Over the past 12-plus months, the pandemic has taken its toll on everyone. But, even amid all of the uncertainty, there’s a silver lining: vaccinations. The second the FDA authorized the Pfizer vaccine for immediate distribution, a light at the end of the tunnel appeared. And, before we knew it, Moderna was approved, and healthcare workers, those with pre-existing conditions, and now, everyone else have become eligible. As a result, people have rushed to buy plane tickets and book hotels to take their long-overdue vacations. How do airlines and the rest of the travel industry confirm guests have been vaccinated and aren’t a risk to others?
Some organizations, like the IATA and Singapore Airlines, have started to explore a ‘travel pass’ that would prove vaccination status and a negative COVID-19 test. But, given the sensitive nature of health-related data, launching a digital service like this raises questions around privacy and data protection. Not to mention, cyberattacks on the healthcare sector have increased by 580% since the start of the pandemic, and vaccine passports could be the next target for cybercriminals. With sensitive health data on the line, IT teams need to be mindful of data protection and privacy when designing future vaccine passport services and create a business continuity and disaster recovery (BCDR) plan that takes actionable steps to protect data.
Determine your course of action
Cyberattacks on the healthcare sector have risen exponentially since the start of the pandemic, with 50% of healthcare CISOs facing cyberattacks focused on destroying data. If vaccine passport data enters the mix, we’ll likely see that number increase. If organizations offering these services want to stand a chance against cybercriminals stealing and encrypting sensitive health data, they need to prepare. An excellent first step is understanding the organization’s level of risk and identifying security gaps. This means conducting regular vulnerability and risk assessments that factor in every business unit and work to identify, catalog, and tier systems and applications based on their criticality to the business.
Just conducting a risk assessment isn’t enough; IT leaders must push their team to take action based on the results. After all, risk assessments are designed to determine the best course of action for an IT team’s environment, uptime needs, and budget concerns, so they must actually be used to inform decision making. For instance, if a team finds no redundancy in their IT environment, it’s in their best interest to invest in an off-premises backup solution to solve that issue. Often, organizations opt for a hybrid or multi-cloud model to do this. Similar problem-solving approaches must be applied to other gaps that are identified during assessments.
Building an informed BCDR plan
So, you’ve performed your risk assessment, but now what? It’s time to build an informed business continuity and disaster recovery (BCDR) plan to minimize risk, and that plan centers on data backups. It’s crucial to have access to a remote backup system, like the cloud, that ensures all data is backed up and accessible in case of an attack. Having backup copies of data before a ransomware attack occurs allows IT teams to restore systems and data to a known-good state quickly. However, your recovery plan shouldn’t rely solely on cloud backup, because it also needs to protect against new ransomware strains that target backup files. The traditional 3-2-1 backup strategy of keeping three copies of data, in two separate locations, with one online, accessible copy being either in the cloud or offsite, isn’t going to cut it anymore. To ensure complete recovery capabilities, the plan now also needs one air-gapped backup (which means the data is kept offline) on top of the three copies in two separate locations with one online, making it a 3-2-1-1 backup plan.
And, what’s even worse than not having any backups at all? A backup that fails. If this occurs, threat actors will have a field day encrypting and stealing backups to solicit ransom payments. A best practice is testing your backups ahead of time, so there are no surprises regarding downtime or data loss when it matters most. Designing a test isn’t a ‘one and done’ exercise, though; it’s equally important to review and update disaster recovery plans as regularly as cybercriminals evolve their approaches.
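To make the 3-2-1-1 rule and the restore-testing advice above checkable, here is an added example (not from the original article) that audits a backup inventory against both. The inventory is assumed to list the production copy alongside the backups; the `Copy` fields, the 90-day test window, and all sample names and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_TEST_AGE_DAYS = 90  # assumed threshold; the article only says "regularly"

@dataclass
class Copy:
    name: str
    location: str                 # site or cloud region holding this copy
    online: bool                  # reachable over the network for restore
    offsite: bool = False         # cloud or a site away from production
    air_gapped: bool = False      # kept offline
    production: bool = False      # the live data set, not a backup
    last_restore_test: Optional[date] = None  # last successful test restore

def audit_3211(copies, today):
    """Return findings; an empty list means the inventory meets 3-2-1-1."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies, need 3")
    if len({c.location for c in copies}) < 2:
        findings.append("copies are not in 2 separate locations")
    if not any(c.online and c.offsite for c in copies):
        findings.append("no online copy in the cloud or offsite")
    if not any(c.air_gapped and not c.online for c in copies):
        findings.append("no air-gapped (offline) copy")
    for c in copies:
        if c.air_gapped and c.online:   # a reachable copy is not air-gapped
            findings.append(f"{c.name}: marked air-gapped but is online")
        if c.production:
            continue                    # restore tests apply to backups only
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        elif (today - c.last_restore_test).days > MAX_TEST_AGE_DAYS:
            findings.append(f"{c.name}: restore test is stale")
    return findings

# Constructed sample inventories (all names and dates are made up).
TODAY = date(2021, 6, 1)
LEGACY_321 = [
    Copy("prod-db", "dc-east", online=True, production=True),
    Copy("nas-snapshot", "dc-east", online=True, last_restore_test=date(2021, 5, 10)),
    Copy("cloud-bucket", "cloud-west", online=True, offsite=True, last_restore_test=date(2021, 1, 4)),
]
WITH_AIR_GAP = LEGACY_321[:2] + [
    Copy("cloud-bucket", "cloud-west", online=True, offsite=True, last_restore_test=date(2021, 5, 20)),
    Copy("tape-vault", "vault-north", online=False, offsite=True, air_gapped=True, last_restore_test=date(2021, 4, 15)),
]
```

Calling `audit_3211(LEGACY_321, TODAY)` reports the missing air-gapped copy and the stale cloud restore test, while `audit_3211(WITH_AIR_GAP, TODAY)` returns an empty list.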
But, that’s not all a team can do to protect highly sensitive health data; in addition to continuously testing and ensuring redundancy, backup data must be protected with the same level of security as production data. Teams should also integrate cybersecurity and data protection tools to scan backups, detect potentially malicious activity, and ensure everything is functioning correctly.
Preparation is the best medicine
The fact of the matter is that it’s not a question of if a cyberattack will happen, but when. Preparing for that means establishing a crisis team where everybody’s roles and responsibilities are clearly defined. And, while disaster recovery testing helps teams prepare on the tech front, actual humans need to work quickly and confidently to restore data and get back to normal operations in the event of a disaster. Defining the roles and responsibilities of each crisis team member establishes a clear chain of command and ensures the company’s response is as seamless as possible. Pro tip: by explicitly documenting all of this information in a response plan, companies can minimize mistakes when an incident occurs because everyone will be able to refer back to the agreed-upon plan to thwart attacks.
COVID-19 drastically changed our world in so many ways, and the health IT space is no exception. With vaccine passports becoming a genuine possibility and cybercriminals becoming increasingly innovative and determined to make their payday, it’s just that much more critical that IT teams stay one step ahead to minimize people’s concerns about the safety of their data. Only then will health IT teams be equipped to stand up to and thwart attempted cyberattacks on COVID-19 vaccine passport data.