3-step ransomware recovery strategy for healthcare organizations


George Crump, CMO of StorONE

At some point, there is a good chance that ransomware will pierce the defenses you have put in place around your healthcare organization. When this happens, your healthcare organization needs a ransomware recovery strategy, one that will also improve your regular backup and recovery processes. Below is a three-step program to make sure you can recover from an attack.

Step 1: Frequent backups

Ransomware, unlike other disasters, can strike anywhere. No data center is safe. It can also hit at any time, without warning. Traditional nightly backups can result in the loss of eight hours or more of data. The first step in a ransomware recovery strategy is to increase the frequency of backups for all data. Modern backup server software allows you to run backups more often by using block-level incremental (BLI) backups, which significantly reduce the backup transfer payload. Unfortunately, legacy backup storage targets cannot handle the IO load of hundreds of virtual machines or applications sending BLI backups simultaneously. The backup storage target becomes the bottleneck, forcing IT to select only a few VMs or applications for this level of protection. A modern solution must provide the performance to ingest hundreds of simultaneous BLI backups while keeping costs low.

Some vendors offer an all-flash backup device. While an all-flash backup device solves the ingest performance problem for the time being, it significantly increases the cost of the backup infrastructure. Despite claims by these vendors that flash is reaching price parity with hard disk drives (HDDs), the reality is that hard drives continue to enjoy a 10x price advantage over flash drives. However, that price advantage is only realized if the backup storage target can properly support high-density hard disks (16 TB, 18 TB, 20 TB) without forcing the organization to suffer week-long media failure recovery (RAID rebuild) times.

A modern backup solution must combine hard disk and flash drives to create a flash-first backup device. Maintaining this balance requires using high-density flash drives and extracting the maximum performance from them, allowing the solution to quickly ingest hundreds of BLI backups, keep them on flash for weeks, and automatically move them to a cost-effective hard disk tier as the backup data ages.

Step 2: Backup immutability

Backup data is as vulnerable to a ransomware attack as any other dataset, potentially more so because malicious actors now specifically look for the backup dataset first. In addition, many healthcare organizations go against best practices and mount their backup storage repositories as an SMB mount point. Backup server software does an excellent job of detecting ransomware, but the backup storage itself should protect the backup data from an attack. The answer is immutability. The backup storage target needs to store each backup job in an immutable state and be able to return to any version of the backup data, not just the latest one.

Again, some vendors offer immutable backup storage, but most of them are object storage vendors that take advantage of the immutable nature of the protocol. This protocol inflexibility requires healthcare organizations to switch from mounting their backup storage over SMB, NFS, or iSCSI to the new protocol. Object storage is also not known for high performance, so it will not keep pace with the high-performance ingest requirement of the first step, potentially forcing the organization to run two backup storage targets for its ransomware recovery strategy.

A modern backup storage target must provide 100% immutability of each backup job and be able to go back in time to any version of those backup jobs. Given the sophistication of recent ransomware attacks, the ability to roll back should span months and even a year. Immutability must be available across all protocols, not just object storage, so that the healthcare organization can keep its current protocol preference, even if it is SMB. The modern backup storage target should also provide its immutability without any impact on performance, regardless of how deep the immutable backup history is, so that it can continue to meet the requirements of the first step.

Step 3: True Instant Recovery

Once ransomware infects an organization, IT is in a race against time. IT needs to determine what part of the dataset the malware has infected, identify the uninfected backup data, retrieve that data, verify it again, and bring the applications back online. Even under ideal circumstances, the process will take some time.

The good news is that state-of-the-art backup server software can instantiate a virtual machine's or application's data directly on the backup storage device, saving network transfer time. The process is often called instant recovery. Some backup server software solutions even scan the data instances before making them available.

The first two steps are critical to making instant recovery useful for ransomware recovery. First, you need a recent copy of the data from before the attack to avoid losing several hours or even days of new and modified data. Second, IT needs to be confident that it can access backup versions that are immune to the attack.
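The selection logic these two conditions imply, as an added example that is not from the original article or from any backup product: for each VM, pick the newest restore point that was taken before the compromise, is held immutably, and passed the pre-release scan, then report the resulting data-loss window. The catalogue fields, VM names, timestamps and the estimated compromise time are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class RestorePoint:
    vm: str
    taken_at: datetime
    immutable: bool   # held on storage that cannot be altered after the job completes
    scan_clean: bool  # verdict of the malware scan run on the mounted instance


def pick_restore_point(points: Iterable[RestorePoint], vm: str,
                       compromised_at: datetime) -> Optional[RestorePoint]:
    """Newest immutable, scan-clean restore point taken before the compromise."""
    candidates = [p for p in points
                  if p.vm == vm and p.immutable and p.scan_clean
                  and p.taken_at < compromised_at]
    return max(candidates, key=lambda p: p.taken_at, default=None)


def data_loss_window(point: Optional[RestorePoint],
                     compromised_at: datetime) -> Optional[timedelta]:
    """Work lost by restoring `point`; None means no trustworthy copy exists."""
    return None if point is None else compromised_at - point.taken_at


# Constructed sample data (hypothetical VM names and times).
COMPROMISED_AT = datetime(2024, 3, 5, 14, 20)  # assumed estimate from the investigation
CATALOGUE = [
    RestorePoint("ehr-db", datetime(2024, 3, 4, 22, 0), True, True),    # nightly
    RestorePoint("ehr-db", datetime(2024, 3, 5, 13, 0), True, True),    # hourly BLI
    RestorePoint("ehr-db", datetime(2024, 3, 5, 14, 0), False, True),   # mutable copy, not trusted
    RestorePoint("ehr-db", datetime(2024, 3, 5, 15, 0), True, False),   # post-compromise, scan failed
    RestorePoint("pacs", datetime(2024, 3, 4, 22, 0), True, True),      # nightly only
]

if __name__ == "__main__":
    for vm in ("ehr-db", "pacs", "lab-lis"):
        point = pick_restore_point(CATALOGUE, vm, COMPROMISED_AT)
        print(vm, point.taken_at if point else "no usable copy",
              data_loss_window(point, COMPROMISED_AT))
```

With this sample, the VM protected by hourly BLI backups loses 1 hour 20 minutes of data, while the VM protected only by the nightly job loses more than 16 hours.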

The third and most critical element is to ensure that IT can get users and applications back up and running quickly. In theory, features like instant recovery should help; the problem is, again, the backup storage target. Legacy backup storage delivers performance so much slower than its production equivalents that it is unusable. In addition, its low performance slows down the inspection process that ensures there is no malware in the recovered data.

A modern backup storage target needs to once again take advantage of its flash tier to solve this problem. The flash tier should extract the maximum performance from eight to twelve flash drives. If it can, the flash tier will provide the performance that the backup server software needs to quickly validate the data and make it available directly to production virtual machines or applications.

The modern backup storage target must also provide high availability and enterprise-class data protection so that IT gains the benefit of time. The IT team can then take its time to make sure that it has removed the malware from the entire infrastructure before it begins moving the dataset back to its original location. This benefit of complete malware eradication is only possible if the modern backup storage target can provide a production-class environment in which to host the healthcare organization's data while this eradication is underway.

About George Crump

George Crump has over 25 years of experience in the storage industry, holding executive sales and engineering positions. Before joining StorONE, he was the founder and chief analyst of Storage Switzerland.
