How Zero Trust Can Protect Application Workloads in Healthcare

Whether it’s an application layer or a container, healthcare systems can vet application workloads using a zero-trust framework.

Your browser doesn’t support HTML5 audio

As healthcare organizations face threats to the security of personally identifiable information in applications such as electronic health records, they need a zero-trust approach to keep their systems safe.

A zero-trust strategy incorporates strict identify verification and device posture checking each time users access an application and for every application session, says Peter Newton, senior director of products and solutions at Fortinet

Organizations must secure application workloads at the application layer as well as in containers. Application workload represents one of the five zero-trust pillars outlined in the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model. The other pillars include identity, device, network and data.

“The pillars work together to enforce the policies of zero trust for user and device access across all resources,” Newton says. “Workload in this circumstance refers to the entire stack of applications and back-end software that enables users and customers to interact with business infrastructure. As client-facing applications have become a common vector for cyberattacks, the whole stack must be treated with zero-trust-compliant controls.”

Related Content:

Dive deeper into how zero trust offers a foundation for authentication and access in healthcare.

Learn why healthcare organizations should begin their zero-trust implementations with identity.

Find out how to approach connected-device security from a zero-trust perspective.

Explore five common network monitoring mistakes and how to fix them with zero trust.

Understand how data encryption protects patient information from malicious actors.

Uncover four adaptive cybersecurity controls to include in a zero-trust strategy.

 

Health systems face a challenge in protecting a variety of workloads, explains Itai Greenberg, chief strategy officer at Check Point Software Technologies. Types of workloads include containers and serverless computing, an execution model of cloud computing in which machine resources are available on demand with third-party vendors managing the servers. Weak security in the supply chain for healthcare applications threatens workloads, Greenberg says.

In healthcare, workloads process patient data so doctors can access it and provide proper care for patients, he adds.

“Without zero-trust security, the application and data can be easily compromised, which could impact the healthcare provided to their patients,” says Greenberg.

CDW Healthcare Strategist Mike Gregory says that the more critical and sensitive the workload, the more it requires security controls. IT leaders must conduct a thorough analysis of workloads to gauge which warrant access permissions.

“Because autonomous requests can originate from devices, users or other workloads, multiple layers of security may be necessary to achieve zero trust for the application layer,” Gregory says.

Click the banner below to dive deeper into zero trust and its benefits for healthcare.

Zero-Trust Network Access Can Strengthen Application Workloads

To bolster the security of application workloads, networks must verify every user before they receive permission to access critical resources, Newton says. Network administrators then log the access for later analysis or auditing.

“This verification applies regardless of whether the user is trying to access those resources remotely or is already within the network perimeter, helping to ensure a higher security posture for organizations, and it is especially powerful for organizations with a hybrid workforce,” Newton says.

Health systems can use a type of IT security solution called zero-trust network access (ZTNA), which delivers secure remote access to a health system’s applications according to an organization’s specific access control policies.

“ZTNA takes the principles of zero trust and applies them to application access,” Newton says. “Its per-session controls mean that users and devices are authenticated and monitored every time they seek to access an application, effectively closing security gaps that can arise from things like unattended devices.”

DISCOVER: Zero trust lessons health IT teams can learn from the federal government.

Automation helps health organizations integrate security systems with applications, says Greenberg.

“Once the security is attached to the application and knows the application, it’s much easier for you to implement a zero-trust approach because there is a symbiotic relationship between the application and the security,” Greenberg says. “If the security is detached from the workload, then everything needs to be configured manually, and that’s not a good practice, and not even viable in the digital world.”

In addition, healthcare systems must understand how applications operate within their environment, Gregory notes.

He adds that a key strategy entails vetting application workloads. “That, to me, is the critical step toward identifying the controls and the security policies needed to achieve zero-trust principles,” Gregory says.

More On Endpoint Security, Risk Assessment, Threat Prevention,