Ransomware attacks in the healthcare space continue to increase. While healthcare payers can’t prevent an attack, they can take steps to protect themselves by focusing on detection, protection, and defense.


For this blog on ransomware and healthcare payers at risk of it, Catherine Sweeney, Senior Account Based Marketing Manager at Pure Storage, spoke with Priscilla Sandberg, Pure Storage’s Senior Strategic Healthcare Alliances Manager.  

Catherine: I’m talking today with Priscilla Sandberg, Pure healthcare alliances manager who covers the healthcare payer landscape. Priscilla, we are still seeing a rise in the number of ransomware attacks in the healthcare space. The Chief Healthcare Executive journal reported that 2023 was the worst year ever for cyberattacks aimed at healthcare organizations, with about 500 hacks reported, affecting over 106 million individuals. What’s the Pure perspective on that? 

Priscilla: You’re right. Unfortunately, even the most sophisticated organizations that deploy comprehensive hardware and software solutions are vulnerable. There is no way to 100% protect your organization. And for healthcare organizations, this is especially troubling because there are literally lives at stake. If a ransomware event happens, payer organizations can’t process authorizations, check eligibility for benefits, and often cannot connect with their providers or members.

Catherine: Wow, that’s really scary to think about. If an attack is essentially imminent for a payer, what should organizations focus on?

Priscilla: You’re right, you can’t prevent it, that is just a fact. What payer organizations should do is focus on what we consider the three top issues: detection, protection, and response. Pure and our partners play an essential part in developing a modern, tiered resilience architecture that healthcare payers can easily configure and deploy. Additionally, we have several key components to help to support rapid data and system recovery.

Catherine: Let’s talk about detection. What does that look like from a Pure perspective?

Priscilla: We’ve met with several CIOs across all different areas of healthcare. And while they love our immutable snapshots, which I’ll explain in a minute, they were looking for more of an integrated solution that helps both the storage administrators as well as the CISO detect threats before they become real issues. That’s why we partnered with Fortinet. By integrating Pure Storage products with Fortinet FortiSOAR, security-related storage events can be brought to the attention of the security operations center (SOC).

For example, if Fortinet detects that an unauthorized user is trying to eradicate a snapshot, the notice can be sent directly to the SOC team. This allows the investigation to start immediately and identify the threat before the attackers are able to compromise the system. Having the software to monitor your infrastructure along with software-defined storage protection is the most comprehensive solution. 

Also, Pure has developed a tool that customers can use to ensure they are meeting best practices for protecting their array. As part of Pure1® cloud management, users can access a Data Protection Assessment to verify protection parameters. For example, the Assessment Report will verify that you have at least one snapshot taken per day with a seven-day retention, check that data is replicated to another array protected by SafeMode™ snapshots, and verify at least 80% of the objects such as volumes on the array are protected.

Catherine: Tell me more about SafeMode snapshots and what role they play in ransomware recovery.

Priscilla: Every Pure array is configured to support a feature we call SafeMode. SafeMode provides an immutable copy of data that cannot be deleted unless the authorized personnel at a customer site call Pure directly. That means that even in the case of an attack and even if your storage credentials are compromised, your SafeMode snapshots will still be available to you. But what we’ve found is that when sites get attacked, investigators almost always lock down the infrastructure so they can do an investigation. So now what do you do? You have your snapshots ready to be restored, but you don’t have access to the infrastructure.

Catherine: OK, so Pure allows you to restore, but the question is where do you restore to?

Priscilla: Exactly. For payers, the most important thing to do is get your production systems back up. What we have been seeing in the industry is that once a site gets attacked, insurance companies send in investigators to determine the cause of the problem. Even in cases where the issue may be readily identified, insurance investigators may take days and even weeks before they release the system back to the client. The solution we’ve designed for healthcare is a first-of-its-kind ransomware recovery SLA for Evergreen//One™, our storage-as-a-service (STaaS) offering, guaranteeing a clean storage environment following an attack. 

Within 24 hours of the report of the attack, Pure will ship clean arrays, including a recovery plan, a data transfer rate, and bundled professional services. This allows our customers to speed the recovery process by having a place to recover to, along with augmented staff when you need it most. 

Catherine: So how would a healthcare payer start implementing the best practices we just discussed?

Priscilla: While all payers are in the same boat as it relates to ransomware threats, each site we work with has unique infrastructure configuration needs. What we do is take a customized approach with each organization. Determining RTO requirements, existing partners and infrastructure they currently have deployed, and what their future business goals and outcomes will be, we provide a tailored solution for each customer. Pure has an advantage because we know healthcare. We have a dedicated team here at Pure that works with each of our customers to ensure they are meeting state and federal requirements as well as meeting the expectations of their patients, clinicians, and security teams.  

Catherine: Thank you, Priscilla, that was a very informative discussion. 

For an in-depth discussion of how healthcare payers can prepare for ransomware attacks, register for our webinar on May 28, 2024: “Resisting Healthcare Ransomware: Strategies for Payers and Providers.” Priscilla Sandberg is joined by Andy Stone, Field CTO Americas for Pure Storage, and Jon Kimmerle, Senior Manager Healthcare Strategic Alliances, Pure Storage.