Jun 28 2022

Why Healthcare Organizations Should Begin Their Zero-Trust Implementations with Identity

With patient data and critical infrastructure at risk, healthcare organizations need to strengthen their security postures. A robust zero-trust identity strategy is a good place to start.

Remote work, virtual care technology and the proliferation of mobile devices for clinician workflows and Internet of Medical Things devices for patient care are increasing the attack surface for healthcare organizations. Some organizations can have as many as 10,000 medical devices within their environments.

Patient data is some of the most valuable information cybercriminals can steal, which makes healthcare organizations frequent targets of cyberattacks.

One of the leading areas in cyber exploitation is the use of stolen credentials and account privilege escalation. This type of activity can lead to ransomware, denial of service or other attacks that can compromise healthcare organizations’ networks and potentially impact patient care.

Healthcare organizations lacking identity maturity could become easy targets for cybercriminals, who are then able to go about their activities undetected. For example, many healthcare organizations lack a holistic multifactor authentication strategy. An attacker can exploit this weakness and drop a malicious payload inside a private network. Zero trust can solve this problem, and a strong identity strategy is where healthcare organizations should start.


What Is a Zero-Trust Identity Strategy?

Identity is the foundation of a zero-trust framework rather than just a step in its implementation. A healthcare organization’s zero-trust environment cannot exist without considering all the discrete characteristics of identity anatomy. This should be embedded in every aspect of the zero-trust infrastructure. However, zero-trust identity cannot be achieved through a point solution. The realization of a zero-trust strategy should consider people, processes and technology.

Zero-trust identity begins with governance, frameworks and workflows. Identity registrations, authentication mechanisms, access policies, analytics, and automation and orchestration engines should all be correlated and coded to execute under a single policy governance structure. In a private ecosystem, every entity is vetted by an integrated policy-as-code engine to ensure that it is known by the network.

The goal of a zero-trust identity strategy is to confirm each person’s identity when they attempt to access a healthcare organization’s resources. When a sign-on attempt is made, the environment references a vetted identity store to verify a digital entity’s identity and whether it has current state privileges to access a specific resource. That applies whether the resource is a device, service, application or data.
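The sign-on check described above can be written as a small default-deny decision function. This is an added example, not code from the article or from any vendor product; the entity names, resource labels, grant model and the rule that only people (not devices) must pass multifactor authentication are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    resource: str       # device, service, application or data, e.g. "data:ehr"
    action: str
    expires: datetime   # time-bound, so "current state" can be checked

@dataclass
class Entity:
    kind: str           # "person" or "device"
    vetted: bool        # registered and verified in the identity store
    grants: list = field(default_factory=list)

def decide(store, entity_id, resource, action, mfa_passed, now):
    """Return (allowed, reason). Default deny: every check must pass."""
    entity = store.get(entity_id)
    if entity is None or not entity.vetted:
        return False, "unknown_entity"      # not known to the network
    if entity.kind == "person" and not mfa_passed:
        return False, "mfa_required"        # assumed rule: people need MFA
    expired = False
    for g in entity.grants:
        if (g.resource, g.action) == (resource, action):
            if g.expires > now:
                return True, "granted"
            expired = True                  # matching grant exists but lapsed
    return False, ("privilege_expired" if expired else "no_privilege")

# Constructed sample identity store (all names are illustrative).
NOW = datetime(2022, 6, 28, 12, 0, tzinfo=timezone.utc)
STORE = {
    "nurse-017": Entity("person", True, [
        Grant("data:ehr", "read", NOW + timedelta(hours=8)),
        Grant("app:pharmacy", "order", NOW - timedelta(days=1)),  # lapsed
    ]),
    "pump-0042": Entity("device", True, [
        Grant("service:telemetry", "write", NOW + timedelta(days=30)),
    ]),
    "laptop-x": Entity("device", False),  # seen on the network, never vetted
}

if __name__ == "__main__":
    for args in [("nurse-017", "data:ehr", "read", True),
                 ("nurse-017", "app:pharmacy", "order", True),
                 ("pump-0042", "data:ehr", "read", False),
                 ("laptop-x", "service:telemetry", "write", False)]:
        print(args, decide(STORE, *args, NOW))
```

Returning a reason with every denial gives the monitoring side something to count: a spike in "unknown_entity" or "privilege_expired" decisions is a signal worth alerting on.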

How to Implement a Zero-Trust Identity Strategy

A successful plan considers the participation of an interdepartmental governance framework. The absence of a holistic, identity-centric framework may increase the attack surface and leave an organization with a false sense of security.

A typical engagement within a zero-trust identity strategy is broken down into three major evaluation components:

  • Component Relationship: This includes the hardware and hardware interoperability. Interoperability is essential to achieve end-to-end monitoring and policy execution. All security solutions should be able to communicate to ensure the entire network is secure.
  • Workflow Planning: This includes business processes, data mapping and the categorization of workflows.
  • Access Policies: These policies should be considered from a component perspective as well as holistically.

It’s common to begin with a discovery of network components, services, data flow and core business applications to build the nucleus of a zero-trust architecture. This is followed by an assessment of existing network policies such as firewalls, intrusion detection and prevention systems, virtual LAN configurations and data loss prevention systems that may exist in the ecosystem. The deployment phase then begins and employs this reference architecture, followed by the main policy engine.

All the policies that each component executes individually are correlated and funneled up to a main policy that coordinates every event from end to end. Once in operation, the environment and policy rules are monitored continuously for effectiveness.

Considerations for a Zero-Trust Identity Strategy in Healthcare

Healthcare organizations should resist the temptation to set up zero-trust architectures on their own. There are many solutions on the market today that claim to achieve zero trust. While the hardware is extremely important, it is only about 20 percent of achieving zero trust. Eighty percent of the effort will be handling governance and understanding workflow, then translating this into executable code for the system to manage.

To organize this type of identity-centric approach to security, seasoned professionals must assist with the planning, evaluation and deployment of zero trust to ensure a successful outcome. In successful deployments, governance is at the fore of interdepartmental collaboration. This is the approach that works best for zero-trust implementation. In healthcare, there are special challenges to consider, particularly around medical devices and certain workflows that are unique to the delivery of care. These challenges are best handled when organizations embrace partnerships as part of their strategies.

CDW knows healthcare. Many of our strategic advisers and technical competencies come from the healthcare environment itself. CDW has the experience in performing zero-trust assessments, enabling healthcare organizations to align their entire infrastructures and business operations into this cohesive framework. CDW offers advisory services, professional services, products and managed services to address each component of the zero-trust model.

This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using #WellnessIT.


Illustration by LJ Davids
