.
1. Write Once, Read Many (WORM) Storage
This ensures your backups get written once and can’t be changed or deleted until the retention time period ends. You can also adjust the time period to optimize your storage usage and minimize your healthcare cloud solutions costs.
2. Multi-Factor Authentication (MFA)
MFA is still a powerful tool, even when you use immutable backups. It keeps your backups secure even if an attacker has stolen an admin’s username and password. Otherwise, using a multi-pronged approach, a hacker could try to bypass your immutable backups by logging in with admin credentials and accessing sensitive backup data.
3. Retention Policies That Prevent Slow-Burn Ransomware Attacks
When you set your retention policies according to your needs, you can keep backup data long enough to withstand what’s known as slow-burn ransomware. This can sit dormant in your system for weeks at a time. To mitigate slow-burn attacks, you can use an extended retention policy, such as 90 days. This gives you the ability to go back several weeks into your backup history, if necessary.
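The write once, read many lock from item 1 and the retention argument above can be checked with a small in-memory model. This is an added illustration, not RapidScale's code or any vendor's API; `WormStore` and `clean_restore_points` are hypothetical names, and the 45-day dormancy and the dates are constructed sample values (30 and 90 days are the retention periods mentioned in this article).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


class RetentionLockError(PermissionError):
    """Raised when an overwrite or delete hits a backup still under its WORM lock."""


@dataclass
class WormStore:
    """Toy write-once, read-many store: backups are locked for retention_days."""
    retention_days: int
    objects: dict = field(default_factory=dict)  # backup date -> contents

    def locked_until(self, day: date) -> date:
        return day + timedelta(days=self.retention_days)

    def write(self, day: date, data: bytes) -> None:
        if day in self.objects:
            raise RetentionLockError(f"{day} already written; overwrite refused")
        self.objects[day] = data

    def delete(self, day: date, today: date) -> None:
        # The lock applies to every caller, including an admin account.
        if today < self.locked_until(day):
            raise RetentionLockError(f"{day} locked until {self.locked_until(day)}")
        del self.objects[day]

    def purge_unlocked(self, today: date) -> int:
        """Delete every backup whose lock has expired; return how many were removed."""
        expired = [d for d in self.objects if today >= self.locked_until(d)]
        for d in expired:
            self.delete(d, today)
        return len(expired)


def clean_restore_points(retention_days: int, dormancy_days: int, history_days: int = 120):
    """Dates of backups that are still locked at detonation AND predate the infection."""
    detonation = date(2024, 6, 1)                       # constructed sample date
    infection = detonation - timedelta(days=dormancy_days)
    store = WormStore(retention_days)
    for age in range(history_days, 0, -1):              # one backup per day
        day = detonation - timedelta(days=age)
        store.write(day, b"infected" if day >= infection else b"clean")
    store.purge_unlocked(detonation)                    # worst case: all unlocked copies are lost
    return sorted(d for d, data in store.objects.items() if data == b"clean")
```

With 30-day retention and ransomware that sat dormant for 45 days, every backup still under lock was taken after the infection, so no clean restore point remains; with 90-day retention, 44 clean daily backups are still locked.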
4. Air-Gapping
Air-gapping involves storing backups away from primary systems. It breaks down into two categories:
- Physical air-gapping, which involves storing a backup on a server that is physically disconnected and even removed from the server that provides your live application data. For instance, you can set up immutable backups using a different healthcare cloud solution altogether.
- Logical air-gapping, which isolates your backups from live workload data using digital architecture. For instance, you can set up a data bunker dedicated to your backups with its own encryption and default immutability locking.
With air gaps, you can prevent hackers who penetrate your daily workload data stores from gaining access to your backups. This is good practice whether or not you’re using immutable backups.
5. Regular Recovery Testing
By regularly testing your recovery system, you ensure that you can restore backups quickly enough to avoid excess downtime.
For instance, suppose you have an air-gapped immutable backup that you have to manually access using MFA. Once you’re inside the backup, you then have to copy files over so they can support live workloads.
This can be time-consuming. If you recently hired a new incident mitigation manager, they may not know how to do this quickly. So regular recovery testing would ensure they can access and restore backups as quickly as possible.
6. Audit Logs for Your Immutable Backups
Audit logs are useful when you have to meet compliance standards that require you to demonstrate the ongoing security of your backup solution. They're also invaluable when you have to perform a forensic analysis of an attack.
If, for instance, an inside attacker were to access your immutable backups and try to make a change, the logs would make it easier to identify who tried the attack, as well as when and where they launched the assault.
The Role of Immutable Backups in DRaaS and BaaS
Immutable backups can be the cornerstone of your Disaster Recovery as a Service (DRaaS) and Backup as a Service (BaaS) systems:
- BaaS: As a part of your BaaS setup, immutable backups support your compliance and make each backup more secure.
- DRaaS: DRaaS uses immutable backups to enable rapid system and application recoveries after ransomware or another kind of outage.
When you opt for immutable backups as you deploy DRaaS and BaaS, you add a powerful extra level of security.
Immutable Backups for Healthcare FAQ
Q: How are immutable backups different from traditional offline backups?
A: A traditional offline backup is disconnected from the system that powers your daily workloads. On the other hand, immutable backups can stay online and be air-gapped using logical infrastructure. It’s common for healthcare cloud solutions to use both traditional offline backups and online immutable backups.
Q: Can immutable backups replace all of my cybersecurity tools?
A: No. Immutable backups are an additional line of defense. You should still implement endpoint protection, network monitoring, firewalls, and other tools.
Q: Do immutable backups take longer?
A: No. An immutable backup can be performed just as quickly as a traditional one. Some types of air-gapping may add extra time to your restoration process, however, because they may require manual copying and pasting and entering credentials.
Q: Are immutable backups compliant with HIPAA?
A: Yes, they support HIPAA requirements pertaining to data integrity and availability. But remember: you still have to make sure your backups meet other HIPAA standards, such as using the right encryption protocols and access controls.
Q: Can ransomware delete data in an immutable backup?
A: No—not if the backup is properly configured. No one can delete the data in the backup, not even system admins, until the retention time period expires.
Ready to use immutable backups to improve your disaster recovery system? Send our team a message today to learn how RapidScale can help.