"I think we're under attack." Something along these lines is often the first reaction to a cyber attack in a company. Whether it is a suspicious volume of traffic at the firewall, a conspicuous number of accesses from unknown IP addresses, often from the other side of the world, or a noticeable change in the performance of individual systems: cyber attacks take many forms and, above all, are rarely obvious. An attacker typically moves around the victim's internal network for weeks or months, gathering information and learning how the business operates, before launching the actual attack.
Attacks are frequently about extorting money by encrypting data (ransomware); this has become a billion-dollar industry. The attacker may also act for ideological reasons, to gain attention, or out of personal grievance. Another motive is spying on or harming competitors.
Backup - the last line of defense
Hardening operating systems, firewalls, anti-virus software and procuring specialized Security Information and Event Management (SIEM) solutions have long been the focus of IT managers' defense strategies. In recent years another IT application has been moving into the spotlight: (mostly centralized) data backup, known in the trade as backup or data protection.
Reasons for this are:
- Backups are the last line of defense when data is manipulated or encrypted.
- All of a company's relevant data is stored in the central data backup, often in unencrypted formats.
- If the attacker succeeds in destroying or manipulating the backup, the willingness to pay increases significantly in the case of an environment encrypted by ransomware.
In its report "Ransomware Threat Situation, Prevention & Response 2021," the German Federal Office for Information Security (BSI) describes the central importance of data backup in defending against ransomware attacks by saying, "A backup is the most important protective measure for ensuring data availability in the event of a ransomware incident."
Protect patient data effectively
Being able to respond rapidly to an attack by protecting and restoring key enterprise data and applications can be a matter of life and death in a hospital. Sensitive data is processed here, and its loss or disclosure can be particularly harmful. Several design principles and functions help to prevent this.
A modern data protection concept is based on the 3-2-1 rule: three copies of each file (the production data plus two backups), on two different media, one of which is kept where it cannot be reached or modified from the production network.
Three copies ensure fast availability and recovery of the data; the first backup copy is ideally kept very close to the production data, with further copies on logically separate systems that are used if the first backup copy is destroyed.
An offline copy is the last lifeline in case the backup servers themselves are successfully attacked and destroyed. Traditionally this copy is written to tape, and the tapes are kept in a safe place. Restoring from tape takes longer, but a tape that is not connected cannot be reached by an attacker on the network.

Resilient backup infrastructures
Building on this design is the concept of cyber resilience: backup systems are designed to withstand cyber attacks and to keep protecting the data while under attack. This resilience is achieved mainly through hardened, preconfigured and specialized backup servers (appliances) and through continuous monitoring of the performance and stability of those servers, with alarms raised on bottlenecks or error messages.
Another security measure is separation of duties: no single user holds administrative rights over both production and backup data, so nobody can accidentally or intentionally destroy primary data together with its backups.
Immutable storage systems have also been in use for several years. They follow the Write Once Read Many (WORM) approach: data can be written only once and is then unchangeable, permanently or for a defined retention period, and therefore protected against deletion. For patient data in particular, such as X-ray images and other diagnostic data, special storage appliances or cloud services are used that offer this functionality.
All these precautions ensure that the backup infrastructure is not compromised in the event of a cyber attack. But is that enough today? No, because reliable and fast recovery can only be guaranteed if all backed-up data is known to be free of malware and tampering, and if restores can be performed quickly and prioritized according to the importance of the affected systems.
Cyber Resilience through Modern Data Protection
Modern data protection solutions go one step further and offer ways to check the quality of the backup data itself, because the central question is: has my backup been affected by the attack, or is it "clean"? Only a clean backup makes a restore the right response to a cyber attack.
Conspicuous bit patterns, or a sudden sharp rise in backup volume together with a deteriorating deduplication or compression rate, can indicate that production data has been encrypted: encrypted data is incompressible and no longer deduplicates against earlier copies. The latest trend is to index and analyze backup data centrally, in a cloud, scanning it for known malicious bit patterns, file extensions and other anomalies and raising events when they are found.
Taken together, these measures provide a robust response to ransomware attacks, but they offer little protection against configuration errors, targeted tampering or software bugs within the backed-up data. Backups must therefore be restored regularly to verify that the backup data is free of errors; only such restore tests prove that the backup strategy is complete and the backup data is valid.
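The two indicators described above (a jump in backup volume with a collapsing deduplication/compression ratio, and file content that looks encrypted) can be checked with a few lines of code. The following is an added example written for this article; it is not the author's or any backup vendor's tooling. The run statistics, the thresholds, the suspicious-suffix list and the sample file contents are constructed assumptions for illustration.

```python
"""Ransomware indicators in backup statistics and backed-up files.

Added example for this article; not the author's or any backup vendor's code.
Thresholds and the suspicious-suffix list are illustrative assumptions;
all input data is constructed inline.
"""
import math
import random
import statistics
import zlib
from dataclasses import dataclass


@dataclass
class BackupRun:
    label: str
    size_bytes: int     # data read from the clients during this run
    stored_bytes: int   # what the backup target kept after dedup and compression


def reduction_ratio(run: BackupRun) -> float:
    """size / stored: 5.0 means 5:1 dedup+compression; ~1.0 means nothing could be reduced."""
    return run.size_bytes / max(1, run.stored_bytes)


def flag_runs(history, baseline_n=5, volume_factor=2.0, reduction_floor=0.5):
    """Compare each run with the median of the preceding baseline_n runs.

    Encrypted data is incompressible and dedups against nothing, so a ransomware
    pass shows up as much more data written AND a collapsed reduction ratio.
    Returns [(label, [reason, ...]), ...] for runs that breach a threshold.
    """
    findings = []
    for i in range(baseline_n, len(history)):
        base = history[i - baseline_n:i]
        base_size = statistics.median(r.size_bytes for r in base)
        base_red = statistics.median(reduction_ratio(r) for r in base)
        run = history[i]
        reasons = []
        if run.size_bytes > volume_factor * base_size:
            reasons.append(f"volume {run.size_bytes / base_size:.1f}x baseline")
        if reduction_ratio(run) < reduction_floor * base_red:
            reasons.append(f"reduction ratio {base_red:.1f} -> {reduction_ratio(run):.2f}")
        if reasons:
            findings.append((run.label, reasons))
    return findings


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Text and structured files sit clearly below 8; ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compression_ratio(data: bytes) -> float:
    """raw / zlib-compressed; random-looking (encrypted) data lands near or below 1.0."""
    return len(data) / max(1, len(zlib.compress(data, 6)))


# Illustrative suffixes only; a real deployment takes this list from threat intelligence.
SUSPICIOUS_SUFFIXES = (".locked", ".crypt", ".encrypted")


def classify_file(path: str, data: bytes, entropy_limit=7.5, ratio_limit=1.05) -> str:
    """'suspect' if the file name or the file content looks like ransomware output."""
    if path.lower().endswith(SUSPICIOUS_SUFFIXES):
        return "suspect"
    if shannon_entropy(data) > entropy_limit and compression_ratio(data) < ratio_limit:
        return "suspect"
    return "ok"


def synthetic_ciphertext(n: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted file (constructed)."""
    return random.Random(7).randbytes(n)


def sample_history():
    """Constructed: five normal nightly runs, then one in which the file server was encrypted."""
    gib = 1024 ** 3
    runs = [BackupRun(f"2022-02-{d:02d}", 100 * gib, 20 * gib) for d in range(14, 19)]
    runs.append(BackupRun("2022-02-19", 240 * gib, 235 * gib))
    return runs


if __name__ == "__main__":
    for label, reasons in flag_runs(sample_history()):
        print(label, "; ".join(reasons))
    text = b"Patient 0815, MRI head, 2022-02-17, findings unremarkable.\n" * 50
    print(classify_file("/share/report.txt", text),
          classify_file("/share/report.txt", synthetic_ciphertext()))
```

The volume check alone is noisy (a large data migration also doubles the backup), which is why the reduction ratio is checked as a second signal: legitimate growth still deduplicates and compresses, encrypted data does not.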
Best Practice for a Modern Data Protection Approach
With many hundreds or thousands of backup sources this cannot be done manually, so it must be automated.
One example is the continuous restore of virtual servers in a sealed-off environment (a clean room) to check that they start and are free of errors. The restored systems are then scanned for ransomware with an up-to-date virus scanner. If an infection is found, a security alert is triggered and the entire backup environment is analyzed for the same infection. Administrators get a simple visualization of its spread and a decision support tool to identify the best "clean" backups.
In this way dormant viruses and malware are found in backups even before they are activated, and the organization can be sure that its backups are clean and its defenses against ransomware are working.
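The workflow above (restore every point in a clean room, verify it, scan it, trace the spread across the backup chain and pick the best clean restore point) can be expressed as a small pipeline. The following is an added example written for this article, not the author's tooling or any vendor's product. The restore points, file contents, manifest and the "signature set" are constructed stand-ins; a real deployment would hand the restored disks to a virus scanner instead of comparing hashes against a hard-coded set.

```python
"""Clean-room restore verification and clean-backup selection.

Added example for this article; not the author's tooling or any vendor's product.
Restore points, file contents and the "signature" set are constructed inline.
"""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for an AV signature feed: hashes of known-bad file contents.
MALWARE_SAMPLE = b"constructed dropper payload - not real malware"
KNOWN_BAD_HASHES = {sha256(MALWARE_SAMPLE)}


@dataclass
class RestorePoint:
    vm: str
    taken: str        # ISO date of the backup
    files: dict       # path -> bytes as produced by the clean-room restore
    manifest: dict    # path -> sha256 recorded when the backup was written


def integrity_failures(rp: RestorePoint) -> list:
    """Paths whose restored content no longer matches the backup-time manifest
    (tampering in the backup store, or silent corruption)."""
    return sorted(p for p, h in rp.manifest.items()
                  if sha256(rp.files.get(p, b"")) != h)


def infected_files(rp: RestorePoint) -> list:
    """Paths whose content matches the signature set; finds dormant droppers as well."""
    return sorted(p for p, c in rp.files.items() if sha256(c) in KNOWN_BAD_HASHES)


def assess(rp: RestorePoint) -> tuple:
    """(status, details): 'infected' outranks 'tampered' outranks 'clean'."""
    bad = infected_files(rp)
    if bad:
        return "infected", bad
    broken = integrity_failures(rp)
    if broken:
        return "tampered", broken
    return "clean", []


def assess_chain(points: list) -> dict:
    """vm -> list of (taken, status, details), oldest first."""
    out = {}
    for rp in sorted(points, key=lambda p: (p.vm, p.taken)):
        status, details = assess(rp)
        out.setdefault(rp.vm, []).append((rp.taken, status, details))
    return out


def spread_report(results: dict) -> dict:
    """vm -> date of the first infected restore point (None if never infected)."""
    return {vm: next((t for t, s, _ in rows if s == "infected"), None)
            for vm, rows in results.items()}


def best_clean_point(rows: list):
    """Latest clean point that predates the first infected one.

    Points after the first detection are not trusted even if they scan clean:
    a dormant sample may simply not be covered by the current signatures.
    """
    first_infected = next((t for t, s, _ in rows if s == "infected"), None)
    candidates = [t for t, s, _ in rows
                  if s == "clean" and (first_infected is None or t < first_infected)]
    return max(candidates) if candidates else None


def build_sample_chain() -> list:
    """Constructed restore points for two hospital VMs over four nightly backups."""
    good = {"/data/record.txt": b"patient 0815 - MRI 2022-02-17"}
    manifest_good = {p: sha256(c) for p, c in good.items()}
    points = []
    for day in ("18", "19", "20", "21"):
        date = f"2022-02-{day}"
        files = dict(good)
        if day >= "20":   # a dropper sits in the PACS backups from the 20th on
            files["/tmp/.cache/update.exe"] = MALWARE_SAMPLE
        points.append(RestorePoint("pacs-01", date, files, manifest_good))
        files_db = dict(good)
        if day == "21":   # restored content differs from the manifest
            files_db["/data/record.txt"] = b"patient 0815 - MRI 2022-02-17 (modified)"
        points.append(RestorePoint("his-db-01", date, files_db, manifest_good))
    return points


if __name__ == "__main__":
    results = assess_chain(build_sample_chain())
    spread = spread_report(results)
    for vm, rows in results.items():
        print(vm, "first infected:", spread[vm], "restore from:", best_clean_point(rows))
```

Two design points matter in practice: the integrity check is independent of the malware scan, so a backup that was tampered with in the backup store is rejected even if no signature fires; and the selection rule deliberately refuses restore points that lie after the first detection, which is the conservative reading of "dormant malware may already be present".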
This article was published in IT-Sicherheit Spezial Krankenhäuser on 28.02.2022.