Superintendents and other organizational leadership might wonder why county and city governments, including agencies right here in Ohio, continue to be hit with ransomware. Weren’t these victims backing up their data?
While most organizations have a backup, many organizations fail to implement all the best practices necessary to ensure a rapid recovery from a ransomware attack:
- Data Criticality Analysis: A data criticality analysis is a comprehensive assessment of the data used by the organization with a ranking based on criticality. As an example, data can be ranked as “critical”, “important”, or “not important”. A frequently overlooked fact is that many organizations use cloud systems (e.g., Microsoft 365, Brittco, or Intellinetics) for critical or important data, and fail to understand the vendor’s practices. Many organizations will choose to do their own backup of cloud systems such as Microsoft 365 or Brittco.
- Protection from Malicious Deletion: A common part of the “playbook” for a ransomware attack is to locate the backup and delete it. If your IT administrator can access the backup remotely, so can an attacker. To counter the threat of malicious deletion, backup vendors have recently invented multiple protections. One is the “immutable” backup. For example, an IT administrator will configure a cloud backup with a retention period of, let’s say, 60 days. The backup software will not permit this backup to be removed until the 60 days have expired.
- Protection of the Backup Server: For agencies that perform backup in-house (as opposed to on the cloud), the server which operates the backup should be protected. At its best, protection is multi-faceted. This includes:
  - Hardening the backup server
  - Isolation of the server (i.e. it is not part of the “domain”)
  - A separate password for the backup server
- Recovery Testing: The most frequently omitted step is recovery testing. It is omitted because it can be difficult and expensive, depending on the network design. The best practice is to have a disaster recovery plan with “playbooks” for recovery based on different failure scenarios. The disaster recovery plan is then tested to ensure that it works properly.
HIPAA requires a data criticality analysis, data backup, and recovery testing. A thorough risk assessment (also required by HIPAA) will dig into the details of the organization’s backup/recovery regimen, identify any deficiencies, and include recommendations for improvement. If it has been more than 3 years since a “thorough and accurate” risk assessment has been done, this should be prioritized. Not only is it required by HIPAA, it also makes good business sense.
We should also mention that a risk assessment will identify and recommend best practices to avoid the ransomware attack in the first place. These practices include security awareness training, multi-factor authentication, security patching, secure configuration, and more.
Eagle Consulting offers a comprehensive array of HIPAA-related services including the risk assessment and disaster recovery planning. For additional information, please reach out at https://eagleconsultingpartners.com/contact-us/