Data Encryption and Zero Trust: How to Protect Patient Information

Data access management is an essential component of a zero-trust security strategy.

Your browser doesn’t support HTML5 audio

The healthcare industry faces many data protection challenges, such as encrypting payment card data and meeting security requirements around personal health information (PHI) and personally identifiable information (PII) coming from Internet of Medical Things devices.

Another challenge involves protecting digital endpoints while also offering ease of access for users that require it, either on-premises or remotely, says Peter Newton, senior director of products and solutions at Fortinet.

PHI and PII are part of the data pillar of the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model. The other four pillars are identity, device, network and application workloads. The data pillar involves determining the location for data storage, who gets granted access and how data encryption occurs during transfer and storage, Newton says.

The data pillar of zero trust, which involves encryption, is the most difficult to implement because it must function as a “well-oiled machine,” according to Matt Sickles, healthcare strategist at CDW Healthcare. He calls it a “perfect” approach to examining structured, unstructured, dynamic and static data.

“To protect all the information correctly, metadata on a file as it’s traversing the network has to be linked to a persona or an individual with an identity and a role,” Sickles says. “Then, the network will adhere to the decisions that are made along the way, so that others are not going to be able to inspect or detect the information.”

Proper data management requires prewritten data security policies and continuous improvement to address signs of exposed or compromised data, Sickles says.

Related Content:

Understand how zero trust offers a foundation for authentication and access in healthcare.

Learn why healthcare organizations should begin their zero-trust implementations with identity.

Find out how to approach connected-device security from a zero-trust perspective.

Explore five common network monitoring mistakes and how to fix them with zero trust.

Dive deeper into zero trust and how it can protect application workloads in healthcare.

Uncover four adaptive cybersecurity controls to include in a zero-trust strategy.

 

How Encryption and Dynamic Support Help Protect Health Data

Interconnected health data is dynamic as it travels among multiple medical devices and hospital rooms. Clinicians move devices around from one port in the hospital to another, notes Itai Greenberg, chief strategy officer at Check Point Software Technologies. Clinicians work on rotating shifts as well.

“You need to come up with a mechanism to define a zero-trust policy that doesn’t slow day-to-day operations,” Greenberg says. Artificial intelligence tools could help manage these risk factors and support a zero-trust strategy, Greenberg suggests.

“When properly implemented as part of zero trust, data encryption ensures that data is kept confidential when stored,” Greenberg says. “However, this is not enough. Implementing the continuous verification of identities and providing least-privilege access to relevant data will reduce the attack surface and potential for attack.”

Click the banner below to dive deeper into zero trust and its benefits for healthcare.

Why Data Access Management Is Important for Healthcare

Data access management is a key component of the zero-trust data pillar. It encompasses robust authentication and role-based access control to verify users and conduct continuous monitoring of a connection for a takeover or threat, according to Greenberg.

“This could include monitoring for anomalous high-bandwidth transfers or attempts to exploit a database using an unusual query,” Greenberg says.

Sickles says health systems should consider deploying Trusted Platform Management, which is a crypto-processor on a chip that generates, stores and limits the use of cryptographic keys. 

Using TPM on top of data protection strategies provides helpful physical protection for health data, he says.

Data analytics is not used enough in healthcare, and health systems should take steps to learn more about the evolution of data, including where data is processed and transmitted and how it’s accessible, says CDW Healthcare Strategist Mike Gregory.

DISCOVER: Zero-trust lessons health IT teams can learn from the federal government.

“All of these activities start by e-discovery or analytical tools just so they have an idea of the scope of the data,” Gregory says. “And then we need to make some very astute data classification analysis for both structured and unstructured data.”

Zero-trust data access management can improve onboarding and decommissioning of accounts on a network, according to Gregory. In addition, data access management strengthens operational efficiency, speed and accuracy as data moves from point A to point B, Gregory says.

By decommissioning accounts at the right time, health systems can prevent data loss due to malicious activity, he adds. Gregory notes that healthcare data is about 250 times more valuable on the black market compared with payment card data.

Implementing data access management based on zero trust can also improve compliance with regulatory requirements. It also helps health systems avoid penalties due to improper handling of data and can reduce cybersecurity insurance premiums, Gregory says. 

A zero-trust strategy encompasses robust data authentication, network access control technologies and pervasive application access controls, according to Newton.

“When evaluating security products, the solution should be able to provide zero-trust capabilities for both cloud-based assets and on-premises assets, including providing the internal segmentation and zones of control,” Newton says.

LEARN MORE: Palo Alto Security Expert Paul Kaspian explains why healthcare needs zero trust.

Healthcare systems can use security solutions that support zero trust network access, which offers secure remote access to data and services according to specific access control policies. Some ZTNA solutions, such as Fortinet’s, differ from virtual private networks by granting access on a per-session basis.

“With ZTNA, users and devices can’t access an application unless they provide the appropriate authentication credentials,” Newton says. “ZTNA places applications behind an application gateway, creating a secure, encrypted tunnel for connectivity.” He adds that network administrators only grant access after both the device and user have been verified. 

When thinking about data in healthcare, the biggest risk to patients lies in potential changing of data rather than the access, Sickles says.

“The data investigation or data access is not the true risk here,” he says. “What we’re fearful of is data modification and manipulation to change the outcome of a patient’s clinical experience.”

More On Data Management, Network Monitoring, Patient Data Management, Authentication, Endpoint Security, Patient Privacy, Threat Prevention,