Jul 10 2020

How Hospitals Can Establish a Zero Trust Security Model

As the network perimeter dissolves, healthcare organizations turn to highly segmented security measures for better visibility and restricted access.

Cybercriminals haven’t been on lockdown during the COVID-19 pandemic. Healthcare IT organizations have been battling new waves of ransomware, phishing and other malware attacks as they work to keep critical information flowing within overstretched hospitals and to remote users. 

But for healthcare institutions like Interfaith Medical Center in Brooklyn, N.Y., the need for the enhanced network security a zero-trust model can offer has long been apparent, says Christopher Frenz, Interfaith’s assistant vice president for information security. 

The concept of zero trust is literal: No actors, systems or services operating from within a security perimeter should be automatically trusted, and instead must verify anything and everything when trying to connect.

So before deploying the model, Frenz and his IT team simulated a ransomware attack on the medical center in 2015 to test how various network security technologies and strategies — as well as the people who use and manage the network — responded. 

“One control that stood out as really effective was network segmentation,” Frenz says. “It was great that we could limit the damage from malware to a single department, but that could still be disastrous to patient care. 

“That’s when we started to move toward zero trust.”

Rethink the Traditional Security Architecture

Not a specific architecture, zero trust is an approach to security that has evolved in response to the changing nature of networks, says Mark Nicholson, a principal and a cyber risk services leader at Deloitte.

“Twenty years ago, we hardened the exterior of the network with layers of defenses and believed we could trust everyone and every device on the inside,” Nicholson says. “Now, data and assets have left the premises. It can be ambiguous where the organization’s domain ends and the public domain begins.”

This is why clearly defined access control policies based on user, device and service profiles are central to any zero-trust strategy, Nicholson says. Microsegmentation, which involves partitioning the network so that policies can be applied at the most granular level, is usually a key component. 

Visibility into all segments of the network is crucial, and a mature zero-trust architecture includes orchestration tools that automate monitoring, management and threat response. 

It’s a compelling approach for healthcare organizations faced with new security challenges such as the rise of telemedicine, an increasingly mobile or remote workforce, smart medical devices and services under third-party management, Nicholson says.

Restrict Device Access to Mitigate Security Risks

After its simulated malware attack, Interfaith developed a two-pronged zero-trust strategy. The medical center had already been running the VMware NSX platform, which supported the data center side of microsegmentation and provided orchestration capabilities. 

On the physical side, Interfaith chose an Extreme Networks network access control appliance to manage device policies at a granular level. 

A zero-trust deployment throughout the Interfaith network took nearly two years because of the painstaking groundwork required, says Frenz. His team first inventoried the nearly 5,000 devices on the medical center network, then traced all the ways the devices communicated with each other, with applications and with data repositories. 


“Understanding the devices on the network and mapping traffic flow are the basis for policies and permissions,” Frenz says. “We worked one system at a time and did tests as we went to prevent breakage. You don’t want to block something a system or practitioner needs.” 

To Frenz, zero trust means ensuring that each device on the network can communicate with the applications, resources and other devices it needs to — and nothing else.

“If a particular communication is not explicitly required for that device to function, it’s going to be blocked by default,” he says. “Anything that could get into our network and cause downtime or a delay can have an impact on patient care.”
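The procedure Frenz describes (inventory the devices, map every flow they legitimately need, then turn that map into a per-device allowlist that blocks everything else, testing as you go so nothing a clinician needs breaks) can be expressed as a small policy engine. The following is an added example written for this article, not code from Interfaith Medical Center, VMware NSX or Extreme Networks; the device names, servers, ports and flows are constructed sample data, and the "monitor" mode that reports what a policy would have blocked is an assumed design, included because the text stresses testing before enforcement.

```python
"""Default-deny, per-device communication policy built from a mapped traffic inventory.

Added example for illustration. All device names, destinations and ports below
are constructed; they do not describe any real hospital network.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed or requested communication: source device -> destination service."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Step 1 and 2: the inventory/mapping result. Constructed sample of flows that
# were observed AND confirmed as required for each device to do its job.
OBSERVED_FLOWS = [
    Flow("infusion-pump-12", "pump-mgmt-server", 443),   # vendor management console
    Flow("infusion-pump-12", "ntp-1", 123, "udp"),        # time sync
    Flow("pacs-workstation-3", "pacs-archive", 104),      # DICOM image transfer
    Flow("pacs-workstation-3", "ad-dc-1", 88),            # Kerberos authentication
    Flow("pacs-workstation-3", "ad-dc-1", 389),           # LDAP
]


def build_policy(flows):
    """Turn mapped flows into an explicit allowlist keyed by source device.

    Anything absent from a device's set is implicitly denied: that is the
    "blocked by default" rule the article describes.
    """
    policy = defaultdict(set)
    for f in flows:
        policy[f.src].add((f.dst, f.port, f.proto))
    return dict(policy)


def evaluate(policy, flow, enforce=True):
    """Decide a single flow.

    Returns "allow" if the flow is in the device's allowlist. Otherwise returns
    "deny" in enforcement mode, or "would-deny" in monitor mode, which lets a
    team trial a policy on live traffic without actually blocking anything.
    """
    allowed = (flow.dst, flow.port, flow.proto) in policy.get(flow.src, set())
    if allowed:
        return "allow"
    return "deny" if enforce else "would-deny"


def dry_run(policy, candidate_flows):
    """Report every flow a policy would block, so gaps in the map surface
    before enforcement ("did tests as we went to prevent breakage")."""
    return [f for f in candidate_flows if evaluate(policy, f, enforce=False) == "would-deny"]


if __name__ == "__main__":
    policy = build_policy(OBSERVED_FLOWS)

    # Constructed traffic seen after the policy was drafted.
    later_traffic = [
        Flow("infusion-pump-12", "pump-mgmt-server", 443),   # expected, allowed
        Flow("infusion-pump-12", "pacs-workstation-3", 445),  # pump has no reason to reach a workstation
        Flow("pacs-workstation-3", "dns-1", 53, "udp"),       # legitimate, but missing from the map
    ]

    print("Monitor mode: flows the draft policy would block")
    for f in dry_run(policy, later_traffic):
        print(f"  {f.src} -> {f.dst}:{f.port}/{f.proto}")

    print("Enforcement decisions")
    for f in later_traffic:
        print(f"  {f.src} -> {f.dst}:{f.port}/{f.proto}: {evaluate(policy, f)}")
```

The dry run is the important step for a hospital network: the DNS flow in the sample is legitimate and would have been blocked because it was never captured during mapping, which is exactly the kind of breakage that can affect patient care. The workstation SMB flow from the pump is denied in both modes because nothing in the inventory justifies it.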

Get Visibility Into Every Area of the Network

A zero-trust strategy involves significant investments of time and money, and the prospect of disruptions as users adjust to hardened access controls. 

But the transition isn’t a difficult sell to healthcare administrators, says Jon Heberlin, data security director at Centura Health, which comprises 17 hospitals and numerous clinics in Colorado and western Kansas.

Zero trust protects data and devices as traditional barriers between the internal LAN and the exterior internet disappear, Heberlin says. To secure users moving between those domains, Centura Health deploys Duo Beyond to provide device visibility and access management.


Zero trust also provides a way to secure the biomedical devices that have become essential to diagnosis and patient care. “It gives us a security posture that now includes the Internet of Things, which fell outside our old view of endpoint security,” Heberlin says.

Identity and authentication management are the backbone of any zero-trust framework, he adds. So are technologies that provide visibility into user behavior, as well as management tools that orchestrate and automate the security tools in every segment of the network. 

“You’re still building on a foundation of technologies like firewalls and intrusion detection systems, but extending your focus to devices and adding layers of security and management,” Heberlin says. “All of your policies are hardened.”

Focus on User Verification to Maintain Compliance

No matter how it’s deployed, a zero-trust strategy is all about proof.

“You continually verify compliance with stated capabilities for security, device performance and data transmission,” says Mitch Parker, CISO of Indiana University Health, which is headquartered in Indianapolis and operates 16 hospitals across the state. “You provide verification of optimum security and performance every step of the way.”

Medical devices are a prime driver of zero-trust adoption, not just because of their proliferation in healthcare settings but because data transmission has become more complicated, Parker says. Older medical devices were built to be plugged into and transmit data to a specific computer.

“Over the past two decades, we’ve moved from serial port architecture to one in which multiple devices on the network talk to multiple endpoints, and you’ve got to change your architecture to secure that traffic,” Parker says.

IU Health deploys Duo Beyond and Duo Mobile for two-factor authentication on remote user devices. For the IT staff, zero trust requires high-level networking skills and deep expertise in firewalls and other security technologies — not only for the initial deployment but for maintenance. 

The model also demands a sharper focus on lifecycle management, as devices near end of life are often unpatched. 

“Ultimately, a device is only as secure as how well you manage it,” Parker says.