Lessons Learned from the UnitedHealth Ransomware Attack on Backup Security

November 20, 2024

The ransomware attack on UnitedHealth's Change Healthcare unit in February 2024 has yielded critical lessons about backup security in the healthcare industry. In its repercussions the incident is comparable to the Colonial Pipeline attack: it prompted congressional testimony, extensive lawmaker scrutiny, and the possibility of new legislation. UnitedHealth paid a ransom of $22 million and still rebuilt the affected systems from the ground up rather than trust the decrypted files. In testimony, UnitedHealth CEO Andrew Witty acknowledged shortcomings in the company's backup strategy, including the absence of network segmentation or an infrastructure gap between the backups and the rest of the environment. As a result, the attackers were able to lock the backups as well, removing the most direct recovery path from the initial attack. The incident underscores the need for backup security measures that keep at least one recovery path out of an intruder's reach.

The Role of Backups in Cybersecurity

Backups have become a prime target for cybercriminals, and ransomware has pushed secure backup and recovery back to the top of IT agendas. In the past, Chief Information Security Officers (CISOs) often overlooked the security of their backups; that is no longer sustainable in the current threat landscape. A significant share of ransomware incidents now includes a deliberate effort to find and compromise the backup environment. Groups such as BlackCat (ALPHV), Akira, LockBit and Phobos have been observed locating and disabling backup systems early in an intrusion, before the production encryption phase begins. The rationale is clear: an organization that cannot restore from backups is far more likely to pay the ransom.

This evolving threat has compelled organizations to scrutinize their backup and recovery protocols. Ensuring the integrity and availability of backup data against sophisticated attacks is now a primary concern. The UnitedHealth attack is a stark reminder of what neglecting backup security costs: even a partial compromise imposed weeks of operational disruption and a large financial burden. IT infrastructure and security teams therefore need to refocus on identifying and mitigating weaknesses in backup and recovery systems. Secure backup practices are no longer merely a best practice; they are a critical element of an organization's security posture.

Strategies to Secure Backups

1. Network Segmentation and Air-Gapped Backup

In the UnitedHealth attack, the lack of network segmentation and air-gapped backups was a significant weakness. Network segmentation divides a network into smaller zones, with traffic between zones restricted by firewall policy, so that an intruder in one zone cannot freely reach the others. Air-gapping isolates a backup copy from the network-connected environment, either physically (offline media) or logically (a copy that production hosts and production credentials cannot reach at all). By keeping backup data off the paths an attacker can take from a compromised production host, organizations preserve a recovery path that is not exposed to the attack vectors used against the primary infrastructure. The practical point is direction: the backup infrastructure connects into production to pull data, nothing in production should be able to initiate a connection to the backup segment, and the accounts that administer production should not be able to administer the backups.

Segmentation and air-gapping also add a layer of defense against more sophisticated attacks: they shrink the attack surface and hinder an intruder who already has a foothold from reaching and encrypting backup files. Since the attackers in the UnitedHealth incident were able to lock the company's entire backup system, a properly isolated backup copy would have provided a critical defensive barrier and kept a secured copy available for restoration. No isolation scheme is a guarantee, though: a gapped copy only counts as a reserve if restores from it are tested regularly and if the isolation holds against the credentials an attacker is likely to have stolen.
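The directional check described above, as an added example that is not part of the original article and not code from any product it mentions. It models a first-match firewall policy and verifies that no production host can initiate a connection into the backup segment while the backup server can still pull from production. The addresses (10.10.0.0/16 for production, 10.50.0.0/24 for the backup segment, 10.50.0.10 for the backup server), the ports and both rule sets are constructed for illustration; the "flat" rule set is the weak configuration, the "segmented" one is the corrected configuration.

```python
"""Verify backup-segment isolation against a first-match firewall policy.

Added example (not from the article, not StorageGuard's code). Rules are
(src_cidr, dst_cidr, dst_port, action); "any" matches every port and a flow
that matches no rule is denied.
"""
from ipaddress import ip_address, ip_network

ANY = "any"

# Constructed "before" policy: the backup VLAN is reachable from all of prod.
FLAT_RULES = [
    ("10.10.0.0/16", "10.50.0.0/24", ANY, "allow"),   # prod -> backup, every port (weak)
    ("10.50.0.0/24", "10.10.0.0/16", ANY, "allow"),   # backup -> prod
]

# Constructed "after" policy: pull model. Only the backup server opens
# connections, and prod can never initiate anything toward the backup VLAN.
SEGMENTED_RULES = [
    ("10.50.0.10/32", "10.10.0.0/16", 445, "allow"),   # backup server pulls SMB shares
    ("10.50.0.10/32", "10.10.0.0/16", 5985, "allow"),  # backup server drives agents (WinRM)
    ("10.10.0.0/16", "10.50.0.0/24", ANY, "deny"),     # prod never initiates to backup
]

# Constructed hosts and the ports an intruder would try first.
PROD_HOSTS = ["10.10.3.7", "10.10.200.4"]
BACKUP_HOSTS = ["10.50.0.10"]
PROBE_PORTS = [22, 443, 445, 3389]


def evaluate(rules, src, dst, port):
    """Return 'allow' or 'deny' for one flow; first matching rule wins."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port, action in rules:
        if (s in ip_network(rule_src) and d in ip_network(rule_dst)
                and (rule_port == ANY or rule_port == port)):
            return action
    return "deny"  # implicit default deny


def backup_isolation_violations(rules, prod_hosts, backup_hosts, ports):
    """Every (prod_host, backup_host, port) that a prod host could open."""
    return [(p, b, port)
            for p in prod_hosts for b in backup_hosts for port in ports
            if evaluate(rules, p, b, port) == "allow"]


def pull_path_ok(rules, backup_server, prod_hosts, port):
    """True if the backup server can still reach every prod host on `port`."""
    return all(evaluate(rules, backup_server, h, port) == "allow" for h in prod_hosts)


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        bad = backup_isolation_violations(rules, PROD_HOSTS, BACKUP_HOSTS, PROBE_PORTS)
        print(f"{name}: {len(bad)} prod->backup paths open, "
              f"pull over 445 works: {pull_path_ok(rules, '10.50.0.10', PROD_HOSTS, 445)}")
```

Run against the flat policy the checker reports eight open paths (two prod hosts times four ports); against the segmented policy it reports none while the pull path over 445 still works. The same evaluator can be fed an exported rule base instead of the constructed lists, which is how a practitioner would turn "the backups are segmented" from an assumption into something checked on every firewall change.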

2. Multi-Factor Authentication (MFA) and Administrative Controls

The absence of MFA played a pivotal role in the UnitedHealth attack: the attackers used stolen credentials to log in to a Citrix remote-access portal that did not require a second factor. Multi-factor authentication requires users to present more than one form of credential, so a stolen password alone is not enough to gain access. For backup systems this matters twice over, because the backup console and the repository credentials are exactly what a ransomware operator looks for once inside. Tools such as StorageGuard can audit whether MFA is actually enforced across all backup systems, so that the control is consistently applied rather than assumed.

Restricting administrative privileges is another vital aspect of backup security, because backup administrator accounts are the primary target for attackers seeking to alter retention, delete repositories or disable backup jobs. Limit administrative access to the personnel who need it, keep backup administration separate from production domain administration, and require strong authentication for every privileged session. A two-person rule for critical backup changes, such as deleting a repository or shortening retention, ensures that no single account (and therefore no single stolen credential) can unilaterally destroy the recovery path. Together, MFA and tightly scoped administrative controls substantially raise the cost of compromising backup systems.
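The MFA audit and the two-person rule from the two paragraphs above, as an added example that is not part of the original article and not StorageGuard's code. The account records, role names (backup_admin, operator, auditor), the list of destructive actions and the change requests are all constructed for illustration; a real deployment would read accounts from the backup console's API or directory and tie each approval to a specific change ticket.

```python
"""MFA audit of privileged backup accounts plus a two-person rule for
destructive backup changes. Added example; all data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    role: str          # "backup_admin", "operator" or "auditor" (assumed roles)
    mfa_enforced: bool


# Actions that shrink or destroy the recovery path; these need two admins.
DESTRUCTIVE_ACTIONS = {
    "delete_repository", "shorten_retention", "disable_immutability",
    "remove_offsite_copy", "rotate_repository_key",
}

# Constructed account inventory of a backup console.
ACCOUNTS = [
    Account("alice", "backup_admin", mfa_enforced=True),
    Account("bob", "backup_admin", mfa_enforced=True),
    Account("carol", "backup_admin", mfa_enforced=False),          # gap
    Account("dave", "operator", mfa_enforced=True),
    Account("svc-backup-legacy", "backup_admin", mfa_enforced=False),  # gap
]


def mfa_gaps(accounts):
    """Names of privileged accounts that can still log in with a password alone."""
    return sorted(a.name for a in accounts
                  if a.role == "backup_admin" and not a.mfa_enforced)


def authorize_change(action, requester, approvers, accounts):
    """Return (allowed, reasons).

    Non-destructive actions: requester must be an operator or admin with MFA.
    Destructive actions: requester must be an MFA-enforced admin AND at least
    one approver who is a different MFA-enforced admin must sign off.
    """
    by_name = {a.name: a for a in accounts}
    reasons = []
    destructive = action in DESTRUCTIVE_ACTIONS
    allowed_roles = {"backup_admin"} if destructive else {"backup_admin", "operator"}

    def eligible(name):
        acct = by_name.get(name)
        if acct is None:
            reasons.append(f"{name}: unknown account")
            return False
        if acct.role not in allowed_roles:
            reasons.append(f"{name}: role '{acct.role}' cannot perform {action}")
            return False
        if not acct.mfa_enforced:
            reasons.append(f"{name}: MFA not enforced")
            return False
        return True

    requester_ok = eligible(requester)
    if not destructive:
        return requester_ok, reasons

    # Two-person rule: self-approval never counts, duplicates collapse.
    seconds = [a for a in dict.fromkeys(approvers) if a != requester]
    if not seconds:
        reasons.append("two-person rule: needs an approver other than the requester")
        return False, reasons
    second_ok = [eligible(a) for a in seconds]   # record every rejected approver
    return requester_ok and any(second_ok), reasons


if __name__ == "__main__":
    print("admins without MFA:", mfa_gaps(ACCOUNTS))
    for req in [("shorten_retention", "alice", ["alice"]),
                ("shorten_retention", "alice", ["carol"]),
                ("shorten_retention", "alice", ["bob"])]:
        print(req, "->", authorize_change(*req, ACCOUNTS))
```

The audit lists carol and the legacy service account as admins still reachable with a password alone, which is the kind of finding that turns a stolen credential into a locked backup. The authorization check rejects a retention change that alice approves for herself, rejects one countersigned by an admin without MFA, and accepts one countersigned by bob; the reasons list is what an auditor wants logged alongside every refused change.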

Conclusion: Strengthening Backup Security

The UnitedHealth attack exposed two failures that reinforced each other: backups that lived on the same flat network as production, and privileged access that could be exercised with stolen credentials alone. Segmentation and air-gapping keep a recovery copy out of reach of malware that has taken over the production segment; MFA and tightly controlled, two-person administrative access keep that copy out of reach of an attacker holding a stolen password. Neither measure is sufficient on its own, and both need regular restore testing to prove that the reserve is actually usable.

Organizations that put these controls in place retain a recovery path even after an attack succeeds elsewhere, which is precisely what UnitedHealth lacked. That recovery path, not the ransom payment, is what turns a ransomware incident from an existential event into an outage with a known end date.
