How Healthcare Providers Can Immunize Against Ransomware With Immutability


A recent listing of the ten biggest healthcare data breaches of 2021 in Healthcare IT News notes that, for breaches reported to the federal government, more than 40 million patient records were affected. The list of victims is diverse, from patient providers to ancillary healthcare services.

For example, Florida Healthy Kids Corporation—which offers child-centric comprehensive health services to children ages 5 through 18 who are not Medicaid-eligible—saw 3.5 million patients’ personal information exposed. Practice management vendor Practicefirst said hackers attempting to deploy ransomware had copied files from its system that contained patient and employee personally identifiable information (PII). And St. Joseph’s/Candler, the leading health system in Savannah, Georgia, saw more than 1.4 million patient records compromised by a ransomware attack.

IBM’s Cost of a Data Breach Report 2021 reaffirms why everyone in healthcare needs to take a close look at their cybersecurity and ransomware protection now: Healthcare organizations experienced the highest average cost of a data breach of any industry this year—for the eleventh year in a row—at an average total cost of $9.23 million per incident.

Start With Prevention

While there is no way to prevent every cyber attack with certainty, there are some basic steps that every healthcare organization should take to be sure they are doing everything possible to protect their data and patient records. The National Institute of Standards and Technology (NIST) offers these tips and tactics for preparing your organization for breaches and ransomware attacks:

  • Use antivirus software at all times and make sure it automatically scans your emails and removable media for ransomware and other malware
  • Keep all computer and device software patched and up-to-date
  • Use security products that block access to known internet ransomware sites
  • Configure operating systems or use third-party software to allow only authorized applications to run on computers
  • Restrict or prohibit the use of personally owned devices
  • Limit admin privileges and restrict the use of personal applications, email, chat, and social media on work computers
  • Educate users to spot social engineering schemes like phishing, so they avoid clicking on malicious links or downloading infected files

Follow Best Practices for Backups

Every industry—including healthcare—should add next-level data protection by following IDC’s new 3-2-1-1 rule. The rule is your best bet for ensuring recovery from any disaster, including a successful ransomware attack. The rules say:

  • Keep 3 copies of your data (one primary and two backups)
  • Store 2 copies locally on two formats (NAS, tape, or local drive)
  • Store 1 copy offsite in the cloud or secure storage
  • Convert 1 copy to immutable storage

Immutability Is the Key to Immunization

Immutability is the new addition to the old 3-2-1 backup rule. But it is by far the most critical element because recovery may not be possible if your backups are compromised. Immutability is when your data is converted to a write-once, read many times format that can’t be altered or deleted. Unlike data encryption, there is no key, so there should be no way to “read” or reverse the immutability.

In the 3-2-1-1 Executive Brief, IDC also notes that when paired with other data protection solutions—like continuous data protection, which can capture data on each write at very short intervals measured in seconds—that store data in immutable form, organizations with the right technology and good restore and recovery practices can access their unaltered data within minutes of a ransomware attack.

Get the Facts

It’s time to immunize your organization against ransomware and other cyberattacks. To find out your options, contact us, or learn more by watching one of our on-demand demos.