How Zero Trust in Healthcare Can Keep Pace with the Threat Landscape
Hackers are outpacing healthcare in the overall cybersecurity race. Zero trust in healthcare can help stop attack proliferation, but it will be an uphill battle.
Healthcare has been, and will likely always be, a prime target for cyberattacks, given its valuable data and the need for constant data access to ensure continuity of care. While awareness of these issues has drastically improved, zero trust in healthcare will be crucial moving forward given the sector’s staffing gaps, limited resources, and other challenges.
Recent reports have spotlighted the industry’s security challenges and its failure to keep pace with the ever-evolving threat landscape. IBM found healthcare leads in annual data breach costs at $7.13 million, a ranking it’s held for 10 consecutive years.
Meanwhile, Ordr research shows that many IoT and medical devices allow the use of social media platforms, and some of those devices have been recalled by the Food and Drug Administration. Many providers and COVID-19 vaccine developers are operating on platforms with serious, unpatched security vulnerabilities, while the sector as a whole continues to struggle with adequate patch management and inventory.
But hackers aren’t waiting for providers to catch up: as healthcare continues to struggle with often basic security challenges, the threat actors are simply moving the needle at a much faster pace.
The COVID-19 pandemic, in particular, has truly highlighted the severity of the situation. Threat actors are actively targeting those developing treatments and vaccines, often pairing with foreign governments for espionage purposes.
DHS CISA, the FBI, and security researchers are continuously working to keep the industry informed, urging quick remediation. But speed and healthcare cybersecurity don’t often align.
Given the disparities, it’s imperative that the sector address these challenges now. Ideally, zero trust infrastructure could remediate issues with credential theft, authentication, authorization, and even a heavy reliance on Virtual Private Networks (VPNs).
But with limited staffing and resources, it’s important to ask: just how feasible would a zero trust model be in the healthcare sector?
Zero Trust Model
NIST describes zero trust as an evolving set of cybersecurity paradigms that move defenses from a wide, network-based perimeter to individual resources. The model focuses on protecting resources rather than network segments.
Zero trust was designed in response to enterprise trends, such as remote users and cloud-based assets not located directly within the enterprise network.
“A zero trust architecture (ZTA) uses zero trust principles to plan enterprise infrastructure and workflows,” according to NIST. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet).”
“Authentication and authorization (both user and device) are discrete functions performed before a session to an enterprise resource is established,” it added. “Zero trust focuses on protecting resources, not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
Greg Touhill, the first US federal Chief Information Security Officer and an adjunct professor at Carnegie Mellon University's Heinz College, explained that the model first came about in 2004 with a lead researcher at the Jericho Forum, a group of multinational user companies dedicated to the development of open standards.
The overall enterprise network was initially designed with a perimeter-based model, protected by antivirus software and firewalls. But those researchers concluded that the traditional perimeter has been rapidly overcome by events, mobile computing, laptops, and now, iPhones and tablets.
Administrators were merely attempting to get all of these devices to work, connect, and authenticate; security was not always top of mind.
OPAQ Chief Technical Officer Tom Cross explained that in the early years, security was essentially a guard sitting at the front desk, stopping people from getting into the building. As more items were connected to the network, those security efforts evolved in an attempt to keep pace with the increasingly decentralized network.
The model continued to evolve through 2010, when the term zero trust truly landed, Touhill explained. Under that strategy, user profiles are designed to authenticate the user and then provide access only to what the user is authorized to see.
“Mobility was poking too many holes in the perimeter,” Touhill noted. “Jericho came in and said we need a new model, that doesn’t presume everything is trusted... a model that authenticates first, and then only connects to what you’ve allowed it to see.”
“At its core, the idea is to go in and assume everything is not rosy,” he continued. “Don’t trust from the inside and don’t trust from the outside. Authenticate before granting access and take an identity-centric control to granting access to information.”
Basic Principles and Foundational Elements
Many organizations have moved to the cloud or are leveraging SaaS applications. Often, employees are not in the office, although the apps they’re accessing exist on the enterprise network, Cross explained. As a result, traffic is routed through the office network even when the user is physically located elsewhere. This arrangement can lead to a host of authentication problems and increase the risk of exploitation.
Chris Williams, cyber solution architect at Capgemini North America, explained that the core concept of zero trust is to treat the enterprise network like the internet: assume that, at all times, there are compromised machines or users on the enterprise network, as well as malicious actors.
Enterprises must assume those actors are constantly working to gain access to the rest of the enterprise for further exploits.
“So, you don’t trust anything: The network doesn’t trust the machine unless the machine has been identified and authenticated. The application doesn’t trust the user unless the user has been identified and authenticated. The database doesn’t trust the transaction unless the transaction has been properly authorized and approved,” Williams said.
“There is an audit trail for everything, so you can perform analysis for incident detection and response,” he added.
However, Saif Abed, MD, founding partner and director of cybersecurity advisory services at the AbedGraham Group, explained that this model can be implemented effectively only when the organization understands who its users are, what its assets are, and how users interact with each device during normal business operations and in exceptional circumstances.
The first step, mapping the environment, will be the most time-consuming, Abed explained. Enterprises must risk-assess assets ranging from medical devices to network infrastructure, while categorizing user groups and, critically, understanding their behaviors and interactions.
Healthcare organizations can’t move further along in the zero trust process until this mapping is adequately completed, he added. Only then can leadership consider making bigger investments in technology that could support a zero trust model: people and processes must be understood first.
Touhill added that healthcare has a trove of devices, including surgical robots, IoT, and computers, which are usually unpatched or unmanaged. An inventory and asset management program for these devices is crucial to beginning a zero trust process.
But many providers are drastically wrong about just how many devices exist on the network. In one example, Touhill explained that a sample hospital said they have about 7,000 devices connected on the network. With an automated solution, they found 90,000 connected devices.
“It’s literally impossible to do asset management manually,” Touhill stressed.
Williams explained that networks must be configured to control access on a connection-by-connection basis, which requires deploying authentication services that can identify users and devices individually.
“In particular, modern healthcare networks have seen explosions in the use of IT technology on clinical networks where care is delivered,” Williams said. “Healthcare organizations should have some segregation of clinical capabilities from IT and Internet-connected capabilities, so that Internet-based issues cannot interfere with patient care and safety.”
“Situations where devices and users are trusted simply because they are connected need to be identified, isolated, and locked down to the greatest extent possible,” he added. “Above all else, you should assess your environment to lay out a prioritized roadmap for implementation, so the most significant vulnerabilities can be addressed, and the environment can be hardened against a possible attack in a prioritized manner.”
Benefits
In healthcare, the zero trust process should center on device health and identity and access management, explained Chase Cunningham, vice president and senior analyst at Forrester. That way, if an attacker gains access to the network using stolen credentials, the attack can’t proliferate across the network.
“Attackers in healthcare, whether they are exfiltrating data or launching a ransomware attack, increasingly focus on scale,” explained Abed. “The more they can move across a network and compromise it, the more options they have in terms of the impact of their attacks.”
“Doing this often requires spoofing behaviors and identities to take advantage of existing trust paradigms,” he added. “By implementing a zero trust strategy you effectively shrink the scale of opportunity for attackers to exploit existing interactions between users/devices because identities and transactions are constantly being monitored and challenged.”
Zero trust also makes the IT environment more robust against smaller breaches and failures “that tend to be the start of headline-grabbing compromises,” Williams explained. Major cyberattacks are actually a slow process, beginning with a single server or endpoint exploit that gives control to an attacker.
The hacker can then exploit the foothold to proliferate across the network and even escalate privileges, until gaining control and accomplishing the objective. But if an organization has accomplished a zero trust model, Williams said the ability to proliferate becomes increasingly difficult, as the hacker will need to obtain proper privileges and connectivity along every step of the way.
“In addition, with zero trust, every step that the attacker takes will be logged for later investigation, leaving them vulnerable to detection by cyber defense monitoring systems,” he said.
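As an added illustration of the principles Williams describes above (the network doesn’t trust the machine, the application doesn’t trust the user, the database doesn’t trust the transaction, and everything is audited) and of Cunningham’s point that stolen credentials alone should not let an attack proliferate, here is a toy policy decision point in Python. It is not code from the article or from any vendor mentioned; the device inventory, roles, and request values are constructed for the example.

```python
"""Toy zero trust policy decision point. Every connection request is checked
for device identity and health, user authentication, and per-resource
authorization; every decision, allowed or denied, goes to an audit trail.
Network location is recorded but never used to grant trust. All inventory,
roles, and requests below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed asset inventory and identity directory for a hypothetical hospital.
REGISTERED_DEVICES = {
    "ws-icu-07": {"healthy": True},     # patched, endpoint agent reporting
    "ws-admin-02": {"healthy": False},  # failed its last posture check
}
USER_ROLES = {"nurse.alice": "nurse", "dba.bob": "dba"}
ROLE_RESOURCES = {
    "nurse": {"ehr:read"},
    "dba": {"ehr:read", "ehr:write", "db:admin"},
}

@dataclass
class PolicyEngine:
    audit_log: list = field(default_factory=list)

    def evaluate(self, user, mfa_passed, device_id, resource, source_network):
        """Return (allowed, reason) for one connection request."""
        device = REGISTERED_DEVICES.get(device_id)
        if device is None:  # the network does not trust an unidentified machine
            reason = "deny: unregistered device"
        elif not device["healthy"]:
            reason = "deny: device failed health check"
        elif user not in USER_ROLES or not mfa_passed:  # the app does not trust the user
            reason = "deny: user not authenticated"
        elif resource not in ROLE_RESOURCES[USER_ROLES[user]]:  # the DB does not trust the transaction
            reason = "deny: role not authorized for resource"
        else:
            reason = "allow"
        # Every step, allowed or not, leaves a record for detection and response.
        self.audit_log.append({"user": user, "device": device_id, "resource": resource,
                               "network": source_network, "decision": reason})
        return reason == "allow", reason

def stolen_credential_scenario():
    """Someone holding nurse.alice's password and MFA code connects from an unregistered
    laptop on the internal network, beside a legitimate session and an escalation attempt."""
    pdp = PolicyEngine()
    legit = pdp.evaluate("nurse.alice", True, "ws-icu-07", "ehr:read", "internal")
    stolen = pdp.evaluate("nurse.alice", True, "attacker-laptop", "ehr:read", "internal")
    escalate = pdp.evaluate("nurse.alice", True, "ws-icu-07", "db:admin", "internal")
    return legit, stolen, escalate, pdp.audit_log
```

Note that the stolen-credential request is denied on device identity before the password or MFA is even considered, and all three decisions land in the audit log regardless of outcome.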
But is it Feasible?
It’s clear that all industries should be working to move into a zero trust model to combat serious risks and cybercriminal activity. But given healthcare’s current struggles to keep pace, the shift will be a long journey.
And some organizations will find the process easier than others.
For example, Williams explained that many organizations with almost entirely cloud-based environments and minimal on-premises networks or datacenters already have many zero trust principles implemented in their IT environment, as cloud services are typically delivered over the internet and hardened using those principles.
Highly distributed environments with limited central infrastructure, “where it is easy to isolate sites and capabilities from one another” are ideal for zero trust, as well, he added.
“Zero trust tends to be most difficult in high-tech, highly collaborative environments, like product design, where large numbers of people need access to each other’s applications and systems,” Williams said.
“In those situations, zero trust requires a high level of discipline and mature underlying infrastructure and processes,” he added. “Once in place, zero trust can provide excellent protection against targeted professional cyber attackers, by thwarting their ability to target sensitive data or to unleash ransomware attacks.”
Zero trust is not a tool; it’s a process an organization goes through to reach a secure destination. Cross explained that an organization can never hope to eliminate every risk and achieve an ideal state, but the idea is to make progress toward the most secure environment possible.
For healthcare, it will begin with understanding your people, identity, and authentication, as well as a full understanding of the groups within the enterprise, to build a strong foundation. At the end of the day, zero trust is the way to respond and is where networking is going in the future, Cross added.
The future of networking and security looks like apps in the cloud, which means strong authentication must begin now.
The feasibility of zero trust will boil down to leadership, Touhill explained. Board members and C-level leadership must commit to solving the problem. While costly, shifting to a zero trust model will save organizations resources and money over time.
Reports show that the healthcare sector has spent more than $160 million on ransomware recovery in the last four years.
In healthcare, it’s not going to happen overnight, Touhill stressed. But given the spate of targeted cyberattacks on healthcare and COVID-19 data, the process needs to start as soon as possible. There are tools that can support the process, including a software-defined perimeter and single packet authorization, which complements a software-defined perimeter and is “kind of like a hall pass.”
Control policy enforcement will be crucial as well. But healthcare is currently just doing blocking and tackling. With threat actors like Cozy Bear, which is known for doing more than espionage, the need for zero trust is paramount.
“The same threat actors who bricked the Ukrainian power grid are able to use that same tactic and procedure to brick medical devices,” said Touhill. “More and more people are wearing Wi-Fi-enabled devices, and this same zero trust concept can be employed to protect that tech and all devices not originally created to be hooked up to the internet.”
“We're getting to a place where technology is more adaptable and more affordable,” said Cunningham. “To move toward this model, it requires a commitment from leadership saying, ‘here’s how we’re going to approach this thing.’”