Jan 30 2024

Health Systems Can Build Zero-Trust Maturity Over Time to Optimize Security Investments

The Zero Trust Maturity Model helps healthcare organizations create a roadmap for adopting areas of cybersecurity such as identity control and automation.

Cybersecurity professionals at health systems probably know something about zero trust, the methodology former Forrester Research analyst John Kindervag developed in 2009 based on the motto “never trust, always verify.”

Now, the challenge is to build zero-trust maturity over time and create a roadmap that fits within healthcare organizations’ budgets amid the rising costs of care. To help government agencies develop their roadmaps to zero trust, the federal Cybersecurity and Infrastructure Security Agency (CISA) introduced the Zero Trust Maturity Model (ZTMM).

“ZTMM is really important in helping healthcare organizations on a journey to achieve a better level of zero trust,” says Trevor Dearing, director of critical infrastructure solutions at Illumio. “What we’re all aiming at is helping them to achieve more resilience to make them more robust against an attack when it actually happens.”

The maturity model draws on publications such as the National Institute of Standards and Technology’s Special Publication 800-207 on zero-trust architecture. It lets healthcare organizations prioritize how to solve multiple cybersecurity issues at once, Dearing explains.

“Being able to use the maturity model to say let’s take a step up in all areas or let’s focus on moving up that ladder in certain areas is going to solve the most problems in the first go,” Dearing says.

Tamer Baker, CTO for healthcare, government and education at cloud security company Zscaler, who contributed to NIST SP 800-207, says ZTMM provides a “better step-by-step guide on how to mature through it,” adding, “If I’m speaking to an executive, I would normally reference the CISA model. If I’m speaking to directors and engineers, I would reference NIST.”


The Levels of Zero-Trust Maturity

The ZTMM defines four levels as part of the zero-trust maturity journey.

  • Traditional: Lifecycles (from establishment to decommissioning) and security and logging attributes are configured manually, least privilege is set only at provisioning, and policy is enforced in siloed pillars, one pillar at a time.
  • Initial: Organizations begin automating attribute assignment and lifecycle configuration, make some responsive changes to least privilege after provisioning, and start integrating security solutions across the five pillars: identity, devices, networks, applications and workloads, and data.
  • Advanced: Lifecycle and policy controls are automated wherever applicable with cross-pillar coordination, visibility and identity control are centralized, policy enforcement is integrated across pillars, and least-privilege policies change based on risk and posture assessments.
  • Optimal: Lifecycles and attribute assignments are fully automated and “just-in-time,” with policies that adjust dynamically on automated or observed triggers, dynamic least-privilege access (just enough, within thresholds) enterprise-wide, and cross-pillar interoperability that includes continuous monitoring.

The ZTMM provides guidance to organizations on how to implement zero-trust policies across the five pillars. A zero-trust architecture improves a healthcare organization’s security and lessens the security complexity and operational overhead, according to a Palo Alto Networks blog post.


Bill Kiely, director of cybersecurity architecture and engineering at Children’s Mercy Kansas City in Missouri, says the healthcare companies he has seen are in the initial and traditional stages, but a few have reached the advanced level. Baker agrees that most healthcare organizations are at the traditional stage today.

“It goes up from there to some of the initial levels of zero trust, which is where you start doing some automation,” he says.

Baker explains that the four levels of zero-trust maturity extend separately across the pillars of zero trust. An organization could be at one level for devices but another for networks and data, he notes.

Healthcare organizations’ progress also varies by pillar. Dearing says some are advanced, while others are just starting with the identity pillar; some health systems have implemented multifactor authentication, an early step within that pillar.

“You can end up being optimal in networks but advanced in applications and workloads or initial in data,” Dearing says. “I don’t think that organizations have the capability or the budget to very quickly reach optimal in everything, so doing the thing that addresses the most challenges is probably the most sensible way to do it.”

Dearing says healthcare organizations should not overextend themselves to get to the optimal level in one pillar at the expense of achieving progress toward initial and advanced levels in the other pillars.


What Are the Challenges of the Zero-Trust Maturity Model in Healthcare?

A challenge of implementing zero trust is the perception that it will get in the way of clinicians providing care, Baker says. Physicians may fear that security procedures will cost them a few extra minutes per task, which adds up to significant time not spent seeing patients each week.

“That’s a challenge of mindset,” Baker says. “It’s not an actual technological challenge because when you do this modernization, it makes things better for care providers. But the challenge is overcoming that mindset and that inertia.”

One solution is to speak about cybersecurity initiatives as “digital modernization” rather than as a zero-trust project, Baker suggests.

“That’s a way that I think has worked very well. We don’t even use the term zero trust because of that negative connotation,” he says.


What Are the Benefits of the Zero-Trust Maturity Model in Healthcare?

Health systems can consolidate their work with vendors whose products cover multiple pillars of zero trust, Baker suggests, which saves on operational costs, including personnel.

The ZTMM also gives healthcare organizations a roadmap to track their adoption of the cross-cutting capabilities that span every pillar: visibility and analytics, automation and orchestration, and governance.

“As you’re enforcing your zero-trust policies, you want things to be more automated, meaning that as soon as somebody does something bad and downloads malware, for example, there has to be automation in place to stop that from spreading and moving laterally,” Baker explains.
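The Optimal stage described earlier (just-in-time grants, dynamic least privilege, continuous monitoring) and Baker’s point about automated containment come down to the same mechanism: a policy decision point that re-evaluates every access against identity, authentication strength and device posture, and that revokes grants the moment telemetry changes. The Python below is an added illustration, not code from the article, CISA, NIST, Illumio or Zscaler. The users, roles, devices, resources, TTLs and the EDR event are all constructed for the example, and the Traditional-stage allowlist is included only to show what a static check misses.

```python
"""Toy zero-trust policy decision point (PDP): just-in-time grants re-checked
on every use, and automated revocation when device posture changes.
Added illustration only; every name and value below is constructed."""
from dataclasses import dataclass

# Constructed identity and entitlement data (a real PDP would query an IdP).
USERS = {"dr.lee": "clinician", "vendor.tech": "contractor"}
ROLE_ALLOW = {"clinician": {"ehr-api", "cafeteria-menu"}, "contractor": {"cafeteria-menu"}}
AUTH_RANK = {"password": 1, "mfa": 2}

# Constructed resource policy: required auth strength, device rule, grant TTL (s).
RESOURCES = {
    "ehr-api": {"min_auth": "mfa", "managed_only": True, "ttl": 900},
    "cafeteria-menu": {"min_auth": "password", "managed_only": False, "ttl": 86400},
}

# Constructed device posture, as an MDM/EDR feed would report it.
DEVICE_POSTURE = {
    "ws-icu-07": {"managed": True, "edr_healthy": True, "compromised": False},
    "byod-tablet-3": {"managed": False, "edr_healthy": False, "compromised": False},
}

# Traditional stage: a static allowlist fixed at provisioning. It knows nothing
# about device health or time, so it keeps allowing after an incident.
TRADITIONAL_ALLOWLIST = {("dr.lee", "ehr-api"), ("dr.lee", "cafeteria-menu")}

def traditional_check(user, resource):
    return (user, resource) in TRADITIONAL_ALLOWLIST

@dataclass
class Grant:
    user: str
    device: str
    resource: str
    expires_at: float

class PolicyEngine:
    """Optimal-stage behaviour: short-lived grants, re-evaluated on every use."""
    def __init__(self):
        self.now = 0.0  # injectable clock in seconds, advanced by the caller
        self.grants = []
        self.posture = {d: dict(p) for d, p in DEVICE_POSTURE.items()}

    def _posture_ok(self, device, resource):
        p = self.posture.get(device)
        if p is None or p["compromised"]:
            return False
        if RESOURCES[resource]["managed_only"]:
            return p["managed"] and p["edr_healthy"]
        return True

    def request(self, user, device, resource, auth_level):
        """Just-in-time grant: role, auth strength and posture must all pass."""
        if resource not in ROLE_ALLOW.get(USERS.get(user), set()):
            return False, "role not entitled to resource"
        policy = RESOURCES[resource]
        if AUTH_RANK.get(auth_level, 0) < AUTH_RANK[policy["min_auth"]]:
            return False, "authentication strength below policy"
        if not self._posture_ok(device, resource):
            return False, "device posture fails policy"
        self.grants.append(Grant(user, device, resource, self.now + policy["ttl"]))
        return True, f"granted for {policy['ttl']}s"

    def access_allowed(self, user, device, resource):
        """Per-use check: the grant must be unexpired and posture still acceptable."""
        self.grants = [g for g in self.grants if g.expires_at > self.now]
        return any((g.user, g.device, g.resource) == (user, device, resource)
                   for g in self.grants) and self._posture_ok(device, resource)

    def on_telemetry(self, event):
        """Automated containment: an EDR malware hit marks the device compromised
        and revokes its live grants without waiting for a human. Returns the
        resources whose grants were revoked."""
        if event.get("type") != "malware_detected":
            return []
        dev = event["device"]
        self.posture.setdefault(dev, {"managed": False, "edr_healthy": False})
        self.posture[dev]["compromised"] = True
        revoked = [g.resource for g in self.grants if g.device == dev]
        self.grants = [g for g in self.grants if g.device != dev]
        return revoked

def run_scenario():
    """One clinician: denials, grant, expiry, re-grant, then an EDR alert."""
    pe, out = PolicyEngine(), {}
    out["byod_ehr"] = pe.request("dr.lee", "byod-tablet-3", "ehr-api", "mfa")
    out["password_ehr"] = pe.request("dr.lee", "ws-icu-07", "ehr-api", "password")
    out["contractor_ehr"] = pe.request("vendor.tech", "ws-icu-07", "ehr-api", "mfa")
    out["granted"] = pe.request("dr.lee", "ws-icu-07", "ehr-api", "mfa")
    out["use_now"] = pe.access_allowed("dr.lee", "ws-icu-07", "ehr-api")
    pe.now += 1000  # past the 900 s TTL
    out["use_after_expiry"] = pe.access_allowed("dr.lee", "ws-icu-07", "ehr-api")
    out["regrant"] = pe.request("dr.lee", "ws-icu-07", "ehr-api", "mfa")[0]
    out["revoked"] = pe.on_telemetry({"type": "malware_detected", "device": "ws-icu-07"})
    out["use_after_alert"] = pe.access_allowed("dr.lee", "ws-icu-07", "ehr-api")
    out["regrant_after_alert"] = pe.request("dr.lee", "ws-icu-07", "ehr-api", "mfa")
    out["traditional_after_alert"] = traditional_check("dr.lee", "ehr-api")
    return out
```

Running `run_scenario()` shows the contrast the maturity levels describe: the static allowlist keeps answering yes after the malware alert, while the posture-aware engine expires the grant on its TTL, revokes it on the EDR event, and refuses to re-issue it until the device is remediated. The clock is injected rather than read from `time.time()` so the expiry path can be exercised deterministically.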

Tech vendors can span multiple pillars of zero trust, but a partner can help take an organization to the optimal level, Baker says.

Going forward, the healthcare organizations with the largest budgets will make the quickest progress in the zero-trust roadmap, according to Kiely.

“Because there is no single tool that provides you with complete zero trust, it can take years to get tools purchased and implemented to a mature state,” Kiely says. “Healthcare companies with bigger budgets and resources could implement zero trust much quicker, in some cases in less than a year.”

