In part two of our healthcare series, we discussed the impact of cyberattacks on financial bottom lines and why cyber attacks have the potential to represent an existential threat to hospitals.
Now that we’ve established the importance of cyber resilience, our next installments will discuss new frameworks and approaches for cyber resilience. First, let’s explore why cyber recovery requires a fundamentally different approach from traditional disaster recovery.
The Power of Preparation
When a healthcare organization falls victim to a ransomware attack, the questions that flood the boardroom are vastly different from those asked during traditional disaster recovery scenarios.
Leaders find themselves asking difficult questions:
How did the attackers gain access?
How long have they been inside our systems?
What data was compromised?
Which systems remain trustworthy?
What malware was introduced?
Resolving this uncertainty often requires extensive analysis, which extends downtime and worsens patient outcomes. As we’ve explored previously, the statistics are alarming: ransomware attacks increase mortality rates by 28%, hospitals experience a 30% increase in medical errors during outages, and average recovery times stretch to 2-3 weeks, with recovery routinely running far beyond that.
Cyber Resilience in Healthcare: A Paradigm Shift
For healthcare providers, cyber resilience goes far beyond technical recovery capabilities. It represents the organization's ability to maintain patient care continuity despite active cyber threats. True resilience requires accepting that prevention will sometimes fail, that attacks are inevitable, and that organizations must prepare to recover despite all the ambiguity and unknowns. The focus has to start with reducing that period of uncertainty following the loss of trust.
Achieving this level of cyber resilience requires a particular strategic foundation:
Identify your Minimum Viable Hospital: Time and capacity constraints make it impossible for most healthcare organizations to immediately restore all applications following an attack. This reality has given rise to the concept of the Minimum Viable Hospital (MVH): the minimum, prioritized set of applications necessary to perform core functions for a period of time until trust can be re-established and normal IT operations resume. We’ll delve more into this topic in future installments of this blog series.
Survivable, Immutable Backups: In order to quickly restore your minimum viable hospital, you need truly immutable backups of those core applications in a system that you won’t have to rebuild post-attack. Immutable backups form the cornerstone of effective cyber resilience by ensuring backup data cannot be modified, encrypted, or deleted (even by administrators) and the infrastructure needed to restore it is still working as designed.
According to a Rubrik Zero Labs study, attackers attempted to compromise backup systems in 96% of ransomware attacks—and they were at least partially successful in 74% of those attempts. This should be surprising considering every single solution on the market today claims to be immutable.
The nuance here matters. A study found that recovery costs are roughly 8X higher if backups are unavailable. Time spent rebuilding systems to get backup infrastructure running again has a high cost both in terms of patient care and financial impact. That your backup data is unchanged is good, but that it remains unchanged and you can immediately begin using it is critical.
The Ability to “Find Clean”: In a ransomware recovery context, what you don’t restore is perhaps more important than the data you do restore. The attackers could have been in your environment for weeks or months. They know you’ll restore data and attempt to cut off their access. They’ve introduced malware and remote access tools, which your data protection systems have faithfully ingested. If you restore malware or some of the attacker’s remote access tools, you can look forward to a repeat at some point in the near future.
Being able to inspect the backup data with built-in tools, at scale, without first requiring time-consuming restores is critically important to conducting a fast recovery. Knowing how long it will take you to scan all your backup data for a set of file hashes, YARA rules, and file patterns is an important thing to establish ahead of time.
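The following script is an added illustration of what “finding clean” across a snapshot history looks like in practice; it is not Rubrik’s code or a product feature. It scans a constructed series of backup snapshots against a small IOC set of file hashes and path patterns, then reports the latest clean snapshot, the snapshots to quarantine, and the earliest snapshot that already carried an indicator. All digests, paths and dates are constructed placeholders.

```python
"""Locate the latest clean backup snapshot by scanning snapshot contents for
indicators of compromise (IOCs) without restoring anything first.
Constructed example: a snapshot is (ISO date, {path: sha256 hex}); all digests
and IOCs below are made-up placeholders, not real malware indicators."""
import re

# Constructed IOC set: known-bad hashes and suspicious path patterns
# (e.g. an attacker-dropped remote-access tool under a service directory).
BAD_HASHES = {"deadbeef" * 8, "cafebabe" * 8}   # placeholder digests
BAD_PATH_PATTERNS = [
    re.compile(r"(?i)^C:/Windows/Temp/.*\.exe$"),
    re.compile(r"(?i)/ProgramData/.*/rat_.*\.dll$"),
]

def scan_snapshot(files):
    """Return IOC hits as (path, reason) pairs; a hash match wins over a pattern."""
    hits = []
    for path, digest in files.items():
        if digest in BAD_HASHES:
            hits.append((path, "hash"))
        elif any(p.search(path) for p in BAD_PATH_PATTERNS):
            hits.append((path, "pattern"))
    return hits

def find_clean(snapshots):
    """Scan every snapshot (ordered oldest -> newest) and report the latest
    clean one, the snapshots to quarantine, and the earliest infected date,
    which is a lower bound on how long the attacker has been present."""
    results = [(taken, scan_snapshot(files)) for taken, files in snapshots]
    infected = [taken for taken, hits in results if hits]
    clean = [taken for taken, hits in results if not hits]
    return {
        "latest_clean": clean[-1] if clean else None,
        "quarantine": infected,
        "first_seen_compromised": infected[0] if infected else None,
    }

# Constructed weekly snapshot history for one server (paths normalized to '/').
OK = "0" * 64                                  # digest of a known-good file
SNAPSHOTS = [
    ("2024-03-01", {"C:/EMR/app.exe": OK}),
    ("2024-03-08", {"C:/EMR/app.exe": OK,
                    "C:/ProgramData/Svc/rat_loader.dll": "1" * 64}),
    ("2024-03-15", {"C:/EMR/app.exe": OK,
                    "C:/ProgramData/Svc/rat_loader.dll": "1" * 64,
                    "C:/Windows/Temp/locker.exe": "deadbeef" * 8}),
]
if __name__ == "__main__":
    print(find_clean(SNAPSHOTS))
```

The same loop is what needs timing against your real backup estate: the wall-clock cost of running it over every snapshot is the number to establish before an incident.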
Clean Environment and Orchestrated Recovery: Clean backups also need to be recovered to a clean location. Such an environment, for example an Isolated Recovery Environment (IRE), serves as the cornerstone of the recovery process: it provides a secure foundation where critical applications can be restored without risk of reinfection while the forensic investigation continues in your production environment.
The success of your recovery hinges on maintaining this environment's integrity through logical air-gaps, restricted access procedures, and carefully validated restoration processes. The ability to rapidly restore infrastructure services like Active Directory to previous secure states, coupled with pre-developed application restoration runbooks, creates predictability during a crisis.
Why Traditional Disaster Recovery Falls Short
Despite decades of meticulous disaster recovery planning, healthcare organizations are finding their carefully constructed contingency plans ineffective against ransomware attacks. Why, given these pervasive, extensive, and long-running preparations, are so many health organizations struggling to respond to ransomware attacks? Why are recovery times measured in multiple weeks and often in excess of a month? Why can't IT's disaster recovery preparations save these organizations?
Simply put, it's because this threat isn't what they planned for during the last 20 years.
Traditional disaster recovery planning focused on physical damage scenarios—loss of a facility, power, or connectivity in a fire, earthquake, flood, or hurricane—where the security posture remained unchanged. However, in the wake of these cyber attacks, the physical infrastructure and sites remain largely intact, but everything inside those sites is now suspect. Instead of clearly visible and definable physical damage, organizations are left coping with an invisible and insidious loss of trust in the entire IT ecosystem. Let’s compare these differences side-by-side:
| | Disaster Recovery | Cyber Recovery |
|---|---|---|
| Threats | Natural disasters, hardware failures, site outages, infrastructure disruptions | Malware and ransomware attacks, data breaches, system and identity compromises |
| State of backups | Generally trustworthy unless backups are missing or compromised due to physical impacts or outages | Often the target of attacks, with possible deletion or encryption of backups, destruction of backup infrastructure, and lingering backdoors |
| Recovery location | Always-on or warm failover site with replicated storage | Clean, isolated environment |
| Recovery data and point in time | Most recent available data | Unknown; forensics are needed to determine the blast radius and the latest malware-free backups |
| Recovery time | Fast, if well-tested, with SLA-based replicated data and well-architected failover automation | Slower, unless clean points in backup data are continuously identified, an Isolated Recovery Environment is on standby, and the team is well-drilled |
| Teams involved | Generally just the infrastructure and application teams | Infrastructure, application, security, legal, PR and compliance teams |
| Lingering effects | A small number of patients affected by a short outage and some short-term revenue loss, with most effects limited to a few months' time | Extensive patient-care impacts from a long outage, loss of exfiltrated sensitive patient data, regulatory action, extensive litigation costs, class action lawsuits, etc., with full effects felt over a 5-year span |
How Rubrik Can Help
Rubrik's data security platform was built from the ground up to address modern cyber threats, with immutability as a core design principle. Rubrik provides:
Zero Trust Data Security: Built-in immutability prevents backup data from being encrypted or deleted, even when administrative credentials are compromised. Hardened, self-sufficient and isolated infrastructure is designed to be serviceable in the immediate aftermath of a determined attack.
Comprehensive Protection: Rubrik lets you back up your critical applications, identities, and data, and ensures immutability and survivability across on-premises, cloud, and SaaS workloads, so that when the time comes you have everything you need in one place. Rubrik’s Healthcare Dashboard lets administrators see at a glance that every component of your EMR is being protected, that every job is succeeding, how long each took, and how it’s trending.
Threat Analytics: AI-powered anomaly detection, continuous threat monitoring, and built-in threat hunting help you find those unusual patterns and IOCs that indicate compromise so that you can determine the blast radius of an attack, rapidly quarantine infected snapshots, and ensure you’re restoring clean data. These capabilities help you quickly cut through the uncertainty.
Automated, Rapid, and Granular Recovery Capabilities: Advanced automation enables faster restoration of critical systems, reducing downtime when every minute counts. The ability to restore groups of applications, datasets, or just specific files into your IRE allows you to work efficiently. Consider this: if you had to restore your Active Directory Forest to a previous point in time onto new hardware without moving anything into your IRE, how long would it take? Would your backups of AD survive a determined attack?
The unfortunate truth is that today the attackers are constantly learning from each other. Without concerns about confidentiality, legal exposure, or the consequences of failure, the attackers are often better practiced than the defenders who are valiantly contending with limited training budgets, a host of responsibilities, and a general unwillingness to share critical details openly.
It’s important to talk with your vendor organizations about whether they’re learning, what issues they’ve encountered, how they’re using that learning, and why their products are built the way they are.
Achieving cyber resilience has to begin long before an attack occurs. That process has to start with a clear understanding of what scenario you need to be planning for, how it’s different from what you did in the past, and deploying the right technologies today to secure tomorrow's recovery.