Jan 30 2024

What Is Zero-Trust Security? Key Principles of the Model

Zero trust is a security model in which every attempt to access an organization’s network and resources is vetted continuously. CISA recommends focusing on five “pillars” as you create a zero-trust environment.

In the face of increasingly intelligent cybercriminals and rising threats, healthcare organizations must protect their networks and online environments from attacks. Fifty-four percent of organizations experienced an average of four ransomware in the past two years, and 68 percent of that group said that an attack negatively impacted patient care and safety, according to the Ponemon Institute. With that in mind, cybersecurity can no longer be a priority only for IT teams; it must be a priority for all healthcare stakeholders.

IBM’s 2023 “Cost of a Data Breach” report ranks social engineering techniques such as phishing scams as one of the top causes of security breaches, making training a vital component of any health system’s cybersecurity posture. But training alone won’t protect a network from criminals.

As a result, more organizations are turning to zero-trust security strategies.

Click the banner below to learn how to get the most out of your zero-trust initiative.

Zero trust, which started as an alternative to the “trust but verify” method of cybersecurity, has become a popular buzzword for IT teams and tech users. Here’s what it really means for a healthcare organization’s security approach, and how health IT leaders can get started:

What Is a Zero-Trust Security Model in Healthcare?

Zero trust is a security model in which access an organization’s network and resources are monitored continuously. It is a cybersecurity mindset, not a final state of security that health systems can hope to achieve.

In a zero-trust architecture, every attempt to access a hospital’s network, data or applications must be verified and approved. This applies to internal and external requests for access. This means that all users, including clinicians, healthcare staff and patients, should be vetted when attempting to access an organization’s network and materials.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the implementation of zero trust should span five pillars:

  1. Identity
  2. Devices
  3. Networks
  4. Applications and workloads
  5. Data


ZT Infographic


Applying the Seven Tenets of Zero Trust in Health IT Environments

In addition to five pillars, there are also seven tenets of zero trust that IT leaders should follow, as described in the National Institute of Standards and Technology’s SP 800-207 Zero Trust Architecture. They are:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy — including the observable state of client identity, application/service and the requesting asset — and may include other behavioral and environmental attributes.
  5. The organization monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization is dynamic and strictly enforced before access is allowed.
  7. The organization collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

For healthcare organizations, these tenets apply to all devices used to access the network, as well as all the data they generate and applications they access. Often, health IT teams don’t have the resources to adopt all of these tenets overnight. Therefore, IT teams and users must approach zero trust as a journey.

DISCOVER: Healthcare security leaders should avoid these common mistakes in zero trust.

Zero-Trust Security Is a Journey with Levels of Implementation

There are ways to measure each stage of a health system’s journey from traditional security through optimal zero-trust maturity. CISA has mapped each of the four stages of maturity against its five pillars, giving organizations the opportunity to grow their cybersecurity strategies over time.

Traditional: Most organizations will begin the zero-trust journey at this first stage. In a traditional model, most security processes will be manual. Health systems may have manual deployments of threat protection solutions, manual configurations, minimal encryptions and static access controls.

Initial: As organizations begin to evaluate their security posture through a zero-trust lens, they should aim to move to the initial model. In this environment, the IT team can begin to implement automation for protections like access expiration and some threat protection.

Advanced: The next stage is the advanced zero-trust maturity model. Here, organizations will take into account protections such as phishing-resistant multifactor authentication, session-based access, encrypted network traffic and data at rest, and redundant but highly available data stores with static data loss prevention.

Optimal: An optimal model features full automation with self-reporting solutions, least privilege access and centralized visibility with situational awareness. This level features continuous user validation, access controls with microperimeters and continuous data inventorying with automated data categorization.

It’s unrealistic for health systems, or any healthcare organization, to strive for an optimal environment right out of the gate. Achieving optimal zero trust is a long-term goal that IT professionals can plan for and work toward, securing their environments through smaller changes along the way.

For organizations that are only just considering zero trust, and for those that have already begun to forge ahead, the best place to start is with a security assessment. This helps to establish a baseline by offering visibility into their current security landscape.

UP NEXT: Get zero trust architecture right for security and governance in healthcare.

sturti/getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.