What Is Zero Trust?
Zero trust is an approach to security that has evolved from the very nature of today’s changing networks. Yet as the approach becomes standard in healthcare, varying definitions remain.
In their book Zero Trust Networks: Building Secure Systems in Untrusted Networks, authors Evan Gilman and Doug Barth explain that zero trust is built on five fundamental assertions:
- The network is always assumed to be hostile.
- External and internal threats exist on the network at all times.
- Network locality is not sufficient for deciding trust in a network.
- Every device, user and network flow is authenticated and authorized.
- Policies must be dynamic and calculated from as many sources of data as possible.
In sum, zero trust is an information security framework that requires strict verification for every person, device and application on a network, regardless of location or seniority, with the goal of significantly reducing the risks associated with lateral movement on a network.
The National Institute of Standards and Technology expands on this, defining zero trust in the following way:
“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
No matter how it’s defined, the collective understanding of zero trust remains the same and highlights the importance of access control in achieving one thing: the elimination of unauthorized access to health data and services.
Does Healthcare Need Zero Trust?
Healthcare is, and will continue to be, a prime target for cyberattacks, given the value of its data and its need to ensure continuity of care. And with staff continuing to operate in a remote work environment for the foreseeable future, the potential for authentication issues only increases the risk of exploitation.
In fact, of the 300-plus data breaches that have occurred to date this year, almost 90 percent can be attributed either to hacking and IT incidents or to unauthorized access. That’s why the need for a zero-trust strategy in healthcare, with its clearly defined access control policies based on users and devices, has become paramount to maintaining the integrity of patient data and moving digital initiatives forward.
However, from rethinking traditional security architectures to restricting device access based on user authentication, the process can take time. Christopher Frenz, former assistant vice president for information security at Interfaith Medical Center, recently told HealthTech that Interfaith took two years to lay the groundwork for zero trust, not because the deployment was difficult but out of an abundance of caution.
The Brooklyn, N.Y.-based team took great care to thoroughly inventory nearly 5,000 devices, map out their communications, and limit which devices and applications they could communicate with.
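The inventory, map and limit steps described above can be expressed as a default-deny flow policy. This is an added illustration, not Interfaith's tooling or code from the article; the device names, roles, ports and the decide/audit helpers are constructed assumptions.

```python
"""Default-deny flow policy built from a device inventory (all data constructed)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str             # authenticated device identity, deliberately not an IP address
    dst: str
    port: int
    authenticated: bool  # did the source prove its identity for this flow?

# Step 1, inventory (constructed): device identity -> role.
INVENTORY = {
    "infusion-pump-17": "infusion_pump",
    "pump-server-1": "pump_server",
    "nurse-ws-04": "clinical_workstation",
    "ehr-app-1": "ehr_server",
}

# Step 2, communication map (constructed): reviewed (source role, destination role, port).
ALLOWED = {
    ("infusion_pump", "pump_server", 8443),
    ("clinical_workstation", "ehr_server", 443),
    ("clinical_workstation", "pump_server", 8443),
}

def decide(flow):
    """Step 3, limit: return (allowed, reason); anything not mapped is denied."""
    if not flow.authenticated:
        return False, "unauthenticated source"
    src_role, dst_role = INVENTORY.get(flow.src), INVENTORY.get(flow.dst)
    if src_role is None or dst_role is None:
        return False, "device not in inventory"
    if (src_role, dst_role, flow.port) not in ALLOWED:
        return False, "flow not in communication map"
    return True, "allowed"

def audit(flows):
    """Return denied flows with reasons, for review before enforcement is switched on."""
    return [(f, reason) for f in flows for ok, reason in [decide(f)] if not ok]

SAMPLE_FLOWS = [  # constructed observations
    Flow("infusion-pump-17", "pump-server-1", 8443, True),  # mapped
    Flow("infusion-pump-17", "ehr-app-1", 443, True),       # pump has no mapped path to the EHR
    Flow("unknown-laptop", "ehr-app-1", 443, True),         # never inventoried
    Flow("nurse-ws-04", "ehr-app-1", 443, False),           # mapped, but not authenticated
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port} ({reason})")
```

Because the decision never looks at where a flow originates on the network, a device on an internal segment gets no more access than the map grants its role.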