Attempting to immunize healthcare customers against cyberattacks, StorageCraft introduced a bundle of products and services optimized for hospitals and medium-sized healthcare practices.
StorageCraft for Healthcare packages the vendor’s OneXafe appliance, integrated data protection software and cloud-based disaster recovery as a service, priced at $63,248 for 120 TB of capacity. None of the components are new — the same versions of StorageCraft backup hardware and software are available piecemeal and to nonhealthcare customers.
However, the bundle of StorageCraft backup and object storage can give healthcare organizations fast data recovery in case of an attack.
Shridar Subramanian, StorageCraft vice president of product management and marketing, said IT in the healthcare industry has a unique set of security challenges different from other segments such as education or finance. He pointed to statistics from insurance company Beazley that show healthcare firms file more ransomware claims than any other industry.
“They’re underserved in terms of the technology that they deploy, and it’s more than just backup. It’s data management and data protection as well,” Subramanian said.
He said StorageCraft is selling its bundle for healthcare through channel partners.
StorageCraft created bundles of its products last year targeting educational institutions.
Subramanian clarified that the StorageCraft backup and recovery tools do not prevent ransomware, which often gets through by exploiting human vulnerabilities rather than technological weaknesses. Instead, StorageCraft for Healthcare allows for a quick recovery to clean files.
“We do not actively prevent ransomware,” Subramanian said. “What we are about is being able to recover after the fact so that you have the data immediately and the whole healthcare organization does not stumble.”
Complex challenges for healthcare IT
Steven Hill, senior analyst at 451 Research, said healthcare organizations make tempting targets for ransomware attacks compared to other verticals because of an added layer of urgency.
Patient data locked behind unauthorized encryption from ransomware potentially creates a matter of life and death, and raises the likelihood that the ransom gets paid.
“The criminals behind ransomware don’t really care who they target,” Hill said. “All they want is fast money, which makes healthcare a desirable target because of the relative urgency involved in recovering that data. Healthcare is a target that offers both a large potential pool of non-IT users to exploit and data that’s extremely important.”
Hill said it doesn’t help that hospitals often invest less in IT security than other industries that make rich ransomware targets, such as financial services.
George Crump, president of IT analyst firm Storage Switzerland, said healthcare organizations are also vulnerable due to medical devices. Crump said medical devices often come with their own computers, running hardware and software separate from the rest of a hospital’s IT infrastructure, while needing to connect to it all the same.
“These things are horribly maintained,” Crump said of the computers attached to medical devices. “The vendor is not an IT company, they’re an MRI company or whatever.
“So what I see happening in most cases is that infiltration happens on those compromised systems, not on the core IT systems. IT couldn’t touch those systems even if they wanted to. And unplugging a high-end medical device from your network and prohibiting the doctors from doing their job is equally unattractive.”
This particular vulnerability could be blocked if hospitals refused to buy medical devices that don’t meet their IT teams’ security guidelines, or if the vendors of these devices were responsible for keeping their systems upgraded. However, Crump expressed doubts that either of these situations would ever happen.
And although Crump agreed the healthcare sector is a juicy ransomware target, he also warned that Beazley’s breach numbers may be inflated for healthcare. Crump and Hill pointed out that healthcare organizations are obligated to publicly report cyberattacks, while other industries (barring finance) are not subject to such strict reporting regulations.