Jun 08 2023

As Cyberthreats Grow, Can Zero Trust Protect Healthcare Organizations’ Data?

Implementing an effective approach to cybersecurity in healthcare is an ongoing process.

The security challenges that healthcare organizations face are getting more daunting. Cybercriminals are more organized than ever and are even using techniques employed by legitimate IT companies, such as project management and custom development best practices. Some organized cybercrime outfits have achieved a level of expertise equivalent to that of a skilled penetration testing unit.

According to Black Kite’s 2023 Third Party Breach Report, healthcare was the industry most impacted by attacks in 2022. Last year, 34.9 percent of attacks targeted the healthcare industry, up from 33 percent in 2021.

To address these growing threats, many healthcare organizations are adopting a zero-trust approach to security that requires all users, inside and outside an organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted access to applications and data.

The impetus for this trend is coming from multiple directions. A key driver is a 2021 executive order from President Biden that established a zero-trust strategy for the federal government. The policy requires agencies to meet specific security standards by the end of 2024. The Cybersecurity and Infrastructure Security Agency released the latest update to its Zero Trust Maturity Model in April, adding new guidance for organizations looking to implement this approach.

Adoption by the federal government has spurred widespread zero-trust implementation in the private sector, as executives and boards, including in healthcare, apply pressure on IT teams to address security threats. “The government adoption of zero-trust architecture is really driving the momentum in the commercial space,” says CDW Field CISO John Candillo.

Understanding Zero Trust Is Essential to Healthcare Success

As they engage in efforts to implement a zero-trust approach, healthcare organizations and their IT teams must understand that it is a process, not a destination. The steps an organization takes toward zero trust will evolve as numerous factors change, including the organization’s business needs, the threats it faces and the security solutions it uses.

“There are a lot of great solutions that can help,” says CDW Chief Security Technologist Jeremiah Salzberg. “But it’s important to remember that zero trust is more of an architectural strategy than a specific product or technology.”

The benefits of zero trust extend beyond an improved security posture, says Jeremy Weiss, an executive security strategist with CDW. Implementing zero-trust principles can help healthcare organizations reduce their technical debt and build more efficient operational processes. Because the approach employs network segmentation, application developers can operate securely at a quicker pace than they could otherwise.

The process of implementing zero trust also provides much clearer visibility into an IT environment than most healthcare organizations have, Salzberg says.

Health IT teams are better able to see dependencies between different systems and applications and understand how they communicate and interact. “We’ve seen some improvements in overall stability and efficiency in environments where they’ve gone to a zero-trust architecture,” Salzberg says.

Three Key Elements of Zero Trust

As they work toward implementing a zero-trust approach, health IT teams should focus on three essential elements:

  • Visibility: IT teams need to know what data an organization has, where it resides, where it is transmitted, how it is used and who has access to it.
  • Identity: An organization must be able to determine with confidence the identity of users who are accessing specific sets of data, especially patient data.
  • Governance: An organization must have rules in place for what data it maintains, how it is accessed and transmitted, who is granted access, and how they prove their identity. Additionally, the organization must have mechanisms in place to enforce these rules.

With many healthcare organizations moving data and workloads to the cloud, especially in Software as a Service deployments, maintaining visibility and control can be a significant challenge.

“It’s difficult to understand what’s actually in your environment, which systems should be talking and which systems actually are talking,” Salzberg says. “That whole analysis has always been a challenge and continues to be, but it’s fundamental for zero trust.”

A variety of tools can help organizations establish the elements of zero trust, including multifactor authentication, segmentation and microsegmentation, single sign-on solutions, secure web gateways and encryption. As they work to deploy these and other tools in a zero-trust environment, healthcare organizations must understand that this approach is a continuing pursuit.

“Zero trust is something organizations want to include in how they build and implement new applications and start to work on retrofitting old applications into the new model,” Salzberg says.

“Some people think it’s like a light switch that you can just turn on, that you can just do this and have zero trust,” Candillo adds. “It’s certainly not like that. It’s building a foundation and getting the tools and implementing them in the environments where it makes sense.”
