BIZTECH: When did you first get interested in zero trust as an architecture and as a general framework?
FRENZ: Actually, back in 2015, the hospital I worked for at the time became very concerned about the possibility of a ransomware or other widespread malware attack hitting the organization. One of the things we decided to do was simulate what it would look like if a malware attack were to hit the hospital.
We took what’s called the EICAR test string — if anybody is unfamiliar with that, it’s a harmless string of characters that years ago all the anti-virus makers got together and agreed to treat as a virus. It provides a safe but effective way to test malware defenses — and I wrote a script that would take the EICAR test string and attempt to copy it to every PC within the hospital.
Now, this was an exercise that was executed without anyone else in IT being aware. We launched a script and simulated the malware spreading through the organization. By doing the exercise, we learned quite a bit about which controls were effective, which controls didn’t work and, in some cases, how people responded to the attack, both in terms of the users and in terms of incident response.
One of the controls that stood out as really effective from doing that test was network segmentation. And the interesting thing we saw is that the network segmentation we had, which was by department, mostly of access control lists and virtual LANs, did a good job of keeping that threat contained to just that particular department. But as a hospital, one of the things we learned is that if we were to lose an entire clinical department to ransomware or other types of attacks, it was going to be disastrous to clinical operations at the hospital and potentially patient safety. So, we began to think about ways we could take network segmentation to the next level. And that’s what kicked off our zero-trust initiative.
BIZTECH: When you were looking at network segmentation in those early stages of that zero-trust initiative, what kind of challenges did you encounter?
FRENZ: The first major challenge was establishing an asset inventory. For anybody starting on a zero-trust initiative, one of your first challenges is figuring out everything that’s on the network. Establishing this inventory is the first stage. After that, the biggest challenge is figuring out how all those various assets talk to each other. It’s important to figure out those different traffic flows and map them out in the organization.
In terms of our zero-trust initiative, we started by interviewing the administrators for the various systems. In some cases, they knew the traffic flows. In some cases, we were able to pull it from vendor documentation. In some cases, we used the NetFlow traffic analysis or various tools like that. And in some cases, we had to resort to tools like Wireshark to discover the traffic flows.
That’s one thing that’s changed since 2015. A lot of the more modern zero-trust tools do a much better job of giving insight into the traffic that occurs between systems. So, it’s gotten a little bit easier, but that’s still where your biggest challenge is going to be. And I recommend anybody doing a zero-trust initiative spend time completely learning those traffic flows. The better picture you have of the traffic that’s required in your organization, the less likely you’re going to be to break something when it comes time to put the policies in place, because once identified, traffic flows will form the basis of your zero-trust policies.
BIZTECH: Let’s take a little bit of time to talk about what you call evidence-based security. What does that incorporate and how did it factor into your plans when you were trying to adopt zero trust?
FRENZ: I’m very big on security testing. One of the things I like to do is find ways to quantify security, make security measurable. And the EICAR test example is an example of that, by simulating an attack or some other security incident, developing metrics around that to determine how well your security controls are working or not working and using that to identify improvements in security. I really liked that approach because it gives you a clear idea of what works and what doesn’t work. As you make changes to the organization, you can quantitatively see if you’re making an improvement or not. I find that a very effective way to make security decisions.
BIZTECH: Did you find that a lot of the different tactics that you learned in the first go-round were able to be transferred to Mount Sinai? Or did you find that there were quirks between the different organizations that you had to account for?
FRENZ: It was basically the same approach of doing the asset inventory first and then taking the asset inventory and using that to figure out the data flows. Those techniques were definitely transferable. The other important lesson to learn from the first time that’s made it a little easier doing it a second time around is not to try to bite off too much at once. It’s important to understand that zero trust is not something that you’re going to just flip a switch one day and be all zero trust. Zero trust is a process, and you’re going to want to roll it out over time to avoid breaking stuff.