Feb 02 2024

How Is Zero Trust Working in Healthcare Today?

Many health organizations have begun implementing the strategy to bolster security, but how is the industry doing with it overall?

Healthcare leaders are increasingly prioritizing security in response to the rise in cyberattacks on the industry. This is leading to improved communication among security leaders, CIOs and other C-suite executives. However, while many healthcare security professionals are familiar with zero trust and its ability to better protect patient data and healthcare IT environments, implementation across the industry still lacks strategy, definition and maturity, no matter the size or resources of an organization.

Today’s healthcare leaders have an awareness of what can happen when they don’t have effective security controls in place, which is resulting in more dialogue between IT and executive teams. This understanding of the need for increased security has led to culture changes over time. For example, healthcare staff, including clinicians, are now comfortable with taking an extra step to access their workflows securely. There’s even more evidence for interdepartmental communication and collaboration among different agencies.

Now that healthcare leaders grasp the importance of zero trust and security investments, it’s time for IT teams to explore how a zero-trust model can work across the entire system.

Where Are Healthcare Organizations in Their Zero-Trust Journeys?

While healthcare organizations are following the National Institute of Standards and Technology’s SP 800-207 and the Zero Trust Maturity Model from the Cybersecurity and Infrastructure Security Agency (CISA), many are still trying to implement zero-trust controls from version one of the models. Some healthcare systems are looking toward version two and beginning to address governance for each area of the model, but they’re in the minority.

The next step in the zero-trust journey for many healthcare organizations is to gain complete visibility of their environments, including identities, devices and data assets. While many healthcare systems have started this process, IT teams often lose visibility of their data in the cloud or in the custody of third-party providers. It is critical for data owners to know where their data is, who is using it and for what reasons.

Considerations for Healthcare Systems Implementing Zero-Trust

A healthcare organization should not introduce new solutions without having a clear understanding of its control gaps, the extent to which its current solutions are deployed, and the workflows that enable its environment. Management must consider charging the entire organization with the success of a zero-trust strategy, rather than assigning responsibility to an individual or a particular tool. If an organization brings in an identity and access management solution to solve a vulnerability issue, the security team needs to ensure that it works with the organization’s existing systems and tools. Interoperability is key to having full visibility of an IT environment, which enables the organization to fill gaps in its security controls.

If an organization realizes it is lacking a privileged access management solution and decides to buy and implement one without doing the homework of assessing how it will be used within its current environment, the solution likely won’t work as hoped.

When implementing a new solution, IT leaders need to justify their decision. They need to consider the objectives of the solution and how it fits within their overall vision in terms of how it will be used, who will be impacted and how it will impact workflows. With that understanding, IT teams can mitigate workflow impacts and gain a higher level of acceptance among staff and clinicians.

CISOs continue to improve when it comes to educating organizational leadership about the benefits of adopting a zero-trust approach to protect the organization against ransomware attacks. They know that buying a shiny tool isn’t the solution, and that it is important to purchase solutions that fill a gap and bind security controls together to create an overarching security solution.

However, healthcare security leaders are experiencing a lot of pressure from executives, who are seeing ransomware attacks on hospital after hospital, resulting in downtime periods that can exceed 100 days. Whether that pressure comes from cyber insurance carriers or hospital board directives, security professionals are under enormous stress to increase the speed of deployment. Rushing through a deployment due to budget constraints or lack of appropriate resources can lead to further frustration, system misconfiguration or underutilization, and increased risk.

If a system is misconfigured, it can lead to an ineffective solution that creates a false sense of security.

Another important consideration for healthcare organizations is addressing the aftermath of successful attacks. We are finding that many organizations never attempt to recover their systems, which may lead to longer recovery times, extensive data loss or both. If an attack compromises the system, there will be intense pressure on the IT team to get the organization operational again, and it won’t be able to do so quickly. Recovering a system after a cyber incident is a unique process and requires different skills than those of a typical business continuity and disaster recovery specialist.

Healthcare systems should pause and assess their ability to recover systems in the event of an attack. It is unwise for an organization to implement tools for protection without understanding how to recover if bad actors successfully bypass security controls in the environment.

Can a Partner Help Healthcare Organizations Implement Zero Trust?

It is difficult today for healthcare IT managers to acquire personnel with the necessary skill sets to fully integrate a security solution into an existing ecosystem. This can also lead to a poor implementation experience that can discourage an organization, and IT leaders may decide to remove the solution. If an organization lacks the skilled staff to carry out a zero-trust strategy, it should consider partnering with a security expert.

Partners such as CDW can help healthcare IT teams evaluate their current state and create a zero-trust roadmap that aligns with their resources and desired business outcomes. It is important that organizations find a partner with knowledge and experience in implementing zero-trust principles in the healthcare space and a good perspective on frameworks such as those from CISA and NIST.

CDW has a wealth of experience with zero trust and can guide implementation across complex systems with strategic and tactical capabilities. Whether an organization is just beginning its zero-trust journey or has already started working toward the model, CDW can help the IT team assess its existing security posture and provide recommendations to meet obtainable outcomes.

We encourage healthcare organizations to start with a SPARQ assessment, which quantifies an organization’s risk in dollars, allowing leadership to allocate resources effectively for cybersecurity. For example, the assessment could inform organizational leadership that not having multifactor authentication in place could mean losing up to $10 million per cyber incident, which is a substantial sum.

It’s also crucial that organizations undergo recoverability exercises to ensure that if an attack is successful, the healthcare system can recover its data and minimize downtime. CDW offers a recovery assessment that identifies deficiencies and allows organizations to reverse-engineer their security controls to ensure that the business can quickly resume operations with minimal impact to patient care.

When choosing a partner, healthcare IT teams should ensure they have the capabilities and resources to advise, assess, implement and manage all of the complexities of zero trust in healthcare. CDW has a team of former healthcare IT leaders on staff who understand the industry and can help an organization create an end-to-end roadmap that will connect its current state to its desired outcomes.

This article is part of HealthTech’s MonITor blog series.

