Exploring Zero Trust Security in Healthcare, How It Protects Health Data
A zero trust security model can help healthcare organizations safeguard their interconnected networks and devices while protecting sensitive health data.
Under the watchful eye of a zero trust security model, no device or user is automatically trusted before being vetted by strict authentication processes. Zero trust is not a single technology or tactic, but a set of cyber defenses that collectively look for threats outside and within a network perimeter.
The healthcare sector is at a particularly high risk from a security standpoint, as exhibited by the increasing number of ransomware attacks and data breaches occurring daily. Recently, a lawsuit marked the first-ever allegations of a patient death resulting directly from a ransomware attack.
Valuable protected health information (PHI), medical devices, and even refrigerators that hold life-saving vaccines and treatments are all connected to a healthcare organization’s network. When that network gets hacked, it can wreak havoc on an entire health system.
Healthcare organizations without proper cybersecurity safeguards are putting patient data and lives on the line. Although implementing a new cybersecurity model is not a small task, the benefits outweigh the potential downsides.
What is zero trust?
The term “zero trust” was coined in 2010 by John Kindervag, an analyst at Forrester Research. The approach was founded upon the idea that an organization should operate under the assumption that anything inside or outside its network perimeters should not be trusted. Every new component should be verified independently before it can access the organization’s network.
“Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated,” the National Institute of Standards and Technology (NIST) explained in its zero trust architecture publication, released in August 2020.
“Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and nonperson entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.”
Zero trust is not a single technology or tactic, but a holistic approach to cybersecurity that sets guiding principles for workflow and operations. Many organizations already have some elements of zero trust embedded in existing cybersecurity protocols.
“Organizations need to implement comprehensive information security and resiliency practices for zero trust to be effective,” NIST continued.
“When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and best practices, a [zero trust architecture] can protect against common threats and improve an organization’s security posture by using a managed risk approach.”
A zero trust architecture requires organizations to adhere to a few basic tenets: all data sources are considered resources, all communication is secured regardless of network location, and access to individual organizational resources is granted on a per-session basis.
In addition, the organization must monitor the security posture of all assets regularly and determine resource access using a dynamic policy. Authentication and authorization should also be strict and limited.
The White House recently announced that the entire federal government would shift toward a zero trust architecture, in light of a series of ransomware attacks on US critical infrastructure. In conjunction, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Agency (CISA) released a preliminary draft of strategies and guidance to support the shift, building upon the Department of Defense’s (DOD) existing guidance.
“The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted,” the DOD explained in a previous version of its Zero Trust Reference Architecture document.
“Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
Assuming that every application, transaction, and device are threats by default puts organizations—especially healthcare organizations—in the optimal position in the event that one of those elements is in fact trying to exploit the network.
Benefits of zero trust in healthcare
Healthcare organizations possess data that is extremely valuable on the black market. In addition, hackers can choose from EHRs, mobile devices, vendors, cloud applications, remote employees, and medical devices as potential entry points into an organization’s network. It is imperative to keep those devices and data safe for the sake of patient safety.
“Given the interconnected nature of the future with IoMT devices, augmented reality, robotics and more, it is clear that the current perimeter-based security model that most healthcare organizations use will no longer be effective,” HHS’s Health Sector Cybersecurity Coordination Center (HC3) wrote.
“To stay ahead of these trends, healthcare organizations must continue to invest in the basics while making a fundamental shift from the castle-and-moat approach to a zero trust model.”
The healthcare sector has a lot to lose when it comes to cyberattacks, but cybersecurity investments are a low priority for many hospitals and health systems. Research shows that most hospitals lack the resources to adequately secure their supply chain systems. In addition, 64 percent of surveyed hospital IT teams admitted to being unprotected against some of the most common cybersecurity vulnerabilities.
There is a clear need for widespread cybersecurity improvements across the healthcare industry and implementing a zero trust architecture is a great place to start.
Zero trust may not prevent cyberattacks altogether, but it will make networks more robust against smaller breaches and attacks. If a threat actor manages to get credentials and manipulate one device, it is unlikely that they will get much further with a zero trust architecture in place.
The system will constantly place barriers in the hacker’s way, preventing them from gaining access to the entire organization’s network through one crack in the foundation.
How to implement a zero trust architecture
Shifting toward a zero trust architecture is a huge undertaking, but with the right champions and thoroughly developed plans and processes in place, the initial headache of implementing new security protocols will pay off.
Healthcare data breaches and ransomware attacks can incur costs upwards of $9.23 million per incident on average, according to a recent report by IBM Security and the Ponemon Institute.
However, the report also found that organizations that had implemented mitigation tactics and technologies lowered their costs significantly.
“For cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61 million) than those who had a primarily public cloud ($4.80 million) or primarily private cloud approach ($4.55 million,)” the study explained.
HC3 recommended that organizations begin zero trust implementation by employing a software-defined perimeter (SDP). SDP is a computer security approach that effectively hides internet-connected infrastructure, such as servers and routers, so that unauthorized third parties cannot see it. With this approach, the network perimeter is based in software rather than hardware and is less vulnerable to hackers.
Organizations should also consider Mesh VPNs, which use a peer-to-peer (P2P) architecture so that every device in the network can connect directly to a peer without going through a central gateway. Mesh VPNs are typically less expensive and easier to scale, HC3 noted.
Healthcare organizations may also benefit from a modern network access control (NAC) platform that can enforce access control and identify every device and user on the network before granting access. This approach provides continuous monitoring and ensures that every device and user is authenticated and trusted.
As the federal government shifts toward a zero trust architecture, private sector organizations will likely start to make widespread changes as well.
In healthcare, zero trust allows organizations to automate authentication processes so that hospitals and health systems can focus on caring for patients instead of dealing with the aftermath of a cyberattack.