Jul 22 2024
Security

How to Implement Zero Trust Without Disrupting Clinical Workflows

Continuous validation is central to the zero-trust framework, but related security controls shouldn’t burden clinicians.

Faced with rising threats, healthcare IT leaders are increasingly turning to zero trust. As a cybersecurity framework, zero trust requires all users, both inside and outside an organization’s network, to be authenticated, authorized and continuously validated before they gain access to applications and data. Zero trust is a strategy, not a product.

Given the inevitability of breaches, zero trust assumes that cybercriminals have likely already compromised the environment and works to prevent them from attacking from within. In short: Never trust, always verify.

In 2023, 61% of organizations had a zero-trust initiative in place, up from just 24% two years earlier, according to a global Okta survey of information security decision-makers. In 2024, over 41% of technology and security professionals say they are in the advanced stage of zero-trust implementation, while 12% say they have achieved optimal maturity, according to a recent CDW survey of over 950 respondents.

While any large organization has a complex array of systems, devices and security tools, that complexity is exacerbated in healthcare organizations with numerous sites, users and mission-critical devices. Healthcare environments tend to have “a lack of physical security, diverse sets of users and an extremely broad set of connected devices in the form of medical IoT,” says Qiang Huang, vice president of product management for cloud-delivered security services at Palo Alto Networks.

These complications make zero trust even more necessary for health systems.

Preparing for Zero-Trust Implementation in Healthcare

What is the first step health systems should take in adopting a zero-trust approach? “Obtain visibility into all healthcare systems and medical devices,” Huang says. Greater visibility also leads to operational and clinical workflow benefits, such as more accurate asset inventories, improved compliance and better insight into asset utilization, he adds.

The next step: Perform a risk assessment. “Assess the criticality and overall risk of these systems, devices and communication flow,” Huang says.

Once the organization exhaustively inventories all its systems and devices and their corresponding risks, it can then work to secure them through zero trust.

Succeeding in Zero Trust Without Burdening Clinicians

Zero trust, Huang says, follows three fundamental principles: least-privileged access policies, network segmentation and continuous behavioral monitoring. “Even though zero trust is often thought of in the context of users, the same principles can be successfully applied to health systems and medical IoT,” he says.

Least-privileged access grants access only when a user’s identity and context are verified, and then only the minimum access to data, resources and applications that users need to do their jobs. By contrast, giving users privileges to data and apps they don’t need increases the risk of a breach. Least-privileged access strikes a delicate balance between security and usability, minimizing the attack surface while at the same time enhancing operational performance and reducing the impact of human error.

Network segmentation divides the network into multiple segments that each act as a small network, localizing issues and enhancing security by forming a second line of defense. While network segmentation prevents unauthorized users from gaining access to valuable assets such as protected health information, continuous behavior monitoring establishes normal patterns so that it can detect anomalous behavior.

Health IT leaders realize their cybersecurity strategies should not tax already time-strapped clinicians — for instance, by requiring them to sign into multiple applications every day. An advantage of zero trust is that it protects patient data and other data without placing a heavy burden on clinicians. Zero trust should be felt, but not seen. “When done well, zero-trust policies and controls should work successfully behind the scenes with no noticeable impact on clinicians,” Huang says.

For example, least-privileged access applied to a medical device reduces the risk of a security breach in the event the device is compromised, while also allowing it to function normally within a clinical setting.

Clinicians also play a role in effective zero-trust strategy. “Every user in an organization, including clinicians in a healthcare environment, has a responsibility to help protect the organization from a security breach,” Huang says. In a clinical environment, that responsibility involves practicing good physical security protocols, protecting credentials and reporting suspicious behavior that could indicate a malicious attack.

“That said, when done well, a zero-trust approach should require very little from the clinical staff and present a seamless experience,” he says.
