Zero-Trust Adoption Is a Journey in Healthcare
“It’s a journey figuring out where we are now, what we have, and figuring out our gaps,” said Jon McKeeby, CIO for the National Institutes of Health Clinical Center, which has only 10 percent of its data currently in the cloud. “We want to meet the zero-trust requirements while also meeting needs around clinical and patient care. It’s a struggle for all of us to meet these requirements at the same time. We need to implement zero trust in the right way to ensure systems meet these requirements.”
McKeeby added that zero trust shouldn’t just be a “check-box maneuver.” It has to fit within an organization’s mission.
To achieve zero-trust adoption, Robert Wood, CISO for the Centers for Medicare & Medicaid Services, explained that CMS is looking to leverage as many centralized services, capabilities and infrastructures as possible. The agency is focusing much of its investments on cloud technology, with most of its systems running in the cloud in some form.
Paul Suh, CISO for the National Institute of Allergy and Infectious Diseases, said that his organization is starting with the identity pillar of zero trust by using tools to determine who or what is accessing systems and data. While the organization has several security tools, Suh explained that the security team hasn’t configured them well enough to make full use of the tools’ capabilities.
Many devices were connected to the network at the beginning of the pandemic, and now the organization is figuring out the right level of protection for those devices. In addition to protecting data, NIAID — and on a wider scale, NIH — is focused on how to share data with researchers, scientists, clinicians and administrators.
“Once we come up with a model on how we can share data while protecting it in the right way, that’s where zero trust will make the biggest impact,” said Suh.
Tips for Achieving a Zero-Trust Security Framework
“I’m not going to achieve level 4 maturity out of the gate. If I can get from level 1 to 2 with some investments, then I’m doing better,” said Gerald J. Caron, CIO and assistant inspector general for IT at the U.S. Department of Health and Human Services’ Office of the Inspector General. “We need to do a better job of managing effectiveness over compliance. To be effective at cybersecurity, being compliant is not enough. We need to know what we’re doing well, where we need to do more and where we have gaps.”
He emphasized the importance of going back to the five principles of zero trust to understand the framework.
“These pillars have to work together,” he said, adding that telemetry is key to understanding what’s going on within an organization’s network. “What do you know about that computer, and are you managing it? Devices have different levels of risk, and it’s important to put a risk score on them. Having that visibility allows you to give the right data to the right people at the right time.”
Zero trust means constantly checking device and identity factors in real time to see if anything changes. Wood explained that using telemetry and risk scores gets organizations part of the way to zero-trust adoption. With apps, data and devices, security teams need to determine which action triggers a lockout, quarantine or downgrade of access for a user. However, an organization needs an adequate control plane and an IT environment that can interface with that control plane.
“The telemetry and risk score are important, but what are you actually able to do once you have that risk score?” he asked. “Can you codify policy triggers based on a sliding scale of risk? If you can’t do that, you’re spending money on tools you can’t do anything with.”
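One way to codify policy triggers on a sliding scale of risk, as an added example that is not from the article or from any agency it quotes: each telemetry snapshot is re-scored and mapped to allow, downgrade, quarantine or lockout. The signal names, weights and band thresholds are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Signals:
    """One telemetry snapshot for a session (field names are illustrative)."""
    device_managed: bool
    patch_age_days: int
    mfa_passed: bool
    new_location: bool

def risk_score(s: Signals) -> int:
    # Constructed weights; a real deployment tunes these from its own telemetry.
    score = 0 if s.device_managed else 40
    score += min(s.patch_age_days // 30, 3) * 10   # stale patches: up to +30
    score += 0 if s.mfa_passed else 30
    score += 15 if s.new_location else 0
    return min(score, 100)

# Sliding scale: the first band whose upper bound exceeds the score wins.
BANDS = [(25, "allow"), (50, "downgrade"), (75, "quarantine"), (101, "lockout")]

def decide(score: int, sensitive_data: bool = False) -> str:
    # Sensitive resources (e.g. patient records) tighten every band by 15 points.
    effective = min(score + (15 if sensitive_data else 0), 100)
    return next(action for limit, action in BANDS if effective < limit)

def reevaluate(snapshots, sensitive_data=False):
    """Re-score every snapshot; return (index, score, action) where the action changes."""
    transitions, last = [], None
    for i, snap in enumerate(snapshots):
        score = risk_score(snap)
        action = decide(score, sensitive_data)
        if action != last:
            transitions.append((i, score, action))
            last = action
    return transitions

# Constructed session: healthy start, then signals degrade one at a time.
base = Signals(device_managed=True, patch_age_days=10, mfa_passed=True, new_location=False)
SESSION = [
    base,
    replace(base, new_location=True),
    replace(base, new_location=True, patch_age_days=65),
    replace(base, new_location=True, patch_age_days=65, mfa_passed=False),
    replace(base, device_managed=False, patch_age_days=65, mfa_passed=False, new_location=True),
]

if __name__ == "__main__":
    for step, score, action in reevaluate(SESSION):
        print(f"snapshot {step}: risk={score:3d} -> {action}")
```

The same session evaluated with `sensitive_data=True` reaches each restriction one snapshot earlier, which is the kind of per-resource difference a control plane has to be able to enforce.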
Caron recommended that organizations include users early in the process and look at the zero-trust implementation through the lens of the users’ workflow.
“If you do a new thing in the guise of security without understanding the workflow, they’ll find ways around it to get the job done,” he said.
The Role of Zero Trust in Organizational Priorities
Implementing zero trust can help healthcare organizations achieve other business and clinical priorities. Suh explained that zero trust is helping NIAID bring together different layers of IT, mission-driven priorities, business needs and people.
“It’s a great opportunity to push our IT teams and developers toward DevOps principles,” he said.
Achieving zero trust also relies on collaboration among departments. Wood pointed out that zero trust is a horizontal, organizationwide plan rather than a vertical, siloed approach.
“Different siloes are contributing to that horizontal plan, and everyone benefits as a result of consuming that plan,” he added.