How to fight ransomware: Q&A with a healthcare CISO
Cybersecurity Awareness Month, a time to raise awareness nationally about the importance of cybersecurity, ends this week. So I thought this would be a great time to once again highlight how modern data protection capabilities can help organizations be more resilient before, during and after an attack, and how the right IT infrastructure can make them more resilient overall.
We explored these topics with several of our customers at our Pure//Accelerate® Digital conference. One of those customers was Martin Littman, head of technology and information security at Kelsey-Seybold Clinic. Littman helped build a world-class infrastructure for Kelsey-Seybold Clinic based on Pure Storage® FlashBlade® to ensure that medical records and data are always available to the healthcare workers who support patients in this large system of multi-specialty clinics serving the Houston area.
About six years ago, Kelsey-Seybold Clinic was hit by, and quickly recovered from, a ransomware attack that prompted the organization to reassess its security strategy and build an environment of immutable data snapshots and backups, which it developed in collaboration with Pure Storage. Here are some highlights from the recent Q&A session I had with Littman, where we talked about the clinic's ransomware experience and the lessons that were learned:*
AS: When you think of ransomware and other threats that could affect your environment, how does a data protection strategy fit into your overall plan?
ML: I joke that we had ransomware before ransomware was cool. Fortunately, due to the data protection strategy we had at the time, we had snapshots and multiple copies of backups so employees could keep working while we responded. And luckily, it was slow malware and a small file share. Approximately 44,000 files were repurchased which we were able to recover and restore. In the end, we got everything back and walked away from the situation.
However, this event further alerted us to the threat of ransomware and the need to be prepared to deal with it. As a result, we stepped up our data protection program and began to think about not only doing our backups to disk, but making multiple copies across multiple storage systems.
AS: How long did the cleaning process take?
ML: Frankly, because of all the backups we had, it literally took us a couple of hours. In the days that followed, we continued to search for copies of the ransomware notes. Years later we still sometimes come across a few. As we introduced new technology, we discovered that some of these notes were not cleaned up initially. But we have not had any other ransomware event since this attack.
AS: What do you think are the main components of your data protection toolkit?
ML: We do several types of backups today, so if we end up with a compromised account, the other systems are protected. But when we talk about the components of data protection, it’s not just about the technology for making backups. Data protection requires a holistic approach. How do you protect your accounts? Do you have individuals with domain access rights? Do you use service accounts? How do you cycle these service accounts? Are you using privileged access management? Do you have privileged account management? Do you have two-factor authentication? When do you apply this?
AS: This makes perfect sense – you need to do the initial preparation and hygiene to make sure you're ready when an event occurs. It is important to have visibility and control, to reduce the attack surface and to be able to adapt, react and recover quickly.
ML: Exactly. And you need to know what data you have and where and why you need to protect it. If you have “gold gems” that should be protected differently from “pearls” then you need to have protection at these multiple levels and not necessarily mix up all of your saves.
In a holistic information security program, you must also understand that the edge of the network today is a flexible and malleable edge wherever your endpoints are located. It’s super critical.
AS: Do you think an organization can really do anything to protect itself from a malware infection or ransomware attack?
ML: We have really strong security, but we have to remember to stay vigilant. As strong as our program is, we must constantly improve it. Sometimes we see malware entering our environment because people are doing things that aren't smart, like clicking things that they shouldn't be. So you want to create and maintain a security-oriented DNA in the organizational culture.
AS: Is there anything you could have done differently before the ransomware attack?
ML: You can always look back and say, "If only we had known this was going to happen, maybe we would have had this protection." There hasn't been a lot in hindsight that I regret. But I'll throw this out: in the context of data protection, I think any architecture you develop should consider monitoring, recovery, and shared responsibility, so that you are protected against external and internal threats – since even trusted insiders can present a risk.
* Note: Quotes have been edited for readability and brevity.