Healthcare organizations are taking a “never trust, always verify” approach to cyber security as threats emerge across their IT systems.
Whether it is remote workers, IoT-connected medical devices, or vendors requesting access, more organizations are protecting their networks with a “zero trust” approach that requires every transaction to be verified, said Balaji Venkataraman, The HCI Group’s cyber security leader.
“Healthcare organizations face a barrage of significant security incidents such as phishing, ransomware, and social engineering attacks, in addition to the challenges faced by dealing with the COVID-19 pandemic,” according to the 2020 HIMSS Cybersecurity Survey, which found that 70% of organizations had experienced “significant security incidents” in the past 12 months. Incidents like phishing, credential harvesting, and ransomware attacks are disrupting business operations and costing organizations money.
Organizations are applying zero trust to keep pace with this threat landscape.
Defining zero trust
Balaji Venkataraman has customized a zero-trust approach for healthcare organizations, based in part on guidance from the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST). According to NIST SP 800-207:
“Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. The initial focus should be on restricting resources to those with a need to access and grant only the minimum privileges (e.g., read, write, delete) needed to perform the mission.”
Balaji Venkataraman says the top zero trust priorities for healthcare organizations are:
- Increased risk due to third parties
- Insider threat prevention
- Environment separation and ring fencing
- Visibility across environments and communications
- Accelerated compliance and reporting
- Reputation protection, resilience building, and attack surface reduction
An end-to-end zero trust strategy grants personas (users, devices, sensors, networks, applications, systems, etc.) access to information only after the full context of the access request has been verified; no persona is trusted by default. Balaji Venkataraman lists the following as key requirements for securing the healthcare digital enterprise with zero trust solutions:
- Zero attack surface
- Connect a user to an app, not to a network
- Proxy architecture, not pass-through
- Multi-tenant architecture, Micro Segmentation
- Secure Access Service Edge (SASE)
- Continuous Monitoring and Analytics
- Orchestration and Automation
Enabling zero trust in healthcare
Given the interconnected nature of IT, IoT and IoMT devices, augmented reality, robotics and more in healthcare organizations, it is clear that the perimeter-based security model most of them still use will no longer be effective against advanced threats. To stay ahead of these trends, healthcare organizations must continue to invest in the basics while making a fundamental shift from the perimeter-based approach to a Zero Trust model.
Clinical zero trust addresses healthcare-specific issues such as medical devices, patient privacy, and virtual care. “IT leaders can work within their own systems or individual departments to define their own approach; one that will limit susceptibility without hindering virtual or in-person patient care,” according to a Cisco blog post about clinical zero trust. “The goal is ensuring that all stakeholders understand and participate willingly in their role in securing health IT systems while not impeding care delivery.”
The Office of Information Security for the U.S. Department of Health & Human Services (HHS) offers the following suggestions for enabling zero trust in healthcare.
- Create a software-defined perimeter (SDP) instead of basing the network on hardware.
- Form a peer-to-peer (P2P) architecture by meshing virtual private networks (VPNs).
- Establish modern network access control (NAC) by identifying every device and user on the network before granting access and monitoring the network and devices continuously.
“Don’t trust anyone!,” HHS cautions, suggesting that an organization deny all access until its network can authorize users/devices.
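To make the principles above concrete, here is a small policy decision point written for this page as an added example; it is not code from the article, NIST, HHS, or The HCI Group. It implements the NIST definition quoted earlier (trust never granted implicitly, continually re-evaluated, minimum privileges such as read/write/delete) together with the HHS points of identifying every device and user before granting access, monitoring posture continuously, and denying by default. Every resource name, role, network segment, device, user and timeout below is a constructed assumption.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool              # inventoried by NAC / enrolled in MDM (assumed posture source)
    os_patched: bool
    edr_healthy: bool
    last_posture_check: datetime


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool
    auth_time: datetime
    device: Device
    source_segment: str        # network segment the request arrives from


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    granted_actions: frozenset = field(default_factory=frozenset)


# Least-privilege policy: resource -> role -> the only actions that role may perform.
# Constructed sample policy, not any real organization's.
POLICY = {
    "ehr_patient_record": {
        "clinician": frozenset({"read", "write"}),
        "billing": frozenset({"read"}),
    },
    "infusion_pump_mgmt": {
        "biomed_eng": frozenset({"read", "write"}),
        "vendor": frozenset({"read"}),
    },
}

# Ring fencing: the segments from which each resource may be reached at all.
SEGMENT_ALLOW = {
    "ehr_patient_record": {"clinical_vlan", "admin_vlan"},
    "infusion_pump_mgmt": {"biomed_vlan", "vendor_vpn"},
}

POSTURE_MAX_AGE = timedelta(minutes=15)   # assumed posture re-check interval
SESSION_MAX_AGE = timedelta(hours=8)      # assumed re-authentication interval


def evaluate(session: Session, resource: str, action: str, now: datetime) -> Decision:
    """Decide one request. Default deny: every check must pass, and device posture
    and session age are re-evaluated on each call, so earlier trust never carries over."""
    if resource not in POLICY:
        return Decision(False, "unknown resource")
    dev = session.device
    if not dev.managed:
        return Decision(False, "unmanaged device")
    if now - dev.last_posture_check > POSTURE_MAX_AGE:
        return Decision(False, "device posture stale")
    if not (dev.os_patched and dev.edr_healthy):
        return Decision(False, "device posture failed")
    if not session.mfa_verified:
        return Decision(False, "mfa required")
    if now - session.auth_time > SESSION_MAX_AGE:
        return Decision(False, "session expired")
    if session.source_segment not in SEGMENT_ALLOW[resource]:
        return Decision(False, "segment not permitted for resource")
    # Union of the actions granted to each of the user's roles on this resource.
    granted = frozenset().union(*(POLICY[resource].get(r, frozenset()) for r in session.roles))
    if action not in granted:
        return Decision(False, "action exceeds least privilege", granted)
    return Decision(True, "allowed", granted)


def demo() -> dict:
    """Constructed scenarios; returns the decision reason keyed by scenario name."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    healthy = Device("ws-0421", True, True, True, now - timedelta(minutes=3))
    clinician = Session("dr.lee", frozenset({"clinician"}), True,
                        now - timedelta(minutes=40), healthy, "clinical_vlan")
    vendor = Session("pumpco-tech", frozenset({"vendor"}), True,
                     now - timedelta(minutes=5), healthy, "vendor_vpn")
    later = now + timedelta(minutes=20)   # same session, but posture is now stale
    return {
        "clinician_write_ehr": evaluate(clinician, "ehr_patient_record", "write", now).reason,
        "clinician_delete_ehr": evaluate(clinician, "ehr_patient_record", "delete", now).reason,
        "vendor_read_pump": evaluate(vendor, "infusion_pump_mgmt", "read", now).reason,
        "vendor_write_pump": evaluate(vendor, "infusion_pump_mgmt", "write", now).reason,
        "vendor_reach_ehr": evaluate(vendor, "ehr_patient_record", "read", now).reason,
        "clinician_posture_stale": evaluate(clinician, "ehr_patient_record", "read", later).reason,
        "clinician_no_mfa": evaluate(replace(clinician, mfa_verified=False),
                                     "ehr_patient_record", "read", now).reason,
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:26s} -> {reason}")
```

The point of the `later` scenario is the "continually evaluated" part of the NIST definition: the same clinician session that was allowed twenty minutes earlier is denied once the device's posture report is older than the threshold, without anything having been revoked explicitly. Likewise the vendor can reach the pump-management resource from the vendor VPN but cannot reach the EHR from that segment at all, and even on the permitted resource gets only the read action its role was granted.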
Balaji Venkataraman recommends that a healthcare organization begin by forming a cross-departmental zero trust group with stakeholders from Security, Infrastructure, and Privacy, for example. Then the organization can prioritize remote access, identities, or micro-segmentation based on its needs and resources. “Zero trust within the organization is critical,” Venkataraman said.
Creating a culture in which all key stakeholders understand their vested interest in securing the enterprise builds confidence in zero trust, which is increasingly important as organizations seek protection in a rapidly expanding threat landscape.
Always verify. Never trust. That has become the approach.