Feb 20 2023

Zero Trust Offers a Foundation for Authentication and Access in Healthcare

The security approach provides a framework to determine which clinicians and hospital staff can access critical applications. This can protect patient data amid an increase in cyberattacks.

Who should you trust to access hospital records? As the healthcare industry deals with a barrage of cyberattacks that threaten patient data, operations and even patient outcomes, it needs a comprehensive strategy to secure access to health devices and platforms. Both health IT leaders and clinicians are responsible for protecting patient data and supporting the continuum of care.

Zero trust has emerged as a security strategy that can help prevent unauthorized access to health data. The goal is to define the scope of trust and ensure that the flow of information occurs properly, according to Kapil Raina, vice president of zero trust and identity marketing at CrowdStrike.

What Is Zero Trust?

The zero-trust security model was developed in 2009 by former Forrester Research analyst John Kindervag with the motto “never trust, always verify.” All users, devices, workloads and data should be untrusted by default and governed by the principle of least-privilege access, Forrester Research analysts David Holmes and Jess Burn wrote in a blog post.

“Zero trust is fundamentally making a decision on whether one resource should have access to another resource at this moment in time,” Raina says. Resources could be a doctor, lab technician or other privileged user or application attempting to access another application.

In addition to authorizing users, zero trust also entails testing to see if a mobile device is on the correct operating system, if a browser is secure and if a version of software such as Java or Chrome is correct, says Kris Kistler, senior vice president for information security and corporate systems at Virgin Pulse, which offers a health, well-being and navigation platform.

A zero-trust strategy calls for continuous multifactor authentication, especially if a user logs in from multiple locations or IP addresses, according to Kistler.

Zero trust has evolved beyond a castle-and-moat architecture of good and bad users to involve more interdependent Software as a Service applications, Kistler explains. Zero trust also incorporates strong encryption of data both in transit and at rest.

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency outlined five pillars of zero trust in its Zero Trust Maturity Model, which provides guidance on how companies can comply with the federal government’s executive order on zero trust.  

  • Identity: Defines the attributes that determine which users have access to which resources
  • Device: Includes IoT devices, mobile phones, laptops and servers that connect to networks
  • Network/environment: Defines how to segment and control networks and manage data flow
  • Application workload: Outlines how to secure and manage application delivery, including the application layer along with containers
  • Data: Refers to how data is protected on devices, applications and networks, both in transit and at rest

When it comes to zero trust, there is an opportunity for healthcare organizations to learn from federal government agencies’ implementation experiences.

Zero Trust and NIST SP 800-207

The National Institute of Standards and Technology brought private and public partnerships together to discuss how to develop a framework to defend against attacks. On Aug. 11, 2020, NIST released “Special Publication (SP) 800-207: Zero Trust Architecture,” which discussed deployment models and recommended a roadmap for how to carry out a zero-trust architecture approach in an organization.

“NIST 800-207 is the base foundation if anyone wants to follow zero trust,” Raina says. “It’s not just for public or federal agencies, but also for private institutions.”

How the Zero-Trust Security Model Benefits Healthcare Organizations

Zero trust can help secure a healthcare ecosystem that includes multiple types of users such as doctors, nurses and lab technicians who require access to consoles and applications for various purposes, Raina says.

“In the healthcare environment, you have to deal with multiple personas and multiple levels of access to the same data,” Raina notes. “You have the supply chain of data that can sit either in your environment or in a third party, such as an electronic health record.”

Zero trust can help manage the scope of access to healthcare data in applications such as the EHR and billing systems, Raina says. Health systems can issue multifactor authentication challenges to physicians if the use of credentials shows behavioral abnormalities inconsistent with their profiles or histories, Raina says.

The security framework also incorporates analytics and logging, which are important to healthcare when it comes to meeting HIPAA and HITRUST regulations, says Kistler. Healthcare organizations can monitor who is accessing data and whether they are writing to a file or accessing data as read-only, he says.

Zero trust can also enable faster access to lab results for health providers with more efficient, single authorization access if all the parties are using zero trust, Kistler says. Data transfer among labs, doctors and specialists can then happen in minutes rather than days or weeks with today’s application program interface integrations, he says. 

More secure data transfer with zero trust also brings more efficient insurance authorizations and approval of coverage, Kistler says.

How Zero Trust Compares with Other Cybersecurity Strategies

Zero trust works with other cybersecurity strategies such as least privilege and cybersecurity mesh to provide a complete approach to authentication. Here is a comparison of zero trust and some other key security concepts.

Zero Trust vs. SASE

Secure Access Service Edge, or SASE (pronounced “sassy,” a term coined by Gartner), is the convergence of WAN and network security services into a single, cloud-delivered service model.

SASE allows applications to communicate between multiple systems and lets healthcare organizations access resources securely from the endpoint to the cloud, says Raina.

Zero trust differs from SASE because it focuses on granting access to authenticated users, while SASE also incorporates network and security services and grants access based on identity. Zero trust can be simpler to operate with narrower functionality, so more companies are choosing zero trust in the short term, according to CrowdStrike.

Zero Trust vs. Least Privilege

Zero trust enables healthcare organizations to enforce policies of least privilege, in which they grant the least amount of credentials necessary for the tasks required, Raina explains. For example, doctors would only have access to the health records necessary for a specific plan of care.

“Least privilege is, how do I give a user application access to what they need to do, but the minimum level of access for the minimum amount of time,” Raina says.

Zero trust expands on least privilege by adding conditional testing and repeated verifications, according to Kistler.

“Often, it adds just-in-time access right where you have to request access to a certain resource,” he says. “Then it’s granted, and then it’s taken away after two hours or 12 hours.”
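
The checks described in this article (a decision made per request, device and browser version tests, an MFA challenge for an unfamiliar location, and a just-in-time grant that expires) can be combined into one policy decision. The Python example below is added for illustration and is not code from any vendor or person quoted; the user and resource names, version thresholds and IP addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed values for illustration; real thresholds come from local policy.
MIN_OS, MIN_BROWSER = (16, 0), (110, 0)
KNOWN_IPS = {"dr_lee": {"192.0.2.10"}}

@dataclass
class Grant:            # just-in-time grant: one user, one resource, fixed expiry
    user: str
    resource: str
    expires: datetime

@dataclass
class Request:
    user: str
    resource: str
    at: datetime
    source_ip: str = "192.0.2.10"
    os_version: tuple = (16, 3)
    browser_version: tuple = (110, 0)
    mfa_passed: bool = False

def decide(req, grants, known_ips=KNOWN_IPS):
    """Return 'allow', 'mfa' (step-up challenge) or 'deny' for this one request."""
    # Least privilege: only an unexpired grant for exactly this user and resource counts.
    if not any(g.user == req.user and g.resource == req.resource
               and req.at < g.expires for g in grants):
        return "deny"
    # Device posture: an outdated OS or browser fails regardless of who the user is.
    if req.os_version < MIN_OS or req.browser_version < MIN_BROWSER:
        return "deny"
    # Unfamiliar source address: require a fresh MFA pass before allowing.
    if req.source_ip not in known_ips.get(req.user, set()) and not req.mfa_passed:
        return "mfa"
    return "allow"

def demo():
    t0 = datetime(2023, 2, 20, 8, 0, tzinfo=timezone.utc)
    grants = [Grant("dr_lee", "ehr:patient-1001", t0 + timedelta(hours=2))]
    ehr, soon = "ehr:patient-1001", t0 + timedelta(minutes=30)
    requests = [
        Request("dr_lee", ehr, soon),                                    # known IP, current device
        Request("dr_lee", ehr, soon, source_ip="198.51.100.7"),          # new location, no MFA yet
        Request("dr_lee", ehr, soon, source_ip="198.51.100.7", mfa_passed=True),
        Request("dr_lee", ehr, soon, browser_version=(102, 0)),          # outdated browser
        Request("dr_lee", ehr, t0 + timedelta(hours=3)),                 # two-hour grant expired
        Request("dr_lee", "billing:claims", soon),                       # no grant for this resource
    ]
    return [decide(r, grants) for r in requests]

if __name__ == "__main__":
    print(demo())
```

Every request is evaluated from scratch, so the same user moves from allowed to denied as soon as the grant lapses or the device falls out of policy.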

Zero Trust vs. Perimeter Security

Raina describes perimeter security as an older concept referring to a legacy, on-premises network environment.

“Most organizations could not even tell you where the perimeter is,” Raina says. “There is no concept of the perimeter anymore in today’s modern environment.”

Zero trust expands beyond the old perimeter style with firewall layers to encompass a multilayer defense, according to Kistler. That includes strong authentication and conditional access rather than having a trusted side and an untrusted side where bad actors operate, per Palo Alto Networks.

“It broadens business enablement and allows us to provide more options to our IT staff and to our companies that want to connect securely,” Kistler says.

Zero Trust vs. Cybersecurity Mesh

Raina compares a cybersecurity mesh to having guards at a fixed checkpoint who can communicate with each other and who trust people to enter with the right credentials. Zero trust does not have requirements for fixed checkpoints and requires that security layers are assessed as necessary so that access can be granted in real time, he says.

“Cybersecurity mesh focuses on extending consistent security controls across widely distributed assets,” Kistler says. “And while that’s certainly a valuable thing to have, that really just meets one component of a full zero-trust architecture design.”

When it comes to zero trust in healthcare, turning to the cloud will be key, according to Raina.

“In the concept of zero trust and healthcare, really having a consolidated platform approach that’s cloud-native and understands the adversary goes a long way in executing zero trust more effectively, both from a security perspective and also from a cost and operations perspective,” Raina says.

Jon Buckley/Getty Images
