Oct 21 2020

Why Healthcare Orgs Should Consider Zero Trust

Digital transformation is driving the rapid evolution of IT in healthcare. It’s also contributing to an increasingly complex network infrastructure.

Data breaches in healthcare are on the rise yet again.

After reaching what seemed to be the year’s monthly low in April, with just under 450,000 records exposed, the number of monthly compromised health records has reversed its course and grown steadily ever since. According to HIPAA Journal, over 2 million records were compromised in the month of August alone, bringing 2020’s yearly total to over 13 million.

As organizations continue in their shift to cloud-based and mobile-first business operating environments — a transition that has accelerated during the COVID-19 pandemic — the traditional, perimeter-based security approach is becoming a less viable option for protection.

This raises the question: How can healthcare security teams do a better job of guarding against cyberattacks and guaranteeing the security of their patients’ records as their network perimeter continues to disintegrate?

The short answer? An effective defense against attacks today requires a zero-trust approach to security that questions each and every device accessing the organization’s network, along with every action that takes place.

What Is Zero Trust?

Zero trust is an approach to security that has evolved from the very nature of today’s changing networks. Yet as the approach becomes standard in healthcare, varying definitions remain.

In their book Zero Trust Networks: Building Secure Systems in Untrusted Networks, authors Evan Gilman and Doug Barth explain that zero trust is built on five fundamental assertions:

  • The network is always assumed to be hostile.
  • External and internal threats exist on the network at all times.
  • Network locality is not sufficient for deciding trust in a network.
  • Every device, user and network flow is authenticated and authorized.
  • Policies must be dynamic and calculated from as many sources of data as possible.

In sum, zero trust is an information security framework that requires strict verification for every person, device and application on a network, regardless of location or seniority — the goal being to significantly reduce the risk of lateral movement across a network once a single foothold has been gained.

The National Institute of Standards and Technology expands on this, defining zero trust in the following way:

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.

No matter how it’s defined, the collective understanding of zero trust remains the same and highlights the importance of access control in achieving one thing: the elimination of unauthorized access to health data and services.


Does Healthcare Need Zero Trust?

Healthcare is — and will continue to be — a prime target for cyberattacks, given the value of its data and its need to ensure continuity of care. And with staff continuing to operate in a remote work environment for the foreseeable future, the potential for authentication weaknesses only increases the risk of exploitation.

In fact, of the 300-plus data breaches that have occurred to date this year, almost 90 percent can be attributed either to hacking and IT incidents or to unauthorized access. That’s why the need for a zero-trust strategy in healthcare, with clearly defined access control policies based on users and devices, has become paramount to maintaining the integrity of patient data and moving digital initiatives forward.

However, from rethinking traditional security architectures to restricting device access based on user authentication, the process can take time. Christopher Frenz, former assistant vice president for information security at Interfaith Medical Center, recently told HealthTech that Interfaith took two years to lay the groundwork for zero trust, not because the deployment was difficult but out of an abundance of caution.

The Brooklyn, N.Y.-based team took great care to thoroughly inventory nearly 5,000 devices, map out their communications, and limit which devices and applications they could communicate with.

“Understanding the devices on the network and mapping traffic flow are the basis for policies and permissions,” said Frenz. “If a particular communication is not explicitly required for that device to function, it’s going to be blocked by default. Anything that could get into our network and cause downtime or a delay can have an impact on patient care.”
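The approach Frenz describes, inventory the devices, map their required communications and block everything else by default, can be expressed as a small allowlist policy check. The following is an added example written for this article, not Interfaith's code; the device names, addresses, ports and flow records are all constructed.

```python
"""Default-deny device communication check: inventory devices, list the flows
each one explicitly requires, and treat every other flow as a policy violation.
All device names, addresses and flow records below are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory: address -> device name (the "understanding the devices" step).
INVENTORY = {
    "10.20.1.15": "infusion-pump-07",
    "10.20.1.40": "radiology-workstation-02",
    "10.20.9.5": "ehr-app-server",
    "10.20.9.8": "pacs-server",
}

# Constructed map of explicitly required flows: (source, destination, dest port).
# Anything not in this set is denied, even if both ends sit on the internal network.
REQUIRED_FLOWS = {
    ("infusion-pump-07", "ehr-app-server", 443),
    ("radiology-workstation-02", "pacs-server", 104),  # DICOM to the image archive
    ("radiology-workstation-02", "ehr-app-server", 443),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def decide(flow: Flow) -> tuple[str, str]:
    """Per-flow decision. Network locality grants nothing: both endpoints must be
    inventoried and the exact (src, dst, port) triple must be explicitly required."""
    src_dev, dst_dev = INVENTORY.get(flow.src), INVENTORY.get(flow.dst)
    if src_dev is None:
        return "deny", f"unknown source {flow.src} not in inventory"
    if dst_dev is None:
        return "deny", f"unknown destination {flow.dst} not in inventory"
    if (src_dev, dst_dev, flow.dport) in REQUIRED_FLOWS:
        return "allow", f"{src_dev} -> {dst_dev}:{flow.dport} explicitly required"
    return "deny", f"{src_dev} -> {dst_dev}:{flow.dport} not explicitly required"

def audit(flow_log: str) -> dict[str, list[tuple[Flow, str]]]:
    """Run every 'src dst dport' record in a constructed flow log through decide()
    and group the results so denied flows can be reviewed before enforcement."""
    results: dict[str, list[tuple[Flow, str]]] = {"allow": [], "deny": []}
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        src, dst, dport = line.split()
        flow = Flow(src, dst, int(dport))
        verdict, reason = decide(flow)
        results[verdict].append((flow, reason))
    return results

# Constructed flow log: two required flows, one pump-to-workstation SMB attempt
# (lateral movement, never required) and one flow from an uninventoried address.
SAMPLE_FLOW_LOG = """10.20.1.15 10.20.9.5 443
10.20.1.40 10.20.9.8 104
10.20.1.15 10.20.1.40 445
10.20.3.99 10.20.9.5 443
"""
```

Running `audit(SAMPLE_FLOW_LOG)` in monitor-only mode first, as the article's two-year groundwork suggests, shows which denials would interrupt real clinical workflows before any block is enforced.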

While deploying zero trust certainly requires high-level networking skills and deep expertise in security technologies, this shouldn’t discourage security teams from implementing a zero-trust approach. Organizations might be surprised to find they already have the tools they need to get started.

Technology such as device visibility solutions and network segmentation can go a long way in helping an organization develop a zero-trust architectural model that can adapt rapidly to evolving cybersecurity threats. But it all starts with taking stock of the current environment and identifying opportunities to enhance security controls, especially when it comes to patient data.
