Data protection was the topic on the table when HTN spoke with BridgeHead Software about the digital and IT challenges facing NHS trusts in 2022.
Following the company’s live webcast with us on 8 March 2022, which focused on what healthcare organisations can do when ransomware or malware hit, we spoke to the presenters to drill down further into their knowledge and expertise.
A hugely important aspect when considering the NHS’s digital progress across the past few years, having a robust data protection strategy is crucial to both the prevention of cyberattacks and also recovery from them.
The BridgeHead Software panel consisted of Gareth Griffiths, Executive Director and RAPid Product Manager; and Andrew Clark, the company’s Business Development Manager for EMEA.
Here’s their guidance on data protection trends, backups, the importance of the Cloud, and the key things to consider when forming a strategy of your own…
What data protection trends are you currently seeing in healthcare?
Gareth: The biggest concern we’re seeing is around the growth of cyber crime and ransomware in particular. I saw a stat recently from Cyber Crime Ventures that, if it was measured as a country, cyber crime would be the third largest economy after the USA and China – which is pretty scary.
Over 80 per cent of UK organisations have been hit by ransomware in the last year and 38 per cent of them elected to pay, while 44 per cent didn’t, which is good, but I’d like to see that stat higher.
Even the ones who pay don’t always get their data back – and over 60 per cent admitted that they had had to cancel in-person appointments because of cyber attacks. If we can help systems to recover quickly, organisations won’t pay. I’d love to say ransomware will die out but it won’t – we can, however, reduce the profitability of it.
There are two sides to it – trying to stop malware getting in and trying to recover and protect the data. We currently have organisations talking to us about how they can improve this [area] and fix the gaps. This means we’re seeing an increase in Cloud services and people are modernising their approaches and realising there may be better ways of doing this. Cloud is an area for storage – it’s large-scale and there is physical security – and increasing use of these services is a trend.
Andrew: Around the NHS, particularly in England, we’re seeing a lot of activity focusing on trusts, giving them better tools to improve their cyber security. For example, there has been an NHS Digital national audit process taking place over the last few years, and over 130 different trusts in NHS England took part in our assessment of their security.
It does show that there is a trend occurring around data protection and cyber security, from the top down, into the trusts.
Something else that we’ll be watching very keenly at BridgeHead is the formation of the new Transformation Directorate, with the merging of NHSX, NHSD, NHSI, etc. Obviously, it’s still formulating but it will be interesting to see the level of focus they apply to cyber security. I’m hoping it will be high up on their agenda.
Data protection is a broad term – how would you define it?
Gareth: Data protection isn’t one thing. If you think of a medieval fort – you have an outer perimeter, an inner perimeter and then the keep. It’s about layers of protection. Data protection is very similar and, of course, includes physically protecting the data and applying backup and archiving methods to ensure it can be recovered. But it also covers many other aspects.
You’ve got to think about your compliance and governance regulations. There are rules; and data privacy is really important, especially in healthcare. That’s something that is also under threat from cyber crime because, not only do they want to encrypt your data, they want to steal the data and, in some cases, maliciously publish.
It’s also about staff training – have you got good working practices in place? For example, if a member of staff receives an email from a questionable source, what do they do?
There’s also keeping your software up to date and, most importantly, your backup software. New vulnerabilities keep being discovered and those can be built into older applications. If you don’t have the latest software, you may have vulnerabilities that you don’t even know about.
If you’re going to keep the data from old legacy applications, those are a big source of vulnerability because they’re often not being updated. Today, we still find people using Windows 2003. If you’ve got legacy applications, we advise you to retire the application completely, but place the data into a clinical archive where can still be accessed as part of the patient record.
When we think about cyber crime, we think about malware and ransomware. Prevention is obviously really important. In our view, however, while you do your best to prepare and prevent – a detailed and rehearsed response plan is absolutely critical. It’s no good figuring out what you’re going to do when it happens, you need to have figured it out and tried it beforehand, because you will inevitably have gaps.
Practice – that’s a very big part of what data protection is about; and it’s not at the forefront of people’s minds. When you’re not in the middle of an incident, data protection can be easily relegated in favour of other ‘more pressing’ issues. What we are trying to do is bring it back to the forefront.
Andrew: One thing I’m interested in, whether that’s with clinicians or people in IT, is [issues] around legacy application retirement.
Recently, I was talking to a trust that had what they called ‘the feral 500’ – 500 different systems that had been accumulated and created over the years. Most of those were still used by clinicians but are on very old technology and sitting on old hardware. That presents a massive threat to cyber attacks. As we become more sophisticated around data protection, we are seeing more healthcare organisations focusing on retiring their legacy applications. These applications carry significant risk to security, with potentially dire consequences if successfully breached.
Given the shift to digital during the pandemic – how important is it to have a robust backup and disaster recovery strategy?
Gareth: Protection is more important than ever, it’s become so critical, but backups have always been important. I live and breathe backups and it drives me around the bend when people ignore backup failures – but it still happens.
The one good thing about paper records is that malware can’t reach them. However, they are difficult to communicate and are vulnerable to physical damage, so now everyone is going digital. But that has introduced new vulnerabilities, so you have to think differently.
Data is the lifeblood of healthcare and we are becoming increasingly dependent on digital systems. But people can get complacent now because the hardware is so reliable. There may be physical disasters, such as losing a whole computer room, but the actual equipment malfunctioning doesn’t happen as much anymore – so you can be lulled into a false sense of security.
The two threats that remain are: people making mistakes, which is the biggest cause of small scale [problems]; and now we also have the likes of ransomware and malware deliberately causing problems. This means that you must implement a no-trust model.
How can healthcare organisations counter sophisticated malware and ransomware attacks on backups?
Gareth: Five years ago, nobody thought about protecting the backups or that someone might attack them. There’s a well-established rule that people talk about, the 3-2-1 rule, which means that you have three copies of your data – production plus two back ups – on two different devices and then at least one copy off-site, so that there’s no one single point of failure.
That’s a bare minimum, but doesn’t always cover what you need to protect. You may have a copy of the data – but is that copy good? If nobody can access that data, it’s a serious problem. Also, if cyber criminals can attack your backups, there is a lot more pressure to pay. So, it’s really important that the backups themselves cannot be attacked, even if malware gains privileged access to the backup servers.
There are two aspects to protecting your backups – air gaps and immutability. Air gaps mean the data is not directly accessible, but you need to make sure it’s on a different system and that there is a barrier in between, like a strongly-authenticated API between where the backup runs and where the data is stored. Immutability, meanwhile, makes it impossible for the backup software (or any bad actor) to delete or change anything. That’s an increasing trend and one we’re starting to home in on. The backups need to be safe, so that not even backup software could overwrite them.
Referring back to your comment on adoption of the Cloud for data protection, can you tell us what you’re seeing in the market currently?
Gareth: We’re definitely seeing a big increase in health organisations using the Cloud for data protection. As I said earlier, the big Cloud providers have the scale to provide physical protection and can look after data – with lots of redundancy and safety, as well.
To restore data from tape that’s stored off-site can take hours or days, and that isn’t good enough for today’s environment – we can’t afford to be down for that length of time. Tapes are good but they’ve had their day, in my opinion.
As an alternative, Cloud storage has the security and the scale, and can make the cost per terabyte relatively low. With modern de-duplication and processing techniques, the actual volume is much smaller and the bandwidth requirements are less. The network speeds can make this a viable structure and it has led to creation of BridgeHead’s Cloud Backup as a Service (CBaaS) and Cloud Backup and Recovery (CBaR).
What do the terms CBaaS and CBaR mean – and how might they be used?
Gareth: We need to distinguish between backing up to the Cloud and recovering in the Cloud. CBaaS – Cloud Backup as a Service – essentially means replacing tape with Cloud storage.
What we mean by ‘as a Service’ is that the NHS increasingly outsources some aspects of its operations, so that it can focus on the fundamentals of patient care. Within IT, everyone agrees that checking the backups is important – but if a patient care application is down, that’s going to have a higher priority. Issues with delivery of service will always tend to trump the backups because nothing immediately happens if the backups don’t run. You can still provide care. It’s like insurance – probably nothing will happen, but you don’t want to be that person whose house burnt down but you forgot to renew your insurance.
How do we make sure backups are properly monitored? Why not outsource that to a group whose sole function is caring that the backups are done? That’s what we mean by Cloud Backup as a Service. They will be run in the same place but monitored and checked by a group who are dedicated to it.
But you also have to have somewhere to restore backups for a DR test, while keeping your production systems running. There are a number of options here – you can have your own secondary data centre or a temporary data centre in a truck, or you might want to consider using public Cloud. You need hardware for a short period to do the test and that’s exactly what Cloud services are good for – you can create a temporary data centre in the Cloud, restore and test, then wipe it out to avoid ongoing costs.
I wouldn’t want to trivialise the work involved – it’s hard – but the good news is that it can all be scripted and automated with repeatable tools like terraform, which is where Cloud Backup and Recovery (CBaR) comes in. It has everything that CBaaS has but, as well as being able to restore to production, you’re able to restore quickly to Cloud servers. This is the key to testing – in a disaster, you will likely be unable to restore to the production data centre. Either the equipment is not available due to damage or the systems are still being examined for forensics. You have to have a clean set of servers, so that you can test restores.
We’re seeing a trickle of this starting now – but I suspect it will become a flood.
Finally, what key takeaways would you share with our readers re: considering a healthcare organisation’s data protection strategy?
Gareth: I’d say there are three takeaways: do everything you can to protect but plan to fail – that is, plan for a disaster; protect the backups – 3-2-1 is a good start but it’s not nearly enough, you need to protect them with immutability and make sure they are checked; and finally, do disaster recovery (DR) tests to iron out the snags and delays, and make sure it’s all documented so that anyone can action the plan, in case the usual staff are not available.
Andrew: With data protection it’s a holistic approach that really provides those benefits. It’s not just about having the latest antivirus software, or ensuring that users are trained – although these are both very important. But, as we have emphasised, you have to think about the backups, particularly in regard to use of Clouds and legacy application retirement, and the protection that you need to add to all of the data across your healthcare organisation.