Where Are Healthcare Organizations in Their Zero-Trust Journeys?
While healthcare organizations are following the National Institute of Standards and Technology’s SP 800-207 and the Zero Trust Maturity Model from the Cybersecurity and Infrastructure Security Agency (CISA), many are still trying to implement zero-trust controls from version one of the models. Some healthcare systems are looking toward version two and beginning to address governance for each area of the model, but they’re in the minority.
The next step in the zero-trust journey for many healthcare organizations is to gain complete visibility of their environments, including identities, devices and data assets. While many healthcare systems have started this process, IT teams often lose visibility of their data in the cloud or in the custody of third-party providers. It is critical for data owners to know where their data is, who is using it and for what reasons.
Considerations for Healthcare Systems Implementing Zero-Trust
A healthcare organization should not introduce new solutions without having a clear understanding of its control gaps, the extent to which its current solutions are deployed, and the workflows that enable its environment. Management must consider charging the entire organization with the success of a zero-trust strategy, rather than assigning responsibility to an individual or a particular tool. If an organization brings in an identity and access management solution to solve a vulnerability issue, the security team needs to ensure that it works with the organization’s existing systems and tools. Interoperability is key to having full visibility of an IT environment, which enables the organization to fill gaps in its security controls.
If an organization realizes it is lacking a privileged access management solution and decides to buy and implement one without doing the homework of assessing how it will be used within its current environment, the solution likely won’t work as hoped.
When implementing a new solution, IT leaders need to justify their decision. They need to consider the solution's objectives and how it fits within their overall vision: how it will be used, who will be affected and how it will change workflows. With that understanding, IT teams can mitigate workflow impacts and gain a higher level of acceptance among staff and clinicians.
CISOs continue to improve when it comes to educating organizational leadership about the benefits of adopting a zero-trust approach to protect the organization against ransomware attacks. They know that buying a shiny tool isn’t the solution, and that it is important to purchase solutions that fill a gap and bind security controls together to create an overarching security solution.
However, healthcare security leaders are under a lot of pressure from executives, who are seeing ransomware attacks on hospital after hospital, resulting in downtime periods that can exceed 100 days. Whether the mandate to move faster comes from cyber insurance carriers or hospital board directives, security professionals are under enormous stress to increase the speed of deployment. Rushing through a deployment because of budget constraints or a lack of appropriate resources can lead to further frustration, system misconfiguration or underutilization, and increased risk.
If a system is misconfigured, it can lead to an ineffective solution that creates a false sense of security.
Another important consideration for healthcare organizations is addressing the aftermath of successful attacks. We are finding that many organizations never attempt to recover their systems, which may lead to longer recovery times, extensive data loss or both. If an attack compromises the system, there will be intense pressure on the IT team to get the organization operational again, and it won’t be able to do so quickly. Recovering a system after a cyber incident is a unique process and requires different skills than those of a typical business continuity and disaster recovery specialist.
Healthcare systems should pause and assess their ability to recover systems in the event of an attack. It is unwise for an organization to implement tools for protection without understanding how to recover if bad actors successfully bypass security controls in the environment.