Health-ISAC Provides Zero Trust Security Guidance to Healthcare CISOs

August 31, 2022 - When properly implemented, zero trust security strategies can help healthcare organizations bolster their security efforts. However, the sector faces unique challenges surrounding IoT devices and identity and access management that are worth considering when contemplating zero trust in healthcare.

In a new white paper, Health-ISAC provided guidance for healthcare CISOs to help them understand and implement zero trust security strategies.

Zero trust as a concept has existed for more than a decade, Health-ISAC explained, but it has become even more popular in recent years. In 2021, President Biden issued an executive order on the state of the nation’s cybersecurity and called out the importance of zero trust initiatives. Now, federal agencies across the country are rolling out zero trust architectures.

Additionally, a recent report by Okta found that 58 percent of surveyed healthcare organizations had started implementing zero trust initiatives this year, compared to just 37 percent last year. The potential reasons for this uptick in zero trust adoption largely point to the volatility of the current cyber threat landscape. The healthcare sector has had to adapt and embrace innovative methods of securing its systems in order to appropriately counter cyber threats.

One of the biggest misconceptions about zero trust is that it is a singular strategy or technology. Instead, zero trust refers to a combination of strategies that all follow the same basic principle — everything inside or outside the network perimeter must be verified before access can be granted.

“Zero trust does away with the idea of a security perimeter because if an unauthorized individual gains access to the ‘trusted network’ the perimeter controls will fail to stop malicious activities. A zero trust architecture is designed to prevent data breaches and limit internal lateral movement,” Health-ISAC noted.

“In this model all traffic is untrusted and instead of securing the perimeter; it’s a matter of securing the user. Ultimately, the goal is to prevent unauthorized access to data and services combined with making access control enforcement as granular as possible.”

Zero trust strategies revolve around identity and access management, cloud security gateways, data and network security considerations, and device and application security. Rather than choosing a singular solution for zero trust, organizations must integrate the core tenets of zero trust using a variety of methods.

Zero trust implementation is not easy for any organization, but healthcare entities have to take unique considerations into account.

“Hospitals and health care settings have numerous Internet of Things devices on the network reporting back vital patient information. Defibrillators, nebulizers, oxygen pumps and other monitoring equipment are all configured to send information back to various workstations for monitoring,” Health-ISAC noted.

“Enabling these devices to communicate via encrypted channels, giving them an identity, and keeping an up-to-date inventory may prove challenging but will ultimately help secure health care networks.”

In addition to challenges surrounding IoT devices, Health-ISAC noted that the nature of healthcare requires employees to move from room to room, often with different workstations or devices. As a result, it can be challenging to establish multi-factor authentication and fine-grained authorization.

However, the benefits of zero trust largely outweigh the implementation challenges. Health-ISAC recommended that healthcare CISOs begin by assessing the current state of security within their organizations and match them to the core tenets of zero trust.

For example, healthcare organizations should ask themselves what authentication standards are currently in place, and how they might need to be modified to adhere to zero trust principles. Additionally, organizations should assess what devices are present on their networks, and what roles and responsibilities are in place to support the large-scale implementation of a least-privileged access model.

“Organizations can then start to talk to current technology vendors and find out how they can meet the core tenets of zero trust and implementing some of the components,” Health-ISAC concluded.

“The criteria may seem daunting at first but will ultimately lead to better security for the organizations in the long term.”