Data Guardians: The rise of secure storage solutions in healthcare
Editor’s note: This is the second of three articles, powered by CHIME Digital Health Insights and sponsored by Pure Storage, looking at the intersection of data storage and security for improved digital health operations.
Healthcare providers and payers hold ever-expanding vaults of data, from patient and operational records to financial and research information. This road of informational excess may lead to the palace of wisdom, but the palace is under heavy attack. While Chief Information Security Officers (CISOs) and IT professionals are constantly on guard against cyberattacks and data breaches, a new trend is emerging – the convergence of data storage and security.
As ransomware accelerates its march against healthcare organizations, it is forcing stronger ties between security and storage. This type of cyberattack targets data at rest, encrypting it to deny access and use, often under the threat of widespread data exposure if demands aren’t met. The data loss puts healthcare organizations’ operations and financial health at risk, not to mention the health and confidence of patients. Downtime is expensive, and recovery can be slow. Legal and regulatory fallout is an unwelcome addition to this cascade of consequences.
Storage solutions that offer not only backup and recovery benefits but also data resiliency and protection capabilities can provide CISOs and other IT leaders the security and continuity they need to safeguard data at rest and resume operations.
Why CISOs need more from storage providers: Built-in security
For years, healthcare organizations have relied on separate security solutions to safeguard their data. However, the growing sophistication of cyberattacks demands a more comprehensive approach. There are several reasons why CISOs should expect storage vendors to offer robust security features as an intrinsic part of their solutions.
Evolving Threat Landscape
Cybercriminals are becoming more sophisticated, targeting data at its source – storage systems.
In 2016, Hollywood Presbyterian Medical Center in California fell victim to a Lockbit ransomware attack that encrypted their electronic health records (EHRs) and other critical data stored on their servers. The attack disrupted critical operations, forcing the hospital to postpone surgeries and divert ambulances. The attackers demanded a ransom of 40 Bitcoins (around $17,000 USD at the time) to decrypt the data. The hospital ultimately paid the ransom to regain access to their systems, highlighting the disruptive impact such attacks can have on patient care.
Humana, a major health insurance company, fell victim to a cloud supply chain attack in 2020. Hackers infiltrated a third-party vendor, a business associate of Humana, and gained access to Humana’s cloud storage environment. They accessed patient data including names, addresses, dates of birth, and Social Security numbers.
By integrating security measures directly into storage solutions, vendors are providing a first line of defense against these evolving threats.
Regulatory Compliance
Healthcare organizations are subject to a multitude of regulations, including HIPAA and HITRUST, as well as possible state-level requirements. These regulations require covered entities (including payers and providers) to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). Secure storage solutions can simplify compliance by offering features that streamline data encryption, access control, and audit trails.
For instance, clean room backups are isolated copies of data stored in a separate environment with restricted access. This isolation can help protect PHI from unauthorized access and from ransomware attacks, which are a growing threat in healthcare.
Clean room backups typically involve strong encryption, which can help keep PHI confidential even if a breach occurs. Further, regular backups help ensure that data can be restored to a clean state in case of corruption or attacks. Finally, having readily available backups can minimize downtime in case of a system outage or disaster.
A secure storage solution/partner checklist
- Encryption at Rest and in Transit: Data should be encrypted at rest within the storage system and while in transit between devices and storage. Look for solutions that offer industry-standard encryption algorithms such as AES-256.
- Access Control (RBAC): Role-based access control (RBAC) ensures only authorized users have access to specific data sets. This minimizes the risk of unauthorized access and data breaches.
- Immutable Backups: Ransomware attacks often target backups. Immutable backups create unalterable copies of data, ensuring a clean version is available for recovery in case of an attack.
- Threat Detection and Prevention: Advanced storage solutions might offer built-in threat detection and prevention features, like anomaly detection and intrusion prevention systems. For instance, as cyber intruders attempt to encrypt stored data, they also look to delete snapshots. Pure Storage offers read-only immutable snapshots protected by SafeMode, which prevents tampering and makes the backup data copy available for recovery without paying ransom.
- Integration with Existing Security Infrastructure: A secure storage solution should seamlessly integrate with your existing security infrastructure – firewalls, intrusion detection systems, and security information and event management (SIEM) tools.
- Disaster Recovery and Business Continuity: Look for storage solutions that facilitate robust disaster recovery (DR) and business continuity (BC) plans. The partnership joining Pure Storage’s advanced, secure data storage technology with the business resilience and recovery prowess of Recovery Point Systems (RPS) is a prime example of Disaster Recovery as a Service (DRaaS). For more on recovery, check out article one of this series: From downtime to uptime: Mastering the art of digital healthcare recovery.
- Scalability and Flexibility: Healthcare data volumes are constantly growing. Secure storage solutions should scale efficiently to accommodate data growth without compromising performance. Look for vendors who prioritize fast data retrieval times and low latency to ensure smooth operation of critical healthcare applications.
- Vendor Expertise and Support: Partner with a storage vendor that possesses in-depth knowledge of healthcare data security regulations and compliance requirements. They should understand the unique security challenges faced by healthcare organizations and offer solutions tailored to these specific needs.
The convergence of storage and security represents a significant shift in the data protection landscape. By embracing secure storage solutions from these emerging data guardians, healthcare organizations can enhance data resiliency, strengthen compliance posture, and ultimately improve patient care by safeguarding sensitive information.
About Pure Storage
Pure Storage redefines the healthcare data storage experience and simplifies how healthcare organizations protect, consume and interact with data. Pure powers EHRs, enterprise imaging, back-office systems, and more with secure storage that transforms data into value, providing quicker insights for better patient care.