Close

Join the Insider Program

Explore exclusive HealthTech coverage and enjoy early access to the latest stories.

Jun 24 2022
Security

How Zero Trust Protects Patient Data Against the Most Serious Security Threats

Defending patient data is more challenging than ever, but this approach can help healthcare organizations establish a flexible cybersecurity posture.

Technologies such as wearables and remote patient monitoring tools make it easier for patients to engage with their health providers and move healthcare toward a continuous care model rather than the traditional episodic model. However, these tools are also leading to increases in the amount of health data collected by providers. In addition to health data becoming more valuable on the black market, ransomware attacks are on the rise, making data security imperative for healthcare organizations.

Two other issues have greatly increased the challenge of data security in recent years. For one, many users can now access data from virtually anywhere and on any device. Further, as organizations adopt cloud services — sometimes without the involvement or knowledge of IT teams — data has become scattered across different platforms, to the point where no one is sure where it all resides.

The result of these issues: Data is everywhere, and trying to protect it is a massive challenge.

Healthcare organizations trying to adjust to these changes also face a cybersecurity environment that is more challenging than ever. To protect data that resides in mobile devices, data centers or in the cloud, IT teams are working to establish security measures that follow workloads rather than reside in a central location.

The zero-trust approach to security has emerged as a key way for healthcare organizations to protect patient and enterprise data in this new environment. Zero trust removes the need for implicit trust and makes sure that every request for access to data or applications is validated with regard to who is requesting access and what is being requested.

DISCOVER: Learn how a zero-trust architecture improves data protection.

“Zero-trust network access creates a condition where everything has its own perimeter,” says Jeremy Weiss, executive security strategist for CDW. “This is true for both authorization and authentication.”

Zero-trust solutions are still gaining traction within healthcare, with only 8 percent of healthcare cybersecurity professionals surveyed in the “2021 HIMSS Healthcare Cybersecurity Survey” reporting that they have zero-trust solutions comprehensively (100 percent) across their organization and others indicating that zero-trust solutions were implemented to a lesser degree. However, the security improvements that zero trust offers are making it an increasingly popular approach for health IT teams looking to protect patient data and workloads. Simplicity is one of the benefits driving adoption of the approach.

“The real value is that zero trust tends to be software control,” says Buck Bell, who leads CDW’s Global Security Strategy Office. “This simplifies deployment as well as policy management. You can centralize policy and deploy it broadly.”

Click the banner to get the expertise you need to strengthen your ransomware protection capability.

Health Systems Respond to New and More Sophisticated Threats

The need for security measures such as zero trust is being driven by cybersecurity threats that grow more numerous and dangerous every year. Cybercriminals are well funded and organized, enabling them to carry out attacks that are increasingly complex and detailed. For example, social engineering attacks identify a specific target and leverage what’s important to that target to take a specific action, such as clicking a link or opening an attachment to an email.

The success of attacks such as ransomware has led to cybercrime becoming a viable business model. Further, the speed at which cybercriminals can exploit new vulnerabilities is faster than ever. For example, within hours of reports in December 2021 of a security flaw in the Log4j2 Java logging library, security professionals observed more than 100 attempts to exploit the vulnerability every minute.

The cybersecurity challenge that organizations face is exacerbated by state-sponsored cyberattacks. Government-backed hackers are well trained, well funded and coordinated in their attempts to compromise data and applications. Further, the use of cloud-based tools such as Ransomware as a Service increases the ease with which cybercriminals can carry out their attacks while also increasing the computing power at their disposal and making it easier for them to cover their tracks.

To address these threats, healthcare organizations need to be better than ever at cyberdefense. Zero trust has become a valuable part of these defenses.

Simple Steps to Protect Patient Data

As healthcare organizations look to implement zero trust, they can take some simple steps to get started. First, an assessment of an organization’s current security posture can help executives and IT professionals understand where vulnerabilities may exist, what the organization’s priorities are and what security controls are in place.

“Assessment is critical,” Bell says. “You need to know where the organization is as far as security and where data is, then you can create a roadmap toward implementing the pillars of a zero-trust model.”

Next, identity is a foundational element of zero-trust initiatives. If an organization is able to authenticate a user’s identity to a high degree of confidence, it can make better decisions about how it implements other security controls. To build this capability, many organizations implement multifactor authentication tools, as well as security controls that provide visibility into user behavior.

READ MORE: Find out why healthcare organizations should consider zero trust.

“Organizations should have a clear picture of who has access to what data at any given time,” Weiss says. “This is a major challenge.”

A zero-trust approach provides flexibility to help healthcare organizations deal with the rapid evolution of cybersecurity threats. While zero-trust principles focus on enforcing security policies around services and applications, the approach also relies on measures such as encryption and microsegmentation to protect networks. In a security landscape where unauthorized access to some assets is almost inevitable, these controls are essential to prevent cybercriminals from moving easily through an organization’s network.

“It’s impossible to foresee every threat,” Weiss says. “Zero trust is important because it helps prevent lateral movement by threats.”

anyaberkut/Getty Images