Yet another ransomware attack has hit the news – this one notable for a number of reasons. One was the extent of the attack, another was how it disrupted the impacted healthcare organization, but probably the biggest part of the story was how a lot of this could have been avoided.
The victim was Austin Urology. With over 260,000 individuals potentially impacted, it wound up in the #2 spot on the Department of Health and Human Services' Office for Civil Rights “wall of shame” website.
As soon as Austin spotted the breach, they began remediation and also contacted their attorneys. They notified all impacted customers and offered a year’s free credit monitoring – something that appears to be almost standard practice in these cases.
Did they pay a ransom? No. Why not? Because they had backups. Within a day, Austin Urology had restored all of the encrypted files to their originals, and because the breach occurred on a Sunday – i.e., not during business hours – they essentially lost nothing.
But I think the larger part of the story – or at least something every company facing ransomware (which means everybody) needs to understand – is that the impact didn’t have to be that bad.
Most healthcare organizations need to keep patients’ records long after their care has ended; insurance, follow-ups and a number of other reasons dictate keeping this information. The key takeaway, though, is that it ought to be kept offline, i.e., still in backups but not always connected to their networks. Austin’s number of active patients was a fraction of the 260,000+ contained in their entire database – yet the full database was actively connected to their network.
In the new scheme of things, it probably makes a lot of sense for IT to not only have a good data backup, but also have a backup strategy so that while everything is properly backed up, not everything is readily available to a network that’s under attack.
Rich is the Product Marketing Manager, Information Management. He's been with Barracuda since the acquisition of C2C Systems in 2014. Rich specializes in storage solutions, information management, and archiving systems. His experience includes extensive work on OEM opportunities and the legal community.