Visibility into all segments of the network is crucial, and a mature zero-trust architecture includes orchestration tools that automate monitoring, management and threat response.
It’s a compelling approach for healthcare organizations faced with new security challenges such as the rise of telemedicine, an increasingly mobile or remote workforce, smart medical devices and services under third-party management, Nicholson says.
Restrict Device Access to Mitigate Security Risks
After its simulated malware attack, Interfaith developed a two-pronged zero-trust strategy. The medical center had already been running the VMware NSX platform, which supported the data center side of microsegmentation and provided orchestration capabilities.
On the physical side, Interfaith chose an Extreme Networks network access control appliance to manage device policies at a granular level.
A zero-trust deployment throughout the Interfaith network took nearly two years because of the painstaking groundwork required, says Frenz. His team first inventoried the nearly 5,000 devices on the medical center network, then traced all the ways the devices communicated with each other, with applications and with data repositories.
“Understanding the devices on the network and mapping traffic flow are the basis for policies and permissions,” Frenz says. “We worked one system at a time and did tests as we went to prevent breakage. You don’t want to block something a system or practitioner needs.”
To Frenz, zero trust means ensuring that each device on the network can communicate with the applications, resources and other devices it needs to — and nothing else.
“If a particular communication is not explicitly required for that device to function, it’s going to be blocked by default,” he says. “Anything that could get into our network and cause downtime or a delay can have an impact on patient care.”
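The inventory-then-map-then-allow-list process Frenz describes, shown as an added Python example (not code from Interfaith or from the NSX or Extreme Networks products): observed flows from the mapping phase become explicit per-device allow rules, everything else is denied by default, and a dry run reports what a policy would block so a system can be tested before enforcement. Device names, ports and flows are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# A flow is (source device, destination device, protocol, destination port).
Flow = Tuple[str, str, str, int]

# Constructed sample of flows recorded while mapping one system at a time.
OBSERVED_FLOWS: List[Flow] = [
    ("infusion-pump-12", "pump-server", "tcp", 443),
    ("infusion-pump-12", "ntp-01", "udp", 123),
    ("ct-scanner-3", "pacs-01", "tcp", 104),      # DICOM association
    ("ct-scanner-3", "pacs-01", "tcp", 11112),    # DICOM transfer
    ("nurse-ws-07", "ehr-app", "tcp", 443),
]


def build_allowlist(flows: List[Flow]) -> Dict[str, Set[Tuple[str, str, int]]]:
    """Turn observed flows into explicit allow rules keyed by source device.

    Anything not present in the returned policy is implicitly denied, which
    is the default-deny stance the text describes.
    """
    policy: Dict[str, Set[Tuple[str, str, int]]] = {}
    for src, dst, proto, port in flows:
        policy.setdefault(src, set()).add((dst, proto, port))
    return policy


def is_allowed(policy: Dict[str, Set[Tuple[str, str, int]]], flow: Flow) -> bool:
    """True only if the flow was explicitly required; unknown sources get nothing."""
    src, dst, proto, port = flow
    return (dst, proto, port) in policy.get(src, set())


def dry_run(policy: Dict[str, Set[Tuple[str, str, int]]],
            candidates: List[Flow]) -> List[Flow]:
    """Monitor-mode check: list the flows this policy would block.

    Run this against live traffic for one system before enforcing, so a
    legitimate flow that the mapping phase missed is caught as a finding
    rather than as an outage.
    """
    return [f for f in candidates if not is_allowed(policy, f)]


if __name__ == "__main__":
    pol = build_allowlist(OBSERVED_FLOWS)
    # Constructed traffic seen after the policy was drafted.
    later = OBSERVED_FLOWS + [("infusion-pump-12", "ct-scanner-3", "tcp", 445)]
    for blocked in dry_run(pol, later):
        print("would block:", blocked)
```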
Get Visibility Into Every Area of the Network
A zero-trust strategy involves significant investments of time and money, and the prospect of disruptions as users adjust to hardened access controls.
But the transition isn’t a difficult sell to healthcare administrators, says Jon Heberlin, data security director at Centura Health, which comprises 17 hospitals and numerous clinics in Colorado and western Kansas.
Zero trust protects data and devices as traditional barriers between the internal LAN and the exterior internet disappear, Heberlin says. To secure users moving between those domains, Centura Health deploys Duo Beyond to provide device visibility and access management.