Applying the Seven Tenets of Zero Trust in Health IT Environments
In addition to five pillars, there are also seven tenets of zero trust that IT leaders should follow, as described in the National Institute of Standards and Technology’s SP 800-207 Zero Trust Architecture. They are:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy — including the observable state of client identity, application/service and the requesting asset — and may include other behavioral and environmental attributes.
- The organization monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization is dynamic and strictly enforced before access is allowed.
- The organization collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
For healthcare organizations, these tenets apply to all devices used to access the network, as well as all the data they generate and applications they access. Often, health IT teams don’t have the resources to adopt all of these tenets overnight. Therefore, IT teams and users must approach zero trust as a journey.
DISCOVER: Healthcare security leaders should avoid these common mistakes in zero trust.
Zero-Trust Security Is a Journey with Levels of Implementation
There are ways to measure each stage of a health system’s journey from traditional security through optimal zero-trust maturity. CISA has mapped each of the four stages of maturity against its five pillars, giving organizations the opportunity to grow their cybersecurity strategies over time.
Traditional: Most organizations will begin the zero-trust journey at this first stage. In a traditional model, most security processes will be manual. Health systems may have manual deployments of threat protection solutions, manual configurations, minimal encryptions and static access controls.
Initial: As organizations begin to evaluate their security posture through a zero-trust lens, they should aim to move to the initial model. In this environment, the IT team can begin to implement automation for protections like access expiration and some threat protection.
Advanced: The next stage is the advanced zero-trust maturity model. Here, organizations will take into account protections such as phishing-resistant multifactor authentication, session-based access, encrypted network traffic and data at rest, and redundant but highly available data stores with static data loss prevention.
Optimal: An optimal model features full automation with self-reporting solutions, least privilege access and centralized visibility with situational awareness. This level features continuous user validation, access controls with microperimeters and continuous data inventorying with automated data categorization.
It’s unrealistic for health systems, or any healthcare organization, to strive for an optimal environment right out of the gate. Achieving optimal zero trust is a long-term goal that IT professionals can plan for and work toward, securing their environments through smaller changes along the way.
For organizations that are only just considering zero trust, and for those that have already begun to forge ahead, the best place to start is with a security assessment. This helps to establish a baseline by offering visibility into their current security landscape.
UP NEXT: Get zero trust architecture right for security and governance in healthcare.